Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

CIRCL OSINT Feed

ThreatFox MISP Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

Proofpoint has identified Amatera Stealer, a rebranded version of ACR Stealer with enhanced capabilities and evasion techniques. Distributed via ClearFake website injects, it utilizes sophisticated attack chains and web injects. Amatera Stealer employs NTSockets for stealthy C2 communication, WoW64 Syscalls to bypass user-mode hooking, and supports HTTPS requests. It focuses on stealing information from browsers, crypto wallets, and various software. The malware can also execute secondary payloads. Amatera Stealer is actively developed and sold as a malware-as-a-service, with subscription plans ranging from $199 to $1,499.

Amatera Stealer is a sophisticated information-stealing malware identified as a rebranded and enhanced version of the previously known ACR Stealer. It is distributed primarily through ClearFake website injections, which are malicious code injections into legitimate websites to silently deliver the malware to victims. The malware employs advanced evasion techniques including the use of NTSockets for stealthy command and control (C2) communication, which helps it avoid detection by traditional network monitoring tools. Additionally, it leverages WoW64 syscalls to bypass user-mode hooking, a common technique used by security software to intercept and block malicious API calls. Amatera Stealer supports HTTPS requests, further obfuscating its network traffic and making detection more challenging.

The primary objective of Amatera Stealer is to exfiltrate sensitive information from infected systems. It targets web browsers to steal stored credentials, cookies, and browsing data, as well as cryptocurrency wallets, which are high-value targets due to the direct financial impact. It also targets various software applications to broaden its data collection scope. The malware has the capability to execute secondary payloads, allowing attackers to deploy additional malicious tools or ransomware after initial infection. Amatera Stealer is actively developed and marketed as malware-as-a-service (MaaS), with subscription pricing tiers ranging from $199 to $1,499, indicating a commercial and scalable threat model.

Technical indicators include multiple file hashes and domains associated with the malware’s infrastructure, such as "amaprox.icu" and "badnesspandemic.shop". The malware’s tactics align with several MITRE ATT&CK techniques, including credential dumping (T1056.001), web injects (T1573.001), process injection (T1055), and stealthy communication (T1102), among others. Despite its sophistication, there are no known exploits in the wild targeting specific vulnerabilities, suggesting infection relies on social engineering or exploitation of web injects to deliver the payload.

Overall, Amatera Stealer represents a medium-severity threat due to its targeted data theft capabilities, evasion sophistication, and active commercial distribution, posing a significant risk to individuals and organizations handling sensitive credentials and cryptocurrency assets.

Detailed information about Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication. Get real-time updates, technical details, and mitigatio

Title	Severity	Type	Source	Date

Threats Tagged 'acr stealer'

Filter Threats

Threats Tagged 'acr stealer'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility