EVALUSION Campaign Leverages ClickFix for Amatera Stealer and NetSupport RAT Deployment

The digital threat landscape is in constant flux, with adversaries continually refining their tactics to breach defenses and compromise sensitive data. A recent and particularly insidious campaign, dubbed EVALUSION, has emerged, demonstrating a concerning blend of social engineering and advanced malware deployment. This campaign isn’t just another phishing attempt; it cleverly manipulates user trust through a technique known as ClickFix, paving the way for the installation of potent threats like Amatera Stealer and NetSupport RAT. Understanding this new vector is crucial for bolstering our collective cybersecurity posture.

Understanding the EVALUSION Campaign’s Attack Vector

The EVALUSION campaign, first identified in November 2025, represents a significant escalation in how threat actors are bypassing traditional security measures. At its core, the campaign relies on a refined social engineering strategy designed to trick users into executing malicious commands directly from their Windows operating system.

• Initial Lure: While the exact initial lure isn’t detailed in the primary source, such campaigns typically begin with highly convincing phishing emails, malicious advertisements, or compromised websites that prompt users with an urgent call to action.
• The ClickFix Technique: This is the defining characteristic of the EVALUSION campaign. Instead of directly downloading and executing a malicious file, victims are persuaded to open the Windows Run dialog (by pressing Win + R) and then input and execute a series of commands provided by the attackers. This technique exploits user familiarity with a seemingly legitimate system function, making the malicious activity appear less suspicious.
• Bypassing Traditional Detections: By leveraging built-in Windows functionalities and relying on user interaction, ClickFix can often bypass endpoint detection and response (EDR) solutions that primarily focus on file-based malware signatures or suspicious executable downloads. The “malicious” action is initiated by the user, making it harder for automated systems to flag as an immediate threat.

Amatera Stealer: A Potent Information Harvester

Once a user falls victim to the ClickFix technique, their system becomes compromised, leading to the deployment of Amatera Stealer. This is not a run-of-the-mill infostealer; it’s engineered for comprehensive data exfiltration.

• Credential Theft: Amatera Stealer is adept at harvesting login credentials from web browsers (including popular ones like Chrome, Firefox, Edge), email clients, and various other applications.
• Financial Data Extraction: It targets sensitive financial information, such as credit card details, cryptocurrency wallet keys, and banking credentials.
• Sensitive File Exfiltration: Beyond credentials, Amatera can identify and exfiltrate documents, images, and other files deemed valuable by the attackers, often based on specific file extensions or keywords.
• System Information Gathering: Before exfiltration, the stealer typically gathers extensive system information, including operating system details, installed software, hardware configurations, and network settings, providing attackers with a complete profile of the compromised machine.

NetSupport RAT: Persistent Remote Control

In addition to Amatera Stealer, the EVALUSION campaign also deploys NetSupport RAT (Remote Access Trojan). While NetSupport Manager is a legitimate remote administration tool, its powerful capabilities are frequently abused by threat actors to maintain persistent access and control over compromised systems.

• Remote Control and Surveillance: NetSupport RAT allows attackers to remotely control the victim’s computer, view their screen, access files, execute commands, and even activate the webcam and microphone. This level of access enables comprehensive surveillance and direct manipulation of the compromised system.
• Persistence Mechanisms: Attackers configure NetSupport RAT to establish various persistence mechanisms, ensuring that their access to the infected system remains even after reboots or attempts to remove the malware.
• Secondary Payload Delivery: The RAT can serve as a conduit for delivering additional malicious payloads, expanding the scope of the attack, or facilitating further stages of a multi-pronged operation.

Remediation Actions and Protective Measures

Defending against campaigns like EVALUSION requires a multi-layered approach that combines technical controls with robust security awareness training.

• User Education is Paramount:
  • Be Wary of Unsolicited Instructions: Educate users never to execute commands provided via email, chat, or unfamiliar websites, especially if they are prompted to use the “Run” window. Legitimate software installations rarely require this method without prior context or official documentation.
  • Verify Sources: Emphasize verifying the legitimacy of all communications before acting on instructions, even if they appear to come from a trusted entity.
  • Recognize Social Engineering: Conduct regular training on identifying phishing, pretexting, and other social engineering tactics.
• Endpoint Security Enhancements:
  • Advanced Endpoint Detection and Response (EDR): Deploy EDR solutions that can monitor for suspicious process execution, unusual network connections, and anomalous user behavior, even if the initial action is user-initiated.
  • Application Whitelisting/Blacklisting: Implement application controls to restrict the execution of unauthorized applications or scripts, especially those initiated from unusual directories or user profiles.
  • Behavioral Analysis: Configure endpoint solutions to detect suspicious command-line executions and script activity, which are central to the ClickFix technique.
• Network Security:
  • Network Segmentation: Isolate critical assets and segment networks to limit lateral movement in case of a breach.
  • Egress Filtering: Monitor and restrict outbound network connections to known malicious IP addresses or unexpected destinations to prevent data exfiltration by Amatera Stealer or C2 communication by NetSupport RAT.
  • DNS Filtering: Block access to known malicious domains associated with malware distribution and command-and-control infrastructure.
• Regular Backups: Implement a robust, offsite backup strategy to ensure data recovery in the event of a successful attack.
• Patch Management: Keep operating systems, browsers, and all software up-to-date to patch known vulnerabilities that malware might exploit. While ClickFix relies on social engineering, unpatched systems offer more avenues for secondary infections or privilege escalation.

Detection and Mitigation Tools

Leveraging the right tools can significantly enhance an organization’s ability to detect and respond to threats like the EVALUSION campaign.

Tool Name	Purpose	Link
Endpoint Detection and Response (EDR) Solutions	Detects and responds to advanced threats, including suspicious process execution and behavioral anomalies.	(Specific vendors vary, e.g., CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)
Security Information and Event Management (SIEM)	Aggregates and analyzes log data from various sources to identify security incidents and anomalous activity.	(Specific vendors vary, e.g., Splunk, IBM QRadar, Elastic SIEM)
Network Intrusion Detection/Prevention Systems (NIDS/NIPS)	Monitors network traffic for suspicious patterns and known attack signatures, helping to block C2 communications.	(Specific vendors vary, e.g., Snort, Suricata, Fortinet, Palo Alto Networks)
Application Whitelisting Software	Prevents unauthorized applications and scripts from running on endpoints.	(Specific vendors vary, e.g., AppLocker, Carbon Black App Control)
Browser Security Extensions	Provides additional layers of defense against malicious websites and phishing attempts.	(e.g., uBlock Origin, Privacy Badger, reputable password managers)

Conclusion

The EVALUSION campaign underscores a critical shift towards advanced social engineering tactics combined with sophisticated malware payloads. The ClickFix technique, by leveraging legitimate Windows functionalities and user interaction, presents a formidable challenge to traditional security controls. With Amatera Stealer aiming for comprehensive data exfiltration and NetSupport RAT establishing persistent remote access, the potential impact on victims is severe. Proactive measures, centered on comprehensive user education, robust endpoint security, behavioral monitoring, and strong network defenses, are indispensable in mitigating the risks posed by such evolving threats.