According to a recent report, new malware uses the ClickFix social engineering tactic, a phishing technique where users are tricked into executing a command under the pretext of completing a CAPTCHA or fixing a system issue.
Bad actors are primarily hunting for crypto users, but they are also targeting browsers, messaging apps, FTP clients, and email accounts.
The campaign is dangerous because it combines social engineering with advanced malware delivery that can evade detection.
Evolved from ACR (AcridRain) Stealer, a malware previously sold via a malware-as-a-service (MaaS) model until mid-2024. It is now being sold via a subscription.
Users are tricked into running a command in Windows Run under the pretext of completing a CAPTCHA (ClickFix).
The campaign is part of a broader phishing ecosystem with fake invoices and VBS attachments. Visitors to fake ClickFix pages (SmartApeSG campaign) to deliver NetSupport RAT.
There are also fake Booking.com CAPTCHA and spoofed internal email alerts with fake delivery notifications that prompt victims to click links that steal login credentials.
High-value targets
Cryptocurrency wallets contain directly transferable assets, which is why crypto wallets are considered to be high-value targets. Malware bypasses antivirus, EDR, and sandboxes. Attackers only deploy RATs on machines with valuable crypto data.
Once stolen, it can be transferred globally in minutes without intermediaries.
Unlike bank accounts, crypto transactions are irreversible, so once an attacker has the private keys, the victim usually cannot recover the funds.
A single compromised wallet can yield hundreds of thousands or even millions of dollars.
Malware like Amatera Stealer is specifically designed to detect and extract crypto wallet files, browser wallets, and private keys.
Dan Burgin
Vladislav Sopov
U.Today Editorial Team