
Amatera Stealer

Remove Amatera Stealer: Rebranded ACR Stealer exfiltrates credentials with advanced evasion

riviTMedia Research
Last updated: June 19, 2025 6:08 pm

A newly observed information stealer, Amatera Stealer, has surged in use since mid-June 2025. Proofpoint experts documented its evolution from the widely circulated ACR Stealer, noting significant enhancements in anti-analysis tactics and distribution sophistication. A recent campaign deployed via compromised websites illustrates how easily unsuspecting users can become victims of data exfiltration.


Threat Overview

Information stealers like Amatera target sensitive user data—browser credentials, cryptocurrency wallets, system information—by injecting malicious JavaScript into legitimate pages. Once executed, the stealer harvests stored cookies, autofill data, and login tokens before relaying them to a remote server. What happens if these details fall into the wrong hands? Identity theft, fraudulent transactions, and further network compromise are all too common outcomes.


In-Depth Analysis

Infection Vector

Amatera Stealer propagates through ClearFake campaigns—attackers compromise legitimate websites by injecting malicious HTML and JavaScript that silently deliver the stealer payload when users visit the page. In other instances, social engineering lures victims into downloading seemingly benign “browser updates” or “security tools” that are in fact Amatera installers.

Behavioral Profile

Once executed, Amatera Stealer:

  • Performs process injection to evade endpoint defenses by running in the context of trusted applications.
  • Utilizes NTSockets for encrypted C2 communication, avoiding standard network hooks.
  • Invokes WoW64 syscalls to bypass user-mode API monitoring, thwarting common analysis tools.
  • Scans installed browsers and crypto wallets, harvesting credentials, cookies, and autofill data.
  • Deploys secondary payloads on compromised machines, expanding its toolkit for future attacks.

Risk Assessment

With a subscription price starting around $199, Amatera Stealer is accessible to a wide range of cybercriminals—both novices and seasoned operators. The stolen data can fuel account takeovers, unauthorized fund transfers, and further malware distribution (e.g., ransomware deployment). Enterprises face heightened risk: lateral movement facilitated by harvested credentials can lead to large-scale breaches and regulatory penalties.

Manual Removal of Info-Stealers (For experienced users)

Step 1: Boot into Safe Mode with Networking

Info-stealers often run in the background, making removal difficult. Restarting in Safe Mode with Networking ensures they don’t load at startup.

For Windows 10/11

  1. Press Win + R, type msconfig, and hit Enter.
  2. In the System Configuration window, go to the Boot tab.
  3. Check Safe boot → Network.
  4. Click Apply > OK > Restart.

For Windows 7/8

  1. Restart your PC and press F8 before Windows loads.
  2. Select Safe Mode with Networking and press Enter.

Step 2: Stop Malicious Processes in Task Manager

  1. Press Ctrl + Shift + Esc to open Task Manager.
  2. Look for unusual processes (high CPU usage, unknown names).
  3. Right-click on them and select End Task.

Common Info-Stealer Process Names:

  • StealC.exe
  • RedLine.exe
  • Vidar.exe
  • ClipBanker.exe
  • Randomized system-like names

Step 3: Uninstall Suspicious Applications

  1. Press Win + R, type appwiz.cpl, and press Enter.
  2. Locate any suspicious or unknown programs.
  3. Right-click and select Uninstall.

Step 4: Delete Malicious Files and Registry Entries

Info-stealers often store files in hidden locations.

Delete Suspicious Files

  1. Open File Explorer and navigate to:
    • C:\Users\YourUser\AppData\Local
    • C:\Users\YourUser\AppData\Roaming
    • C:\ProgramData
    • C:\Windows\Temp
  2. Delete any suspicious folders with randomized names.

Remove Malicious Registry Entries

  1. Press Win + R, type regedit, and hit Enter.
  2. Navigate to:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. Delete suspicious registry keys (e.g., StealerLoader, TrojanRun).
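Before deleting anything in Step 4, it helps to list what the two Run keys actually launch and whether each command points into the user-writable folders named above. The PowerShell script below is an added example, not part of the original article or any vendor tool; it only reads the registry, and the helper name Get-CommandTarget and the extension list it parses are assumptions made for illustration.

```powershell
# Added example (not from the original article): read-only audit of the Run keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# User-writable directories listed under "Delete Suspicious Files".
$watchDirs = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData,
               (Join-Path $env:windir 'Temp')) | Where-Object { $_ }

function Get-CommandTarget([string]$Command) {
    # Hypothetical helper: extract the executable path from a Run value,
    # a quoted path first, otherwise everything up to the first executable/script extension.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.(exe|com|scr|dll|bat|cmd|vbs|js|ps1))(\s|$)') {
        return $Matches[1]
    }
    return ($Command.Trim() -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)   # REG_EXPAND_SZ is expanded here
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $target = Get-CommandTarget $command
        # Match anywhere in the command so "rundll32.exe <dll in AppData>" is caught too.
        $hit = $watchDirs | Where-Object {
            $command.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        }
        $signature = if (Test-Path -LiteralPath $target -PathType Leaf) {
            (Get-AuthenticodeSignature -LiteralPath $target).Status
        } else { 'FileNotFound' }
        [pscustomobject]@{
            Key = $key; Name = $name; InWatchedDir = [bool]$hit
            Signature = $signature; Command = $command
        }
    }
}
# Review flagged entries first; nothing is deleted or modified.
$report | Sort-Object InWatchedDir -Descending | Format-List
```

Legitimate software also autostarts from AppData, so an entry with InWatchedDir set to True is a lead to review rather than a verdict; an unsigned or missing target alongside it is the stronger signal.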

Step 5: Reset Browsers and Flush DNS

Since info-stealers target browsers, clearing stored credentials is essential.

Reset Browser Data

  1. Open Chrome, Edge, or Firefox.
  2. Go to Settings → Privacy & Security → Clear Browsing Data.
  3. Select Passwords, Cookies, and Cached files → Click Clear Data.

Flush DNS Cache

  1. Open Command Prompt as Administrator.
  2. Type the following commands and press Enter:
       ipconfig /flushdns
       ipconfig /release
       ipconfig /renew
  3. Restart your computer.

Step 6: Scan for Rootkits

Some info-stealers use rootkit techniques to stay hidden.

  1. Download Microsoft Safety Scanner or Malwarebytes Anti-Rootkit.
  2. Perform a deep system scan.
  3. Remove any detected threats.

Step 7: Change All Passwords & Enable 2FA

Since credentials may have been stolen, update passwords immediately for:

  • Email accounts
  • Banking/finance sites
  • Social media accounts
  • Cryptocurrency wallets
  • Work and business logins

Enable two-factor authentication (2FA) for extra security.


Automatic Removal with SpyHunter (Recommended)

(For users who want a fast, reliable removal solution)

SpyHunter is an advanced malware removal tool designed to detect and eliminate info-stealers, trojans, and spyware.

Step 1: Download SpyHunter

Click Here to Download SpyHunter

Step 2: Install and Launch SpyHunter

  1. Open the SpyHunter-Installer.exe file from your Downloads folder.
  2. Follow the on-screen instructions.
  3. Launch SpyHunter after installation.

Step 3: Scan Your System for Info-Stealers

  1. Click “Start Scan” to perform a deep scan.
  2. SpyHunter will identify all malware-related files.
  3. Click “Remove” to eliminate detected threats.

Step 4: Enable SpyHunter’s Real-Time Protection

  • Go to Settings → Enable Real-Time Protection.
  • This prevents future infections.

How to Prevent Info-Stealer Infections

  • Avoid Cracked Software & Torrents – These often contain malware.
  • Use Strong, Unique Passwords – Consider a password manager.
  • Enable Two-Factor Authentication (2FA) – Protects against account theft.
  • Keep Windows & Software Updated – Security updates fix vulnerabilities.
  • Beware of Phishing Emails – Do not click unknown links or attachments.
  • Use a Reliable Anti-Malware Solution – SpyHunter detects and removes threats in real time.

Conclusion

Early detection and swift removal of Amatera Stealer are critical. Its advanced evasion methods and modular design make manual cleanup challenging once infections have taken root. Employ reputable anti-malware tools, maintain up-to-date software, and remain vigilant against unexpected browser behaviors.
