Amatera Stealer 4.0.2 Beta: What’s New in This Variant
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Amatera Stealer 4.0.2 Beta is a reworked C++ information stealer that has been marketed as Malware-as-a-Service since 2018. This updated version introduces stronger anti-debugging and anti-analysis capabilities, includes geofencing checks tied to Kaspersky products and Ukrainian keyboard layouts, and replaces AES-256-CBC with an ECDH key exchange combined with ChaCha20-Poly1305 for command-and-control encryption. Its collection modules have also expanded to target additional cryptocurrency wallets and browser extensions, while adding support for harvesting Discord and Signal artifacts. Delivery relies on a ClickFix mshta.exe chain that deploys a 32-bit shellcode loader, which reflectively injects the stealer directly into memory.
Investigation
The eSentire Threat Response Unit observed the full delivery chain in a finance-sector environment in April 2026. Their analysis identified a 32-bit shellcode loader that resolved seven core APIs, decrypted its payload using a 128-byte XOR key, decompressed it with aPLib, and performed reflective PE injection. The loader also implemented the RecycledGate and FreshyCalls syscall resolution method together with encryption of syscall numbers. Configuration data was delivered over HTTPS through an ECDH-based key exchange protected by ChaCha20-Poly1305, and access to the configuration required a hard-coded GUID.
Mitigation
Defenders should block mshta.exe execution for files retrieved from untrusted URLs and disable the Run dialog through Group Policy where possible. Application control tools such as AppLocker or WDAC should be used to prevent unauthorized PowerShell and HTA execution. Security teams should also monitor for known Kaspersky driver paths and checks for Ukrainian keyboard layouts, as these may indicate evasion behavior. Endpoint protection should be capable of detecting reflective injection techniques and loaders that rely on API hashing.
Response
If Amatera Stealer activity is detected, isolate the affected system immediately, stop the malicious process, and collect memory dumps for key and payload analysis. Capture decrypted TLS traffic where possible to recover configuration details and identify any exfiltrated data. A full review of credentials and cryptocurrency wallets present on the host should be conducted. Organizations should also launch indicator-based hunting across the environment using the reported IOCs and related attacker techniques.
Attack Flow
```mermaid
graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef malware fill:#ffcc99
    classDef process fill:#99ff99
    classDef technique fill:#ffeb99
    classDef operator fill:#ff9900

    %% Node definitions
    action_user_execution["<b>Action</b> – <b>T1218.005</b> mshta Execution<br/>User runs malicious HTML Application"]
    class action_user_execution action
    process_powershell["<b>Process</b> – PowerShell<br/>Base64 encoded command"]
    class process_powershell process
    tool_reflective_loader["<b>Tool</b> – Reflective Loader<br/>Downloads 32-bit shellcode"]
    class tool_reflective_loader tool
    technique_reflective_loader["<b>Technique</b> – <b>T1620</b> Reflective Code Loading"]
    class technique_reflective_loader technique
    technique_xor_obfusc["<b>Technique</b> – <b>T1027.002</b> XOR Obfuscation"]
    class technique_xor_obfusc technique
    technique_aplib_compress["<b>Technique</b> – <b>T1027.007</b> aPLib Compression"]
    class technique_aplib_compress technique
    technique_anti_debug["<b>Technique</b> – <b>T1652</b> Detect Analysis Environment"]
    class technique_anti_debug technique
    malware_stealer["<b>Malware</b> – Stealer<br/>Collects credentials, seed phrases and private keys"]
    class malware_stealer malware
    technique_credential_browser["<b>Technique</b> – <b>T1555.003</b> Credentials from Web Browsers"]
    class technique_credential_browser technique
    technique_credential_manager["<b>Technique</b> – <b>T1555.004</b> Credentials from Windows Credential Manager"]
    class technique_credential_manager technique
    technique_credential_manager_file["<b>Technique</b> – <b>T1555.005</b> Credentials from Password Managers"]
    class technique_credential_manager_file technique
    technique_credential_chat["<b>Technique</b> – <b>T1552.008</b> Unsecured Chat Transmission"]
    class technique_credential_chat technique
    technique_credential_files["<b>Technique</b> – <b>T1552.001</b> Credential Files"]
    class technique_credential_files technique
    technique_search_downloads["<b>Technique</b> – Search Downloads for Seed Phrases and Private Keys"]
    class technique_search_downloads technique
    technique_zip["<b>Technique</b> – <b>T1560</b> Archive Collected Data"]
    class technique_zip technique
    technique_https_exfil["<b>Technique</b> – <b>T1573.001</b> Use HTTPS for C2"]
    class technique_https_exfil technique
    technique_encrypted_exfil["<b>Technique</b> – <b>T1041</b> Encrypted Traffic Exfiltration"]
    class technique_encrypted_exfil technique

    %% Connections showing flow
    action_user_execution -->|executes| process_powershell
    process_powershell -->|downloads| tool_reflective_loader
    tool_reflective_loader -->|implements| technique_reflective_loader
    tool_reflective_loader -->|uses| technique_xor_obfusc
    tool_reflective_loader -->|uses| technique_aplib_compress
    tool_reflective_loader -->|evades detection via| technique_anti_debug
    tool_reflective_loader -->|loads| malware_stealer
    malware_stealer -->|harvests| technique_credential_browser
    malware_stealer -->|harvests| technique_credential_manager
    malware_stealer -->|harvests| technique_credential_manager_file
    malware_stealer -->|harvests| technique_credential_chat
    malware_stealer -->|harvests| technique_credential_files
    malware_stealer -->|searches| technique_search_downloads
    malware_stealer -->|archives| technique_zip
    technique_zip -->|exfiltrates via| technique_https_exfil
    technique_https_exfil -->|uses encryption| technique_encrypted_exfil
```
Detections
- Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- IOCs (HashSha256) to detect: Amatera Stealer 4.0.2 Beta: What’s New in This Variant
- PowerShell Creation of Decoy Kaspersky Driver Files [Windows Powershell]
- Network Connection to Amatera Stealer C2 and Dropper URL [Windows Network Connection]
- Potential Malicious Execution via mshta and PowerShell [Windows Process Creation]
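As an added example (not part of the original report or its detection rules), the following Python applies two simplified checks modelled on the mshta and decoy-driver detections above to constructed process_creation events: mshta.exe launched with a remote URL or spawning PowerShell, and PowerShell New-Item writing one of the Kaspersky driver names from the simulation into a drivers directory. The event contents, field names and rule names are assumptions.

```python
import re

# Constructed Sysmon-style process_creation events (not real telemetry).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "powershell.exe -enc SQBFAFgA"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell New-Item -Path C:\Windows\SysWOW64\drivers\klif.sys -ItemType File"},
    # Local .hta with no URL and no PowerShell child: deliberately outside both rules.
    {"id": 4, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]

# Driver names the simulation writes as decoys (taken from the report's test script).
KASPERSKY_DRIVERS = ("klif.sys", "kldisk.sys", "klhk.sys", "kneps.sys")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def mshta_remote_or_powershell_child(ev):
    """mshta.exe given a remote URL, or PowerShell spawned by mshta.exe (the ClickFix chain)."""
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    if image.endswith("\\mshta.exe") and URL_RE.search(ev["CommandLine"]):
        return True
    return parent.endswith("\\mshta.exe") and image.endswith("\\powershell.exe")


def powershell_decoy_kaspersky_driver(ev):
    """PowerShell New-Item writing one of the Kaspersky driver names under a drivers directory."""
    if not ev["Image"].lower().endswith("\\powershell.exe"):
        return False
    cmd = ev["CommandLine"].lower()
    return "new-item" in cmd and "\\drivers\\" in cmd and any(d in cmd for d in KASPERSKY_DRIVERS)


RULES = {
    "mshta_remote_or_powershell_child": mshta_remote_or_powershell_child,
    "powershell_decoy_kaspersky_driver": powershell_decoy_kaspersky_driver,
}


def evaluate(events):
    """Return (rule_name, event_id) for every rule that matches an event, in event order."""
    return [(name, ev["id"]) for ev in events for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```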
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker who has obtained PowerShell execution on a compromised host wishes to exploit a Kaspersky driver‑evasion bug. They use PowerShell’s New-Item cmdlet to drop four decoy driver files (klif.sys, kldisk.sys, klhk.sys, kneps.sys) into C:\Windows\SysWOW64\drivers. By doing so they generate the exact command‑line strings that the Sigma rule matches, thereby provoking an alert while also planting files that could be leveraged for later privilege‑escalation or persistence.
Regression Test Script:
```powershell
# PowerShell script to create the four decoy Kaspersky driver files.
$driverPath = "C:\Windows\SysWOW64\drivers"
$files = @("klif.sys", "kldisk.sys", "klhk.sys", "kneps.sys")
foreach ($f in $files) {
    $fullPath = Join-Path -Path $driverPath -ChildPath $f
    try {
        # -Force creates the file even if it already exists; -ErrorAction Stop makes failures reach the catch block.
        New-Item -Path $fullPath -ItemType File -Force -ErrorAction Stop | Out-Null
        Write-Host "[+] Created $fullPath"
    } catch {
        Write-Warning "[-] Failed to create $fullPath : $_"
    }
}
```
Cleanup Commands:
```powershell
# Remove the created decoy driver files to restore the host to its original state.
$driverPath = "C:\Windows\SysWOW64\drivers"
$files = @("klif.sys", "kldisk.sys", "klhk.sys", "kneps.sys")
foreach ($f in $files) {
    $fullPath = Join-Path -Path $driverPath -ChildPath $f
    if (Test-Path $fullPath) {
        Remove-Item -Path $fullPath -Force
        Write-Host "[+] Removed $fullPath"
    }
}
```