Pulse: Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
WHITE | PetrP.73 | Created: 2025-06-23 | Modified: 2025-06-23
45 IOCs | Medium volume
Proofpoint has identified Amatera Stealer, a new variant of ACR Stealer that has been rebranded and marketed as malware-as-a-service (MaaS) with advanced features and sophisticated anti-analysis capabilities. The malware improves its stealth by using NTSockets to communicate with its command and control server and by issuing complex HTTP requests that avoid traditional DNS resolution. Amatera Stealer is distributed through ClearFake, which injects malicious scripts into legitimate sites and uses techniques such as EtherHiding and ClickFix to deceive users; once running, it extracts sensitive information from web browsers, cryptocurrency wallets, and messaging applications while evading detection. The development of Amatera Stealer marks a significant evolution in the threat posed by information stealers, particularly amid increased competition from other malware offerings.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: GrMsk, Lumma, ClickFix, ClearFake, ACR, Amatera
Indicators of Compromise (5 of 45 total shown; FileHash-MD5 entries created 2025-06-23, each described as the MD5 of a corresponding SHA-256 sample hash)