Threat actors have been observed using the increasingly widespread ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025.

NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim’s host, allowing them to monitor the device’s screen in real time, control the keyboard and mouse, upload and download files, and launch and execute malicious commands.

Originally known as NetSupport Manager, it was developed as a legitimate remote IT support program, but has since been repurposed by malicious actors to target organizations and capture sensitive information, including screenshots, audio, video, and files.

“ClickFix is a technique used by threat actors to inject a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads,” eSentire said in an analysis.

In the attack chains identified by the cybersecurity company, the PowerShell command is used to download and execute the NetSupport RAT client from a remote server that hosts the malicious components in the form of PNG image files.
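A defender-side check for the delivery detail above, as an added example that is not from eSentire or the original article: it parses a downloaded file that claims to be a PNG and reports when the content is another format or carries extra data. It assumes the hosted components have a `.png` name but non-image content; the watch list of other formats, the function names and the sample blobs are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed watch list: leading bytes of formats that should never sit behind a .png name
OTHER_MAGIC = {b"MZ": "Windows PE executable", b"PK\x03\x04": "ZIP archive", b"MSCF": "CAB archive"}

def _chunk(ctype: bytes, body: bytes = b"") -> bytes:
    """Build one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def inspect_png(data: bytes) -> list:
    """Return findings for a blob that claims to be PNG; an empty list means well-formed."""
    if not data.startswith(PNG_SIG):
        for magic, name in OTHER_MAGIC.items():
            if data.startswith(magic):
                return [f"not a PNG: content is a {name}"]
        return ["not a PNG: unknown content"]
    findings, pos, first = [], len(PNG_SIG), True
    while pos + 12 <= len(data):  # 12 = length + type + CRC of an empty chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return findings + ["truncated chunk"]
        body = data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            findings.append(f"bad CRC in {ctype.decode('latin-1')} chunk")
        if first and ctype != b"IHDR":
            findings.append("first chunk is not IHDR")
        first, pos = False, end
        if ctype == b"IEND":
            if pos < len(data):
                findings.append(f"{len(data) - pos} bytes appended after IEND")
            return findings
    return findings + ["missing IEND chunk"]

# Constructed samples: a valid 1x1 PNG, the same file with data appended, a PE stub named .png
GOOD = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
        + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND"))
SAMPLES = {"logo.png": GOOD, "padded.png": GOOD + b"\x00" * 64,
           "client.png": b"MZ\x90\x00" + b"\x00" * 60}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_png(blob) or "ok")
```

The same function can be run over proxy-cached or quarantined downloads whose URL or filename ends in `.png`; any non-empty result is worth triage.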

The development comes as the ClickFix technique is also being used to propagate an updated version of the Lumma Stealer malware that uses the ChaCha20 cipher for decrypting a configuration file containing the list of command-and-control (C2) servers.

“These changes provide insight into the evasive tactics employed by the developer(s) who are actively working to circumvent current extraction and analysis tools,” eSentire said.