The first quarter of 2025 has seen a significant rise in cybersecurity threats, with cybercriminals launching aggressive campaigns and refining their tactics. In this context, it’s essential to be aware of the latest malware families and their characteristics.
Below, we’ll delve into the details of five notable malware families, including their technical characteristics and behaviors observed in controlled environments.
Exploiting ClickFix: The NetSupport RAT
At the beginning of 2025, threat actors started exploiting the ClickFix technique to distribute the NetSupport Remote Access Trojan (RAT). This method involves injecting fake CAPTCHA pages into compromised websites, prompting users to execute malicious PowerShell commands that download and run the NetSupport RAT.
Once installed, this RAT grants attackers full control over the victim’s system, enabling activities such as real-time screen monitoring, file manipulation, and execution of arbitrary commands.
Technical Characteristics of NetSupport RAT
- Allows attackers to view and control the victim’s screen in real time.
- Uploads, downloads, modifies, and deletes files on the infected system.
- Executes system commands and PowerShell scripts remotely.
- Captures copied text, including passwords and sensitive data.
- Records user keystrokes for credential theft.
- Starts, stops, and modifies system processes and services.
- Installs itself in startup folders, registry keys, or scheduled tasks to survive reboots.
- Employs process injection and code obfuscation to evade detection.
- Maintains a stealthy connection with attackers using encrypted traffic.
By running the NetSupport RAT payload in ANY.RUN’s Interactive Sandbox, we can observe its behavior and analyze its actions.
View NetSupport RAT analysis session
 |
| Malicious archive opened inside ANY.RUN sandbox |
When NetSupport RAT infects a system, it immediately establishes a connection with a command-and-control (C2) server, allowing attackers to operate the compromised machine remotely.
 |
| CnC connection detected by ANY.RUN sandbox |
Through this connection, attackers can execute system commands, deploy additional malware, and modify system settings.
Equip your team with ANY.RUN’s Interactive Sandbox to analyze unlimited malware in real time, uncover threats faster, and strengthen your defenses.
NetSupport RAT employs multiple Tactics, Techniques, and Procedures (TTPs) to maintain persistence, evade detection, and gather system data. Key TTPs include:
- Persistence & Execution: Modifies registry startup keys, executes scripts via wscript.exe.
- Discovery: Reads computer name, checks system language, and accesses environment variables.
- Defense Evasion & C2 Communication: Drops legitimate Windows executables, creates internet connection objects for remote control.
These techniques demonstrate how NetSupport RAT establishes control while avoiding detection, all of which are visible in ANY.RUN’s ATT&CK mapping.
 |
| Main TTPs used by NetSupport RAT |
Lynx Ransomware: Sophisticated Attacks and Robust Encryption
The Lynx Ransomware-as-a-Service (RaaS) group is a highly organized entity, offering a structured affiliate program and robust encryption methods. Building upon the foundation of the earlier INC ransomware, Lynx has enhanced its capabilities and expanded its reach, targeting a diverse range of industries across multiple countries.
Lynx’s affiliate panel allows its affiliates to configure victim profiles, generate custom ransomware samples, and manage data-leak schedules within a user-friendly interface. Because of its structured approach, it becomes one of the most accessible ransomware even for those with limited technical expertise.
To incentivize participation, Lynx offers affiliates an 80% share of ransom proceeds. The group maintains a leak site where stolen data is published if victims fail to pay the ransom.
Major Attacks of Lynx in Q1
In the
Source Link
