Alert: Fake DocuSign & Gitcodes Pages Install NetSupport RAT Malware!

Security researchers at DomainTools have uncovered a highly deceptive malware campaign designed to exploit user trust and familiarity with online services by using spoofed websites — including fake Docusign verification pages and Gitcodes paste tools — to trick victims into manually infecting their own machines.

The campaign culminates in the delivery of the NetSupport RAT, a legitimate remote support tool often abused by cybercriminals for stealthy system control.

“This analysis highlights a sophisticated and persistent malicious campaign… using seemingly innocuous ‘verify you are human’ CAPTCHAs and malicious PowerShell scripts disguised as legitimate prompts,” the report warns.

The attack flow begins with phishing or malvertising lures that direct users to websites mimicking popular platforms like Gitcodes or Docusign. These pages present users with fake CAPTCHA challenges and then instruct them to copy a PowerShell script into the Windows Run prompt (Win + R).

“Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts.”

In reality, this script kicks off a multi-stage downloader chain ultimately installing NetSupport RAT and establishing persistence on the system.

Malicious PowerShell scripts were hosted on the spoofed domain gitcodes[.]org, presented under a banner reading: “Gitcodes – #1 paste tool since 2002!”

The first-stage script retrieves a secondary payload from tradingviewtool[.]com, which in turn pulls files from tradingviewtoolz[.]com. These files include a legitimate 7zip executable used to extract and run a malware payload (client32.exe), disguised under a benign name like “My Support”.

“This ensures that client32.exe will automatically start every time the user logs in… Naming it ‘My Support’ is an attempt to make it look less suspicious.”

A more sophisticated variant uses a fake Docusign page (docusign.sa[.]com) masked as a Cloudflare CAPTCHA page. Upon interacting with the fake CAPTCHA, the page executes a function called unsecuredCopyToClipboard():

“The page then initiates Clipboard Poisoning… copying an encoded multi-layered string to the user’s clipboard.”

Victims are prompted to open the Run prompt and execute the copied string — unknowingly launching malware installation routines.

The decoded script downloads a persistence payload (wbdims.exe) and places a shortcut in the Windows Startup folder to ensure it launches on every reboot. Additional stages follow:

• Stage 2: Downloads and executes a new PowerShell script
• Stage 3: Retrieves and runs jp2launcher.exe, a dropper for NetSupport RAT
• Final Payload: Calls out to domains like mhousecreative[.]com and 170.130.55[.]203

Researchers linked the campaign to a broader ecosystem by analyzing SSL issuers, nameservers, and reused scripts. Many were hosted on:

• Discord CDN
• GitHub Repos
• Spoofed media and security tool sites, including oktacheck.it[.]com, hubofnotion[.]com, and others

“The techniques involved are commonplace and NetSupport Manager is a legitimate administration tool known to be leveraged as a RAT by multiple threat groups such as FIN7, Scalert Goldfinch, STORM-0408 and others,” the report concludes.

Related Posts:

• Phishing Alert: Government Impersonation Attacks Surge via DocuSign
• Fake DocuSign Emails: Don’t Get Hooked by Phishing Scams
• Hackers are trying to install NetSupport Remote Access Tool on victim machine through Fake Software Update
• Cisco Talos Warns of Stealthy NetSupport RAT Campaigns
• Cybercriminals Exploit DocuSign API to Send Convincing Phishing Invoices at Scale

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy