Recently, security researchers at the Cybereason Global Security Operations Center (GSOC) discovered a highly deceptive malware campaign that leverages compromised WordPress sites, phishing lures, and a fake CAPTCHA interface to trick victims into deploying a weaponized version of the legitimate NetSupport Manager Remote Access Tool (RAT).
“Threat actors have been hosting malicious WordPress websites to deliver malicious versions of the legitimate NetSupport Manager Remote Access Tool (RAT),” the report begins.
This multi-stage attack begins with users being redirected to malicious websites via:
- Phishing emails
- Embedded links in PDF attachments
- Game-related websites

Upon visiting a compromised site, a hidden iframe injects a JavaScript file (j.js) from the malicious domain islonline[.]org. When active, this script performs system checks (identifying the browser and device type) and then injects a secondary iframe that leads to a PHP file (index.php), which dynamically loads another script (select.js) responsible for crafting the fake CAPTCHA interface.
“While appearing as a human verification step, the page employs navigator.clipboard.writeText(nE.command) to copy a malicious command to the user’s clipboard,” Cybereason explains.
This trick, known as the ClickFix technique, instructs users to paste and run the copied command via the Win + R Run dialog, so the victim launches the infection manually.
When the clipboard command is executed, it downloads a password-protected ZIP archive and silently extracts a staged NetSupport deployment to %AppData%\Roaming. The archive includes:
- client32.exe: NetSupport RAT client
- remcmdstub.exe: Remote command prompt stub
- client32.ini: Configuration file linking the infected device to the attacker’s NetSupport Gateway
To maintain persistence, the malware creates a Windows Registry Run key, while the initial archive is deleted to cover tracks.
“The batch file includes large comment blocks filled with junk data between the commands… likely an obfuscation technique designed to evade inspection,” notes the Cybereason team.
The attackers’ NetSupport Gateway servers reside within the 94.158.245.0/24 subnet, registered to MivoCloud SRL in Moldova. These hosts expose TCP ports 3389 (RDP) and 443 (HTTPS), signaling public accessibility and remote administration capabilities.
Shodan scans revealed that the NetSupport servers were running Windows Server OS, further linking the threat infrastructure to live, attacker-controlled environments.
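The artifacts described above (a client32.ini pointing at an attacker gateway, a Run key launching client32.exe from the roaming profile, and a batch file padded with junk comment blocks) are all checkable on a suspect host. The triage script below is an added example, not code from the article or from Cybereason; the INI layout ([HTTP] section with a GatewayAddress key) is an assumption about NetSupport's configuration format, and the sample INI, Run-key values and batch file are constructed, with the gateway address chosen inside the 94.158.245.0/24 subnet the report names.

```python
import configparser
import ipaddress
import re

# IoC from the Cybereason report: NetSupport Gateway servers in this subnet.
REPORTED_GATEWAY_SUBNET = ipaddress.ip_network("94.158.245.0/24")

# Binaries the report lists in the staged archive.
NETSUPPORT_BINARIES = ("client32.exe", "remcmdstub.exe")

# Constructed client32.ini. The section/key names are an assumption about the
# NetSupport config format; the address is a made-up host in the reported subnet.
SAMPLE_CLIENT32_INI = """\
[Client]
Quiet=1
SilentDisconnect=1

[HTTP]
GatewayAddress=94.158.245.10
Port=443
"""

# Constructed Run-key values as (value name, command) pairs, the shape a
# registry export or triage tool would return. Folder name is a placeholder.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Client32", r"C:\Users\u\AppData\Roaming\PLACEHOLDER-FOLDER\client32.exe"),
]

# Constructed batch file: two real commands buried in eight junk comment lines.
SAMPLE_BATCH = """\
@echo off
REM 7f3a9c1e0b4d8a2f6c5e1b9d3a7f0c4e
REM qazwsxedcrfvtgbyhnujmikolp
:: 0192837465afbecd
REM zxcvbnmasdfghjklqwertyuiop
REM 9e8d7c6b5a4f3e2d1c0b
:: plokmijnuhbygvtfcrdxeszwaq
REM 1a2b3c4d5e6f
REM ffeeddccbbaa99887766
echo staged
"""


def gateway_addresses(ini_text):
    """Return every GatewayAddress host found in a client32.ini-style file."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(ini_text)
    hosts = []
    for section in parser.sections():
        for key, value in parser.items(section):  # keys are lower-cased by configparser
            if key == "gatewayaddress":
                # Tolerate comma-separated hosts and host:port forms.
                for host in value.split(","):
                    hosts.append(host.strip().split(":")[0])
    return hosts


def gateway_in_reported_subnet(ini_text):
    """Gateway IP literals that fall inside the subnet named in the report."""
    hits = []
    for host in gateway_addresses(ini_text):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname rather than an IP literal; resolve separately
        if ip in REPORTED_GATEWAY_SUBNET:
            hits.append(host)
    return hits


def suspicious_run_values(run_values):
    """Run-key value names whose command launches a NetSupport binary from AppData\\Roaming."""
    flagged = []
    for name, command in run_values:
        lower = command.lower()
        if any(b in lower for b in NETSUPPORT_BINARIES) and r"\appdata\roaming" in lower:
            flagged.append(name)
    return flagged


def batch_comment_ratio(batch_text):
    """Fraction of non-blank lines that are REM or :: comments; junk padding drives this up."""
    lines = [ln for ln in batch_text.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    comments = [ln for ln in lines if re.match(r"^\s*(rem\b|::)", ln, re.IGNORECASE)]
    return len(comments) / len(lines)


if __name__ == "__main__":
    print("gateway hits:", gateway_in_reported_subnet(SAMPLE_CLIENT32_INI))
    print("run keys:", suspicious_run_values(SAMPLE_RUN_VALUES))
    print("batch comment ratio:", round(batch_comment_ratio(SAMPLE_BATCH), 2))
```

On a real host the three inputs would come from the staged folder under the roaming profile, from an export of the HKCU and HKLM Run keys, and from any dropped .bat file; the comment ratio is only a heuristic, so treat a high value as a reason to read the file, not as a verdict on its own.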
Once the NetSupport client is activated, threat actors use its built-in features to:
- Transfer files to public folders
- Launch applications remotely
- Execute commands via remcmdstub.exe
Cybereason observed attackers using NetSupport to run reconnaissance commands such as net group /domain “Domain Computers”. This command lists every Active Directory computer account, helping adversaries map the environment for lateral movement or privilege escalation.
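Because the NetSupport client and its command stub are the parents of whatever the operator runs, the recon described above shows up in process-creation telemetry as net.exe (or net1.exe) descending from client32.exe or remcmdstub.exe. The detection below is an added example written for this article, not Cybereason's detection logic; the key=value record layout and field names are assumed for the example rather than taken from any specific EDR, and the event records are constructed to include one benign net use, one shell spawned directly by remcmdstub.exe, one domain-group query two levels below it, and one domain-group query with no NetSupport ancestor.

```python
import re
from pathlib import PureWindowsPath

# Parent images that indicate NetSupport-driven activity (binaries named in the report).
NETSUPPORT_BINARIES = {"client32.exe", "remcmdstub.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
NET_BINARIES = {"net.exe", "net1.exe"}

# The recon command pattern from the report: "net group /domain ...".
DISCOVERY = re.compile(r"\bgroup\s+/domain\b", re.IGNORECASE)

# Constructed process-creation records (assumed field names, one record per line).
# CommandLine is always the last field so it may contain spaces and quotes.
SAMPLE_EVENTS = r"""
EventId=1001 ProcessId=200 ParentProcessId=100 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\net.exe CommandLine=net use
EventId=1002 ProcessId=300 ParentProcessId=150 ParentImage=C:\Users\u\AppData\Roaming\x\remcmdstub.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe
EventId=1003 ProcessId=400 ParentProcessId=300 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\net.exe CommandLine=net group /domain "Domain Computers"
EventId=1004 ProcessId=500 ParentProcessId=100 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\net1.exe CommandLine=net1 group /domain
"""

FIELD = re.compile(r"(EventId|ProcessId|ParentProcessId|ParentImage|Image)=(\S+)")


def parse_events(text):
    """Turn the key=value records into dicts; CommandLine is the remainder of the line."""
    events = []
    for line in text.strip().splitlines():
        rec = dict(FIELD.findall(line))
        rec["CommandLine"] = line.split("CommandLine=", 1)[1] if "CommandLine=" in line else ""
        events.append(rec)
    return events


def basename(path):
    return PureWindowsPath(path).name.lower()


def under_netsupport(event, by_pid):
    """Follow ParentProcessId links; True if any ancestor was launched by a NetSupport binary."""
    seen = set()
    cur = event
    while cur is not None and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])
        if basename(cur["ParentImage"]) in NETSUPPORT_BINARIES:
            return True
        cur = by_pid.get(cur["ParentProcessId"])  # None once the chain leaves our records
    return False


def detect(text):
    """Map EventId -> list of reasons for every record worth an analyst's attention."""
    events = parse_events(text)
    by_pid = {e["ProcessId"]: e for e in events}
    findings = {}
    for e in events:
        reasons = []
        child = basename(e["Image"])
        # Rule 1: a shell or net utility spawned directly by the RAT or its command stub.
        if basename(e["ParentImage"]) in NETSUPPORT_BINARIES and child in SHELLS | NET_BINARIES:
            reasons.append("spawned-by-netsupport")
        # Rule 2: the AD computer-account enumeration seen in the campaign.
        if child in NET_BINARIES and DISCOVERY.search(e["CommandLine"]):
            reasons.append("domain-group-discovery")
            # Rule 3: attribute the discovery to the RAT through the process tree.
            if under_netsupport(e, by_pid):
                reasons.append("discovery-under-netsupport-tree")
        if reasons:
            findings[e["EventId"]] = reasons
    return findings


if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(reasons))
```

Rule 2 alone fires on any domain-group enumeration, including an administrator's; the ancestry walk in rule 3 is what ties the query to the RAT, so it is the finding to page on, while the others are context for the investigator.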
Although NetSupport Manager is a legitimate IT support tool, its robust feature set has increasingly made it a favored backdoor for cybercriminals.
“According to a recent report, NetSupport Manager was the seventh most prevalent threat in 2024… it is frequently referred to as a malicious Remote Access Trojan due to its widespread exploitation,” the report notes.