
Redazione RHC : 11 December 2025 16:57
Securonix specialists have discovered a multi-layered malware campaign aimed at secretly installing the NetSupport RAT remote access tool. The attack involves a series of carefully hidden stages, each designed to ensure maximum stealth and leave minimal traces on the compromised device.
The initial download of the malicious code begins with a JavaScript file injected into compromised websites. This script has a complex structure and hidden logic that is activated only when certain conditions are met.
It can detect the user’s device type and even record whether this is their first visit to the page, allowing it to perform malicious actions only once per device. If the conditions are met, the script injects an invisible frame into the page or loads the next stage: an HTML application.
The second stage, the researchers report, involves launching an HTA file, a hidden application executed via the native Windows tool mshta.exe. It extracts an encrypted PowerShell script, decrypts it in several steps, and executes it directly in memory. This ensures that all malicious activity occurs without creating persistent files, significantly hindering detection by antivirus software.
The final step involves downloading and installing the NetSupport RAT. To do this, a PowerShell script downloads the archive, unpacks it into an inconspicuous directory, and runs the executable file using a JScript wrapper. To maintain its presence on the system, a shortcut disguised as a Windows Update component is created in the startup folder. This approach allows attackers to retain access even after the device is rebooted.
NetSupport RAT is a legitimate remote administration tool that attackers actively abuse for espionage, data theft, and remote control. During this campaign, it gains full control of the infected system, intercepting keyboard input, managing files, executing commands, and using its proxy functionality to move through the network.
Experts estimate that the malicious infrastructure is constantly maintained and updated, and that its architecture indicates the developers’ high level of expertise. The attack targets users of corporate systems and spreads through fake websites and hidden redirects. Despite its high level of sophistication, it has not yet been possible to determine the operators’ exact affiliation with any known cybercriminal group.
The detected campaign highlights the importance of blocking the execution of unsigned scripts, tightening control over system process behavior, monitoring startup directories, and analyzing suspicious network activity. Particular care is recommended in limiting the use of mshta.exe and monitoring attempts to download files to the %TEMP% and ProgramData folders.
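The monitoring advice above can be turned into simple triage rules. The following is an added example, not code from Securonix or from this article: it runs three rules (mshta.exe spawning PowerShell, a script host dropping a payload into %TEMP% or ProgramData, and a shortcut appearing in the Startup folder) over constructed Sysmon-style events whose field names and sample paths are assumptions.

```python
# Added example: triage constructed process/file events for the stages described in the article.
# Event fields ("type", "image", "parent", "cmdline", "path") and all sample values are assumptions.

# Locations the article names as worth watching (matched case-insensitively).
STARTUP_DIR = "\\start menu\\programs\\startup\\"
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PAYLOAD_EXT = (".exe", ".dll", ".zip", ".js")

# Constructed sample telemetry: three events mirror the described chain, two are benign.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "mshta.exe stage2.hta"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "powershell.exe -w hidden"},
    {"type": "file", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\ProgramData\Updater\payload.zip"},
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.lnk"},
    {"type": "file", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": r"C:\Users\alice\Downloads\report.pdf"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, detail) findings, one per event that matches a stage of the chain."""
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        if ev["type"] == "process":
            # Stage 2: mshta.exe hands the decrypted script to an in-memory PowerShell child.
            if _basename(ev.get("parent", "")) == "mshta.exe" and image in ("powershell.exe", "pwsh.exe"):
                findings.append(("mshta_spawns_powershell", ev["cmdline"]))
            continue
        path = ev["path"].lower()
        # Stage 3 persistence: a shortcut in the Startup folder, here posing as Windows Update.
        if STARTUP_DIR in path and path.endswith(".lnk"):
            lure = "windows update" in _basename(path)
            findings.append(("startup_lnk_windows_update_lure" if lure else "startup_lnk_created", ev["path"]))
        # Stage 3 download: a script host writes a payload into %TEMP% or ProgramData.
        elif image in SCRIPT_HOSTS and path.endswith(PAYLOAD_EXT) and any(d in path for d in STAGING_DIRS):
            findings.append(("script_host_drops_to_staging_dir", ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:36} {detail}")
```

The rules are deliberately narrow (parent-child relation, target directory, file extension) so they can be tuned against a real process-creation and file-write feed without flagging ordinary Startup shortcuts or downloads.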
Redazione