Threat actors have observed the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025.
NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim’s host, allowing them to monitor the device’s screen in real-time, control the keyboard and mouse, upload and download files, and launch and execute malicious commands.
Originally known as NetSupport Manager, it was developed as a legitimate remote IT support program, but has since been repurposed by malicious actors to target organizations and capture sensitive information, including screenshots, audio, video, and files.
“ClickFix is a technique used by threat actors to inject a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads,” eSentire said in an analysis.
In the attack chains identified by the cybersecurity company, the PowerShell command is used to download and execute the NetSupport RAT client from a remote server that hosts the malicious components in the form of PNG image files.
The development comes as the ClickFix approach is also being used to propagate an updated version of the Lumma Stealer malware that uses the ChaCha20 cipher for decrypting a configuration file containing the list of command-and-control (C2) servers.
“These changes provide insight into the evasive tactics employed by the developer(s) who are actively working to circumvent current extraction and analysis tools,” eSentire said.
