Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks

Threat actors have observed the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025.
NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim's host, allowing them to monitor the device's screen in real-time, control the keyboard and mouse, upload and download files, and launch and execute malicious commands.
Originally known as NetSupport Manager, it was developed as a legitimate remote IT support program, but has since been repurposed by malicious actors to target organizations and capture sensitive information, including screenshots, audio, video, and files.
"ClickFix is a technique used by threat actors to inject a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads," eSentire said in an analysis.
In the attack chains identified by the cybersecurity company, the PowerShell command is used to download and execute the NetSupport RAT client from a remote server that hosts the malicious components in the form of PNG image files.

The development comes as the ClickFix approach is also being used to propagate an updated version of the Lumma Stealer malware that uses the ChaCha20 cipher for decrypting a configuration file containing the list of command-and-control (C2) servers.
"These changes provide insight into the evasive tactics employed by the developer(s) who are actively working to circumvent current extraction and analysis tools," eSentire said.
Protecting Your Software Supply Chain: Assessing the Risks Before Deployment
Progress Software Patches High-Severity LoadMaster Flaws Affecting Multiple Versions
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
MediumWeb Cache Deception
InformationalGET for POST
InformationalUser Agent Fuzzer
InformationalInformation Disclosure - Suspicious Comments in XML via WebSocket
HighPII Disclosure
MediumInsecure JSF ViewState
Free online web security scanner