Deploying NetSupport RAT via WordPress & ClickFix

July 13, 2025, 11:35 a.m.

Description

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.

Date

  • Created: July 10, 2025, 9:49 p.m.
  • Published: July 10, 2025, 9:49 p.m.
  • Modified: July 13, 2025, 11:35 a.m.

Indicators


Attack Patterns

Additional Information

  • Moldova, Republic of