Deploying NetSupport RAT via WordPress & ClickFix
Essential information
- Published
- 10/07/2025 21:49
- Modified
- 13/07/2025 11:35
- Tags
- 2025-07-10 dom manipulation fake captcha netsupport rat phishing post-exploitation remote access wordpress
- Related entities
- 21 observables, 7 techniques (mitre), 1 malware, 1 others
Description
A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.