A campaign dubbed ‘JS#SMUGGLER’ is using compromised websites to deliver the NetSupport remote access trojan (RAT), according to an analysis published by Securonix.
Researchers say the multi-stage attack chain consists of three core components: an obfuscated JavaScript loader injected into legitimate websites, an HTML Application (HTA) executed via mshta.exe, and an encrypted PowerShell payload that ultimately downloads and launches NetSupport RAT.
NetSupport RAT is legitimate remote-control software repurposed for malicious use. It grants attackers extensive access to infected systems, including remote desktop control, file manipulation, command execution, data theft, and proxying capabilities.
Securonix notes there is no clear attribution linking JS#SMUGGLER, which it describes as “an actively maintained, professional-grade malware framework,” to a known threat group or nation-state. Its targeting is opportunistic rather than highly targeted.
The campaign uses hidden iframes, obfuscated JavaScript (“phone.js”), and device-aware branching to determine whether to inject a fullscreen iframe (mobile) or load a remote second-stage script (desktop). The loader also implements a subtle first-visit tracking mechanism using localStorage to ensure the malicious logic executes only once per user.
From there, the attack dynamically constructs a URL to fetch an HTA file, which runs in a minimized, stealthy state. This HTA drops and decrypts a temporary PowerShell stager directly in memory, then removes itself to limit forensic traces. The stager’s final task is to download and deploy NetSupport RAT.
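The process chain described above (mshta.exe fetching an HTA from a URL, then PowerShell starting under it) can be hunted in process-creation telemetry. The sketch below is an added example, not code from Securonix or this article; the event field names (modeled on Sysmon Event ID 1), rule names, and all sample events are constructed assumptions.

```python
import ntpath
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe"}
SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"

def ev(pid, ppid, image, cmdline, parent_image):
    # Field names are assumptions, modeled on Sysmon Event ID 1.
    return {"pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline, "parent_image": parent_image}

# Constructed sample events, ordered by time. None come from the report.
SAMPLE_EVENTS = [
    ev(4120, 3001, SYS32 + "mshta.exe",
       'mshta.exe "https://site.example.invalid/x.hta"', EXPLORER),
    ev(4188, 4120, PS, "powershell.exe -NoProfile -WindowStyle Hidden",
       SYS32 + "mshta.exe"),
    ev(5000, 3001, PS, "powershell.exe", EXPLORER),        # ordinary user shell
    ev(5290, 3001, SYS32 + "mshta.exe",
       "mshta.exe C:\\Tools\\inventory.hta", EXPLORER),    # local HTA, no URL
    ev(5301, 5290, PS, "powershell.exe -File C:\\Tools\\inv.ps1",
       SYS32 + "mshta.exe"),
]

def basename(path):
    # ntpath splits on backslashes regardless of the analyst's own OS.
    return ntpath.basename(path).lower()

def hunt(events):
    """Return (pid, rule) findings for the mshta -> PowerShell chain."""
    findings = []
    remote_mshta = set()  # pids of mshta.exe started with a URL argument
    for e in events:
        name = basename(e["image"])
        if name == "mshta.exe" and URL_RE.search(e["cmdline"]):
            remote_mshta.add(e["pid"])
            findings.append((e["pid"], "mshta_remote_url"))
        elif name in SHELLS and basename(e["parent_image"]) == "mshta.exe":
            # Highest confidence when the parent mshta.exe loaded a remote HTA.
            rule = ("remote_hta_spawned_powershell"
                    if e["ppid"] in remote_mshta else "mshta_spawned_powershell")
            findings.append((e["pid"], rule))
    return findings

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(pid, rule)
```

On real telemetry, correlate on a process GUID rather than the bare PID, since PIDs are reused over time.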