Cybersecurity researchers at Cybereason’s Global Security Operations Center (GSOC) have identified a sophisticated campaign in which threat actors exploit compromised WordPress websites to distribute malicious versions of the legitimate NetSupport Manager Remote Access Tool (RAT).
The attack, detected in May 2025, employs a multi-stage delivery mechanism that manipulates victims into unknowingly installing malware through fake CAPTCHA verification pages.
Multi-Stage Attack Chain Targets Windows Users
The attack begins with phishing campaigns distributing malicious website links through emails, PDF attachments, and gaming websites.

When victims access these compromised sites, malicious JavaScript that the threat actors injected into the website’s meta description and anchor tags triggers the download of a remote script (j.js) from the domain islonline[.]org.
The malicious script performs reconnaissance by identifying the browser name, user agent details, and whether the victim is using a mobile device or a desktop.
It specifically targets Windows operating systems and tracks previous visits using browser local storage to avoid detection. If the user hasn’t visited before, the script generates an iframe to load a PHP file that continues the attack chain.
ClickFix Technique Exploits User Trust
The most concerning aspect of this campaign is the implementation of the “ClickFix” technique through a fake CAPTCHA verification page.
The select.js script performs DOM manipulations, injecting Tailwind CSS stylesheets and rendering a React-based CAPTCHA challenge that appears legitimate to users.
However, the fake CAPTCHA uses navigator.clipboard.writeText() to copy malicious commands to the victim’s clipboard, then instructs users to paste and execute these commands via the Windows Run dialog box (Win + R).
This social engineering technique bypasses traditional security measures by exploiting user trust in standard verification mechanisms.
Once executed, the malicious batch file (jfgf.bat) downloads a ZIP archive containing the NetSupport Client application and supporting components. The file includes obfuscated junk data between commands to evade detection.
After extraction, the NetSupport Client establishes persistence through Windows Registry Run keys and connects to connectivity servers located within the 94.158.245[.]0/24 network block registered to MivoCloud SRL in Moldova.
Immediate Response Required
Post-exploitation activities occur within hours of initial compromise, with threat actors transferring files to C:\Users\Public\ and launching NetSupport Remote Command Prompt for reconnaissance activities, including Active Directory queries for domain computers.
Security experts recommend immediate containment measures, including endpoint isolation, forensic analysis, credential resets, and blocking of the IOCs across networks.
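As an added illustration (not code from the Cybereason report), the following Python correlates the stages described above in endpoint telemetry: a batch file launched from the Run dialog, a Run-key entry pointing into C:\Users\Public\, and a connection into the 94.158.245.0/24 block. The explorer.exe parent heuristic, the event schema, the hostnames and the client path are assumptions; the telemetry is constructed.

```python
import ipaddress
from collections import defaultdict

# The /24 is the report's connectivity-server block; the parent-process and path heuristics are my assumptions.
C2_BLOCK = ipaddress.ip_network("94.158.245.0/24")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"

def score_event(ev):
    """Return detection tags for one telemetry record; an empty list means nothing matched."""
    tags = []
    if ev["type"] == "process":
        # Win+R runs its command under explorer.exe, so a .bat launched that way is the ClickFix paste step.
        if ev.get("parent_image", "").lower().endswith("explorer.exe") and ".bat" in ev.get("command_line", "").lower():
            tags.append("clickfix_run_dialog_bat")
    elif ev["type"] == "registry":
        # Run-key persistence pointing at a binary in C:\Users\Public\, where the report saw staged files.
        if RUN_KEY in ev.get("key", "").lower() and "c:\\users\\public\\" in ev.get("value", "").lower():
            tags.append("run_key_public_path")
    elif ev["type"] == "network":
        try:
            if ipaddress.ip_address(ev.get("dest_ip", "")) in C2_BLOCK:
                tags.append("netsupport_c2_block")
        except ValueError:
            pass  # missing or malformed address
    return tags

def correlate(events, window_s=3600):
    """Flag hosts where the Run-dialog step is joined by at least one other stage within window_s seconds."""
    per_host = defaultdict(list)
    for ev in events:
        for tag in score_event(ev):
            per_host[ev["host"]].append((ev["ts"], tag))
    hits = {}
    for host, tagged in per_host.items():
        tagged.sort()
        tags = {t for _, t in tagged}
        if "clickfix_run_dialog_bat" in tags and len(tags) > 1 and tagged[-1][0] - tagged[0][0] <= window_s:
            hits[host] = sorted(tags)
    return hits

# Constructed telemetry for the demo; hosts, timestamps and the client path are made up, the .bat name is the report's.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1000, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /c C:\Users\alice\Downloads\jfgf.bat"},
    {"host": "WS01", "ts": 1095, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\Public\nsclient\client.exe"},
    {"host": "WS01", "ts": 1200, "type": "network", "dest_ip": "94.158.245.17", "dest_port": 443},
    {"host": "WS02", "ts": 2000, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]
```

Calling correlate(SAMPLE_EVENTS) flags WS01 with all three tags and leaves WS02 untouched; the paste step on its own, or stages more than an hour apart, do not produce a hit.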
The campaign highlights the evolution of social engineering tactics and the critical need for user education about suspicious verification requests, particularly those requiring clipboard actions or manual command execution.