Cybersecurity experts are raising alarms about a new malicious campaign that is using fake websites to trick people into running PowerShell scripts—unaware that they are actually opening the door to a malware known as NetSupport RAT.
Malware Campaign Uses Fake Sites and PowerShell to Target Users
The DomainTools Investigation Team (DTI) has uncovered a malicious campaign involving fraudulent websites that mimic well-known platforms like Gitcode and DocuSign. These fake sites host multi-stage PowerShell scripts that begin with what appears to be a harmless command but ultimately trigger a chain of downloads that fully install malware on the victim’s system.
These websites are crafted to persuade users to copy and run a PowerShell command directly from the Windows “Run” dialog box. When executed, the initial script activates another script that proceeds to download additional malicious components. The process culminates in the installation of NetSupport RAT, a remote access tool that gives attackers full control over the compromised machine.
It is suspected that this campaign spreads mainly through phishing emails and social media messages, where users click on seemingly legitimate links that redirect them to these dangerous sites.
Notably, the fake Gitcode sites are configured to download a sequence of additional scripts from a remote server identified as tradingviewtool[.]com. These scripts are executed in succession until the malware is fully active on the victim’s computer.
Additionally, several domains impersonating DocuSign—such as docusign.sa[.]com—have been identified using an extra tactic to gain user trust: a “Click to Verify” CAPTCHA. This step is presented as a routine security check but is actually a trick to get users to run the malicious script under the guise of a standard process.
This technique mirrors other recent malware campaigns, such as those distributing EDDIESTEALER, which also use fake verification steps to lower the victim’s guard and prompt actions that compromise their security.
Read more: Crocodrilus Malware Creates Fake Contacts to Deceive via Phone
How the Attack Works and Why It’s So Dangerous
When the user completes the CAPTCHA, what’s actually happening behind the scenes is quite insidious. Without the user's knowledge, the site automatically copies a hidden PowerShell command to their clipboard—a tactic known as clipboard poisoning.
Next, the site instructs the user to open the Windows “Run” dialog (by pressing Win + R), paste the content (with Ctrl + V), and press Enter. That’s the critical moment: the malicious script is executed on their computer.
This method is especially dangerous because it manipulates the user into launching the attack themselves. The use of clipboard poisoning combined with social engineering (disguising the action as a security verification step) makes the technique highly effective and difficult to detect until it’s too late.
The PowerShell Script Chain: A Multi-Stage Malware Deployment
The initial PowerShell script downloaded another file named wbdims.exe from GitHub. This file served as a persistence mechanism—meaning it ensured the malware would automatically start each time the user turned on or restarted their computer.
Although this file was no longer available at the time of the investigation, it was previously delivered via the domain docusign.sa[.]com/verification/c.php. Once executed, the user's browser automatically redirected to another page: docusign.sa[.]com/verification/s.php?an=1, triggering the next phase of the attack.
Second Stage: ZIP Delivery and Final Payload
In this second stage, another PowerShell script downloaded a ZIP file from the same server, this time with the parameter an set to "2". The ZIP archive contained an executable named jp2launcher.exe, which was executed immediately upon download. This step completed the installation of NetSupport RAT—a software that gives the attacker full remote control over the infected machine.
Why the Multi-Stage Approach?
This entire process involves several steps: one script downloads another script, which then executes another component, and so on. Why such complexity? The layered structure is likely designed to evade antivirus detection and to complicate efforts by security researchers to analyze and dismantle the attack.
Possible Attribution and Background
As of now, the identity of the attackers behind this campaign remains unknown. However, DomainTools found evidence linking it to a previously known operation called SocGholish (also known as FakeUpdates), which had already been detected back in October 2024. That operation used similar tactics: fake domains, obfuscated scripts, and sophisticated techniques to hide their tracks.
It’s important to note that NetSupport Manager, the software being used here as a Remote Access Tool (RAT), is not inherently malicious. It is a legitimate remote management tool. However, threat actors—such as FIN7, Scarlet Goldfinch, and Storm-0408—have adapted it for malicious purposes, turning it into a powerful weapon for cyberattacks.
