Stealthy Multi-Stage Cyberattack Uses Trusted Windows Tools to Deploy NetSupport RAT

Listen to this Post

Featured Image

Introduction

A wave of quiet, sophisticated cyber intrusions is unfolding across the internet, and most users have no idea it is happening. Security analysts at Securonix have uncovered a new multi-stage malware operation that hides in plain sight, blending encrypted payloads, nested scripts, and legitimate Windows components to compromise both personal and enterprise systems. What makes this campaign especially alarming is not the payload itself, but the precision of its delivery. Every stage is engineered to avoid detection, erase footprints, and adapt to the victim’s environment. It is a reminder that modern cyberattacks no longer smash their way into systems. They slip inside quietly, disguised as normal traffic, waiting for the perfect moment to strike. Below is a full breakdown of how this campaign works and why it matters.

Summary of the Original

A Campaign Built on Layers of Stealth

The newly discovered web-based malware attack relies on a complex, multi-stage architecture designed to deploy NetSupport RAT, a remote-control tool that has increasingly been abused by threat actors. The campaign begins when users land on compromised websites hosting an obfuscated JavaScript loader called phone.js, which is pulled from attacker-controlled domains such as boriver.com. This loader executes only once per browser session by storing markers in localStorage, an unusual evasion tactic for malicious JavaScript.

Device Profiling and Stealthy Redirects

The loader uses layered obfuscation, numeric decoding, junk content, and dynamic string tables to hide its behavior from static analysis. It profiles the device in real time. Mobile users are pushed into a full-screen iframe, while desktop users unknowingly load a remote script from domains such as stoneandjon.com. Security researchers using de-obfuscation tools like CyberChef found hidden URLs, DOM operations, and encryption keys buried under rotating string tables and nested functions.

Silent HTA Execution Through Trusted Windows Tools

Stage two involves a malicious HTML Application file, executed through mshta.exe, a legitimate Microsoft signed binary. This is classic LOLBAS behavior, where trusted system files are repurposed for malicious actions. The HTA file launches invisibly, triggering a fileless PowerShell stager that decrypts its next stage using AES-256-ECB, Base64, and GZIP. The decrypted script runs directly in memory using ExecutionPolicy Bypass, ensuring there are no traditional disk artifacts. Temporary files delete themselves automatically, wiping away evidence.

Stage Three Installs NetSupport RAT

The final decrypted PowerShell payload downloads a ZIP archive named qazx.zip from kindstki.com. Once extracted inside C:\ProgramData\CommunicationLayer, it launches client32.exe using wscript.exe through a concealed script called run.js. Persistence is achieved with a disguised shortcut named WindowsUpdate.lnk placed in the Startup folder. Once deployed, NetSupport RAT grants attackers full remote control, including file manipulation, system commands, screen capture, and proxy routing.

Infrastructure and Threat Attribution

Investigators linked the campaign to several domains and IP addresses spread across the United States and Europe. Hashes and execution traces show similarities to the JSSMUGGLER framework, known for modular and stealth-focused operations. The campaign’s design indicates financially driven threat actors or access-broker groups selling remote entry into compromised systems.

Defense Recommendations

Security teams are urged to block mshta.exe abuse, enforce strict script-execution policies, turn on detailed PowerShell logging, and monitor Startup items. The campaign’s fileless PowerShell architecture means traditional antivirus tools may not detect it. Vigilance at the behavioral and policy level remains the strongest defense.

What Undercode Say

How This Attack Redefines Modern Web-Based Intrusions

This campaign represents a significant evolution in web-delivered malware. Instead of relying on a single exploit or a direct payload drop, the attackers engineered a multi-stage funnel that adapts to its environment. The first smart decision comes from limiting execution to a single session. This drastically reduces noise, making the attack appear almost random during forensic review. Modern attackers understand that noise is the enemy, and this campaign operates as quietly as possible.

Why Trusted Windows Components Make the Attack Dangerous

The use of mshta.exe and wscript.exe is a key strategic choice. These binaries are part of every Windows system, digitally signed, and frequently whitelisted. They do not raise immediate suspicion. By chaining trusted components together, the attackers use Windows against itself. Organizations relying solely on signature-based detection will see nothing suspicious, because everything looks legitimate.

PowerShell as the Perfect Disguise

The attackers continue leveraging legitimate tools in the PowerShell stage. Fileless execution is one of the most effective evasion techniques today. When code runs only in memory, endpoint detection must rely on behavioral analytics. Many smaller organizations do not have these advanced capabilities, giving attackers a wide area of opportunity.

Why NetSupport RAT Remains a Popular Choice

NetSupport RAT is not a dangerous tool by design. It was created for remote administration. This is exactly why attackers love it. Its traffic patterns look normal, its executables are often allowed through filters, and its capabilities are extensive. From a threat actor’s perspective, it provides everything needed to control a system without building custom malware.

Infrastructure Links Suggest Commercialized Cybercrime

The mix of American and European servers, rotating domains, and modular PowerShell scripts points to organized groups that build attack frameworks as products. This aligns with the growing market of access-broker networks. These groups do not always deploy ransomware themselves, but they sell system access to those who will. Campaigns like this are often the preparation phase for larger attacks.

Wider Implications for Enterprises and Users

Organizations must assume that any script-based interaction on the web may hide multi-layered logic. Cybercriminals are moving away from brute force and toward tactical precision. The campaign demonstrates how easily a user can become compromised by doing something entirely normal, like visiting a website. Once attackers infiltrate the system with NetSupport RAT, they can escalate privileges, exfiltrate data, or prepare the environment for ransomware.

The Real Lesson Behind This Campaign

This operation underscores a key principle: the line between legitimate tools and malicious use continues to blur. Cybersecurity is no longer merely about blocking malware. It is about monitoring behavior, enforcing policy, and identifying when trusted components are performing actions they were never meant to do.

🔍 Fact Checker Results

The malware chain genuinely uses mshta.exe and wscript.exe for stealthy execution. ✅

NetSupport RAT is confirmed as the final payload, commonly abused in cybercrime operations. ✅

Infrastructure attribution is still uncertain and may involve multiple threat groups, not a single actor. ❌

📊 Prediction

Cybercriminals will continue shifting toward modular, script-driven, fileless attacks. 🔮
Enterprises without behavioral analytics will face increased exposure to stealthy RAT deployments. ⚠️
Expect more abuse of legitimate administration tools as attackers refine their evasion techniques. 🔧

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon