Reddit NetSec

AlienVault OTX General

CVE Database V5

Reddit InfoSec News

Exploit-DB RSS Feed

CIRCL OSINT Feed

ThreatFox MISP Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.

This threat involves a sophisticated attack campaign leveraging compromised WordPress websites to distribute a malicious variant of the NetSupport Manager Remote Access Tool (RAT). The attackers initiate the infection chain through phishing campaigns that lure victims to compromised WordPress sites. These sites have been manipulated using Document Object Model (DOM) techniques and injected JavaScript files to evade detection and present a fake CAPTCHA page, increasing the likelihood of user interaction and trust. Upon interaction, a batch file is downloaded and executed on the victim's machine, which subsequently downloads and runs the NetSupport Client component. NetSupport Manager is a legitimate remote administration tool often used for remote support, but in this context, it is weaponized as a RAT to provide attackers with persistent remote access. Post-infection, the attackers exploit NetSupport's built-in capabilities for reconnaissance, lateral movement, and further exploitation within the victim environment. The attack infrastructure is linked to multiple IP addresses and domains, many associated with hosting providers in Moldova, indicating a geographically clustered command and control setup. The use of compromised WordPress sites and phishing campaigns highlights a multi-stage attack vector combining social engineering, web compromise, and malware deployment. The threat actors employ advanced evasion techniques such as DOM manipulation and multiple JavaScript payloads to avoid detection by security tools. Although no specific CVE or known exploits in the wild are reported, the attack leverages common tactics, techniques, and procedures (TTPs) including phishing (T1566), execution through batch files (T1059.003), remote access (T1021.001), persistence (T1547.001), and reconnaissance (T1082, T1016). The medium severity rating reflects the complexity and potential impact of the attack, though it requires user interaction and initial phishing success to propagate.

Detailed information about Deploying NetSupport RAT via WordPress & ClickFix. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'fake captcha'

Filter Threats

Threats Tagged 'fake captcha'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility