Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

Kaspersky Security Blog

Check Point Research

Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

SANS ISC Handlers Diary

SecurityWeek

Threatpost

Dark Reading

Exploit-DB RSS Feed

The Hacker News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

CastleLoader, a versatile malware loader, has infected 469 devices since May 2025 using Cloudflare-themed ClickFix phishing and fake GitHub repositories. It delivers information stealers and RATs, with a 28.7% infection rate. The malware employs sophisticated techniques, including PowerShell and AutoIT scripts, to load shellcode into memory and connect to C2 servers. CastleLoader's modular design allows deployment of multiple payloads, including StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, and SectopRAT. Its campaigns target U.S. government entities and use legitimate file-sharing services and compromised websites for payload retrieval, enhancing resilience against takedowns.

CastleLoader is a sophisticated and modular malware loader that has been active since at least May 2025, infecting 469 devices with a notable infection rate of 28.7%. It primarily spreads through phishing campaigns themed around Cloudflare ClickFix and fake GitHub repositories, leveraging social engineering to trick users into executing malicious payloads. Technically, CastleLoader employs advanced techniques such as PowerShell and AutoIT scripting to load shellcode directly into memory, thereby evading traditional disk-based detection mechanisms. Once executed, it establishes connections to command and control (C2) servers to receive further instructions and payloads. Its modular architecture allows it to deploy a variety of payloads, including information stealers like StealC, DeerStealer, and RedLine, as well as remote access trojans (RATs) such as NetSupport RAT, HijackLoader, and SectopRAT. The malware’s use of legitimate file-sharing services and compromised websites for payload delivery enhances its resilience against takedown efforts and complicates detection. The campaigns have specifically targeted U.S. government entities, indicating a focus on high-value targets. The malware also incorporates multiple MITRE ATT&CK techniques such as T1053 (Scheduled Task), T1140 (Deobfuscate/Decode Files or Information), T1036 (Masquerading), T1055 (Process Injection), T1497 (Virtualization/Sandbox Evasion), T1102 (Web Service), T1204 (User Execution), and others, demonstrating a multi-faceted approach to persistence, evasion, and command and control.

Detailed information about CastleLoader Analysis. Get real-time updates, technical details, and mitigation strategies.

CastleLoader Analysis - Live Threat Intelligence - Threat Radar | OffSeq.com

CastleLoader Analysis

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.

This threat involves a sophisticated attack campaign leveraging compromised WordPress websites to distribute a malicious variant of the NetSupport Manager Remote Access Tool (RAT). The attackers initiate the infection chain through phishing campaigns that lure victims to compromised WordPress sites. These sites have been manipulated using Document Object Model (DOM) techniques and injected JavaScript files to evade detection and present a fake CAPTCHA page, increasing the likelihood of user interaction and trust. Upon interaction, a batch file is downloaded and executed on the victim's machine, which subsequently downloads and runs the NetSupport Client component. NetSupport Manager is a legitimate remote administration tool often used for remote support, but in this context, it is weaponized as a RAT to provide attackers with persistent remote access. Post-infection, the attackers exploit NetSupport's built-in capabilities for reconnaissance, lateral movement, and further exploitation within the victim environment. The attack infrastructure is linked to multiple IP addresses and domains, many associated with hosting providers in Moldova, indicating a geographically clustered command and control setup. The use of compromised WordPress sites and phishing campaigns highlights a multi-stage attack vector combining social engineering, web compromise, and malware deployment. The threat actors employ advanced evasion techniques such as DOM manipulation and multiple JavaScript payloads to avoid detection by security tools. Although no specific CVE or known exploits in the wild are reported, the attack leverages common tactics, techniques, and procedures (TTPs) including phishing (T1566), execution through batch files (T1059.003), remote access (T1021.001), persistence (T1547.001), and reconnaissance (T1082, T1016). The medium severity rating reflects the complexity and potential impact of the attack, though it requires user interaction and initial phishing success to propagate.

Detailed information about Deploying NetSupport RAT via WordPress & ClickFix. Get real-time updates, technical details, and mitigation strategies.

Deploying NetSupport RAT via WordPress & ClickFix - Live Threat Intelligence - Threat Radar | OffSeq.com

Deploying NetSupport RAT via WordPress & ClickFix

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetSupport RAT, Latrodectus, and Lumma Stealer. ClickFix lures often use clipboard hijacking and can bypass standard detection controls. The article provides case studies of recent campaigns, hunting tips for detecting ClickFix infections, and recommendations for proactive defense measures. It emphasizes the importance of user education and implementing robust security controls to mitigate this evolving threat.

The ClickFix attack vector is a social engineering technique increasingly leveraged by threat actors to deceive victims into executing malicious commands under the pretense of quick fixes for computer issues. This method exploits user trust and urgency, often presenting itself as an immediate solution to a technical problem. The campaigns utilizing ClickFix have been observed distributing a range of malware families, including NetSupport RAT (Remote Access Trojan), Latrodectus, and Lumma Stealer, which are capable of remote control, information theft, and persistence on infected systems. A notable technical aspect of ClickFix attacks is the use of clipboard hijacking, where the attacker manipulates the victim's clipboard content to insert malicious commands or URLs, thereby bypassing traditional detection mechanisms that focus on direct execution or file-based signatures. The attacks frequently employ scripting languages such as PowerShell and automation tools like AutoIt to execute payloads stealthily. The technique also involves typosquatting to lure victims into interacting with malicious domains or files. The referenced MITRE ATT&CK techniques include process injection (T1055), command and scripting interpreter usage (T1059.001, T1059.003), clipboard data manipulation (T1056.001), and user execution (T1204), among others, highlighting the multi-faceted nature of the attack chain. Detection and mitigation require a combination of user education to recognize social engineering cues and robust endpoint security controls capable of monitoring clipboard activity, script execution, and anomalous process behaviors. The article emphasizes proactive hunting strategies and case studies that illustrate the evolving sophistication of ClickFix campaigns.

Detailed information about Fix the Click: Preventing the ClickFix Attack Vector. Get real-time updates, technical details, and mitigation strategies.

Fix the Click: Preventing the ClickFix Attack Vector - Live Threat Intelligence - Threat Radar | OffSeq.com

Fix the Click: Preventing the ClickFix Attack Vector

Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.

The threat described involves a newly uncovered infrastructure linked to GrayAlpha, a threat actor associated with the financially motivated cybercrime group FIN7. The key technical components include a custom PowerShell loader named PowerNet, which is used to deploy the NetSupport Remote Access Trojan (RAT), and another loader called MaskBat. These loaders facilitate the covert installation and execution of malicious payloads on victim systems. The attackers employ three primary infection vectors: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. These vectors are designed to socially engineer victims into executing malicious code by masquerading as legitimate software updates or downloads. At the time of analysis, only the fake 7-Zip download sites remained active, indicating a possible shift in attacker tactics or operational focus.

The PowerNet loader leverages PowerShell, a legitimate Windows scripting environment, to evade detection and execute payloads in-memory, complicating traditional signature-based defenses. The NetSupport RAT deployed by PowerNet provides attackers with extensive remote control capabilities, including data exfiltration, credential theft, and lateral movement within networks. MaskBat likely serves as an additional loader or persistence mechanism, although specific technical details are limited. The use of multiple infection vectors and loaders demonstrates the adversary's sophistication and adaptability.

The TAG-124 traffic distribution system is a known infrastructure component used to manage and distribute malicious traffic, further indicating a well-resourced and organized campaign. The threat actor employs various MITRE ATT&CK techniques such as T1218.011 (signed binary proxy execution), T1204.002 (user execution via malicious file), T1583.001 (establishing infrastructure), T1055 (process injection), T1059.001 and T1059.003 (PowerShell and command-line interface), T1547.001 (registry run keys for persistence), T1102.002 (web service communication), T1071.001 (application layer protocol), T1204.001 (user execution via malicious link), T1569.002 (service execution), and T1584.001 (compromise infrastructure). This indicates a multi-faceted attack chain involving social engineering, code execution, persistence, and command and control.

The identification of a potential individual involved in GrayAlpha operations suggests ongoing intelligence efforts to attribute and disrupt this threat actor. Overall, this campaign highlights the need for layered security controls, including behavioral detection, application allow-listing, and continuous user awareness training to mitigate the risk posed by such advanced threats.

Detailed information about New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks. Get real-time updates, technical details, and mitigation st

New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks - Live Threat Intelligence - Threat Radar | OffSeq.com

New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks

A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses clipboard poisoning and fake CAPTCHAs to deliver the malware. The campaign involves multiple domains, uses ROT13 encoding, and creates persistent infections. Similar techniques were observed in other spoofed content, including Okta and popular media apps. The attack capitalizes on user familiarity with common online interactions, emphasizing the need for vigilance and skepticism in online activities.

The described threat is a sophisticated social engineering and malware campaign that leverages human trust to infect Windows systems with the NetSupport Remote Access Trojan (RAT). The attack begins with threat actors setting up deceptive websites that mimic legitimate services such as Gitcodes and DocuSign verification pages. These spoofed sites employ fake CAPTCHA challenges and clipboard poisoning techniques to trick users into executing malicious PowerShell scripts. The use of ROT13 encoding and multiple domains adds obfuscation layers, complicating detection and analysis. The multi-stage infection chain involves initial user interaction to run scripts, which then download and install the NetSupport RAT, a well-known remote access tool often abused for unauthorized control and data exfiltration. The campaign also uses persistence mechanisms to maintain long-term access on compromised machines. Similar tactics have been observed targeting other widely used platforms like Okta and popular media applications, indicating a broad and adaptable attack methodology. The campaign exploits common user behaviors and trusted online interactions, making it particularly effective against less security-aware individuals. The attack techniques correspond to several MITRE ATT&CK tactics and techniques, including spearphishing via service (T1566.002), masquerading (T1036), PowerShell execution (T1059.001), persistence (T1547.001), and user execution (T1204.001), among others.

Detailed information about How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme. Get real-time updates, technical deta

How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme - Live Threat Intelligence - Threat Radar | OffSeq.com

How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically includes PowerShell commands and the use of legitimate Windows tools to download and execute additional payloads. Common malware delivered through this technique includes Lumma Stealer, NetSupport RAT, and SectopRAT. The success of ClickFix relies heavily on social engineering and user interaction, making user education and awareness crucial in mitigating these attacks. Recommendations include training users to recognize suspicious requests, restricting PowerShell execution, and deploying advanced EDR solutions.

The ClickFix threat represents a sophisticated social engineering attack that leverages user fatigue with CAPTCHA verification processes to deliver Remote Access Trojans (RATs) and infostealer malware. Attackers compromise legitimate websites and embed fraudulent CAPTCHA images designed to deceive users into solving them. Upon user interaction, these CAPTCHAs trigger the execution of malicious PowerShell commands, which utilize legitimate Windows tools to download and execute additional payloads. This technique exploits the trust users place in CAPTCHA challenges, weaponizing verification fatigue to bypass traditional security controls. The malware families commonly delivered through this attack chain include Lumma Stealer, NetSupport RAT, and SectopRAT, all of which are capable of stealing sensitive information and providing attackers with persistent remote access. The attack heavily relies on social engineering tactics, requiring user interaction to succeed. The use of PowerShell and living-off-the-land binaries (LOLBins) complicates detection, as these tools are legitimate system components often whitelisted in enterprise environments. The absence of known exploits in the wild suggests this is an emerging threat, but the complexity and stealth of the attack vector make it a significant concern. Mitigation strategies focus on user education to recognize suspicious CAPTCHA requests, restricting or monitoring PowerShell execution policies, and deploying advanced Endpoint Detection and Response (EDR) solutions capable of detecting anomalous script execution and network activity related to these malware families.

Detailed information about Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers. Get real-time updates, techni

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers - Live Threat Intelligence - Threat Radar | OffSeq.com

Title	Severity	Type	Source	Date

Threats Tagged 'netsupport rat'

Filter Threats

Scan a website for live threats in under a minute

Threats Tagged 'netsupport rat'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility