Cyber Web Spider Blog – News

Hackers Use ClickFix Technique to Deploy NetSupport RAT via Compromised WordPress Sites

Posted on July 8, 2025 By CWS

Security researchers have uncovered a sophisticated cyberattack campaign leveraging compromised WordPress websites to distribute the NetSupport Remote Access Trojan through an innovative social engineering method dubbed “ClickFix.”

The Cybereason Global Security Operations Center (GSOC) discovered the campaign in May 2025, revealing how threat actors are weaponizing legitimate remote access tools to gain unauthorized control over victim computers.

The attack represents a significant evolution in cybercriminal tactics, combining website compromise with psychological manipulation to bypass modern security defenses.

Multi-Stage Attack Chain

The campaign begins with phishing emails, PDF attachments, or malicious links posted on gaming websites that redirect users to compromised WordPress sites.

Once visitors land on these infected pages, malicious JavaScript code hidden in the website’s meta description automatically loads and executes a remote script called “j.js” from the domain islonline.org.

“The attackers are specifically targeting Windows users and have built-in mechanisms to avoid detection,” said cybersecurity analysts familiar with the investigation.

The malicious script first identifies the user’s operating system and browser details, then checks whether they have visited the site before, using local storage tracking to minimize exposure.

Figure: Attack chain

The most innovative aspect of the attack involves what researchers call the “ClickFix” technique.

After the initial infection, victims are presented with a fake CAPTCHA verification page that appears legitimate, complete with modern styling using React frameworks and TailwindCSS.

However, instead of verifying human interaction, the page secretly copies a malicious PowerShell command to the user’s clipboard.

Clipboard Hijacking Deception

The fake CAPTCHA then instructs users to press Windows + R and paste the “verification code” into the Run dialog box.

Believing they are completing a standard security check, victims unknowingly execute a command that downloads and installs the NetSupport Client software.

“This technique is particularly insidious because it exploits user familiarity with CAPTCHA challenges while bypassing browser security controls,” explained security researchers.

Figure: ClickFix attack chain

“The users themselves perform the final execution step, evading automated detection systems.” Once installed, the NetSupport Client establishes a persistent connection to command-and-control servers located in Moldova.

The malware creates registry entries for persistence and can survive system reboots, allowing attackers to maintain long-term access to compromised systems.

Post-Infection Activities

Within hours of a successful compromise, threat actors were observed conducting reconnaissance activities, including querying Active Directory for domain computers and transferring information to public directories.

The attackers use NetSupport’s legitimate remote command prompt feature to execute commands such as “net group /domain ‘Domain Computers’” to map the network infrastructure.

According to threat intelligence data, NetSupport Manager ranked as the seventh most prevalent threat in 2024, with cybercriminals increasingly favoring legitimate tools to blend malicious activities with normal IT operations.

Security experts recommend immediate isolation of affected systems, password resets for compromised accounts, and blocking of known malicious domains and IP addresses.

Organizations should also implement monitoring for unusual PowerShell activity and clipboard manipulation in browser contexts.

“The key is recognizing that any instruction requiring users to paste commands into Windows Run dialogs should be treated as highly suspicious,” security researchers emphasized.
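As an added example (not from the original article or from Cybereason): Windows records commands launched from the Run dialog per user under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so that key can be triaged for entries that look like a pasted "verification code". The rule set, function names and sample entries below are assumptions constructed for illustration.

```python
import re

# Heuristic rules (assumptions for this example; tune per environment).
RULES = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b", re.I),
    "download": re.compile(r"https?://|\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|bitsadmin)\b", re.I),
    "hidden_or_encoded": re.compile(r"-w(indowstyle)?\s+h(idden)?\b|-e(nc\w*)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "captcha_lure": re.compile(r"captcha|verif|robot|human", re.I),
}

def score_run_entry(entry):
    """Return (suspicious, matched_rule_names) for one RunMRU value."""
    cmd = entry[:-2] if entry.endswith("\\1") else entry  # values end in "\1"
    hits = sorted(name for name, rx in RULES.items() if rx.search(cmd))
    # A bare "cmd" or "powershell" is normal admin use; require a second signal.
    return ("script_host" in hits and len(hits) >= 2), hits

def triage(entries):
    """Keep only the entries that look like paste-and-run lures."""
    return [(e, hits) for e in entries for ok, hits in [score_run_entry(e)] if ok]

def read_run_mru():
    """Read the current user's Run-dialog history (Windows only)."""
    import winreg  # imported lazily so the scoring code runs anywhere
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        count = winreg.QueryInfoKey(key)[1]
        values = [winreg.EnumValue(key, i) for i in range(count)]
    return [str(v) for name, v, _ in values if name != "MRUList"]

# Constructed sample entries; the lure line is a defanged placeholder, not a real command.
SAMPLE = [
    "notepad\\1",
    "cmd\\1",
    "\\\\fileserver\\humanresources\\1",
    'powershell -w hidden -c "[placeholder: fetch https://example.invalid/a]" # CAPTCHA verification ID 4821\\1',
]

if __name__ == "__main__":
    for entry, hits in triage(SAMPLE):
        print("SUSPICIOUS", hits, entry)
```

On a Windows host, `triage(read_run_mru())` applies the same rules to the live key; a hit is a lead for investigation, not proof of compromise.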

Website administrators are advised to regularly audit WordPress themes and plugins for unauthorized script injections.
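One way to start such an audit, as an added example that is not part of the original article: parse each rendered page and flag a meta description that carries script-like markup, plus any script loaded from a host outside an allowlist. The rule set, host names and sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markup that has no business inside a meta description (assumed rule set).
SCRIPTY = re.compile(r"<\s*script|javascript:|document\.|eval\(|atob\(|\bsrc\s*=", re.I)

class PageAudit(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "description":
            # The parser has already decoded entities such as &lt; in the value.
            if SCRIPTY.search(a.get("content", "")):
                self.findings.append(("meta-script", a["content"][:80]))
        elif tag == "script" and a.get("src"):
            host = (urlparse(a["src"]).hostname or "").lower()
            # Relative URLs have no host and are served by the site itself.
            if host and host not in self.allowed:
                self.findings.append(("external-script", host))

def audit_html(html, allowed_hosts):
    """Return a list of (kind, detail) findings for one HTML document."""
    parser = PageAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: blog.example.test is the site, cdn.example.invalid is unexpected.
SAMPLE_PAGE = """<html><head>
<meta name="description" content="Family recipes &lt;script src=//cdn.example.invalid/j.js&gt;&lt;/script&gt;">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://blog.example.test/wp-content/themes/x/app.js"></script>
<script src="https://cdn.example.invalid/j.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_PAGE, {"blog.example.test"}):
        print(kind, detail)
```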

The campaign highlights the evolving threat landscape where attackers increasingly rely on social engineering rather than technical exploits to achieve their objectives.
