Malware, Security Operations

JS#SMUGGLER campaign delivers NetSupport RAT via multi-stage attack

Plain code with the word "cyberattack" in red.

As reported by HackRead, a sophisticated malware campaign dubbed JS#SMUGGLER has been identified, capable of delivering the potent NetSupport RAT to gain covert control over victim computers. Security analytics platform Securonix detailed the three-stage infection process designed to evade detection.

The JS#SMUGGLER campaign begins when a user visits a compromised website, triggering an obfuscated JavaScript loader. This script checks for desktop users and runs only once to avoid suspicion before fetching the next stage. The second stage involves a hidden HTML Application (HTA) executed via mshta.exe. This HTA contains heavily encrypted code, layered with AES-256-ECB, Base64, and GZIP, ensuring it decodes only in memory and avoids writing malicious files to disk. The final stage deploys NetSupport RAT, a legitimate IT tool repurposed by attackers for malicious remote access. Once installed, the RAT allows hackers to take full control of desktops, steal files, execute commands, and conduct surveillance. The malware is made persistent through a fake startup shortcut, such as one named WindowsUpdate.lnk, ensuring it launches automatically upon login.

The multi-layered tactics employed by JS#SMUGGLER highlight the evolving sophistication of cyber threats. This campaign underscores the critical need for enhanced endpoint defenses capable of detecting suspicious script activity and unauthorized process execution. Users are advised to exercise extreme caution with software downloads and to maintain vigilance against advanced persistent threats that leverage legitimate tools for malicious purposes.

Source: HackRead

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds