Hackers Exploit ClickFix to Spread NetSupport RAT and Lumma Stealer via Fake CAPTCHA
February 11, 2025
Since early January 2025, threat actors have been using the ClickFix technique to deliver the NetSupport RAT, a remote access trojan.
This malicious software allows attackers to monitor screens, control keyboards and mice, upload and download files, and execute harmful commands.
Originally designed as NetSupport Manager for legitimate IT support, the software has been repurposed to target organizations and steal sensitive information.
NetSupport RAT is distributed through fake websites and fraudulent browser updates, granting attackers full control over the victim's device.
The ClickFix technique works by injecting a fake CAPTCHA webpage into compromised sites, tricking users into executing harmful PowerShell commands.
These PowerShell commands fetch the NetSupport RAT client from remote servers, often disguised as PNG image files.
In addition to the NetSupport RAT, the ClickFix method is also being used to propagate an updated version of Lumma Stealer malware, which now employs the ChaCha20 cipher for decrypting its configuration files.
These developments highlight the evolving tactics of malware developers, who are continuously adapting to evade current detection and analysis tools.
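For defenders, the PNG disguise described above can be checked by comparing a file's name with its actual structure. The following is an added example, not code from the article or its source; the PE and ZIP signatures, the function names and the sample files are assumptions, since the article does not say what the disguised files contain.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed payload formats; the article does not say what the fake PNGs contain.
OTHER_MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip-archive"}

def classify_png_named(data: bytes) -> str:
    """Classify bytes that arrived under a .png name by their real structure."""
    if not data.startswith(PNG_SIG):
        for magic, kind in OTHER_MAGIC.items():
            if data.startswith(magic):
                return "not-png:" + kind
        return "not-png:unknown"
    pos = len(PNG_SIG)
    # Walk chunks: 4-byte length, 4-byte type, body, 4-byte CRC over type+body.
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return "png-truncated"
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            return "png-bad-crc"
        pos = end
        if ctype == b"IEND":
            # Anything after IEND is ignored by image viewers but still on disk.
            return "png" if pos == len(data) else "png+trailing-data"
    return "png-truncated"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as the known-good sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")

def suspicious(files: dict) -> dict:
    """Return {name: verdict} for every .png-named entry that is not a clean PNG."""
    verdicts = {n: classify_png_named(d) for n, d in files.items() if n.lower().endswith(".png")}
    return {n: v for n, v in verdicts.items() if v != "png"}

if __name__ == "__main__":
    constructed = {  # constructed sample inputs, not real artifacts
        "logo.png": sample_png(),
        "update.png": b"MZ" + bytes(62),
        "banner.png": sample_png() + b"PK\x03\x04" + bytes(8),
    }
    for name, verdict in suspicious(constructed).items():
        print(name, verdict)
```

A verdict other than `png` is a triage signal for a file written by a PowerShell download, not proof of malice.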
Summary based on 1 source
Source

The Hacker News • Feb 11, 2025
Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks