Ethical Hacking News
A newly uncovered malware campaign, tracked as JS#SMUGGLER, uses compromised websites to deploy a remote access trojan (RAT) named NetSupport RAT. The attack chain has three main moving parts: an obfuscated JavaScript loader, an HTML Application (HTA) that runs encrypted PowerShell stagers using "mshta.exe," and a PowerShell payload designed to download and execute the main malware. Experts stress the importance of deploying strong defenses against such attacks.
According to cybersecurity researchers at Securonix, the chain begins with an obfuscated JavaScript loader injected into a compromised website, continues with an HTA that executes encrypted PowerShell stagers through "mshta.exe," and ends with a PowerShell payload whose job is to retrieve and run the main malware. The attackers rely on hidden iframes, obfuscated loaders, and layered script execution to distribute it.
The attackers use compromised websites as a distribution vector for their malware, employing advanced techniques such as hidden iframes, obfuscated loaders, and layered script execution. The silent redirects embedded into the infected websites act as a conduit for the heavily scrambled JavaScript loader ("phone.js") retrieved from an external domain. This loader profiles the device to determine whether to serve a full-screen iframe (when visiting from a mobile phone) or load another remote second-stage script (when visiting from a desktop).
The invisible iframe directs the victim to a malicious URL, which in turn downloads a remote script that builds, at runtime, the URL from which an HTA payload is fetched and executed using "mshta.exe." The HTA payload is itself another loader: it writes a temporary PowerShell stager to disk, decrypts it, and executes the result directly in memory to evade detection.
Furthermore, the HTA file runs stealthily by disabling all visible window elements and minimizing the application at startup. Once the decrypted payload is executed, it removes the PowerShell stager from disk and terminates itself, leaving as little forensic trail as possible.
The primary goal of the decrypted PowerShell payload is to retrieve and deploy NetSupport RAT, granting the attacker complete control over the compromised host. The sophistication and layered evasion techniques used in this campaign strongly indicate an actively maintained, professional-grade malware framework.
According to experts, defenders should deploy strong CSP enforcement, script monitoring, PowerShell logging, mshta.exe restrictions, and behavioral analytics to detect such attacks effectively. This malicious campaign highlights the importance of vigilance when it comes to online security and the need for robust defenses against malware attacks.
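As an added illustration of the "PowerShell logging, mshta.exe restrictions, and behavioral analytics" recommendation (example code written for this page, not from the article or from Securonix), the script below runs a few detection heuristics over process-creation records shaped like the fields Sysmon Event ID 1 provides: mshta.exe launched with a remote URL, powershell.exe spawned as a child of mshta.exe, and PowerShell started with a hidden window or an -EncodedCommand argument, which it decodes from the UTF-16LE base64 form PowerShell expects. The sample events, process IDs, the `example.invalid` URL and the encoded command are all constructed for the demonstration and are not indicators from the campaign.

```python
"""Detection heuristics for an mshta.exe -> PowerShell stager chain (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass
from ntpath import basename  # handles Windows paths even when run on Linux


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (a subset of Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# PowerShell accepts several abbreviations of -EncodedCommand and -WindowStyle.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:windowstyle|w)\s+hidden", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        # PowerShell encodes the command as base64 over UTF-16LE bytes.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(events):
    """Return (rule_name, pid) findings for every event that trips a heuristic."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for event in events:
        name = basename(event.image).lower()
        parent = by_pid.get(event.ppid)
        parent_name = basename(parent.image).lower() if parent else ""

        # Rule 1: mshta.exe fetching an HTA from a remote URL.
        if name == "mshta.exe" and URL_RE.search(event.cmdline):
            findings.append(("mshta_remote_hta", event.pid))

        if name == "powershell.exe":
            # Rule 2: parent/child chain mshta.exe -> powershell.exe.
            if parent_name == "mshta.exe":
                findings.append(("powershell_spawned_by_mshta", event.pid))
            # Rule 3: encoded command line (decoded for the analyst's review).
            if decode_encoded_command(event.cmdline) is not None:
                findings.append(("powershell_encoded_command", event.pid))
            # Rule 4: hidden window, as used to keep the stager out of sight.
            if HIDDEN_RE.search(event.cmdline):
                findings.append(("powershell_hidden_window", event.pid))
    return findings


# Constructed sample telemetry (hypothetical pids, paths and URL).
_STAGER_TEXT = "Write-Output 'constructed stager placeholder'"
_ENCODED_SAMPLE = base64.b64encode(_STAGER_TEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Browser\browser.exe", "browser.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/loader.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _ENCODED_SAMPLE),
    # Benign administrative PowerShell run for contrast; should produce no findings.
    ProcEvent(400, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[2].cmdline))
```

In production these rules would read real Sysmon or EDR process events instead of the constructed list, and rule 2 (the parent/child chain) is the one worth alerting on by itself; rules 3 and 4 fire on enough legitimate automation that they work better as enrichment for an analyst than as stand-alone alerts.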
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Malware-Campaign-Exposes-the-Dark-Side-of-Compromised-Websites-ehn.shtml
https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
https://cybermaterial.com/netsupport-rat-trojan-malware/
https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html
Published: Mon Dec 8 13:09:09 2025 by llama3.2 3B Q4_K_M