Cybercriminals Leverage ClickFix to Deploy NetSupport RAT in Sophisticated Attacks

Understanding the ClickFix Exploit

Cybercriminals are continuously evolving their attack techniques, and one of the latest tactics observed in 2025 is the ClickFix exploit. This method has been leveraged to deploy the NetSupport RAT (Remote Access Trojan), a tool originally designed for legitimate IT support but now repurposed by malicious actors to gain complete control over compromised systems.

ClickFix is a deceptive technique where attackers inject fake CAPTCHA webpages into compromised websites. Unsuspecting users are prompted to complete verification steps, which, in reality, trick them into executing malicious PowerShell commands. These commands then download and execute the NetSupport RAT client, allowing attackers to monitor activity, control peripherals, exfiltrate sensitive data, and execute arbitrary commands.

How NetSupport RAT Works

Once executed, NetSupport RAT enables cybercriminals to:

• Remotely control the victim’s system, including keyboard and mouse inputs.
• Capture screenshots and record audio/video.
• Upload, download, and execute files.
• Manipulate system processes and network configurations.

Originally developed as NetSupport Manager, this software was designed for IT administration and remote troubleshooting. However, in the hands of hackers, it has become a powerful surveillance tool used to steal credentials, manipulate data, and infiltrate corporate networks.

The Growing Threat: ClickFix and Lumma Stealer

Security researchers have identified that ClickFix is not just limited to NetSupport RAT deployments. The same exploit is now being used to spread an updated version of Lumma Stealer, a malware that utilizes the ChaCha20 cipher to decrypt configuration files containing a list of command-and-control (C2) servers. This evolution in attack methodologies highlights the increasing sophistication of cyber threats and the need for businesses to adopt robust cybersecurity defences.

How to Protect Against ClickFix and NetSupport RAT Attacks

1. Educate Employees and Raise Awareness

• Train employees to recognize fake CAPTCHA prompts and phishing attempts.
• Encourage cyber hygiene best practices, such as verifying website authenticity.

2. Implement Advanced Endpoint Security

• Deploy Endpoint Detection and Response (EDR) solutions to identify and block suspicious activities.
• Use behaviour-based threat detection to flag anomalous PowerShell executions.

3. Restrict PowerShell Execution

• Configure PowerShell policies to restrict script execution.
• Monitor logs for unusual command executions that could indicate a compromise.

4. Keep Systems Updated

• Regularly update software and operating systems to patch known vulnerabilities.
• Deploy multi-layered security defences to minimize risk exposure.

5. Utilize Network Traffic Monitoring

• Inspect outbound traffic for suspicious connections to unknown C2 servers.
• Implement firewall and network segmentation strategies to limit attacker movement.

How Indian Cyber Security Solutions (ICSS) Protects Businesses

At Indian Cyber Security Solutions (ICSS), we help businesses safeguard their digital assets through advanced security solutions and expert guidance. Our cutting-edge approach ensures that organizations remain resilient against evolving cyber threats, preventing breaches before they occur. By leveraging innovative technologies and proactive defense strategies, we provide businesses with the confidence to operate securely in an increasingly digital world.

Businesses must stay proactive in today's cyber landscape. Protect your organization with ICSS, your trusted cybersecurity partner. Learn more at Indian Cyber Security Solutions.

Stay Secure. Stay Ahead.