
Cybercriminals are increasingly utilizing a tactic known as “ClickFix” to deploy the NetSupport remote administration tool (RAT) for malicious activities.
According to a report from eSentire’s Threat Response Unit (TRU), threat actors have transitioned their primary delivery method from fake software updates to the ClickFix initial access vector throughout 2025. This strategy exploits a legitimate remote support service to deceive users into granting attackers control over their systems.
The attack employs social engineering techniques, directing victims to a ClickFix page where they are instructed to paste a malicious command into the Windows Run prompt. Executing this command initiates a multi-stage infection process, starting with a loader script that downloads and installs the NetSupport RAT, thereby granting attackers full remote control over the compromised machine.

Evolving Loader Tactics
TRU researchers have identified several distinct loader types used in these campaigns. The most prevalent is a PowerShell-based loader that retrieves a JSON file containing the NetSupport payloads encoded in Base64. The script decodes these payloads, writes them to a hidden directory, and establishes persistence by creating a shortcut in the Windows startup folder, ensuring the RAT runs automatically upon system reboot.

A more recent variant of the PowerShell loader attempts to cover its tracks by deleting registry values from the RunMRU key, effectively removing evidence of the initial command execution. A less common method involves using the legitimate Windows Installer service (msiexec.exe) to download and execute malicious MSI packages that ultimately deploy the RAT. These evolving tactics indicate that attackers are actively refining their methods to evade detection and analysis.
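As an added defender-side illustration (not code from eSentire's report), the following PowerShell hunt checks a single host for the two artifacts described above: the RunMRU history that a pasted ClickFix command leaves behind (or its suspicious absence after cleanup) and Startup-folder shortcuts that resolve into hidden directories. The keyword list and the client32.exe file name are the editor's assumptions, not indicators taken from the article.

```powershell
# Added hunt script, not from the eSentire report. Run in the context of the
# user being investigated. Keyword list and client32.exe are assumptions.
$findings = @()

# 1. Run-prompt history. ClickFix has the victim paste a command into Win+R,
#    which Windows records under RunMRU. A loader that wipes the key leaves
#    it empty or absent, which is itself worth flagging on an active user.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$suspectTokens = @('powershell', 'pwsh', 'msiexec', 'mshta', 'curl', 'http', '-enc', 'iex', 'invoke-expression')
$metaProps = @('MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
if (Test-Path $runMru) {
    $props   = Get-ItemProperty -Path $runMru
    $entries = $props.PSObject.Properties | Where-Object { $_.Name -notin $metaProps }
    if (-not $entries) {
        $findings += [pscustomobject]@{ Source = 'RunMRU'; Detail = 'Key present but empty (possible cleanup by loader)' }
    }
    foreach ($e in $entries) {
        $cmd = [string]$e.Value
        if ($suspectTokens | Where-Object { $cmd -match [regex]::Escape($_) }) {
            $findings += [pscustomobject]@{ Source = 'RunMRU'; Detail = $cmd }
        }
    }
} else {
    $findings += [pscustomobject]@{ Source = 'RunMRU'; Detail = 'Key missing (possible cleanup by loader)' }
}

# 2. Startup-folder shortcuts. The loader persists through a .lnk in the
#    user's Startup folder that points at the RAT dropped in a hidden directory.
$startup = [Environment]::GetFolderPath('Startup')
$shell   = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target) {
        $dir = Split-Path $target -Parent
        $dirHidden = (Test-Path $dir) -and ((Get-Item $dir -Force).Attributes -band [IO.FileAttributes]::Hidden)
        # client32.exe is the NetSupport client binary name (assumption, not from the article)
        if ($dirHidden -or $target -match 'client32\.exe$') {
            $findings += [pscustomobject]@{ Source = 'Startup'; Detail = "$($_.Name) -> $target" }
        }
    }
}

$findings | Format-Table -AutoSize
```

Treat hits as triage leads rather than verdicts: the token list will also match benign Run-prompt history, and a missing RunMRU key is normal on an account that has never used Win+R.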
Tracking the Threat Actors
Analysis of the campaigns has enabled researchers to cluster the activity into three distinct threat groups based on their tools and infrastructure. The first group, referred to as the “EVALUSION” campaign, is highly active and employs a diverse array of loaders and infrastructure across multiple countries. The “FSHGDREE32/SGI” cluster primarily utilizes bulletproof hosting in Eastern Europe. A third, separate actor, known as “XMLCTL” or UAC-0050, utilizes different techniques, including MSI-based loaders and commercial US-based hosting, suggesting a different operational strategy.
To counter these threats, experts recommend organizations disable the Run prompt via Group Policy, block unauthorized remote management tools, and implement comprehensive security awareness training for employees.