<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>ClickFix on</title><link>/tags/clickfix/</link><description>Recent content in ClickFix on</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sun, 17 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="/tags/clickfix/index.xml" rel="self" type="application/rss+xml"/><item><title>NetSupport RAT via ClickFix</title><link>/posts/netsupportrat/</link><pubDate>Sun, 17 May 2026 00:00:00 +0000</pubDate><guid>/posts/netsupportrat/</guid><description>&lt;ul>
&lt;li>Reading time: 10 min&lt;/li>
&lt;/ul>
&lt;h1 id="clickfix-phishing-campaign-delivering-netsupport-rat">ClickFix Phishing Campaign Delivering NetSupport RAT&lt;/h1>
&lt;p>A multi-stage attack chain leveraging fake property review portals, ClickFix social engineering, and a custom MSI dropper to establish persistent remote access via NetSupport Manager.&lt;/p>
&lt;h2 id="executive-summary">Executive Summary&lt;/h2>
&lt;p>A threat actor is operating a sophisticated phishing campaign impersonating Booking.com, directing victims to fraudulent property review portals. A ClickFix lure tricks users into executing a malicious msiexec command that downloads and installs a custom MSI dropper from attacker-controlled IP addresses. The dropper deploys a VBScript installer that extracts password-protected archives, establishes persistence via the Windows Startup folder, and launches a silently configured NetSupport Manager client, granting the attacker full remote access to compromised machines. All staging files are deleted upon completion to impede forensic investigation. Two C2 domains masquerade as CDN infrastructure to blend into normal network traffic.&lt;/p></description></item></channel></rss>