
Sophisticated Multi-Stage JS#SMUGGLER Attack Installs ‘NetSupport RAT’ to Seize Complete System Control

A new multi‑stage web‑based malware campaign uncovered by the Securonix Threat Research team demonstrates remarkable stealth and complexity, leveraging layered scripts, encrypted payloads, and trusted Windows components to deliver NetSupport RAT, a remote‑access tool repurposed for malicious control of victim systems.

Obfuscated JavaScript Loader and Hidden HTA Execution

The infection chain begins when victims visit compromised websites that host an obfuscated JavaScript loader (phone.js) retrieved from attacker‑controlled domains such as boriver[.]com.

The loader runs only once per user session, using localStorage tracking to avoid multiple activations, an uncommon stealth feature for such scripts.

Heavily camouflaged with filler content and numeric index‑based decoding, the loader dynamically profiles the user’s device.

Mobile users receive a full-screen iframe redirect, while desktop users trigger a remote script injection that fetches the next stage from domains like stoneandjon[.]com.

De‑obfuscation with tools such as CyberChef revealed rotating string tables and nested IIFEs, concealing URLs, DOM actions, and encryption keys from static analysis.

Stage 2, a malicious HTML Application (HTA), runs through mshta.exe, a Microsoft‑signed binary frequently abused as a living‑off‑the‑land binary (LOLBAS).

The HTA silently executes in a hidden state, deploying a fileless PowerShell stager that decrypts its payload using AES‑256‑ECB, Base64, and GZIP routines.

The decrypted script is executed directly in memory with -ExecutionPolicy Bypass, avoiding disk artifacts and traditional antivirus scanning. The loader then deletes its temporary files to erase forensic traces.
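The stage-2 stager described above leaves a recognisable footprint in PowerShell script-block logging (Event ID 4104): a Base64 decode, a GZIP stream, AES in ECB mode, an ExecutionPolicy bypass and in-memory invocation. The following triage script is an added example, not code from the Securonix report or from the campaign; the script-block texts, marker weights and the inner payload it unwraps are all constructed. It scores each script block against those markers and, for any Base64 run that decodes to a GZIP stream, decompresses it so an analyst can read the wrapped layer without executing anything (the AES step is left out, since the key would have to be recovered from the stager itself).

```python
"""Triage of PowerShell script-block text for the stage-2 stager markers
described above. Sample script blocks are constructed for this example."""
import base64
import gzip
import re

# Constructed inner payload and its Base64(GZIP(...)) wrapping; stands in for
# the real stage-3 script, which this example does not reproduce.
INNER_PAYLOAD = b"Write-Output 'stage3 placeholder'"
WRAPPED = base64.b64encode(gzip.compress(INNER_PAYLOAD)).decode()

# Constructed Event ID 4104 script-block texts: one mimicking the fileless
# stager's decode chain, one benign administrative command.
SAMPLE_SCRIPT_BLOCKS = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -w hidden -c "
    "\"$aes=[System.Security.Cryptography.Aes]::Create(); $aes.Mode='ECB'; "
    "$gz=[IO.Compression.GZipStream]::new([IO.MemoryStream]::new("
    "[Convert]::FromBase64String('" + WRAPPED + "')), 'Decompress'); IEX $out\"",
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
]

# Marker name -> (pattern, weight). Weights are an assumption for this
# example; tune them against your own baseline of legitimate scripts.
MARKERS = {
    "execpolicy_bypass": (re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I), 2),
    "hidden_window": (re.compile(r"-(?:WindowStyle|w)\s+hidden", re.I), 1),
    "base64_decode": (re.compile(r"FromBase64String", re.I), 1),
    "gzip_stream": (re.compile(r"GZipStream", re.I), 2),
    "aes_ecb": (re.compile(r"\.Mode\s*=\s*['\"]?ECB", re.I), 3),
    "in_memory_exec": (re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I), 2),
}


def score_block(text):
    """Return (matched marker names, total weight) for one script block."""
    hits = [name for name, (rx, _) in MARKERS.items() if rx.search(text)]
    return hits, sum(MARKERS[name][1] for name in hits)


def extract_gzip_blobs(text):
    """Find Base64 runs that decode to a GZIP stream and decompress them.

    Anything that is not valid Base64 or not GZIP (magic 1f 8b) is skipped,
    so ordinary long identifiers in a script do not raise."""
    found = []
    for m in re.finditer(r"[A-Za-z0-9+/]{24,}={0,2}", text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw[:2] != b"\x1f\x8b":
            continue
        try:
            found.append(gzip.decompress(raw))
        except (OSError, EOFError):
            continue
    return found


def triage(blocks, threshold=5):
    """Score every script block; flag those at or above the threshold and
    attach any unwrapped GZIP layers for analyst review."""
    results = []
    for text in blocks:
        hits, score = score_block(text)
        results.append({
            "score": score,
            "hits": hits,
            "suspicious": score >= threshold,
            "unwrapped": extract_gzip_blobs(text),
        })
    return results


if __name__ == "__main__":
    for i, r in enumerate(triage(SAMPLE_SCRIPT_BLOCKS)):
        print(i, r["suspicious"], r["score"], r["hits"])
        for layer in r["unwrapped"]:
            print("   unwrapped:", layer.decode(errors="replace"))
```

Feed it the ScriptBlockText field exported from your SIEM rather than raw command lines: the decode chain is visible there even when the outer command is itself obfuscated.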

Decrypted PowerShell Payload Delivers NetSupport RAT

Stage 3 reveals the fully decrypted PowerShell payload that downloads and installs NetSupport RAT, a legitimate remote‑administration tool turned malware.

The script retrieves a ZIP archive (qazx.zip) from kindstki[.]com, extracts it into C:\ProgramData\CommunicationLayer\, and launches the client executable (client32.exe) via wscript.exe using a concealed JScript launcher (run.js).

Persistence is achieved by creating a disguised shortcut named WindowsUpdate.lnk, ensuring the RAT runs automatically on reboot.

Once active, NetSupport RAT grants attackers complete remote control, including desktop manipulation, file transfer, command execution, and proxying.

Its behavior matches known RAT deployments used by financially motivated threat actors and access‑broker groups.

Researchers traced the infrastructure to multiple domains, including border[.]com, stoneandjon[.]com, kindstki[.]com, and others linked to IP addresses in Europe and the United States.

Associated file hashes and PowerShell traces confirm a JS#SMUGGLER‑style modular framework engineered for persistence, stealth, and multi‑device targeting.

Defenders are urged to block mshta.exe misuse, enforce strict script‑execution policies, enable PowerShell logging, and monitor Startup folder changes, given the campaign’s heavy reliance on fileless PowerShell execution and staged loaders.
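The stage-3 chain described above (mshta.exe spawning a hidden PowerShell, wscript.exe launching client32.exe out of C:\ProgramData\CommunicationLayer\, and WindowsUpdate.lnk dropped into the Startup folder) and the monitoring recommendations in the last paragraph map onto a small set of process-lineage and file rules. The script below is an added example, not from the Securonix report or the campaign; the Sysmon-like event records are constructed, the HTA URL is a placeholder, and the field names (pid, ppid, image, cmdline, path) are an assumption about how your telemetry is normalised. It rebuilds the process tree, applies three rules, and reports whether each hit descends from mshta.exe, which is the signal that separates this chain from an admin's stray PowerShell.

```python
"""Correlate constructed process and file events for the NetSupport RAT
stage-3 chain: mshta -> powershell -> wscript -> client32.exe, plus a
Startup-folder .lnk. Event records are constructed for this example."""
import ntpath

# Constructed Sysmon-like events (not real telemetry from the campaign).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe <stage2-hta-url-placeholder>"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -w hidden -c <stager>"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\CommunicationLayer\run.js"},
    {"type": "process", "pid": 400, "ppid": 300,
     "image": r"C:\ProgramData\CommunicationLayer\client32.exe",
     "cmdline": "client32.exe"},
    {"type": "file", "pid": 200,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\WindowsUpdate.lnk"},
    # Benign activity: an interactive PowerShell under explorer.exe.
    {"type": "process", "pid": 500, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 600, "ppid": 500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

PROGRAMDATA = "c:\\programdata\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def basename(path):
    return ntpath.basename(path).lower()


def ancestors(procs, pid):
    """Image basenames from pid up to the root, guarding against pid reuse loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Apply the three rules and annotate each hit with its lineage."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            pname = basename(parent["image"]) if parent else ""
            name = basename(e["image"])
            # Rule 1: mshta.exe launching PowerShell (hidden HTA stager).
            if name in ("powershell.exe", "pwsh.exe") and pname == "mshta.exe":
                hits.append(("mshta_spawns_powershell", e["pid"]))
            # Rule 2: wscript.exe starting a binary that lives under ProgramData.
            if pname == "wscript.exe" and e["image"].lower().startswith(PROGRAMDATA):
                hits.append(("wscript_launches_programdata_exe", e["pid"]))
        elif e["type"] == "file":
            p = e["path"].lower()
            # Rule 3: a shortcut written into a user's Startup folder.
            if STARTUP_DIR in p and p.endswith(".lnk"):
                hits.append(("startup_lnk_dropped", e["pid"]))
    alerts = []
    for rule, pid in hits:
        lineage = ancestors(procs, pid)
        alerts.append({"rule": rule, "pid": pid, "lineage": lineage,
                       "rooted_in_mshta": "mshta.exe" in lineage})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], a["pid"], " <- ".join(a["lineage"]),
              "(mshta-rooted)" if a["rooted_in_mshta"] else "")
```

Rule 3 on its own will fire on legitimate installers, which is why the lineage annotation matters: a Startup .lnk written by a PowerShell whose ancestry runs back to mshta.exe is worth an immediate look, while the same event under msiexec.exe usually is not.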
