- A new cyber campaign called JS#SMUGGLER uses compromised websites to distribute NetSupport RAT, a remote access trojan.
- The attack involves obfuscated JavaScript loaders, HTML Applications (HTA), and PowerShell payloads to execute Malware stealthily.
- Device-aware delivery methods customize infection routes based on whether the victim uses a mobile or desktop device.
- Another campaign, CHAMELEON#NET, spreads Formbook malware through phishing emails targeting social security sector users.
- Both campaigns employ complex multi-stage loaders and evasion techniques to avoid detection and maintain persistence.
Cybersecurity researchers have identified a new malware campaign called JS#SMUGGLER that spreads the remote access trojan NetSupport RAT via compromised websites. The campaign uses several steps: embedding obfuscated JavaScript loaders into websites, deploying HTML Application (HTA) files executed with “mshta.exe,” and running encrypted PowerShell scripts that download and activate the main malware. These attacks have targeted enterprise users broadly but have not been attributed to any known threat actor or country.
This multi-stage attack employs hidden iframes and obfuscated scripts to mask its activity. The JavaScript loader, named “phone.js,” is downloaded silently and profiles the visitor’s device to decide between showing a full-screen iframe on mobile or loading a second-stage script on desktops. The loader also uses tracking to activate the malicious payload only once per visit, reducing the chance of detection. The invisible iframe redirects victims to malicious URLs, leading to the download and execution of an HTA payload. This payload runs a PowerShell stager in memory after decrypting it, deletes itself afterward, and helps deliver NetSupport RAT, which allows attackers to control victim machines remotely. According to Securonix, the use of layered evasion techniques suggests a professional malware operation and recommends measures like script monitoring and PowerShell logging to defend against this threat (source).
Weeks earlier, Securonix reported another multi-stage malware campaign named CHAMELEON#NET, which distributes Formbook malware—a keylogger and data stealer—through phishing emails. This campaign targets individuals in the social security sector, using fake webmail portals to trick victims into downloading a .BZ2 archive. The archive initiates a complex infection involving a heavily obfuscated JavaScript dropper that writes additional scripts and executable loaders to disk. A .NET loader decrypts and executes Formbook entirely in memory using reflection and a custom XOR cipher to avoid detection. Persistence is maintained by adding the malware to startup folders or modifying the Windows Registry (source).
Both campaigns demonstrate the use of sophisticated multi-layered attack chains, combining social engineering, obfuscation, and fileless execution techniques to compromise targeted systems and maintain stealth.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Morgan Stanley Downgrades Tesla to Equal-Weight Despite Price Boost
- US May Allow Nvidia to Export Older H200 AI Chips to China
- TRON Inc. and Strategy Stocks Plunge Over 50% Amid Struggles
- CRA Finds 40% of Canadian Crypto Users Evade Taxes, New Laws Pending
- PayPal’s PYUSD Stablecoin Soars 224% Amid DeFi Boom
