Deploying NetSupport RAT via WordPress & ClickFix

    Date: 07/10/2025

    Severity: High

    Summary

In May 2025, threat actors were found hosting malicious WordPress sites to distribute tampered versions of the legitimate NetSupport Manager Remote Access Tool (RAT). This report examines the techniques and tools used to deploy the NetSupport RAT, with a focus on malicious JavaScript. Attackers deliver links to these sites through phishing campaigns, including phishing emails, PDF attachments, and gaming websites. These methods aim to lure users into unknowingly downloading the malicious RAT payload.

    Indicators of Compromise (IOC) List

    Domains\URLs: 


    IP Addresses:


    Hashes (MD5):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs:

    domainname like "badgervolleyball.org" or url like "badgervolleyball.org" or siteurl like "badgervolleyball.org" or domainname like "islonline.org" or url like "islonline.org" or siteurl like "islonline.org" or domainname like "fmovies123.top" or url like "fmovies123.top" or siteurl like "fmovies123.top" or domainname like "jaagnet.com" or url like "jaagnet.com" or siteurl like "jaagnet.com" or domainname like "jakestrack.com" or url like "jakestrack.com" or siteurl like "jakestrack.com" or domainname like "pemptousia.com" or url like "pemptousia.com" or siteurl like "pemptousia.com" or domainname like "ace-project.org" or url like "ace-project.org" or siteurl like "ace-project.org" or domainname like "lang3666.top" or url like "lang3666.top" or siteurl like "lang3666.top" or domainname like "christianlouboutin2017.top" or url like "christianlouboutin2017.top" or siteurl like "christianlouboutin2017.top"

    IP Addresses:

    dstipaddress IN ("107.180.0.222","94.158.245.131","94.158.245.137","77.83.199.34","50.87.146.66","94.158.245.118","172.67.70.20","162.214.153.12","83.229.17.68","23.23.49.179","94.158.245.104","209.17.116.165","79.141.173.158","193.111.208.110") or srcipaddress IN ("107.180.0.222","94.158.245.131","94.158.245.137","77.83.199.34","50.87.146.66","94.158.245.118","172.67.70.20","162.214.153.12","83.229.17.68","23.23.49.179","94.158.245.104","209.17.116.165","79.141.173.158","193.111.208.110")

    Hash 1 (MD5):

    md5hash IN ("20ed4df3a9c734c1788bd2ca2658aedb","1768c9971cea4cc10c7dd45a5f8f022a","c05f8ec5afbabc36f1c1366549290ae6","ee75b57b9300aab96530503bfae8a2f2","9c4349534c137e3e43fb2e2caf049f9d","4f496bfde39ca83644265d8d1d9bc9da")

    Hash 2 (SHA-256):

    sha256hash IN ("983f423da1c2ebbdc51abfdf4d71f8329956684fba72acf49bcd8eb3ae4c6ac5","fbbdd2581b33d9887bcb39550c20bf5f9aaf4d2340f9337ee9358f24459d7e5c")
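    As an added example (not part of the advisory and not Gurucul TDIR code), the Python below applies the same field-level matching as the queries above to normalised log events, but matches the host exactly or as a subdomain rather than as a plain substring, so a lookalike such as notbadgervolleyball.org does not fire. The indicator sets hold a subset of the values listed on this page, the field names follow the queries, and the events are constructed samples; whether your platform's like operator needs explicit wildcards to hit a full URL is an assumption to verify for your deployment.

```python
from urllib.parse import urlsplit

# Subset of the indicators published above; the full lists are in the TDIR queries.
IOC_DOMAINS = {"badgervolleyball.org", "islonline.org", "fmovies123.top", "pemptousia.com"}
IOC_IPS = {"94.158.245.104", "172.67.70.20", "193.111.208.110"}
IOC_MD5 = {"9c4349534c137e3e43fb2e2caf049f9d", "4f496bfde39ca83644265d8d1d9bc9da"}
IOC_SHA256 = {"983f423da1c2ebbdc51abfdf4d71f8329956684fba72acf49bcd8eb3ae4c6ac5"}


def host_of(value):
    """Return the lower-cased hostname from a bare domain or a full URL."""
    if "://" not in value:
        value = "http://" + value  # let urlsplit parse a bare host or host/path
    return (urlsplit(value).hostname or "").lower()


def domain_matches(value):
    """True when the host is an IOC domain or a subdomain of one (not a substring)."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_event(event):
    """Return (field, indicator) hits for one normalised event given as a dict."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        v = event.get(field)
        if v and domain_matches(v):
            hits.append((field, host_of(v)))
    for field in ("srcipaddress", "dstipaddress"):
        v = event.get(field)
        if v in IOC_IPS:
            hits.append((field, v))
    for field, iocs in (("md5hash", IOC_MD5), ("sha256hash", IOC_SHA256)):
        v = event.get(field)
        if v and v.lower() in iocs:  # hashes are often logged in upper case
            hits.append((field, v.lower()))
    return hits


def scan(events):
    """Return (index, hits) for every event that touched at least one indicator."""
    return [(i, match_event(e)) for i, e in enumerate(events) if match_event(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"url": "https://www.badgervolleyball.org/wp-content/update.js", "dstipaddress": "94.158.245.104"},
    {"domainname": "example.org", "dstipaddress": "198.51.100.7"},
    {"md5hash": "9C4349534C137E3E43FB2E2CAF049F9D"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```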

    Reference:

    https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix

    Tags: Malware, RAT, NetSupport RAT, Phishing, WordPress, ClickFix
