JS#SMUGGLER Campaign Exploits Compromised Websites to Distribute NetSupport RAT

  • Dec 8, 2025

Key Findings


  • Securonix researchers discovered a new malware campaign dubbed JS#SMUGGLER that delivers the powerful NetSupport RAT through compromised websites.

  • The attack is designed in three stages to evade detection, starting with an obfuscated JavaScript loader, followed by a hidden HTML Application (HTA) and a final PowerShell payload that downloads and executes the NetSupport RAT.

  • The multi-layered tactics, including encryption, compression, and in-memory execution, indicate a highly sophisticated and actively maintained malware framework.

  • The campaign targets enterprise users through compromised websites, suggesting a broad-strokes effort to infect a wide range of victims.


Background


The JS#SMUGGLER campaign is the latest in a series of advanced malware operations analyzed by the Securonix Threat Research team, which includes analysts Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee. The researchers have also recently uncovered another multi-stage malspam campaign dubbed CHAMELEON#NET that delivers the Formbook information stealer.


Infection Chain


The JS#SMUGGLER attack is designed in three stages:


1. Obfuscated JavaScript Loader: The campaign starts with an obfuscated JavaScript loader, typically served from sites like boriver.com, which checks the user's device and proceeds with the full infection only if it detects a desktop.


2. Hidden HTML Application (HTA): The second stage is a hidden HTA file that runs without any visible window, using the standard Windows program mshta.exe. The HTA contains heavily protected code with multiple layers of encryption and compression to avoid detection.


3. NetSupport RAT Deployment: The final stage downloads and executes the main payload, the NetSupport RAT. The PowerShell code in this stage pulls a compressed file from a domain like kindstki.com, extracts it into a normal-looking folder, and establishes persistence through a fake Startup shortcut.


Impact and Capabilities


The NetSupport RAT enables the attackers to gain full remote control over the victim's computer, including remote desktop access, file operations, command execution, data theft, and proxy capabilities. The sophisticated evasion techniques and the professional-grade nature of the malware framework strongly suggest this is an active and well-maintained operation.


Recommendations


To protect against such threats, users should carefully validate all software downloads and strengthen their endpoint defences to detect suspicious script activity and unauthorized process execution. Security teams should deploy strong Content Security Policy (CSP) enforcement, script monitoring, PowerShell logging, mshta.exe restrictions, and behavioral analytics to effectively detect and mitigate such advanced attacks.
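
As an added example (not from Securonix or the original post), the hunt below shows how the mshta.exe, PowerShell and Startup-shortcut behaviours in the infection chain can be correlated per host over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. It assumes the PowerShell stage runs as a child of mshta.exe and that the HTA is fetched by URL; the stage names, hosts, URL and paths are constructed.

```python
import re
from collections import defaultdict

STARTUP_DIR = r"\start menu\programs\startup" + "\\"   # matched against lower-cased paths
REMOTE_URL = re.compile(r"https?://", re.I)
SCRIPT_HOSTS = ("mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")

def base(path):
    """Lower-cased file name of a Windows path (empty string if the field is missing)."""
    return (path or "").lower().rsplit("\\", 1)[-1]

def classify(ev):
    """Return the chain stage an event matches, or None."""
    image, parent = base(ev.get("Image")), base(ev.get("ParentImage"))
    if ev["EventID"] == 1:    # process creation
        if image == "mshta.exe" and REMOTE_URL.search(ev.get("CommandLine", "")):
            return "mshta_remote_hta"
        if parent == "mshta.exe" and image in ("powershell.exe", "pwsh.exe"):
            return "mshta_spawns_powershell"   # assumed parent/child relationship
    if ev["EventID"] == 11:   # file creation
        target = ev.get("TargetFilename", "").lower()
        if STARTUP_DIR in target and target.endswith(".lnk") and image in SCRIPT_HOSTS:
            return "startup_lnk_by_script_host"
    return None

def hunt(events, min_stages=2):
    """Report hosts that show at least min_stages distinct stages of the chain."""
    hits = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["Computer"]].add(stage)
    return {host: sorted(s) for host, s in hits.items() if len(s) >= min_stages}

# Constructed sample events, not campaign data; the URL and paths are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
SAMPLE = [
    {"EventID": 1, "Computer": "WS-01", "Image": MSHTA,
     "ParentImage": r"C:\Program Files\Browser\browser.exe",
     "CommandLine": "mshta.exe https://stage2.example.test/a.hta"},
    {"EventID": 1, "Computer": "WS-01", "Image": PS, "ParentImage": MSHTA,
     "CommandLine": "powershell.exe <constructed>"},
    {"EventID": 11, "Computer": "WS-01", "Image": PS,
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"EventID": 1, "Computer": "WS-02", "Image": MSHTA,   # benign: local HTA, no URL
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"mshta.exe C:\Tools\inventory.hta"},
]
```

Requiring two or more distinct stages per host keeps a lone legitimate mshta.exe or Startup shortcut from alerting on its own; in production the correlation would also be bounded by a time window.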


Sources


  • https://hackread.com/jssmuggler-netsupport-rat-infected-sites/

  • https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html

© 2025 by Explain IT Again. Powered and secured by Wix