Campaign #39: NetSupport RAT Weaponized via ClickFix Social Engineering at Scale
TL;DR: A weaponized NetSupport Manager v14.10 RAT is being distributed through ClickFix social engineering -- a technique where victims are tricked into copying and executing PowerShell commands via fake CAPTCHA or verification pages. Delivered as SPAM.zip targeting Italian users, the package contains a legitimate Authenticode-signed NetSupport binary configured for fully silent remote access with a pirated license supporting 5,000 concurrent victims. Infrastructure analysis revealed 3 C2 domains converging on a single IP at Data Campus Limited (Hong Kong), 9+ delivery and landing page domains across 5 hosting providers including known bulletproof hosts OMEGATECH and DEDIK Services, and a unified registration pattern through NiceNIC registrar. An OPSEC failure in the configuration file -- a build path containing Desktop\39\ -- indicates this is at minimum the operator's 39th campaign iteration, suggesting a prolific and experienced threat actor running a high-volume remote access operation.
Key Findings
Legitimate Software, Malicious Purpose
The core of this campaign is not custom malware -- it is a legitimate, unmodified NetSupport Manager v14.10 client binary. The executable is Authenticode-signed by NetSupport Ltd via a GlobalSign EV CodeSigning certificate. The .text section is only 194 bytes; the binary is a thin stub that loads all RAT functionality from PCICL32.dll.
This is a textbook Living-off-the-Land Binary (LOLBin) deployment:
- The EV code signature passes Windows SmartScreen verification
- Most antivirus solutions will not flag a legitimately signed binary
- Application whitelisting that relies solely on code signatures will allow execution
- The malicious behavior comes entirely from the configuration file, not the executable
ClickFix: Social Engineering That Bypasses Security Awareness
The ClickFix technique represents an evolution in social engineering. Rather than attaching malware to emails or hosting drive-by downloads, the attacker presents a fake CAPTCHA or verification page that instructs the victim to:
- Press Win+R to open the Run dialog
- Press Ctrl+V to paste a pre-loaded PowerShell command
- Press Enter to execute
The PowerShell command has been silently copied to the clipboard via JavaScript on the landing page. The victim believes they are completing a verification step; instead, they are executing a download-and-run command that fetches the RAT package.
Three ClickFix landing page domains were identified, all resolving to the same IP in Kharkiv, Ukraine:
- secureverlfication[.]com (note the typosquat: "verlf" instead of "verif")
- verificatlonhost[.]com (note the typosquat: "atlon" instead of "ation")
- onlineverifyportal[.]us
All three share the same Cloudflare nameserver pair (connie/pete), confirming they are managed by the same Cloudflare account.
Campaign Scale: 39+ Iterations, 5,000 Victim License
Two indicators reveal the scale of this operation:
- Build path: The client32.ini [_Info] section contains Filename=C:\Users\Administrator\Desktop\39\client32.ini. The folder name 39 strongly suggests this is the operator's 39th campaign iteration -- meaning 38 prior campaigns were run using similar infrastructure.
- Pirated license: The NSM.LIC file contains serial NSM165348 licensed to "EVALUSION" with a maximum of 5,000 simultaneous slave connections. This is a cracked evaluation license commonly shared on cybercrime forums, and the 5,000-victim capacity indicates the operator expects high-volume deployments.
Infrastructure Convergence
All three C2 domains resolve to the same IP address, creating a single point of failure -- but also simplifying the operator's infrastructure management:
| Domain | IP | Registrar | Status |
|---|---|---|---|
| plixolabsaf[.]com | 193[.]24[.]211[.]242 | NiceNIC | LIVE |
| PlixoWorks[.]com | 193[.]24[.]211[.]242 | Hello Internet Corp | LIVE |
| zevoroz[.]com | 193[.]24[.]211[.]242 | NiceNIC | LIVE |
The discovery of zevoroz[.]com as a third C2 domain was a new finding -- it was not present in prior ThreatFox reporting, which only covered plixolabsaf and PlixoWorks.
Attack Chain
Phase 1: Email Delivery
Spam email targeting Italian users
Contains link to ClickFix landing page
|
v
Phase 2: ClickFix Landing Page
Fake CAPTCHA/verification page
Hosted on secureverlfication[.]com / verificatlonhost[.]com / onlineverifyportal[.]us
JavaScript copies PowerShell command to victim's clipboard
|
v
Phase 3: Victim Execution
Victim follows "verification" instructions:
Win+R -> Ctrl+V -> Enter
PowerShell downloads SPAM.zip or .MSI from delivery servers
Sources: kernsjewe[.]com / 193[.]111[.]117[.]21 / 144[.]31[.]207[.]34
|
v
Phase 4: RAT Installation
Archive extracts: Client.exe + client32.ini + NSM.LIC + PCICL32.dll
Client.exe is legitimate Authenticode-signed NetSupport Manager v14.10
Loads PCICL32.dll (RAT engine), reads client32.ini (C2 config)
|
v
Phase 5: C2 Communication
Connects to gateway: plixolabsaf[.]com:443 (primary)
Failover: PlixoWorks[.]com:443
Uses port 443 WITHOUT TLS (SSL=0) -- cleartext on HTTPS port
Beacon interval: 60 seconds
|
v
Phase 6: Remote Access
Operator gains full control:
- Screen viewing and capture
- File transfer (upload/download)
- Command execution
- Keyboard/mouse control
All invisible to victim (silent=1, SysTray=0, HideWhenIdle=1)
Configuration Deep Dive
The client32.ini file reveals the operator's full configuration choices:
| Setting | Value | Significance |
|---|---|---|
| GatewayAddress | plixolabsaf[.]com:443 | Primary C2 gateway |
| SecondaryGateway | PlixoWorks[.]com:443 | Automatic failover |
| SSL | 0 | No TLS encryption on C2 traffic |
| CMPI | 60 | Beacon every 60 seconds |
| GSK | GM;N@BDHHL<PACFE:J?LDP:C>IBMFN | Gateway authentication key |
| silent | 1 | No visible UI on victim machine |
| SysTray | 0 | No system tray icon |
| ShowUIOnConnect | 0 | Invisible when operator connects |
| HideWhenIdle | 1 | Hides when not actively controlled |
| DisableControl | 1 | Victim cannot regain control |
| Usernames | * | Wildcard -- ANY operator can connect |
| RoomSpec | Eval | Session room identifier |
| Protocols | 3 | Both TCP and HTTP enabled |
The SSL=0 setting is noteworthy. The operator chose to use port 443 (the standard HTTPS port) but without actual TLS encryption. This is a blending technique -- network monitoring that only checks destination ports will see traffic on 443 and may classify it as HTTPS without deeper inspection. However, any TLS inspection appliance or DPI solution will immediately flag the cleartext traffic on this port, making this a detection opportunity.
The Usernames=* wildcard is an operational security risk for the attacker -- it means anyone who discovers the gateway address and security key can connect to any compromised machine. This suggests either a solo operator who does not need access controls, or a shared-access model common in cybercrime-as-a-service operations.
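The configuration checks described above (and the client32.ini artifacts the YARA summary below targets) can be scripted. This is an added example, not code from the report or from NetSupport: it parses a constructed client32.ini carrying the table's values, flags the stealth and cleartext-on-443 settings, and extracts the campaign number from the Desktop\39\ build path. Only the [_Info] section name comes from the report; the other section names are assumptions and the scanner ignores them.

```python
import configparser
import re

# Constructed sample client32.ini carrying the values from the table above.
# Only [_Info] is a section name from the report; [Client] and [HTTP] are
# assumptions, and the scanner below reads keys from every section anyway.
SAMPLE_INI = r"""
[Client]
silent=1
SysTray=0
ShowUIOnConnect=0
HideWhenIdle=1
DisableControl=1
Usernames=*
RoomSpec=Eval
Protocols=3
[HTTP]
GatewayAddress=plixolabsaf.com:443
SecondaryGateway=PlixoWorks.com:443
SSL=0
CMPI=60
GSK=GM;N@BDHHL<PACFE:J?LDP:C>IBMFN
[_Info]
Filename=C:\Users\Administrator\Desktop\39\client32.ini
"""

# Settings that, in combination, turn a NetSupport client into a hidden RAT.
STEALTH = {"silent": "1", "systray": "0", "showuionconnect": "0",
           "hidewhenidle": "1", "disablecontrol": "1", "usernames": "*"}

def flatten(ini_text):
    """Collect every key from every section into one lower-cased dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {k: v.strip() for s in cp.sections() for k, v in cp.items(s)}

def assess(ini_text):
    cfg = flatten(ini_text)
    findings = [f"{k}={v}" for k, v in STEALTH.items() if cfg.get(k) == v]
    gateway = cfg.get("gatewayaddress", "")
    # Port 443 with SSL=0 is the blending trick: cleartext on the HTTPS port.
    if gateway.endswith(":443") and cfg.get("ssl") == "0":
        findings.append("cleartext gateway on 443: " + gateway)
    # The OPSEC slip: a build path like Desktop\39\ leaks the campaign iteration.
    m = re.search(r"Desktop\\(\d+)\\", cfg.get("filename", ""))
    return {
        "findings": findings,
        "campaign_iteration": int(m.group(1)) if m else None,
        "gateways": [g for g in (gateway, cfg.get("secondarygateway", "")) if g],
        "beacon_seconds": int(cfg["cmpi"]) if cfg.get("cmpi", "").isdigit() else None,
        "hidden_rat": len(findings) >= 3,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_INI))
```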
Infrastructure Analysis
C2 Gateway Network
All C2 domains resolve to 193[.]24[.]211[.]242 hosted by Data Campus Limited in Hong Kong (AS215929). Port scanning and neighboring IP analysis revealed:
193.24.211.0/24 (Data Campus Ltd, Hong Kong, AS215929)
|
+-- .242 = NetSupport RAT C2 gateway
| Port 99: nginx reverse proxy
| Port 443: NetSupport Manager gateway (cleartext)
|
+-- .245 = Suspected standby server
| Identical nginx 1.29.4 version
| Possible failover or staging
|
+-- .241 = Reverse shell server
| Port 4444 open (classic Meterpreter port)
| Directly adjacent to C2
|
+-- .235/.240/.246 = Windows RDP servers
Exposed Remote Desktop Protocol
The presence of a port 4444 (Meterpreter) server at .241 -- directly adjacent to the C2 at .242 -- suggests the operator maintains additional capabilities beyond NetSupport RAT, potentially for more targeted operations or as a secondary access channel.
Delivery and Landing Infrastructure
The delivery infrastructure spans five hosting providers across four countries:
OMEGATECH (Seychelles) -- Known Bulletproof Host:
178.16.53.0/24
+-- .137 = captioto[.]com (ClickFix JavaScript injection)
| Hostname: alianzeg.shop
+-- .70 = Payload delivery server (Apache 2.4.52)
Skayvin ISP (Kharkiv, Ukraine):
94.154.32.0/21
+-- .35.161 = Landing pages (secureverlfication, verificatlonhost, onlineverifyportal)
| + ErrTraffic domains (polygon-cnd-stats, mcdns-imager, llc-image-ico)
| + 2fa-cp[.]click phishing panel
+-- .35.153 = ErrTraffic domain (nero-ns-cdns[.]sbs)
QWINS Ltd (UK/Sweden):
89.125.37.0/24
+-- .33 = kernsjewe[.]com (MSI payload delivery)
DEDIK Services (UK/Poland):
193.111.117.0/24
+-- .21 = Payload delivery (.GRE file extension)
Hostname: 5629593582-04-02-2026.pl.dedik.io
Notable: Port 1337 open (backdoor)
Mail ports: 25, 465, 587, 993, 995
The DEDIK server hostname (5629593582-04-02-2026.pl.dedik.io) contains what appears to be a date (April 2, 2026), possibly indicating a planned infrastructure rotation or expiration date.
ErrTraffic Domains
Four domains were identified as part of an "ErrTraffic" JavaScript loading system:
polygon-cnd-stats[.]sbs
mcdns-imager[.]click
llc-image-ico[.]click
nero-ns-cdns[.]sbs
These domains serve JavaScript that redirects or tracks traffic through the ClickFix funnel. The naming pattern mimics CDN and image hosting services to appear legitimate in proxy logs.
Registrar Fingerprint
Nearly all .com domains in this campaign were registered through NiceNIC (IANA 3765):
| Domain | Registrar |
|---|---|
| plixolabsaf[.]com | NiceNIC |
| zevoroz[.]com | NiceNIC |
| kernsjewe[.]com | NiceNIC |
| secureverlfication[.]com | NiceNIC |
| verificatlonhost[.]com | NiceNIC |
| captioto[.]com | NiceNIC |
The only exceptions are PlixoWorks[.]com (Hello Internet Corp) and onlineverifyportal[.]us (WebNic.cc). This registrar concentration is a strong operator fingerprint -- future domains registered via NiceNIC with similar naming patterns should be treated with high suspicion.
Detection
YARA Detection Summary
Detection rules target:
- NetSupport Manager client32.ini configuration artifacts (GatewayAddress, SecondaryGateway, GSK values)
- Campaign-specific identifiers: license serial NSM165348, licensee "EVALUSION", room "Eval"
- Build path artifact: Desktop\39\
- PCICL32.dll import from stub executable with minimal .text section
- client32.ini + NSM.LIC + Client.exe co-location in the same directory
Suricata Detection Summary
Network rules cover:
- DNS queries for all C2 and delivery domains
- NetSupport Manager gateway traffic on port 443 without TLS (cleartext protocol on HTTPS port)
- Beacon pattern: 60-second interval connections to known C2 IPs
- Gateway security key in cleartext traffic
- PowerShell download cradles from ClickFix execution
- .GRE file extension downloads from delivery servers
- ErrTraffic JavaScript loader domain resolution
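Two of the network rules above (cleartext protocol on port 443, and 60-second beaconing to known C2 IPs) are shown here as standalone detection logic over constructed connection records; this is an added example, not the report's Suricata rules. It assumes a flow log that retains the first bytes the client sent; the C2 IP is the one reported above, written undefanged so it can be matched.

```python
from statistics import mean

# Constructed connection records (not real captures): seconds since start,
# source, destination, port, and the first bytes the client sent.
# The "POLL n" payloads stand in for whatever a cleartext client sends; the
# real NetSupport wire format is not reproduced here.
C2 = "193.24.211.242"  # C2 gateway IP from this report, undefanged for matching
TLS_HELLO = b"\x16\x03\x01\x02\x00\x01"  # TLS handshake record header prefix
FLOWS = [
    {"ts": 0,   "src": "10.0.0.5", "dst": C2, "dport": 443, "payload": b"POLL 1"},
    {"ts": 60,  "src": "10.0.0.5", "dst": C2, "dport": 443, "payload": b"POLL 2"},
    {"ts": 121, "src": "10.0.0.5", "dst": C2, "dport": 443, "payload": b"POLL 3"},
    {"ts": 179, "src": "10.0.0.5", "dst": C2, "dport": 443, "payload": b"POLL 4"},
    {"ts": 240, "src": "10.0.0.5", "dst": C2, "dport": 443, "payload": b"POLL 5"},
    # Genuine HTTPS to a documentation address: real TLS, irregular timing.
    {"ts": 5,   "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "payload": TLS_HELLO},
    {"ts": 47,  "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "payload": TLS_HELLO},
    {"ts": 300, "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "payload": TLS_HELLO},
]

def looks_like_tls(payload):
    """True when the first client bytes form a TLS handshake record header."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def cleartext_on_443(flows):
    """Flows to port 443 whose first bytes are not a TLS handshake (the SSL=0 case)."""
    return [f for f in flows if f["dport"] == 443 and not looks_like_tls(f["payload"])]

def beaconing_pairs(flows, period=60, jitter=5, min_count=4):
    """(src, dst) pairs that reconnect at a fixed interval, within +/- jitter seconds."""
    times = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        times.setdefault((f["src"], f["dst"]), []).append(f["ts"])
    hits = {}
    for pair, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_count and all(abs(g - period) <= jitter for g in gaps):
            hits[pair] = mean(gaps)
    return hits

def alerts(flows, period=60):
    """Destinations that both beacon on a fixed period and speak cleartext on 443."""
    cleartext_dsts = {f["dst"] for f in cleartext_on_443(flows)}
    return sorted(dst for (src, dst) in beaconing_pairs(flows, period) if dst in cleartext_dsts)

if __name__ == "__main__":
    print(alerts(FLOWS))
```

Widening the jitter or lowering min_count trades false positives for earlier detection; the 60-second period comes from the CMPI value in the configuration table.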
IOCs (Defanged)
Network Indicators
C2 Domains:
plixolabsaf[.]com
PlixoWorks[.]com
zevoroz[.]com
Delivery/Landing Domains:
kernsjewe[.]com
secureverlfication[.]com
verificatlonhost[.]com
onlineverifyportal[.]us
captioto[.]com
ErrTraffic Domains:
polygon-cnd-stats[.]sbs
mcdns-imager[.]click
llc-image-ico[.]click
nero-ns-cdns[.]sbs
C2 IP:
193[.]24[.]211[.]242 # Data Campus (HK) - Primary NetSupport C2
193[.]24[.]211[.]245 # Data Campus (HK) - Suspected standby
193[.]24[.]211[.]241 # Data Campus (HK) - Port 4444 Meterpreter
Delivery IPs:
89[.]125[.]37[.]33 # QWINS (SE/GB) - MSI payload delivery
178[.]16[.]53[.]137 # OMEGATECH (NL/SC) - ClickFix JS [BPH]
178[.]16[.]53[.]70 # OMEGATECH (NL/SC) - Payload delivery [BPH]
94[.]154[.]35[.]161 # Skayvin (UA) - Landing pages + ErrTraffic
94[.]154[.]35[.]153 # Skayvin (UA) - ErrTraffic
193[.]111[.]117[.]21 # DEDIK (GB/PL) - Payload delivery (.GRE)
144[.]31[.]207[.]34 # Unknown - Payload delivery (.GRE)
File Hashes
SPAM.zip (delivery archive):
SHA-256: d07cf999261a59290db66ad63a960f67aaf198a0bd40c07dd5694753835e53d9
MD5: 79d57ffdb9a72a87e249377854a679eb
SHA-1: c0f3a95b774046610b32cdc62de750f570f19ea7
Client.exe (legitimate NetSupport binary):
SHA-256: bc020b95fc01fae40e13f429eaddeac6c08755399d96d06e9dbea22114eb595c
MD5: 21b42720a156c1ce18019010ecec2a39
SHA-1: 1e9bf68e5879a42119c41e99593c800e4efb9fa8
Configuration files:
NSM.LIC SHA-256: ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54
client32.ini SHA-256: a10d47ea3d83154f225f26e238d485a74e4641b2061a96c48062024c7819b59b
Behavioral Indicators
PDB Path: E:\nsmsrc\nsm\1410\1410\client32\release_unicode\client32.pdb
Build Path: C:\Users\Administrator\Desktop\39\client32.ini
License: NSM165348 / EVALUSION / 5000 slaves
Gateway Key: GM;N@BDHHL<PACFE:J?LDP:C>IBMFN
Beacon: 60-second interval
Room: Eval
NS Provider: ns3/ns4.my-ndns.com
Registrar: NiceNIC (IANA 3765)
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Spam email with ClickFix landing page link |
| Execution | User Execution: Malicious File | T1204.002 | Victim runs downloaded SPAM.zip contents |
| Execution | Command and Scripting: PowerShell | T1059.001 | ClickFix clipboard PowerShell execution |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | Legitimate signed NetSupport Manager binary |
| Defense Evasion | Hide Artifacts: Hidden Window | T1564.001 | Silent mode, no tray icon, hidden when idle |
| Defense Evasion | Signed Binary Proxy Execution | T1218 | EV-signed binary bypasses SmartScreen/AV |
| Command and Control | Application Layer Protocol: Web | T1071.001 | HTTP/TCP gateway communication |
| Command and Control | Non-Standard Port | T1571 | Cleartext protocol on port 443 |
| Command and Control | Ingress Tool Transfer | T1105 | File transfer capability via NetSupport |
| Command and Control | Fallback Channels | T1008 | Primary + secondary gateway configuration |
| Collection | Screen Capture | T1113 | NetSupport remote viewing capability |
| Collection | Input Capture | T1056 | Keyboard/mouse monitoring |
Actor Timeline
| Date | Event | Evidence |
|---|---|---|
| 2026-01-15 | Earliest infrastructure cert issued (captioto.com) | crt.sh |
| 2026-02-06 | C2 domains registered (plixolabsaf.com, PlixoWorks.com) | WHOIS |
| 2026-02-09 | 2fa-cp[.]click phishing panel cert issued | crt.sh |
| 2026-02-13 | Delivery domain cert issued (kernsjewe.com) | crt.sh |
| 2026-02-27 | captioto.com cert renewed (infrastructure maintenance) | crt.sh |
| 2026-03-05 | C2 domains first reported to ThreatFox | ThreatFox |
| 2026-03-09 | SPAM.zip submitted to MalwareBazaar (Italy) | MalwareBazaar |
| 2026-03-09 | New delivery domain wave registered | WHOIS |
| 2026-03-10 | All infrastructure confirmed LIVE | This investigation |
The two-month gap between infrastructure registration (early February) and campaign execution (early March) suggests a preparation and testing phase. The certificate renewal for captioto.com on February 27 indicates active infrastructure maintenance during this period.
Defensive Recommendations
Why This Campaign Is Dangerous
- Signed binary: The EV code signature means this RAT will pass SmartScreen, most AV solutions, and signature-based application whitelisting.
- ClickFix bypasses email security: The malicious payload is not in the email -- the email only contains a link to a landing page. The actual execution happens when the victim manually runs a PowerShell command.
- Port 443 blending: Traffic on port 443 may be assumed to be HTTPS by network monitoring tools that do not perform deep packet inspection.
- Scale: A 5,000-victim license and 39+ campaign iterations indicate an experienced, high-volume operator.
Detection Priorities
- PowerShell Script Block Logging: Enable to detect ClickFix command execution
- Deep packet inspection on port 443: Flag cleartext (non-TLS) traffic on HTTPS ports
- Behavioral detection: Monitor for NetSupport Manager artifacts (PCICL32.dll, client32.ini) in non-standard locations
- Network beaconing: Detect 60-second interval connections to known C2 IPs
- Application control: Verify both code signature AND expected installation path -- NetSupport Manager running from %TEMP% or user-writable directories is suspicious regardless of signature validity
Published by Breakglass Intelligence -- Automated threat intelligence. Zero analyst fatigue.
Investigation conducted March 10, 2026. Infrastructure status reflects point-in-time observations.