JS#SMUGGLER Campaign Uses Compromised Websites to Deploy NetSupport RAT




DECEMBER 5, 2025 • CYBERSECURITY

Cybersecurity researchers have identified a sophisticated new malware campaign that weaponizes compromised websites to distribute NetSupport RAT, a remote-access tool capable of giving attackers full control of infected systems.

The ongoing operation, tracked as JS#SMUGGLER, employs a highly layered infection chain designed to evade detection and selectively target enterprise victims. The findings, published by analysts at Securonix, reveal a complex web-based attack sequence built around obfuscated JavaScript loaders, stealthy HTA files, encrypted PowerShell stagers, and multi-stage payload delivery mechanisms.

The campaign represents a significant evolution in web-based malware distribution techniques, leveraging legitimate compromised sites to reach potential victims.


The level of sophistication in this campaign is concerning. JS#SMUGGLER demonstrates advanced evasion techniques, including device profiling, single-execution tracking, and multi-stage payload delivery that makes detection and analysis particularly challenging.

What Is JS#SMUGGLER?

The campaign begins when victims unknowingly visit a compromised website. Hidden malicious code triggers a silent redirect, fetching a scrambled JavaScript file known as "phone.js". This script immediately profiles the victim's device and serves different payloads depending on whether the user is on mobile or desktop.

Device-aware targeting:

This adaptive branching helps attackers tailor their infection path and avoid unnecessary exposure in environments that might detect suspicious activity. Researchers note that the loader only activates once per victim, using built-in tracking to reduce forensic traces and avoid repeat detections.

How the Attack Chain Works

JS#SMUGGLER is a sophisticated web‑based malware campaign that doesn't deliver its payload all at once. Instead, it unfolds through a series of carefully chained steps, each designed to evade detection and quietly install a powerful remote access trojan (RAT) called NetSupport RAT on victim systems:

1. Compromised Website → Malicious JavaScript Loader
   The victim's browser is silently redirected to an external domain hosting the obfuscated loader.

2. Loader → Device Profiling
   The script determines the environment (mobile vs. desktop) and selects the appropriate payload path.

3. JavaScript → Constructed URL → HTA Payload
   A remote script dynamically builds a URL and downloads an HTA (HTML Application) file, executed through the Windows utility mshta.exe.

4. HTA → PowerShell Stager
   The HTA file loads and decrypts an in-memory PowerShell stager designed to evade antivirus tools.

5. PowerShell → NetSupport RAT Deployment
   The final stage retrieves and installs NetSupport RAT, giving attackers remote access capabilities.

After execution, the malware removes evidence of the PowerShell stager and terminates itself to limit the forensic footprint. NetSupport RAT provides attackers with:

"This is not just another drive-by download," explained Shikha Sangwan, a senior threat researcher at Securonix. "JS#SMUGGLER represents a professional-grade malware delivery framework with multiple layers of obfuscation, device-aware targeting, and post-exploitation cleanup. The attackers clearly understand how to evade traditional security measures."

A Professional-Grade Malware Framework

Researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee say the level of obfuscation and modular design indicates an actively maintained, highly professional malware operation rather than amateur threat activity.

So far, analysts have found no conclusive evidence linking JS#SMUGGLER to any known nation-state or cybercrime group. The broad targeting pattern suggests attackers are pursuing general enterprise environments rather than specific industries.

Cybersecurity defense measures

Securonix recommends defenders deploy multiple layers of protection including strict Content Security Policy (CSP) rules, JavaScript and script-execution monitoring, enhanced PowerShell logging, restrictions on mshta.exe usage, and behavioral analytics to detect anomalies.
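The script-execution monitoring and mshta.exe advice above can be expressed as detection logic over process-creation telemetry. The following is an added example, not code from Securonix or the original article: it flags mshta.exe started with a remote URL and PowerShell running anywhere beneath mshta.exe. The event field names, rule names, hosts and file paths are constructed assumptions.

```python
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MSHTA = r"C:\Windows\System32\mshta.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (pid, parent pid, image path, command line).
# Hosts and file names are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": MSHTA, "cmd": "mshta.exe https://loader.example.invalid/stage.hta"},
    {"pid": 400, "ppid": 300, "image": PS, "cmd": "powershell.exe -NoProfile -Command <constructed>"},
    {"pid": 500, "ppid": 100, "image": MSHTA, "cmd": r"mshta.exe C:\Tools\inventory.hta"},
    {"pid": 600, "ppid": 100, "image": PS, "cmd": r"powershell.exe -File C:\Tools\backup.ps1"},
]

def image_name(event):
    """Lower-cased executable name from a full Windows image path."""
    return event["image"].rsplit("\\", 1)[-1].lower()

def ancestors(pid, by_pid):
    """Yield ancestor events of pid; stop on unknown parents or pid loops."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None:
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            return
        seen.add(parent["pid"])
        yield parent
        cur = parent

def detect(events):
    """Return (pid, rule) alerts for the mshta and PowerShell stages of the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e)
        if name == "mshta.exe" and URL_RE.search(e["cmd"]):
            alerts.append((e["pid"], "mshta_remote_hta"))
        elif name in POWERSHELL and any(
                image_name(a) == "mshta.exe" for a in ancestors(e["pid"], by_pid)):
            alerts.append((e["pid"], "powershell_under_mshta"))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The local HTA (pid 500) and the PowerShell job started from explorer.exe (pid 600) produce no alert, which is the baseline a real rule would need to tune against.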

Related Campaign: CHAMELEON#NET Delivering Formbook

The discovery comes shortly after Securonix detailed another advanced malware operation dubbed CHAMELEON#NET, which uses phishing emails to distribute Formbook, a notorious information-stealing RAT.

How CHAMELEON#NET works:

This memory-only execution technique allows Formbook to bypass traditional antivirus tools and maintain persistence without leaving obvious traces on disk.

"Both JS#SMUGGLER and CHAMELEON#NET demonstrate the increasing sophistication of modern malware campaigns," said Aaron Beardslee, threat intelligence lead at Securonix. "Attackers are leveraging legitimate infrastructure, advanced obfuscation techniques, and multi-stage delivery chains to evade detection and maximize their success rates against enterprise targets."

Conclusion: The Evolution of Web-Based Threats

The JS#SMUGGLER and CHAMELEON#NET campaigns highlight a troubling trend: Attackers are increasingly using multi-stage, stealthy web-based infection chains to deliver remote-access malware through compromised, legitimate websites.

With layered obfuscation, device-aware targeting, in-memory execution, and evasive PowerShell techniques, these campaigns reflect the rising sophistication of modern malware operations targeting enterprise environments.

Security experts recommend organizations:

As malware campaigns continue to evolve in complexity, defenders must adopt multi-layered security approaches that go beyond traditional signature-based detection to effectively combat these advanced threats.

Tags: Cybersecurity, Malware, JS#SMUGGLER, NetSupport RAT, JavaScript Malware, Web Threats, PowerShell Attacks, Enterprise Security, Malware Analysis, RAT, Cyber Threats

Investigative Reporter - Published posts: 12
Joe Doe is a seasoned investigative reporter focusing on corporate transparency, financial crimes, and environmental policies. With years of experience, Joe brings in-depth insights into the challenges faced by businesses and governments in these areas.