Cyber Security News

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in ZIP archives with names like “Purchase request” or “Request for quote.” 

They enriched their phishing emails with authentic-looking documents like passports, tax registrations, and company cards, increasing their credibility and tricking victims into opening malicious attachments. 

The malicious script disguised as a PNG image downloads a decoy document from a remote server to deceive the user into believing it’s a legitimate file while potentially executing harmful actions in the background. 

Decoy document in PNG format

An attacker used a PNG image as a decoy to hide a payload, leveraging Windows 10’s built-in curl and bitsadmin utilities to download and execute a malicious BAT file, ultimately installing the main payload.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The BAT script downloads and installs modified NetSupport Manager components to the user’s AppData directory, potentially enabling remote access and control of the infected system. 

NetSupport RAT, often disguised as a browser update, infiltrates systems via malicious websites.

Once installed, it adds itself to the startup list and connects to a C&C server (xoomep1[.]com:1935 or xoomep2[.]com:1935) to enable remote control of the infected machine. 

Version A infection chain

The malicious JavaScript script, disguised as a legitimate Next.js file, downloads an intermediate script and then fetches a decoy TXT document and the NetSupport RAT installer, executing the latter to compromise the victim’s system.

By downloading NetSupport RAT components to the `%APPDATA%\EdgeCriticalUpdateService` directory, it executes the installer from a text document and uses the `EdgeCriticalUpdateService` autorun registry key for persistence. 

It disguised as a legitimate procurement request downloads and executes a malicious payload (BLD.exe) after obfuscating itself and the download link. It also downloads a decoy document to mask its malicious intent. 

Fully obfuscated version of the malicious script

A malicious NSIS installer disguised as a legitimate Silverlight update leverages DLL side-loading to execute a Remote Manipulator System (RMS) backdoor, stealing sensitive information and providing remote access to the compromised system.

Remote Management Software (RMS), also known as BurnsRAT, is a remote access tool that leverages RDP Wrapper to enable unauthorized remote access to Windows systems, allowing attackers to control infected devices, steal data, and execute malicious commands.

System information sent by the library

NetSupport RAT version D evolved from B, which uses a new link for the second script and fetches an intermediate PowerShell script to download and unpack the NetSupport RAT archive.

The NetSupport RAT delivery method has evolved, transitioning from external ZIP downloads to embedded archives within the script, whose size increased and the file header comment was altered. 

According to Secure List, a transition was made from text files to PDF documents for the bait files, and the RAT files were split up into two databases. 

The TA569 group launched a sustained campaign, initially using BurnsRAT and later transitioning to NetSupport RAT, delivered via a two-server infrastructure, with the goal being to gain unauthorized access to organizations, potentially leading to data theft, system damage, and ransomware attacks.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Kentico Xperience CMS Vulnerability Enables Remote Code Execution

In recent security research, vulnerabilities in the Kentico Xperience CMS have come to light, highlighting…

1 hour ago

Wazuh SIEM Vulnerability Enables Remote Malicious Code Execution

A critical vulnerability, identified as CVE-2025-24016, has been discovered in the Wazuh Security Information and…

1 hour ago

Espressif Systems Flaws Allow Hackers to Execute Arbitrary Code

A series of vulnerabilities has been discovered in Espressif Systems' ESP32 devices, specifically affecting the…

2 hours ago

AI Operator Agents Helping Hackers Generate Malicious Code

Symantec's Threat Hunter Team has demonstrated how AI agents like OpenAI's Operator can now perform…

2 hours ago

BlackLock Ransomware Strikes Over 40 Organizations in Just Two Months

In a concerning escalation of cyber threats, the BlackLock ransomware group has executed a series…

3 hours ago

Android Malware Disguised as DeepSeek Steals Users’ Login Credentials

A recent cybersecurity threat has emerged in the form of Android malware masquerading as the…

3 hours ago