
Cyber Hero MDR catches NetSupport RAT

ID: 389a0b2c-adf0-5e03-9950-36573b228d19

STIX ID: report--389a0b2c-adf0-5e03-9950-36573b228d19

Feed Name: ThreatLocker Blog

Threat Score: 70/100

Date Published: 2025-12-09

Date Updated: 2026-05-01


ThreatLocker observed a ClickFix social-engineering campaign that tricks users into running a crafted Run dialog command. The command follows a TinyURL -> approveis.info redirect to an MSI file masquerading as a .png. The MSI executes embedded PowerShell, which downloads and runs a second-stage script (u3u3l.ps1). That script drops 14 files, including a signed NetSupport RAT (client32.exe), establishes persistence, and clears the RunMRU registry history to erase evidence. The report includes indicators and mitigation recommendations: block Run dialog access, detect msiexec network activity, and monitor RunMRU deletion.
