Deploying NetSupport RAT via WordPress & ClickFix

Cybereason GSOC reports an active May 2025 campaign where attackers compromise websites and inject JavaScript to load a fake CAPTCHA that uses clipboard trickery to get Windows users to execute a command, which downloads and runs a staged NetSupport Client (client32.exe) with persistence and remote-control capabilities; the analysis includes technical details of the multi-stage chain, observed post-exploitation reconnaissance, IOCs (IPs, domains, hashes), and remediation recommendations.