JS#SMUGGLER: compromised websites used to deploy NetSupport RAT

09.12.2025 Author: Newsman

Cybersecurity researchers have uncovered a large-scale campaign dubbed JS#SMUGGLER, in which attackers leverage compromised websites to distribute the NetSupport Remote Access Trojan, granting full control over targeted corporate systems.

According to Securonix, the attack relies on a sophisticated multi-stage infection chain. It begins with a heavily obfuscated JavaScript loader injected into legitimate websites, followed by stealthy iframe-based redirections. The malicious flow adapts dynamically based on the victim’s device type.

On desktop systems, a malicious HTML Application (HTA) is launched via mshta.exe, executing encrypted PowerShell stagers. These stagers run directly in memory to evade detection and ultimately deploy NetSupport RAT. Once installed, the malware enables remote desktop access, file manipulation, command execution, data exfiltration, and proxy capabilities.
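For defenders, the desktop stage described above leaves a recognizable process lineage: mshta.exe loading an HTA from a URL, then mshta.exe starting PowerShell. The following hunting sketch is an added example, not code from Securonix or the original article; the event fields follow the Sysmon process-creation layout, and all hosts, URLs and command lines are constructed.

```python
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events (Sysmon Event ID 1 style fields).
EVENTS = [
    {"host": "ws-01",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/update.hta"},
    {"host": "ws-01",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command <constructed>"},
    {"host": "ws-02",  # benign: admin script started from the shell
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"host": "ws-03",  # benign: legacy HTA opened from local disk
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Tools\legacy-app.hta"},
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}


def classify(event):
    """Return the rule names a single process-creation event matches."""
    image = basename(event["Image"]).lower()
    parent = basename(event["ParentImage"]).lower()
    cmd = event["CommandLine"].lower()
    hits = []
    # mshta.exe fetching its HTA over the network rather than from disk
    if image == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        hits.append("mshta_remote_hta")
    # PowerShell whose parent is mshta.exe, i.e. script launched from an HTA
    if parent == "mshta.exe" and image in POWERSHELL_HOSTS:
        hits.append("mshta_spawns_powershell")
    return hits


def hunt(events):
    """Group hits by host; both rules on one host is the highest-priority case."""
    by_host = {}
    for ev in events:
        for rule in classify(ev):
            by_host.setdefault(ev["host"], set()).add(rule)
    return {h: ("high" if len(r) == 2 else "medium", sorted(r))
            for h, r in by_host.items()}


if __name__ == "__main__":
    for host, (severity, rules) in hunt(EVENTS).items():
        print(host, severity, rules)
```

Because the PowerShell stagers run in memory, process lineage and command-line telemetry are more useful here than file-based scanning.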

While researchers have not attributed the campaign to a known threat group or nation-state, its complexity suggests a professionally maintained malware infrastructure. The campaign primarily targets enterprise users and follows Securonix’s recent disclosure of CHAMELEON#NET, another multi-stage operation delivering the Formbook malware.

JS#SMUGGLER highlights how compromised websites remain a powerful delivery vector for modern malware. The combination of JavaScript obfuscation, HTA execution, and fileless PowerShell techniques presents a significant challenge to traditional security defenses.
