Hackers Use ClickFix Technique to Deploy NetSupport RAT Loaders

Cybercriminals are increasingly using a technique known as “ClickFix” to deploy the NetSupport remote administration tool (RAT) for malicious purposes.

According to a new report from eSentire’s Threat Response Unit (TRU), threat actors have shifted their primary delivery strategy from fake software updates to the ClickFix initial access vector throughout 2025.

This method abuses a legitimate remote support service to trick users into granting attackers control over their systems.

The attack leverages social engineering, where victims are lured to a ClickFix page and instructed to paste a malicious command into their Windows Run Prompt.

Executing this command triggers a multi-stage infection process, starting with a loader script that downloads and installs the NetSupport RAT, giving attackers full remote control over the compromised machine.

Evolving Loader Tactics

TRU researchers have identified several distinct loader types used in these campaigns. The most prevalent is ...