Cybersecurity researchers have uncovered a new web-based malware campaign called JS#SMUGGLER, which uses hacked websites to secretly infect users with a powerful remote access trojan known as NetSupport RAT.
According to security analysts at Securonix, the attack works in multiple stealthy stages. First, attackers inject an obfuscated JavaScript loader into legitimate but compromised websites. Once a user visits the infected site, hidden scripts silently redirect the victim and load additional malicious components in the background.
One of the most dangerous parts of this attack is its device-aware behavior. The malware checks whether the visitor is using a mobile device or a desktop system and then delivers different payloads accordingly—helping attackers stay hidden while maximizing successful infections.
The infection chain eventually leads to the execution of a hidden PowerShell payload using mshta.exe, which then downloads and installs NetSupport RAT. Once active, this malware gives attackers full control of the victim’s system, including:
- Remote desktop access
- File manipulation
- Command execution
- Data theft
- Proxy usage
Researchers note that this campaign is highly sophisticated and uses layered evasion techniques, including encrypted scripts, in-memory execution, and automatic cleanup to avoid leaving digital footprints.
At this time, there is no confirmed link to a known threat group or country, suggesting this is a broad, enterprise-targeted operation.
Security experts recommend:
- Strong Content Security Policy (CSP)
- PowerShell logging
- Restricting
mshta.exe - Script behavior monitoring
- Advanced behavioral analytics
This discovery follows another recent multi-stage malware campaign called CHAMELEON#NET, which uses phishing emails to spread the Formbook keylogger through heavily obfuscated JavaScript and VB.NET loaders.
Lesson:
Even trusted websites can become attack vectors. Staying updated, avoiding suspicious redirects, and enforcing proper endpoint security controls are more important than ever.
Source Ref:
https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
More Articles like this: https://johnojabo.com/it-wasnt-me-it-was-my-vendor-why-supply-chain-attacks-are-your-newest-headache/
https://johnojabo.com/the-new-face-of-scams-how-ai-is-supercharging-phishing/