Pulse name: How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme
WHITE | AlienVault | 2025-06-05 | Modified: 2025-07-05
73 IOCs (high volume)
A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses clipboard poisoning and fake CAPTCHAs to deliver the malware. The campaign involves multiple domains, uses ROT13 encoding, and creates persistent infections. Similar techniques were observed in other spoofed content, including Okta and popular media apps. The attack capitalizes on user familiarity with common online interactions, emphasizing the need for vigilance and skepticism in online activities.
Indicators of Compromise (18 / 73 total)