Fake DocuSign Sites Spread RAT via PowerShell Attacks

A new cyber campaign is leveraging fake websites impersonating popular services like DocuSign and Gitcode to deploy NetSupport RAT malware through multi-stage PowerShell scripts, according to researchers from the DomainTools Investigations team. The operation uses deceptive domains to lure users into downloading malicious scripts that initiate the infection process.

The attack begins when a user visits one of the spoofed websites. These sites host PowerShell downloaders designed to execute in multiple stages, ultimately delivering the remote access trojan. Once installed, NetSupport RAT allows attackers to gain full control over the compromised system, enabling surveillance, data theft, and further malware deployment.

The use of legitimate brand names such as DocuSign and Gitcode adds a layer of credibility to the lures, increasing the chances of successful compromise. Security analysts are warning users and organizations to exercise caution when interacting with online services and to verify domain authenticity before downloading any files.
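One way to automate the domain check recommended above, for example against proxy or DNS logs, is sketched below. This is an added example, not code from the DomainTools report: the list of official domains, the character swaps, the similarity threshold and the sample hostnames are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumption: registrable domains treated as official for each brand in the article.
OFFICIAL = {
    "docusign": ("docusign.com", "docusign.net"),
    "gitcode": ("gitcode.com",),
}
# Digit-for-letter swaps often used in look-alike names (constructed list).
SWAPS = str.maketrans("0135", "oles")
TYPO_THRESHOLD = 0.85  # assumed similarity cut-off for near-miss spellings


def classify_host(host):
    """Return (verdict, brand); verdict is 'official', 'lookalike' or 'unrelated'."""
    host = host.strip().rstrip(".").lower()
    for brand, domains in OFFICIAL.items():
        # Official only if the host IS the domain or a true subdomain of it.
        # The leading dot matters: a bare suffix match would accept any host
        # that merely ends with the brand's domain string.
        if any(host == d or host.endswith("." + d) for d in domains):
            return ("official", brand)
    folded = host.translate(SWAPS)
    squashed = re.sub(r"[^a-z0-9]", "", folded)  # drop dots and hyphens
    tokens = [t for t in re.split(r"[.\-]", folded) if t]
    for brand in OFFICIAL:
        # Brand name embedded anywhere in a host outside the official domains.
        if brand in squashed:
            return ("lookalike", brand)
        # Near-miss spelling of the brand inside a single label part.
        for tok in tokens:
            if SequenceMatcher(None, tok, brand).ratio() >= TYPO_THRESHOLD:
                return ("lookalike", brand)
    return ("unrelated", None)


# Constructed sample hostnames, not indicators from the reported campaign.
SAMPLES = [
    "www.docusign.com",
    "docusign.com.secure-login.example",
    "d0cu-sign.example",
    "docusing-verify.example",
    "git-code.example",
    "example.org",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:40} {classify_host(name)}")
```

A `lookalike` verdict is a triage signal for review or blocking, not proof of malice; the heuristic will also flag benign hosts that happen to contain a brand name.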
