
The threat landscape in web security is more dynamic and dangerous than ever. A recent example underscores the urgency: The attack campaign known as "JS#SMUGGLER" demonstrates with insidious sophistication how cybercriminals spread malware via compromised websites – in this case, the widespread remote access trojan (RAT) "NetSupport". Companies that inadequately protect their websites, users, and systems risk not only the loss of sensitive data but also operational control and – in the worst-case scenario – their very existence.
From the perspective of the executive level – from CIO and CISO to CEO – this example demonstrates one thing: IT security is no longer just a matter for systems and networks, but a central strategic risk area for corporate management. What does the threat look like in detail, what are the effects, and how should one respond?
JS#SMUGGLER is not a random malware infection, but the result of a meticulously planned, multi-stage attack chain that uses compromised websites to spread malware as discreetly as possible. The attack begins with a seemingly harmless JavaScript snippet that is integrated into a website as a so-called "loader" – usually without the knowledge of the responsible operators. This manipulation is the entry point for a sophisticated chain reaction aimed at compromising end devices and granting attackers unrestricted remote access.
Particularly insidious is the fact that the loaded scripts analyze in the background which device is accessing the website – desktop or mobile – and adjust the subsequent course of the infection accordingly. On mobile devices, a full-screen iframe is loaded, while desktop users are redirected to further, externally hosted malicious code. This "device-awareness" behavior was deliberately implemented to circumvent security measures such as sandboxing and analysis in virtual environments.
What follows is an HTA file (HTML Application) that is started using built-in Windows mechanisms such as "mshta.exe" and in turn initiates a PowerShell stager – an encrypted script temporarily stored in memory that downloads the actual malware and executes it unnoticed in the background.
The ultimate goal of the entire chain: NetSupport RAT – a remote access Trojan originally developed as a remote maintenance tool, but now primarily used in criminal contexts. With it, the attacker gains virtually unrestricted access to the infected system.
Perpetrators who operate almost invisibly to outsiders gain permanent access to workstation-based systems in this way – with potentially catastrophic consequences.
Crucially for managers, this campaign – like many modern attacks – does not target individuals, but primarily corporate systems. The goal is not simply to compromise individual computers. Rather, it opens the door to internal networks, sensitive databases, and connected systems.
Particularly at risk are:
The sophisticated design of the attack architecture significantly undermines conventional security measures. The JavaScript components are encrypted multiple times and, thanks to one-time execution triggers, leave virtually no forensic traces. Execution occurs in memory without creating traditional files – a so-called "fileless attack," which remains invisible to many antivirus solutions.
Furthermore, the HTA layer utilizes standard Windows tools such as mshta.exe and PowerShell – two tools that are not disabled in any company, but are often not adequately restricted either. Particularly dangerous is the fact that the entire process often occurs so quickly and silently that it is not reliably detected by firewalls or SIEM systems.
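As an added example (not part of the original article or any ProSec tooling), the mshta.exe-to-PowerShell hand-off described above can be surfaced from process-creation telemetry by walking parent-process lineage, including indirect chains through an intermediate process. The event format, PIDs, paths, file names and the command-line hint list are assumptions constructed for illustration.

```python
import json
import ntpath

# Constructed process-creation events (one JSON object per line, oldest first).
# PIDs, paths and command lines are invented for this example.
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Browser\\browser.exe", "cmd": "browser.exe"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\mshta.exe", "cmd": "mshta.exe C:\\Users\\u\\Downloads\\sample.hta"}
{"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -NoP -W Hidden -Enc <BASE64_PLACEHOLDER>"}
{"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe", "cmd": "mshta.exe sample2.hta"}
{"pid": 610, "ppid": 600, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c powershell.exe -WindowStyle Hidden -File stage.ps1"}
{"pid": 620, "ppid": 610, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -WindowStyle Hidden -File stage.ps1"}
"""

HTA_HOSTS = {"mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Generic "run quietly" command-line hints (an assumption, not taken from the article).
STEALTH_HINTS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop")

def find_hta_powershell_chains(log_text, max_depth=4):
    """Flag PowerShell processes that have mshta.exe within max_depth ancestors."""
    procs, alerts = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["name"] = ntpath.basename(ev["image"]).lower()
        procs[ev["pid"]] = ev  # remember every process so children can find it
        if ev["name"] not in POWERSHELL:
            continue
        chain, parent = [ev["name"]], procs.get(ev["ppid"])
        for _ in range(max_depth):  # bounded walk up the parent chain
            if parent is None:
                break
            chain.append(parent["name"])
            if parent["name"] in HTA_HOSTS:
                cmd = ev["cmd"].lower()
                alerts.append({"pid": ev["pid"], "chain": " <- ".join(chain),
                               "hints": [h for h in STEALTH_HINTS if h in cmd]})
                break
            parent = procs.get(parent["ppid"])
    return alerts

if __name__ == "__main__":
    for alert in find_hta_powershell_chains(SAMPLE_LOG):
        print(alert)
```

The PowerShell session started from explorer.exe (PID 500) is not flagged, which keeps ordinary administrative use out of the alert stream. Real telemetry also needs PID-reuse handling, for example keying on a process GUID instead of the PID.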
An attack via a seemingly trustworthy website, in which the operator itself becomes a victim, represents a particularly critical aspect. Why? The breach of trust has a twofold impact: firstly, towards the company's own visitors and customers, who are unknowingly infected with malware, and secondly, towards the company itself, which is unwittingly exploited as an accomplice in other attacks – for example, against partner companies or customers.
This is precisely where we enter the core area of white-collar crime. If an industrial website is affected, the malware can cause damage in downstream processes or supply networks and compromise subcontractors – with a direct impact on business relationships, contractual liabilities, and brand reputation.
Another aspect concerns the significant issue of industrial espionage. Once a NetSupport RAT has been successfully installed on a client system, there is a potential for monitoring processes, tracking mouse movements, gaining access to databases, and extracting code or blueprints. Companies with a high R&D density, development departments, and manufacturing industries with SAP or MES backends are particularly vulnerable. Web usage in these environments is often neglected – a serious mistake.
For CEOs, CFOs, CISOs, and CIOs, the question is no longer whether they will be attacked – but when. Companies that fail to secure their digital presence via websites with a holistic security approach are flying blind. Here's what you, as a leader, should take away from this:
As IT security specialists with a focus on industrial protection, vulnerability management, and incident readiness, we at ProSec offer proven and practical comprehensive protection for your company. Based on the current threat posed by JS#SMUGGLER, we recommend:
Our mission is clear: We help companies establish security as a permanent strategic capability – not as a reactive measure after an attack. We would be happy to offer you a no-obligation consultation.