Lazarus APT NetSupport RAT Analysis Report, Part 1

2025-02-03 Nurilab Lazarus APT NetSupport RAT Analysis Report, Part 1

https://blog.naver.com/nurilab1/223746489719

NuriLab reports a Lazarus-attributed NetSupport RAT campaign that used fake CAPTCHA instructions to push victims into running a PowerShell command. The chain created C:/Users/Public/as, downloaded a ZIP from 147.45.xx.200, extracted NetSupport Manager components, and launched client32.exe with a client32.ini configured to connect to attacker C2. The lure reportedly impersonated Raiffeisen Bank International and targeted Ukrainians, combining social engineering with signed remote-access tooling to reduce suspicion.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   5d5e67fb50030d44113ab3fff345319…   2025-02-03   2025-02-03
IPv4   147.45.44.200                      2025-02-03   2025-02-03
IPv4   147.45.44.201                      2025-02-03   2025-02-03
