home.social

#netsupport — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #netsupport, aggregated by home.social.

  1. 2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT

    A #pcap of the traffic, associated files, and a list of IOCs are available at malware-traffic-analysis.net/2

    cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.

  6. ClickFix Removes Your Background but Leaves the Malware

    BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.

    Pulse ID: 69f36a0940fe2fa665ebe32e
    Pulse Link: otx.alienvault.com/pulse/69f36
    Pulse Author: AlienVault
    Created: 2026-04-30 14:41:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault

  11. #TDR analysts deep dived into a widespread malicious JavaScript framework injected into 3,800+ WordPress sites to distribute #NetSupport RAT via the #ClickFix social engineering tactic.

    blog.sekoia.io/meet-iclickfix-

  12. 2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.

    Details at www.malware-traffic-analysis.net/2025/12/29/index.html

    Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.

    The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.

  15. "Medved" attacks: what we learned about a group's phishing campaign targeting Russian organizations

    In October 2025, we, the cyber intelligence team of the Threat Intelligence department, recorded ongoing phishing activity by a hacker group that we named NetMedved. The rationale for choosing this name is covered in the final part of the article. The attacks are aimed at Russian organizations; the final payload is a malicious version of the legitimate remote administration tool NetSupport Manager (hereinafter NetSupportRAT). In this article we describe the specifics of the campaign and its connection to our previous findings.

    habr.com/ru/companies/pt/artic

    #киберразведка #расследование_инцидентов #кибератаки #хакерская_группировка #хакерские_инструменты #фишинговые_письма #вредоносное_программное_обеспечение #малварь #finger #netsupport

  19. 2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)

    Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.

    Other sites have injected script that redirects to the URL for the fake CAPTCHA page.

    Direct example (compromised site --> script for CAPTCHA page):

    - hxxps[:]//mexicobusiness[.]news/
    - hxxps[:]//clouwave[.]net/ajax/pixi.min.js

    Redirect example (compromised site --> Redirect URL --> script for CAPTCHA page):

    - hxxps[:]//myvocabulary[.]com/
    - hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
    - hxxps[:]//clouwave[.]net/ajax/pixi.min.js

    Either way, you get the same CAPTCHA page.

    IOCs at github.com/malware-traffic/ind

    cc: @monitorsg

  22. 2025-08-20 (Wednesday): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2.

    Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/index.html

  25. 2025-07-15 (Tuesday): Tracking #SmartApeSG

    The SmartApeSG script injected into a page from a compromised website leads to a #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

    Compromised site (same as yesterday):

    - medthermography[.]com

    URLs for ClickFix style fake verification page:

    - warpdrive[.]top/jjj/include.js
    - warpdrive[.]top/jjj/index.php?W11WzmLj
    - warpdrive[.]top/jjj/buffer.js?409a8bdbd9

    Running the script for NetSupport RAT:

    - sos-atlanta[.]com/lal.ps1
    - sos-atlanta[.]com/lotu.zip?l=4773

    #NetSupport RAT server (same as yesterday):

    - 185.163.45[.]87:443

  28. 2025-07-14 (Monday): #SmartApeSG script injected into a page from a compromised website leads to a #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

    Compromised site:

    - medthermography[.]com

    URLs for ClickFix style fake verification page:

    - lebensversicherungvergleich[.]top/jjj/include.js
    - lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
    - lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971

    Running the script for NetSupport RAT:

    - affordableasphalt-paving[.]com/lal.ps1
    - affordableasphalt-paving[.]com/lotu.zip?l=3526

    #NetSupport RAT server:

    - 185.163.45[.]87:443

  31. 2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.

    The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.

    A #pcap from an infection, the associated #malware samples, and #IOCs are available at malware-traffic-analysis.net/2

  33. It is hard to admit, but the level of technical specialists among providers is falling fast.

    And I am not writing this about the small home-network providers. 😟

    #ukraine #netsupport

  34. #webshell #opendir #netsupport #rat at:

    https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/

    GatewayAddress=95.179.158.213:443
    RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA

  36. 2024-12-24 (Tuesday)

    #SmartApeSG infection chain starting with we-careu[.]xyz/work/original.js from compromised site.

    Ends with #NetSupport #RAT using the same 194.180.191[.]64 C2 address we've seen since November.

  37. 2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.

    Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.

    A #pcap of the infection traffic, associated malware samples and more information is available at malware-traffic-analysis.net/2

    NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.

    #FakeUpdates #NetSupportRAT

  38. 2024-12-13 (Friday): ww.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT

    Saw 2 injected scripts, one for jitcom[.]info and one for best-net[.]biz.

    Pivoting on best-net[.]biz in URLscan shows signs of six other possibly compromised sites: urlscan.io/search/#best-net.bi

    Those possibly compromised sites are:

    - destinationbedfordva[.]com
    - exceladept[.]com
    - thefilmverdict[.]com
    - thenapministry[.]com
    - www.estatesale-finder[.]com
    - www.freepetchipregistry[.]com

    I haven't tried them yet to confirm, but that's always been the case when I pivot on the SmartApeSG domains in URLscan.

    #NetSupportRAT C2 for this campaign since as early as 2024-11-22 has been 194.180.191[.]64

  39. 2024-12-11 (Wednesday): Zip archive containing #NetSupport #RAT (#NetSupportRAT) package hosted at hxxps[:]//homeservicephiladelphia[.]info/work/yyy.zip

    The C2 for this NetSupport package is 194.180.191[.]64, which is a known NetSupport C2 active since 2024-11-22, per ThreatFox: threatfox.abuse.ch/ioc/1346763

    Nothing new on the NetSupport side. I'm sure that hosting URL is part of an infection chain, but I don't know what's leading to it.

  40. The Russian cybercrime group FIN7 ran a network of fake AI undressing sites that delivered credential stealing malware to those who uploaded pictures. I gotta say, this is one group of cybercrime victims that I don't feel sorry for.

    silentpush.com/blog/fin7-malwa

    #FIN7 #Russia #Cybercrime #NetSupport #NetSupportRAT #RAT #Malware #CredentialTheft #AI #Deepfake #Deepfakes #DeepNude #DeepNueds #SilentPush

  41. Want to know the ins and outs of how we craft detection for our customers? Our new blog series covers the technical research that goes into each and every @snort rule, IP block and more. First up, we're covering the #NetSupport RAT blog.talosintelligence.com/det

  42. BattleRoyal's use of email and fake updates to deliver #DarkGate and #NetSupport is unique but aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied, and increasingly creative attack chains to enable malware delivery.

  43. And here’s an example attack chain observed in late November, also leveraging Keitaro TDS to deliver #NetSupport.

  44. We just published details on a new activity cluster we are temporarily calling #BattleRoyal. It started distributing #DarkGate using distinct GroupIDs from Sept - Nov, then switched to #NetSupport. Delivery methods include email and fake update lures proofpoint.com/us/blog/threat-

  45. Thanks for hosting a great event featuring innovation, collaboration and networking, Edutech Europe! 🐧🍎

    Read Linux Professional Institute (LPI) Team Member Massimiliano Roveri's recap to learn more about the role of , , and in : lpi.org/qy7y