#NetSupportRAT

2025-06-05

How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme

A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses clipboard poisoning and fake CAPTCHAs to deliver the malware. The campaign involves multiple domains, uses ROT13 encoding, and creates persistent infections. Similar techniques were observed in other spoofed content, including Okta and popular media apps. The attack capitalizes on user familiarity with common online interactions, emphasizing the need for vigilance and skepticism in online activities.

Pulse ID: 684209ff0c889eabbed70e8b
Pulse Link: otx.alienvault.com/pulse/68420
Pulse Author: AlienVault
Created: 2025-06-05 21:19:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CAPTCHA #Clipboard #CyberSecurity #InfoSec #Mac #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #PowerShell #RAT #Rust #Windows #bot #AlienVault

2025-06-04

A New Campaign Distributing NetSupport RAT via Malicious PowerShell Scripts

Hashes (SHA-256) - here is the full list of key information: 1.0xpaste, 1.4m-2.5m.1m, 2.3m

Pulse ID: 683faa1dd35a0d3e4ad9d227
Pulse Link: otx.alienvault.com/pulse/683fa
Pulse Author: cryptocti
Created: 2025-06-04 02:06:21

#CyberSecurity #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #PowerShell #RAT #bot #cryptocti

2025-05-23

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically includes PowerShell commands and the use of legitimate Windows tools to download and execute additional payloads. Common malware delivered through this technique includes Lumma Stealer, NetSupport RAT, and SectopRAT. The success of ClickFix relies heavily on social engineering and user interaction, making user education and awareness crucial in mitigating these attacks. Recommendations include training users to recognize suspicious requests, restricting PowerShell execution, and deploying advanced EDR solutions.

Pulse ID: 682f9d00cee548c073778038
Pulse Link: otx.alienvault.com/pulse/682f9
Pulse Author: AlienVault
Created: 2025-05-22 21:54:08

#CAPTCHA #CyberSecurity #EDR #Education #InfoSec #InfoStealer #LummaStealer #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #PowerShell #RAT #SMS #SocialEngineering #Spam #Windows #bot #AlienVault

2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.

The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.

A #pcap from an infection, the associated #malware samples, and #IOCs are available at malware-traffic-analysis.net/2

Compromised website showing SmartApeSG page for fake browser update.
Traffic from an infection filtered in Wireshark.
NetSupport RAT persistent on an infected Windows host.
Zip archive and extracted files for follow-up StealC malware.

Social media post I wrote for my employer at linkedin.com/posts/unit42_smar
and x.com/Unit42_Intel/status/1892

2025-02-18 (Tuesday): Legitimate but compromised websites with an injected script for #SmartApeSG lead to a fake browser update page that distributes #NetSupportRAT malware. During an infection run, we saw follow-up malware for #StealC. More info at github.com/PaloAltoNetworks/Un

A #pcap from the infection traffic, the associated malware, and other info are available at malware-traffic-analysis.net/2

2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.

Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.

A #pcap of the infection traffic, associated malware samples and more information is available at malware-traffic-analysis.net/2

NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.

#FakeUpdates #NetSupportRAT

Screenshot of the browser window for a fake update page after visiting a compromised website at banks-canada[.]com.
Example of SmartApeSG injected script highlighted in orange in HTML code from a page from the compromised site. The URL from this injected script is hxxps[:]//depostsolo[.]biz/work/original.js
Traffic from an infection filtered in Wireshark showing the NetSupport RAT post-infection traffic to 194.180.191[.]64 over TCP port 443. All of the SmartApeSG and fake browser update page traffic prior to the NetSupport RAT activity is over HTTPS.
The NetSupport RAT installation persistent on an infected Windows host. Shows the Windows registry entry for persistence and the associated NetSupport RAT files. The files are located in a hidden directory at C:\ProgramData\cvkfkmt\ with the NetSupport RAT executable client32.exe using client32.ini for its configuration to use the malicious C2 server at 194.180.191[.]64.
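A defender-side check for the persistence described in this post, added here as an example that is not part of the post or of any Unit 42 tooling: given the text of a client32.ini and the path it was found at, flag a NetSupport install whose gateway matches the C2 named above (194.180.191[.]64, refanged) or that lives under ProgramData instead of a normal install directory. The sample INI is constructed; its [HTTP]/GatewayAddress layout is assumed to mirror a real NetSupport Manager client32.ini, and the expected install directories are assumed defaults, so adjust both to what your environment actually deploys.

```python
import configparser
from pathlib import PureWindowsPath
from typing import Dict, List, Set

# C2 from the post (defanged there as 194.180.191[.]64).
KNOWN_C2: Set[str] = {"194.180.191.64"}

# Assumed default install locations for a sanctioned NetSupport Manager client.
EXPECTED_DIRS = {
    PureWindowsPath(r"C:\Program Files\NetSupport\NetSupport Manager"),
    PureWindowsPath(r"C:\Program Files (x86)\NetSupport\NetSupport Manager"),
}

# Constructed sample: a config as it might sit next to client32.exe in the
# hidden directory named in the post. Key names assume NetSupport's layout.
SAMPLE_INI = """[Client]
_present=1
[HTTP]
GatewayAddress=194.180.191.64
Port=443
SecondaryGateway=
"""
SAMPLE_PATH = r"C:\ProgramData\cvkfkmt\client32.ini"


def triage_client32(ini_text: str, ini_path: str,
                    known_c2: Set[str] = KNOWN_C2) -> Dict[str, object]:
    """Parse a client32.ini and report why (if at all) it looks malicious."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ini_text)
    gateway = (cp.get("HTTP", "GatewayAddress", fallback="") or "").strip()
    port = (cp.get("HTTP", "Port", fallback="") or "").strip()

    parent = PureWindowsPath(ini_path).parent
    findings: List[str] = []

    if gateway in known_c2:
        findings.append(f"gateway {gateway} matches a known NetSupport RAT C2")
    if parent not in EXPECTED_DIRS:
        findings.append(f"config outside an expected install directory: {parent}")
    if len(parent.parts) > 1 and parent.parts[1].lower() == "programdata":
        findings.append("installed under ProgramData rather than Program Files")

    return {
        "gateway": gateway,
        "port": port,
        "directory": str(parent),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for line in triage_client32(SAMPLE_INI, SAMPLE_PATH)["findings"]:
        print("-", line)
```

On a live host the same function can be fed the contents of every client32.ini found under C:\ProgramData, C:\Users and similar user-writable trees; a legitimate deployment will normally resolve its gateway to a known internal host and sit in one of the expected directories, so any hit is worth a look at the registry autorun entry the post mentions.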

2024-12-13 (Friday): ww.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT

Saw 2 injected scripts, one for jitcom[.]info and one for best-net[.]biz.

Pivoting on best-net[.]biz in URLscan shows signs of six other possibly compromised sites: urlscan.io/search/#best-net.bi

Those possibly compromised sites are:

- destinationbedfordva[.]com
- exceladept[.]com
- thefilmverdict[.]com
- thenapministry[.]com
- www.estatesale-finder[.]com
- www.freepetchipregistry[.]com

I haven't tried them yet to confirm, but that's always been the case when I pivot on the SmartApeSG domains in URLscan.

#NetSupportRAT C2 for this campaign since as early as 2024-11-22 has been 194.180.191[.]64

2024-12-11 (Wednesday): Zip archive containing #NetSupport #RAT (#NetSupportRAT) package hosted at hxxps[:]//homeservicephiladelphia[.]info/work/yyy.zip

The C2 for this NetSupport package is 194.180.191[.]64, which is a known NetSupport C2 active since 2024-11-22, per ThreatFox: threatfox.abuse.ch/ioc/1346763

Nothing new on the NetSupport side. I'm sure that hosting URL is part of an infection chain, but I don't know what's leading to it.

2024-11-07

7-Zip #FakeApp observed serving #NetSupportRat

https[:]//7zlp2024[.]shop

>>

0511file24.msix (b3a95ec7b1e7e73ba59d3e7005950784d2651fcd2b0e8f24fa665f89a7404a56)

MGJFFRT466
NSM301071

62.76.234[.]49:443

Sean Whalen 👨🏼‍🦼🏳️‍🌈🇺🇦🕊️ (seanthegeek@infosec.exchange)
2024-10-02

The Russian cybercrime group FIN7 ran a network of fake AI undressing sites that delivered credential stealing malware to those who uploaded pictures. I gotta say, this is one group of cybercrime victims that I don't feel sorry for.

silentpush.com/blog/fin7-malwa

#FIN7 #Russia #Cybercrime #NetSupport #NetSupportRAT #RAT #Malware #CredentialTheft #AI #Deepfake #Deepfakes #DeepNude #DeepNueds #SilentPush

2024-07-11

#SmartApeSG dropping #NetSupportRAT

SmartApeSG:
hxxps[://]luxurycaborental[.]com/cdn-vs/original.js
hxxps[://]luxurycaborental[.]com/cdn-vs/cache.php?

PowerShell:
hxxp[://]dfwreds[.]com/data.php

NetSupportRAT
hxxp[://]94[.]158[.]245[.]103/fakeurl.htm

#threatintel
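The indicators in this post are defanged (hxxps[://], [.]) so they cannot be clicked by accident; before they can be matched against logs they have to be refanged and split into URLs, domains and IPs. The following Python does that and then checks a few constructed proxy log lines against the result. It is an added example, not code from the post or from any tool it mentions; the post text is the input, and the log lines are made up.

```python
import ipaddress
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Input: the defanged indicators exactly as they appear in the post above.
SAMPLE_POST = """SmartApeSG:
hxxps[://]luxurycaborental[.]com/cdn-vs/original.js
hxxps[://]luxurycaborental[.]com/cdn-vs/cache.php?

PowerShell:
hxxp[://]dfwreds[.]com/data.php

NetSupportRAT
hxxp[://]94[.]158[.]245[.]103/fakeurl.htm
"""

# Constructed proxy log lines (not from the post) to match the IOCs against.
SAMPLE_PROXY_LOG = [
    "2024-07-11T10:02:13Z 10.0.0.5 GET https://luxurycaborental.com/cdn-vs/original.js 200",
    "2024-07-11T10:02:14Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-07-11T10:02:19Z 10.0.0.5 POST http://94.158.245.103/fakeurl.htm 200",
]

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
# Bare hostnames or dotted-quad IPs that appear outside a URL.
BARE_HOST_RE = re.compile(
    r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b|\b(?:\d{1,3}\.){3}\d{1,3}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the usual defanging conventions (hxxp, [://], [:], [.], (.), {.})."""
    for defanged, clean in (("[://]", "://"), ("[:]//", "://"), ("[:]", ":"),
                            ("[.]", "."), ("(.)", "."), ("{.}", ".")):
        text = text.replace(defanged, clean)
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def _classify(host: str, iocs: Dict[str, Set[str]]) -> None:
    """Put a host into the ips or domains bucket."""
    try:
        ipaddress.ip_address(host)
        iocs["ips"].add(host)
    except ValueError:
        iocs["domains"].add(host.lower())


def extract_iocs(text: str) -> Dict[str, Set[str]]:
    """Refang a report and return its URLs, domains and IPs as sets."""
    clean = refang(text)
    iocs: Dict[str, Set[str]] = {"urls": set(), "domains": set(), "ips": set()}
    for url in URL_RE.findall(clean):
        url = url.rstrip(".,;)")
        iocs["urls"].add(url)
        host = urlsplit(url).hostname
        if host:
            _classify(host, iocs)
    # Anything that is still a host after the URLs are blanked out.
    for host in BARE_HOST_RE.findall(URL_RE.sub(" ", clean)):
        _classify(host, iocs)
    return iocs


def match_log(lines: List[str], iocs: Dict[str, Set[str]]) -> List[str]:
    """Return the log lines whose request host is one of the IOC domains/IPs."""
    watch = iocs["domains"] | iocs["ips"]
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host and host.lower() in watch:
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_POST)
    for kind in ("urls", "domains", "ips"):
        print(kind, sorted(found[kind]))
    for hit in match_log(SAMPLE_PROXY_LOG, found):
        print("HIT", hit)
```

Matching on the parsed hostname rather than substring-searching the whole line avoids false positives on paths such as cache.php that happen to contain dots, and the refang step handles the bracket styles used across the posts on this page, not only this one.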

Captain Cyberbeard (CaptCyberBeard)
2023-11-20

🚨 Ahoy, cyber sailors! The NetSupport RAT be lurkin' in digital depths. 🏴‍☠️💻 Dive into our blog for tales of this deceptive foe. Be ready to parry its tricks! 🛡️⚔️

🔗 Read More 📖cybercorsair.blogspot.com/2023

2023-08-03

#FakeSG / #RogueRaticate leading to #netsupportrat

ebodyfit[.]com/wp-content/uploads/ultimatemember/58/downloading-(114.0.522735.199%20(Official%20Build).url

ebodyfit[.]com/wp-content/uploads/ultimatemember/57/consciousnessx.hta

ebodyfit[.]com/wp-content/uploads/ultimatemember/56/housealba.zip

ebodyfit[.]com/wp-content/uploads/ultimatemember/56/clients32.exe

#threatintel #IOCs

Fake Chrome update
2023-02-23

The registrant "genafontc" appears to be shared by some #NetSupportRAT #c2 domains like manigiajabae32[.]com
ktalarisa18[.]com
aonukanand11[.]com

2022-11-15

The #sczriptzzbn campaign which normally delivers #netsupportRAT, #solarmarker or #icedID is currently redirecting to a tech support scam :blobeyes:

friscomusicgroup[.]com/br2

existsupport22[.]z13[.]web[.]core[.]windows[.]net

2020-05-22

‘Coronavirus Report’ Emails Spread NetSupport RAT, Microsoft Warns - Attackers used malicious Excel 4.0 documents to spread the weaponized NetSupport RAT in a spear-ph... more: threatpost.com/coronavirus-ema #microsoftsecurityintelligence #remoteaccesstool #netsupportrat #spearphishing #websecurity #coronavirus #microsoft #covid-19 #excel4.0

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst