#netsupportrat

2025-07-15 (Tuesday): Tracking #SmartApeSG

The SmartApeSG script injected into a page from a compromised website leads to a #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

Compromised site (same as yesterday):

- medthermography[.]com

URLs for ClickFix style fake verification page:

- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9

Running the script for NetSupport RAT:

- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773

#NetSupport RAT server (same as yesterday):

- 185.163.45[.]87:443

Traffic from an infection filtered in Wireshark and HTTPS URLs shown in Fiddler.

2025-07-14 (Monday): #SmartApeSG script injected into a page from a compromised website leads to a #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

Compromised site:

- medthermography[.]com

URLs for ClickFix style fake verification page:

- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971

Running the script for NetSupport RAT:

- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526

#NetSupport RAT server:

- 185.163.45[.]87:443

Screenshot of ClickFix-style fake verification page with text for the script injected into the viewer's hijacked clipboard.

Traffic from an infection filtered in Wireshark.

NetSupport RAT persistent on an infected Windows host through a Windows registry update.

2025-07-10

Deploying NetSupport RAT via WordPress & ClickFix

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.

Pulse ID: 6870355e6a5f2386068698a0
Pulse Link: otx.alienvault.com/pulse/68703
Pulse Author: AlienVault
Created: 2025-07-10 21:49:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CAPTCHA #CyberSecurity #InfoSec #Java #JavaScript #Malware #NetSupport #NetSupportManager #NetSupportRAT #OTX #OpenThreatExchange #Phishing #RAT #RDP #Word #Wordpress #bot #AlienVault

2025-07-10

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetSupport RAT, Latrodectus, and Lumma Stealer. ClickFix lures often use clipboard hijacking and can bypass standard detection controls. The article provides case studies of recent campaigns, hunting tips for detecting ClickFix infections, and recommendations for proactive defense measures. It emphasizes the importance of user education and implementing robust security controls to mitigate this evolving threat.

Pulse ID: 686ffe0f30bfbdfa037e4168
Pulse Link: otx.alienvault.com/pulse/686ff
Pulse Author: AlienVault
Created: 2025-07-10 17:53:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Clipboard #CyberSecurity #Education #InfoSec #LummaStealer #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #SocialEngineering #bot #AlienVault

Example 1: #RunFix

As of 2025-07-03, the #SmartApeSG campaign is using RunFix style #ClickFix pages to distribute #NetSupportRAT

Screenshot of a "RunFix" style ClickFix page from the SmartApeSG campaign.

Details of network traffic from a NetSupport RAT infection via "RunFix" style ClickFix.

2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT

URL sequence leading to ClickFix:

- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa

URL sequence after running ClickFix script:

- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928

SHA256 hash for smks.zip archive containing NetSupport RAT package:

3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5

NetSupportRAT C2: 185.163.45[.]30:443

cc: @monitorsg

Injected SmartApeSG script in page from legitimate but compromised website. This injected script leads to the ClickFix page.

Example of the ClickFix page and script injected into a victim's clipboard (clipboard hijacking) that the victim is asked to paste into the Run window and run.

URL sequence for the ClickFix page and the URLs for NetSupport RAT.

Traffic from the infection filtered in Wireshark, showing the NetSupport RAT C2 traffic.

👾 Top threats in June 2025.
#BRAODO Stealer abusing GitHub, obfuscated scripts dropping #Remcos, and BAT files delivering #NetSupportRAT.

See detailed breakdown of these attacks and gather threat intel for proactive defense ⬇️
any.run/cybersecurity-blog/cyb

2025-06-18 (Wednesday): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2

A #pcap of the traffic, the malware/artifacts, and some IOCs are available at malware-traffic-analysis.net/2.

Today's the 12th anniversary of my first blog post on malware-traffic-analysis.net, so I made this post a bit more old school.

HTML source of page from legitimate but compromised site showing SmartApeSG injected script.

Example of a ClickFix-style page caused by the injected SmartApeSG script. A victim must click to get the popup and follow the instructions to paste and run the malicious script.

Traffic from an infection filtered in Wireshark. This shows the NetSupport RAT C2 traffic and StealC v2 traffic.

2025-06-18

New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks

Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.

Pulse ID: 684c90509889eb77ff43d758
Pulse Link: otx.alienvault.com/pulse/684c9
Pulse Author: AlienVault
Created: 2025-06-13 20:55:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #FakeBrowser #ICS #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #PowerShell #RAT #ZIP #bot #AlienVault

2025-06-17

What year is it?!
PowerShell dropper staged on Pastebin, payload is #netsupportrat, C2 at PSINet.

hXXps://pastebin[.]com/raw/bhFVRquV
-> hXXps://care4hygiene[.]com/kliapaza.zip
---> 38[.]132[.]101[.]38:443

2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.

The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.

A #pcap from an infection, the associated #malware samples, and #IOCs are available at malware-traffic-analysis.net/2

Compromised website showing SmartApeSG page for fake browser update.

Traffic from an infection filtered in Wireshark.

NetSupport RAT persistent on an infected Windows host.

Zip archive and extracted files for follow-up StealC malware.

Social media post I wrote for my employer at linkedin.com/posts/unit42_smar
and x.com/Unit42_Intel/status/1892

2025-02-18 (Tuesday): Legitimate but compromised websites with an injected script for #SmartApeSG lead to a fake browser update page that distributes #NetSupportRAT malware. During an infection run, we saw follow-up malware for #StealC. More info at github.com/PaloAltoNetworks/Un

A #pcap from the infection traffic, the associated malware, and other info are available at malware-traffic-analysis.net/2

2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.

Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.

A #pcap of the infection traffic, associated malware samples and more information is available at malware-traffic-analysis.net/2

NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.

#FakeUpdates #NetSupportRAT

Screenshot of the browser window for a fake update page after visiting a compromised website at banks-canada[.]com.

Example of SmartApeSG injected script highlighted in orange in HTML code from a page from the compromised site. The URL from this injected script is hxxps[:]//depostsolo[.]biz/work/original.js

Traffic from an infection filtered in Wireshark showing the NetSupport RAT post-infection traffic to 194.180.191[.]64 over TCP port 443. All of the SmartApeSG and fake browser update page traffic prior to the NetSupport RAT activity is over HTTPS.

The NetSupport RAT installation persistent on an infected Windows host. Shows the Windows registry entry for persistence and the associated NetSupport RAT files. The files are located in a hidden directory at C:\ProgramData\cvkfkmt\ with the NetSupport RAT executable client32.exe using client32.ini for its configuration to use the malicious C2 server at 194.180.191[.]64.
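The posts in this timeline carry their indicators in several defanged styles (`[.]`, `hxxps[://]`, `https[:]//`), and the post above notes that the NetSupport client reads its C2 from client32.ini. The following hunting script is an added example, not code from any of the posts or from NetSupport: it refangs the C2 indicators quoted on this page, pulls the gateway address out of a client32.ini and checks it, and flags connection log lines whose destination is a known C2. The client32.ini layout it expects (an `[HTTP]` section with a `GatewayAddress=host:port` key) is an assumption about the file format, and the sample INI text and the connection log lines are constructed for the demo.

```python
"""Hunt for the NetSupport RAT C2 indicators quoted in the posts above.

Added example; not code from the posts or from NetSupport. The client32.ini
layout ([HTTP] / GatewayAddress=host:port) is an assumption, and the sample
INI and connection log below are constructed.
"""
import configparser
import re
from urllib.parse import urlsplit

# C2 / hosting indicators copied from the posts, in the defanged forms they appear in.
DEFANGED_IOCS = [
    "185.163.45[.]87:443",
    "185.163.45[.]30:443",
    "194.180.191[.]64",
    "38[.]132[.]101[.]38:443",
    "62.76.234[.]49:443",
    "hxxps[://]luxurycaborental[.]com/cdn-vs/original.js",
    "hxxp[://]94[.]158[.]245[.]103/fakeurl.htm",
    "sos-atlanta[.]com/lal.ps1",
    "https[:]//7zlp2024[.]shop",
]


def refang(indicator):
    """Undo the defanging styles seen in the posts: [://], [:]//, [.] and hxxp(s)."""
    s = indicator.strip()
    s = s.replace("[://]", "://").replace("[:]//", "://").replace("[.]", ".")
    return re.sub(r"^hxxp(s?)(?=://)", r"http\1", s, flags=re.IGNORECASE)


def indicator_host_port(indicator):
    """Return (hostname, port or None) for a URL, host/path, ip:port or bare IP indicator."""
    s = refang(indicator)
    if "://" not in s:
        s = "//" + s  # give urlsplit a netloc marker so the leading token is parsed as the host
    parts = urlsplit(s)
    return parts.hostname.lower(), parts.port


def build_watchlist(defanged=DEFANGED_IOCS):
    """Map each indicator hostname to the set of ports it was reported with."""
    watch = {}
    for ioc in defanged:
        host, port = indicator_host_port(ioc)
        ports = watch.setdefault(host, set())
        if port is not None:
            ports.add(port)
    return watch


# Constructed client32.ini; the section/key names are an assumption about the format.
SAMPLE_CLIENT32_INI = """\
[Client]
_present=1
SysTray=0
silent=1
Usernames=*
[HTTP]
CMPI=60
GatewayAddress=194.180.191.64:443
Port=443
SecondaryGateway=
"""


def gateway_from_client32_ini(ini_text):
    """Extract (host, port) from the [HTTP] GatewayAddress key, or None if absent."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cfg.read_string(ini_text)
    if not cfg.has_option("HTTP", "GatewayAddress"):
        return None
    host, _, port = cfg.get("HTTP", "GatewayAddress").partition(":")
    return host.strip().lower(), (int(port) if port.strip().isdigit() else None)


def check_host(ini_text, watchlist):
    """Return a finding string if the configured gateway is a known C2 host, else None."""
    gw = gateway_from_client32_ini(ini_text)
    if gw and gw[0] in watchlist:
        return f"client32.ini gateway {gw[0]}:{gw[1]} matches known NetSupport RAT C2"
    return None


# Constructed connection log: "<timestamp> <src> -> <dst>:<dport> <proto>".
SAMPLE_CONN_LOG = [
    "2025-07-15T14:02:11Z 10.0.0.25 -> 185.163.45.87:443 tcp",
    "2025-07-15T14:02:13Z 10.0.0.25 -> 203.0.113.5:443 tcp",  # benign placeholder destination
    "2025-07-15T14:05:40Z 10.0.0.31 -> 194.180.191.64:443 tcp",
    "malformed line that should be skipped",
]
CONN_LINE = re.compile(r"^\S+\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)")


def check_connections(lines, watchlist):
    """Return (src, dst, dport) for every well-formed line whose destination is on the watchlist."""
    hits = []
    for line in lines:
        m = CONN_LINE.match(line)
        if not m:
            continue
        dst = m.group("dst").lower()
        if dst in watchlist:
            hits.append((m.group("src"), dst, int(m.group("dport"))))
    return hits


if __name__ == "__main__":
    wl = build_watchlist()
    print(check_host(SAMPLE_CLIENT32_INI, wl))
    for src, dst, dport in check_connections(SAMPLE_CONN_LOG, wl):
        print(f"{src} contacted known NetSupport RAT C2 {dst}:{dport}")
```

Matching is done on hostname only, with the reported port kept for context, since a C2 host seen on a new port is still worth a look; swap the constructed log parser for your own proxy or Zeek conn.log fields when running this against real data.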

2024-12-13 (Friday): ww.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT

Saw 2 injected scripts, one for jitcom[.]info and one for best-net[.]biz.

Pivoting on best-net[.]biz in URLscan shows signs of six other possibly compromised sites: urlscan.io/search/#best-net.bi

Those possibly compromised sites are:

- destinationbedfordva[.]com
- exceladept[.]com
- thefilmverdict[.]com
- thenapministry[.]com
- www.estatesale-finder[.]com
- www.freepetchipregistry[.]com

I haven't tried them yet to confirm, but that's always been the case when I pivot on the SmartApeSG domains in URLscan.

#NetSupportRAT C2 for this campaign since as early as 2024-11-22 has been 194.180.191[.]64

2024-12-11 (Wednesday): Zip archive containing #NetSupport #RAT (#NetSupportRAT) package hosted at hxxps[:]//homeservicephiladelphia[.]info/work/yyy.zip

The C2 for this NetSupport package is 194.180.191[.]64, which is a known NetSupport C2 active since 2024-11-22, per ThreatFox: threatfox.abuse.ch/ioc/1346763

Nothing new on the NetSupport side. I'm sure that hosting URL is part of an infection chain, but I don't know what's leading to it.

2024-11-07

7-Zip #FakeApp observed serving #NetSupportRat

https[:]//7zlp2024[.]shop

>>

0511file24.msix (b3a95ec7b1e7e73ba59d3e7005950784d2651fcd2b0e8f24fa665f89a7404a56)

MGJFFRT466
NSM301071

62.76.234[.]49:443

Sean Whalen 👨🏼‍🦼🏳️‍🌈🇺🇦🕊️ seanthegeek@infosec.exchange
2024-10-02

The Russian cybercrime group FIN7 ran a network of fake AI undressing sites that delivered credential stealing malware to those who uploaded pictures. I gotta say, this is one group of cybercrime victims that I don't feel sorry for.

silentpush.com/blog/fin7-malwa

#FIN7 #Russia #Cybercrime #NetSupport #NetSupportRAT #RAT #Malware #CredentialTheft #AI #Deepfake #Deepfakes #DeepNude #DeepNueds #SilentPush

Jérôme Segura jeromesegura@infosec.exchange
2024-07-11

#SmartApeSG dropping #NetSupportRAT

SmartApeSG:
hxxps[://]luxurycaborental[.]com/cdn-vs/original.js
hxxps[://]luxurycaborental[.]com/cdn-vs/cache.php?

PowerShell:
hxxp[://]dfwreds[.]com/data.php

NetSupportRAT
hxxp[://]94[.]158[.]245[.]103/fakeurl.htm

#threatintel
