{"id":13282,"date":"2026-06-01T04:03:47","date_gmt":"2026-06-01T04:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/01\/33034\/"},"modified":"2026-06-01T04:03:47","modified_gmt":"2026-06-01T04:03:47","slug":"33034","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/01\/33034\/","title":{"rendered":"Unidentified RAT pushes NetSupport RAT, (Mon, Jun 1st)"},"content":{"rendered":"<p>    Unidentified RAT pushes NetSupport RAT, (Mon, Jun 1st)<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p><em><strong>Introduction<\/strong><\/em><\/p>\n<p>This diary provides indicators from an unidentified RAT infection on Wednesday 2026-05-27 that was followed by a malicious NetSupport Manager RAT package. This originated from the SmartApeSG ClickFix campaign. I still don&#8217;t know the name of the initial RAT, but it has consistently been generating encoded (not HTTPS\/SSL\/TLS) traffic to a command and control (C2) server at\u00a0<span style=\"font-family:Courier New,Courier,monospace;\">89.110.110[.]119<\/span> over TCP port 443 since I first noticed it sometime in April 2026.<\/p>\n<p><em><strong>Images from the infection<\/strong><\/em><\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-06-01-ISC-diary-image-01a.png?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-06-01-ISC-diary-image-01.png?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Fake verification page with ClickFix instructions from the SmartApeSG campaign.<\/em><\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-06-01-ISC-diary-image-02a.png?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-06-01-ISC-diary-image-02.png?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Initial RAT malware on an infected Windows host.<\/em><\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-06-01-ISC-diary-image-03a.png?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-06-01-ISC-diary-image-03.png?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: Follow-up files for NetSupport RAT sent through the initial RAT C2 traffic.<\/em><\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-06-01-ISC-diary-image-04a.png?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-06-01-ISC-diary-image-04.png?ssl=1\" style=\"border-width: 2px; border-style: solid;\"><\/a><br \/>\n<em>Shown above: NetSupport RAT C2 traffic.<\/em><\/p>\n<p><em><strong>Indicators of Compromise<\/strong><\/em><\/p>\n<p>Example of SmartApeSG URLs seen on Wednesday 2026-05-27:<\/p>\n<ul style=\"margin-left: 40px;\">\n<li><span style=\"font-family:Courier New,Courier,monospace;\">hxxps[:]\/\/hiddenplanetlab[.]top\/signin\/secure-util.js<\/span><\/li>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">hxxps[:]\/\/hiddenplanetlab[.]top\/signin\/private-template?c66kjD5i<\/span><\/li>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">hxxps[:]\/\/hiddenplanetlab[.]top\/signin\/legacy-worker.js?18b3825af007e53d<\/span><\/li>\n<\/ul>\n<p>Example of traffic generated by running the associated ClickFix script:<\/p>\n<ul style=\"margin-left: 40px;\">\n<li><span style=\"font-family:Courier New,Courier,monospace;\">hxxp[:]\/\/178.156.165[.]82\/<\/span><\/li>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">hxxp[:]\/\/178.156.173[.]194\/<\/span><\/li>\n<li><span style=\"font-family:Courier New,Courier,monospace;\">hxxps[:]\/\/silverharvestnetwork[.]com\/check<\/span><\/li>\n<\/ul>\n<p>Initial RAT C2 traffic:<\/p>\n<ul style=\"margin-left: 40px;\">\n<li><span style=\"font-family:Courier New,Courier,monospace;\">tcp[:]\/\/89.110.110[.]119:443\/<\/span><\/li>\n<\/ul>\n<p>IP address for NetSupport RAT C2 server:<\/p>\n<ul style=\"margin-left: 40px;\">\n<li><span style=\"font-family:Courier New,Courier,monospace;\">hxxp[:]\/\/185.163.47[.]217:443<\/span><\/li>\n<\/ul>\n<p>Files from the infection:<\/p>\n<p>SHA256 hash: <a href=\"https:\/\/www.virustotal.com\/gui\/file\/1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976\"><span style=\"font-family:Courier New,Courier,monospace;\">1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976<\/span><\/a><\/p>\n<ul style=\"margin-left: 40px;\">\n<li>File size: 26,555,757 bytes<\/li>\n<li>File type: Zip archive data, at least v2.0 to extract<\/li>\n<li>File location: <span style=\"font-family:Courier New,Courier,monospace;\">hxxps[:]\/\/silverharvestnetwork[.]com\/check<\/span>\n<\/li>\n<li>File description: Zip archive containing software package for the initial RAT.<\/li>\n<\/ul>\n<p>SHA256 hash: <a href=\"https:\/\/www.virustotal.com\/gui\/file\/469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5\"><span style=\"font-family:Courier New,Courier,monospace;\">469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5<\/span><\/a><\/p>\n<ul style=\"margin-left: 40px;\">\n<li>File size: 109 bytes<\/li>\n<li>File type: ASCII text<\/li>\n<li>File location: <span style=\"font-family:Courier New,Courier,monospace;\">C:ProgramDataprocessor.vbs<\/span>\n<\/li>\n<li>File description: Initial script that runs token.bat<\/li>\n<\/ul>\n<p>SHA256 hash: <a href=\"https:\/\/www.virustotal.com\/gui\/file\/9c7eda2c4d3aaa8746495741bef57a07de180f0409409faf0f91658e88ba33f5\"><span style=\"font-family:Courier New,Courier,monospace;\">9c7eda2c4d3aaa8746495741bef57a07de180f0409409faf0f91658e88ba33f5<\/span><\/a><\/p>\n<ul style=\"margin-left: 40px;\">\n<li>File size: 8,262 bytes<\/li>\n<li>File type: DOS batch file text, ASCII text, with very long lines<\/li>\n<li>File location: <span style=\"font-family:Courier New,Courier,monospace;\">C:ProgramDatatoken.bat<\/span>\n<\/li>\n<li>File description: Batch scrip that extracts, runs, and makes persistent NetSupport RAT from setub.cab<\/li>\n<\/ul>\n<p>SHA256 hash: <a href=\"https:\/\/www.virustotal.com\/gui\/file\/7ba5481c873bb3081442561f749f590badd72ef249fddfe993e30b28dc0c2112\"><span style=\"font-family:Courier New,Courier,monospace;\">7ba5481c873bb3081442561f749f590badd72ef249fddfe993e30b28dc0c2112<\/span><\/a><\/p>\n<ul style=\"margin-left: 40px;\">\n<li>File size: 17,275,805 bytes<\/li>\n<li>File type: Microsoft Cabinet archive data<\/li>\n<li>File location: <span style=\"font-family:Courier New,Courier,monospace;\">C:ProgramDatasetup.cab<\/span>\n<\/li>\n<li>File description: CAB file containing malicious NetSupport RAT package<\/li>\n<li>Contents of this CAB file extracted to:\u00a0<span style=\"font-family:Courier New,Courier,monospace;\">C:ProgramDataUpdateInstaller<\/span>\n<\/li>\n<\/ul>\n<p>Note 1: The files <span style=\"font-family:Courier New,Courier,monospace;\">processor.vbs<\/span>, <span style=\"font-family:Courier New,Courier,monospace;\">token.bat<\/span>, and\u00a0<span style=\"font-family:Courier New,Courier,monospace;\">setup.cab<\/span> are all deleted by the\u00a0<span style=\"font-family:Courier New,Courier,monospace;\">token.bat<\/span> script after it installs the malicious NetSupport RAT package and makes it persistent on the infected Windows host.<\/p>\n<p>Note 2: The indicators for this activity (domains, file hashes, etc.) change on a daily basis. For more up-to-date indicators on SmartApeSG and similar campaigns, see the <a href=\"https:\/\/infosec.exchange\/@monitorsg\">@monitorsg feed<\/a> on Mastodon.<\/p>\n<p>&#8212;<br \/>\nBradley Duncan<br \/>\nbrad [at] malware-traffic-analysis.net<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><\/p>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/isc.sans.edu\/diary\/rss\/33034\">Go to isc.sans.edu<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unidentified RAT pushes NetSupport RAT, (Mon, Jun 1st) Introduction This diary provides indicators from an unidentified RAT infection on Wednesday 2026-05-27 that was followed by a malicious NetSupport Manager RAT package. This originated from the SmartApeSG ClickFix campaign. I still don&#8217;t know the name of the initial RAT, but it has consistently been generating encoded [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-13282","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13282"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13282"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13282\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}