#NetSupportRAT
Beware of the evolving SmartApeSG campaign using the ClickFix technique to deploy NetSupport RAT via fake CAPTCHA prompts. Stay vigilant and educate users on these deceptive tactics. #CyberSecurity #ClickFix #NetSupportRAT Link: thedailytechfeed.com/smartapesg-u...
November 15, 2025 at 6:24 PM
ISC diary: #SmartApeSG campaign uses #ClickFix page to push #NetSupportRAT https://isc.sans.edu/diary/32474
November 12, 2025 at 9:51 PM
2025-09-22 (Monday) #SmartApeSG campaign using #FileFix style #ClickFix technique on its fake CAPTCHA page for #NetSupportRAT. Script sent to victim through #clipboardhijacking downloads MSI from founderevo[.]com/res/velvet when pasted into a File Manager window (www.virustotal.com/gui/file/958...)
September 22, 2025 at 7:20 PM
6/ TAG-150 also deploys other malware families, including #SectopRAT, #WarmCookie, #HijackLoader, and #NetSupportRAT, as well as numerous stealers: #Stealc, #RedLine, #Rhadamanthys, #DeerStealer, #MonsterV2, and more.
September 4, 2025 at 3:05 PM
2025-08-20 (Wed): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2. Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/i...
August 20, 2025 at 11:21 PM
2025-07-22 (Tuesday): Tracking the #SmartApeSG campaign using #ClickFix to push #NetSupportRAT. Details at: github.com/malware-traf...
July 22, 2025 at 6:58 PM
2025-07-17 (Thursday): Tracking the #SmartApeSG campaign for #ClickFix pages pushing #NetSupportRAT. Details at github.com/malware-traf...
July 17, 2025 at 2:09 PM
2025-07-15 (Tuesday): Some different IOCs from the #SmartApeSG #ClickFix page today.

warpdrive[.]top <-- domain used for SmartApeSG injected script and to display ClickFix page.

sos-atlanta[.]com <-- domain from script injected into clipboard and to retrieve #NetSupportRAT malware package
July 15, 2025 at 7:18 PM
2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.
July 14, 2025 at 11:22 PM
Potatocriminals exploit compromised WordPress sites using the ClickFix technique to deploy NetSupport RAT, granting unauthorized remote access. Stay vigilant! #PotatoSecurity #NetSupportRAT #ClickFix Link: thedailytechfeed.com/potatocrimina...
July 8, 2025 at 5:20 PM
Cybercriminals exploit compromised WordPress sites using the ClickFix technique to deploy NetSupport RAT, granting unauthorized remote access. Stay vigilant! #CyberSecurity #NetSupportRAT #ClickFix Link: thedailytechfeed.com/cybercrimina...
July 8, 2025 at 4:29 PM
June 27, 2025 at 7:13 PM
2025-06-18 (Wed): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2

A #pcap of the traffic, the malware/artifacts, and some IOCs are available at www.malware-traffic-analysis.net/2025/06/18/i....

Today's the 12th anniversary of my blog, so I made this post a bit more old school.
June 19, 2025 at 4:23 AM
Cybercriminals are using fake DocuSign and GitCode sites to deploy NetSupport RAT via multi-stage PowerShell attacks. Stay vigilant and verify sources before executing scripts. #CyberSecurity #Phishing #NetSupportRAT Link: thedailytechfeed.com/cybercrimina...
June 4, 2025 at 2:01 PM
5 Active Malware Campaigns in Q1 2025

https://cybersonar.org/go/mbazdE
Posted at 12:00

#CybersecurityLapse #MalwareEvolving #NetSupportRAT
February 28, 2025 at 7:21 AM
Post I wrote for my employer on other social media:

2025-02-18 (Tues): Legit but compromised websites with injected script for #SmartApeSG lead to a fake browser update for #NetSupportRAT malware. During an infection run, we saw follow-up malware for #StealC. Details at github.com/PaloAltoNetw...
February 19, 2025 at 4:01 PM
NetSupport RAT attacks surge via ClickFix distribution; criminals gain full system control. #Cybersecurity #NetSupportRAT #ClickFix
NetSupport RAT Use Surges via ClickFix Distribution
www.esentire.com
February 11, 2025 at 7:33 PM
BLOG POST: A write-up on some infrastructure we were tracking during 2024, connected to both SmartApeSG and NetSupportRAT activities. They do usually follow one another around but we've exposed direct links from a management and oversight perspective.

www.team-cymru.com/post/tracing...
Uncovering Cyber Threat Networks: SmartApeSG & NetSupport RAT | Cymru
Explore how Internet telemetry analysis exposed hidden cyber threat connections between SmartApeSG, NetSupport RAT, Quasar RAT, and cryptocurrency scams. Request a demo!
www.team-cymru.com
February 4, 2025 at 1:29 PM
The latest blog post from Team Cymru's S2 Research Team demonstrates how exploring internet telemetry data can uncover interconnected threats - in this case, the link between SmartApeSG and NetSupportRat. www.team-cymru.com/post/tracing...
February 4, 2025 at 10:38 AM
2024-12-17 (Tues): #SmartApeSG injected script leads to fake browser update page that leads to #NetSupport #RAT infection. A #pcap of the infection traffic, associated malware samples and more information is available at www.malware-traffic-analysis.net/2024/12/17/i...

#FakeUpdates #NetSupportRAT
December 17, 2024 at 4:57 AM
2024-12-13 (Friday): www.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT. 2 injected scripts: jitcom[.]info and best-net[.]biz.

Pivoting on best-net[.]biz in URLscan shows signs of six other compromised sites: urlscan.io/search/#best...

#NetSupportRAT
December 13, 2024 at 6:56 PM
2024-12-11 (Wednesday): Zip archive containing #NetSupport #RAT hosted at hxxps[:]//homeservicephiladelphia[.]info/work/yyy.zip

C2 for this NetSupport package is 194.180.191[.]64, which is a known NetSupport C2 active since 2024-11-22, per ThreatFox: threatfox.abuse.ch/ioc/1346763/

#NetSupportRAT
December 11, 2024 at 6:39 PM