mastodon.ie

Brad2025-07-15 (Tuesday): Tracking <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> The SmartApeSG script injected into page from compromised website leads to <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#ClickFix</a> style fake verification page. ClickFix-ing you way through this leads to a <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> infection.Compromised site (same as yesterday): - medthermography[.]comURLs for ClickFix style fake verification page:- warpdrive[.]top/jjj/include.js - warpdrive[.]top/jjj/index.php?W11WzmLj - warpdrive[.]top/jjj/buffer.js?409a8bdbd9Running the script for NetSupport RAT:- sos-atlanta[.]com/lal.ps1 - sos-atlanta[.]com/lotu.zip?l=4773<a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> RAT server (same as yesterday):- 185.163.45[.]87:443

Brad2025-07-14 (Monday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> script injected into page from compromised website leads to <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#ClickFix</a> style fake verification page. ClickFix-ing you way through this leads to a <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> infection.Compromised site: - medthermography[.]comURLs for ClickFix style fake verification page:- lebensversicherungvergleich[.]top/jjj/include.js - lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX - lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971Running the script for NetSupport RAT:- affordableasphalt-paving[.]com/lal.ps1 - affordableasphalt-paving[.]com/lotu.zip?l=3526<a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> RAT server:- 185.163.45[.]87:443

OTX BotDeploying NetSupport RAT via WordPress & ClickFixA threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.Pulse ID: 6870355e6a5f2386068698a0 Pulse Link: <a href="https://otx.alienvault.com/pulse/6870355e6a5f2386068698a0" rel="nofollow noopener" translate="no" target="_blank">https://otx.alienvault.com/pulse/6870355e6a5f2386068698a0</a> Pulse Author: AlienVault Created: 2025-07-10 21:49:18Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/CAPTCHA" class="mention hashtag" rel="nofollow noopener" target="_blank">#CAPTCHA</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Java" class="mention hashtag" rel="nofollow noopener" target="_blank">#Java</a> <a href="https://social.raytec.co/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#JavaScript</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> <a href="https://social.raytec.co/tags/NetSupportManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportManager</a> <a href="https://social.raytec.co/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/RDP" class="mention hashtag" rel="nofollow noopener" target="_blank">#RDP</a> <a href="https://social.raytec.co/tags/Word" class="mention hashtag" rel="nofollow noopener" target="_blank">#Word</a> <a href="https://social.raytec.co/tags/Wordpress" class="mention hashtag" rel="nofollow noopener" target="_blank">#Wordpress</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#AlienVault</a>

OTX BotFix the Click: Preventing the ClickFix Attack VectorThis article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetSupport RAT, Latrodectus, and Lumma Stealer. ClickFix lures often use clipboard hijacking and can bypass standard detection controls. The article provides case studies of recent campaigns, hunting tips for detecting ClickFix infections, and recommendations for proactive defense measures. It emphasizes the importance of user education and implementing robust security controls to mitigate this evolving threat.Pulse ID: 686ffe0f30bfbdfa037e4168 Pulse Link: <a href="https://otx.alienvault.com/pulse/686ffe0f30bfbdfa037e4168" rel="nofollow noopener" translate="no" target="_blank">https://otx.alienvault.com/pulse/686ffe0f30bfbdfa037e4168</a> Pulse Author: AlienVault Created: 2025-07-10 17:53:19Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/Clipboard" class="mention hashtag" rel="nofollow noopener" target="_blank">#Clipboard</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/Education" class="mention hashtag" rel="nofollow noopener" target="_blank">#Education</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#LummaStealer</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> <a href="https://social.raytec.co/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#SocialEngineering</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#AlienVault</a>

BradExample 1: <a href="https://infosec.exchange/tags/RunFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#RunFix</a>As of 2025-07-03, the <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> campaign is using RunFix style <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#ClickFix</a> pages to distribute <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a>

Brad2025-06-27 (Friday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> infection chain leading to <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#ClickFix</a> lure leading to <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a>URL sequence leading to ClickFix:- palcomp3[.]top/sss/buf.js - palcomp3[.]top/sss/index.php?GQX1KqUM - palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfaURL sequence after running ClickFix script:- camplively[.]com/all.php - camplively[.]com/smks.zip?lap=3928SHA256 hash for smks.zip archive containing NetSupport RAT package:3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5NetSupportRAT C2: 185.163.45[.]30:443cc: <a href="https://infosec.exchange/@monitorsg" class="u-url mention" rel="nofollow noopener" target="_blank">@monitorsg</a>

Brad2025-06-18 (Wednesday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> --> <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#ClickFix</a> lure --> <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> --> <a href="https://infosec.exchange/tags/StealCv2" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealCv2</a>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> of the traffic, the malware/artifacts, and some IOCs are available at <a href="https://www.malware-traffic-analysis.net/2025/06/18/index.html" rel="nofollow noopener" translate="no" target="_blank">https://www.malware-traffic-analysis.net/2025/06/18/index.html</a>.Today's the 12th anniversary of my first blog post on malware-traffic-analysis.net, so I made this post a bit more old school.

Paul MelsonWhat year is it?! PowerShell dropper staged on Pastebin, payload is <a href="https://infosec.exchange/tags/netsupportrat" class="mention hashtag" rel="nofollow noopener" target="_blank">#netsupportrat</a>, C2 at PSINet. hXXps://pastebin[.]com/raw/bhFVRquV -> hXXps://care4hygiene[.]com/kliapaza.zip ---> 38[.]132[.]101[.]38:443

Pyrzout :vm:GrayAlpha Operation Detection: The Fin7-Affiliated Group Spreads PowerNet Loader, NetSupport RAT, and MaskBat Loader – Source: socprime.com <a href="https://ciso2ciso.com/grayalpha-operation-detection-the-fin7-affiliated-group-spreads-powernet-loader-netsupport-rat-and-maskbat-loader-source-socprime-com/" rel="nofollow noopener" translate="no" target="_blank">https://ciso2ciso.com/grayalpha-operation-detection-the-fin7-affiliated-group-spreads-powernet-loader-netsupport-rat-and-maskbat-loader-source-socprime-com/</a> <a href="https://social.skynetcloud.site/tags/rssfeedpostgeneratorecho" class="mention hashtag" rel="nofollow noopener" target="_blank">#rssfeedpostgeneratorecho</a> <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurityNews</a> <a href="https://social.skynetcloud.site/tags/PowerNetLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#PowerNetLoader</a> <a href="https://social.skynetcloud.site/tags/Latestthreats" class="mention hashtag" rel="nofollow noopener" target="_blank">#Latestthreats</a> <a href="https://social.skynetcloud.site/tags/MaskBatLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#MaskBatLoader</a> <a href="https://social.skynetcloud.site/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> <a href="https://social.skynetcloud.site/tags/socprimecom" class="mention hashtag" rel="nofollow noopener" target="_blank">#socprimecom</a> <a href="https://social.skynetcloud.site/tags/GrayAlpha" class="mention hashtag" rel="nofollow noopener" target="_blank">#GrayAlpha</a> <a href="https://social.skynetcloud.site/tags/socprime" class="mention hashtag" rel="nofollow noopener" target="_blank">#socprime</a> <a href="https://social.skynetcloud.site/tags/Blog" class="mention hashtag" rel="nofollow noopener" target="_blank">#Blog</a> <a href="https://social.skynetcloud.site/tags/FIN7" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIN7</a> <a href="https://social.skynetcloud.site/tags/RaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#RaaS</a>

Brad2025-03-26 (Wednesday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> traffic for a fake browser update page leads to a <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> infection. A zip archive for <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a> sent over the <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> C2 traffic.The <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a> infection uses DLL side-loading by a legitimate EXE to <a href="https://infosec.exchange/tags/sideload" class="mention hashtag" rel="nofollow noopener" target="_blank">#sideload</a> the malicious DLL.A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> from an infection, the associated <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> samples, and <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#IOCs</a> are available at at <a href="https://www.malware-traffic-analysis.net/2025/03/26/index.html" rel="nofollow noopener" translate="no" target="_blank">https://www.malware-traffic-analysis.net/2025/03/26/index.html</a>

BradSocial media post I wrote for my employer at <a href="https://www.linkedin.com/posts/unit42_smartapesg-netsupportrat-stealc-activity-7297994624814432256-HOrX/" rel="nofollow noopener" translate="no" target="_blank">https://www.linkedin.com/posts/unit42_smartapesg-netsupportrat-stealc-activity-7297994624814432256-HOrX/</a> and <a href="https://x.com/Unit42_Intel/status/1892229005702471868" rel="nofollow noopener" translate="no" target="_blank">https://x.com/Unit42_Intel/status/1892229005702471868</a>2025-02-18 (Tuesday): Legitimate but compromised websites with an injected script for <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> lead to a fake browser update page that distributes <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> malware. During an infection run, we saw follow-up malware for <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#StealC</a>. More info at <a href="https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt" rel="nofollow noopener" translate="no" target="_blank">https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt</a>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> from the infection traffic, the associated malware, and other info are available at <a href="https://malware-traffic-analysis.net/2025/02/18/index.html" rel="nofollow noopener" translate="no" target="_blank">https://malware-traffic-analysis.net/2025/02/18/index.html</a>

Brad2024-12-17 (Tuesday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> injected script leads to fake browser update page, and that page leads to a <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> infection. Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using using depostsolo[.]biz and one using tactlat[.]xyz.A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> of the infection traffic, associated malware samples and more information is available at <a href="https://www.malware-traffic-analysis.net/2024/12/17/index.html" rel="nofollow noopener" translate="no" target="_blank">https://www.malware-traffic-analysis.net/2024/12/17/index.html</a>NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.<a href="https://infosec.exchange/tags/FakeUpdates" class="mention hashtag" rel="nofollow noopener" target="_blank">#FakeUpdates</a> <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a>

Brad2024-12-13 (Friday): ww.anceltech[.]com compromised with <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> leading to <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a>Saw 2 injected scripts, one for jitcom[.]info and best-net[.]biz.Pivoting on best-net[.]biz in URLscan show signs of six other possibly compromised sites: <a href="https://urlscan.io/search/#best-net.biz" rel="nofollow noopener" translate="no" target="_blank">https://urlscan.io/search/#best-net.biz</a>Those possibly compromised sites are:- destinationbedfordva[.]com - exceladept[.]com - thefilmverdict[.]com - thenapministry[.]com - www.estatesale-finder[.]com - www.freepetchipregistry[.]comI haven't tried them yet to confirm, but that's always been the case when I pivot on the SmartApeSG domains in URLscan.<a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> C2 for this campaign since as early as 2024-11-22 has been 194.180.191[.]64

Brad2024-12-11 (Wednesday): Zip archive containing <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> (<a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a>) package hosted at hxxps[:]//homeservicephiladelphia[.]info/work/yyy.zipThe C2 for this NetSupport package is 194.180.191[.]64, which is a known NetSupport C2 active since 2024-11-22, per ThreatFox: <a href="https://threatfox.abuse.ch/ioc/1346763/" rel="nofollow noopener" translate="no" target="_blank">https://threatfox.abuse.ch/ioc/1346763/</a>Nothing new on the NetSupport side. I'm sure that hosting URL is part of an infection chain, but I don't know what's leading to it.

MalasadaTech7-Zip <a href="https://infosec.exchange/tags/FakeApp" class="mention hashtag" rel="nofollow noopener" target="_blank">#FakeApp</a> observed serving <a href="https://infosec.exchange/tags/NetSupportRat" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRat</a>https[:]//7zlp2024[.]shop >> 0511file24.msix (b3a95ec7b1e7e73ba59d3e7005950784d2651fcd2b0e8f24fa665f89a7404a56)MGJFFRT466 NSM30107162.76.234[.]49:443

Sean Whalen 👨🏼‍🦼🏳️‍🌈🇺🇦🕊️The Russian cybercrime group FIN7 ran a network of fake AI undressing sites that delivered credential stealing malware to those who uploaded pictures. I gotta say, this is one group of cybercrime victims that I don't feel sorry for.<a href="https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/" rel="nofollow noopener" translate="no" target="_blank">https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/</a><a href="https://infosec.exchange/tags/FIN7" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIN7</a> <a href="https://infosec.exchange/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russia</a> <a href="https://infosec.exchange/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybercrime</a> <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupport</a> <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://infosec.exchange/tags/CredentialTheft" class="mention hashtag" rel="nofollow noopener" target="_blank">#CredentialTheft</a> <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#AI</a> <a href="https://infosec.exchange/tags/Deepfake" class="mention hashtag" rel="nofollow noopener" target="_blank">#Deepfake</a> <a href="https://infosec.exchange/tags/Deepfakes" class="mention hashtag" rel="nofollow noopener" target="_blank">#Deepfakes</a> <a href="https://infosec.exchange/tags/DeepNude" class="mention hashtag" rel="nofollow noopener" target="_blank">#DeepNude</a> <a href="https://infosec.exchange/tags/DeepNueds" class="mention hashtag" rel="nofollow noopener" target="_blank">#DeepNueds</a> <a href="https://infosec.exchange/tags/SilentPush" class="mention hashtag" rel="nofollow noopener" target="_blank">#SilentPush</a>

Jérôme Segura<a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmartApeSG</a> dropping <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> SmartApeSG: hxxps[://]luxurycaborental[.]com/cdn-vs/original.js hxxps[://]luxurycaborental[.]com/cdn-vs/cache.php?PowerShell: hxxp[://]dfwreds[.]com/data.phpNetSupportRAT hxxp[://]94[.]158[.]245[.]103/fakeurl.htm<a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a>

Jérôme Segura<a href="https://infosec.exchange/tags/FakeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#FakeSG</a> / <a href="https://infosec.exchange/tags/RogueRaticate" class="mention hashtag" rel="nofollow noopener" target="_blank">#RogueRaticate</a> leading to <a href="https://infosec.exchange/tags/netsupportrat" class="mention hashtag" rel="nofollow noopener" target="_blank">#netsupportrat</a> ebodyfit[.]com/wp-content/uploads/ultimatemember/58/downloading-(114.0.522735.199%20(Official%20Build).urlebodyfit[.]com/wp-content/uploads/ultimatemember/57/consciousnessx.htaebodyfit[.]com/wp-content/uploads/ultimatemember/56/housealba.zipebodyfit[.]com/wp-content/uploads/ultimatemember/56/clients32.exe<a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#IOCs</a>

invoke-ericThe registrant "genafontc" appears to be shared by some <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetSupportRAT</a> <a href="https://infosec.exchange/tags/c2" class="mention hashtag" rel="nofollow noopener" target="_blank">#c2</a> domains like manigiajabae32[.]com ktalarisa18[.]com aonukanand11[.]com

Recent searches

Search options

Administered by:

Server stats:

#netsupportrat