Okendo Reviews Supply Chain Attack

On May 14, 2026, a supply chain attack was discovered targeting the Okendo Reviews widget, a customer review platform used by over 18,000 brands. The threat actor injected malicious JavaScript code into the legitimate widget, which is deployed on high-traffic e-commerce pages including storefronts and product pages. The compromised JavaScript acted as a staged loader, using obfuscation, localStorage tracking, User-Agent filtering, and XOR-based decoding to conceal next-stage infrastructure. The attack employed ClickFix-style social engineering to deceive users into executing malicious commands, ultimately delivering remote access trojans like NetSupport and Remcos, or information stealers such as StealC. Affected websites received hundreds of thousands to millions of monthly visitors, with nearly 15,000 blocks recorded in a single day.

Pulse ID: 6a3408141101549b20c17550
Pulse Link: https://otx.alienvault.com/pulse/6a3408141101549b20c17550
Pulse Author: AlienVault
Created: 2026-06-18 15:00:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Java #JavaScript #NetSupport #OTX #OpenThreatExchange #RCE #Remcos #RemoteAccessTrojan #SocialEngineering #Stealc #SupplyChain #Trojan #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Investigation of email-based attack delivering MediaFire ZIP file with execution chain analysis

An investigation revealed a malicious email campaign directing victims to download a ZIP file from MediaFire. The infection chain began with a Python setup executable (Setu.exe) that side-loaded a malicious 400 MB python37.dll containing repeated byte padding. The DLL performed process injection into dllhost.exe, establishing communication with a C2 server at 138.124.186.2:7000. The threat actor deployed three persistence mechanisms: a PowerShell-based path, a fake EdgeUpdate Python executable with scheduled task, and NetSupport RMM as a third access method. The analysis highlights the importance of comparing file timestamps during triage to identify malicious artifacts within compressed archives.

Pulse ID: 6a30df4495796498a192312a
Pulse Link: https://otx.alienvault.com/pulse/6a30df4495796498a192312a
Pulse Author: AlienVault
Created: 2026-06-16 05:29:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Edge #Email #InfoSec #NetSupport #OTX #OpenThreatExchange #PowerShell #Python #SMS #ZIP #bot #AlienVault

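The triage point at the end of the post above (compare member timestamps inside the archive, and treat an oversized file that is mostly one repeated byte as suspect) as an added Python example; this is not code from the pulse or from the original investigation. The archive is constructed in memory, member names other than Setu.exe and python37.dll are made up, and the padding-ratio threshold is an assumed heuristic for the 400 MB DLL the post describes.

```python
import io
import zipfile
from collections import Counter


def padding_ratio(data: bytes) -> float:
    """Fraction of the file occupied by its single most common byte value.
    Assumption: a PE that is almost entirely one repeated byte has been padded
    to inflate its size, which is how the post describes python37.dll."""
    if not data:
        return 0.0
    return Counter(data).most_common(1)[0][1] / len(data)


def triage_archive(zip_bytes: bytes) -> dict:
    """Return {member name: {"mtime": 6-tuple, "outlier": bool, "padding_ratio": float}}.
    A member is an outlier when its stored modification time differs from the
    archive's modal timestamp, i.e. it was added apart from the bulk of the files."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        modal_mtime = Counter(i.date_time for i in members).most_common(1)[0][0]
        for info in members:
            data = zf.read(info)
            report[info.filename] = {
                "mtime": info.date_time,
                "outlier": info.date_time != modal_mtime,
                "padding_ratio": round(padding_ratio(data), 3),
            }
    return report


def suspicious_members(report: dict, pad_threshold: float = 0.9) -> list:
    """Names that fail either check, sorted for stable output."""
    return sorted(n for n, r in report.items()
                  if r["outlier"] or r["padding_ratio"] >= pad_threshold)


def build_sample_zip() -> bytes:
    """Constructed sample: three files from one packaging run plus a DLL added later
    that is almost entirely one repeated byte. Contents are fake; only Setu.exe and
    python37.dll are names taken from the post, the other names are made up."""
    bulk, later = (2024, 3, 10, 12, 0, 0), (2026, 6, 1, 9, 30, 0)
    fake_pe = b"MZ" + bytes(range(256)) * 4          # varied bytes, low padding ratio
    members = [
        ("Setu.exe", bulk, fake_pe),
        ("python37.zip", bulk, fake_pe),
        ("vcruntime140.dll", bulk, fake_pe),
        ("python37.dll", later, b"MZ" + b"\x90" * 100 + b"\xaa" * 9000),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mtime, data in members:
            zf.writestr(zipfile.ZipInfo(name, date_time=mtime), data)
    return buf.getvalue()
```

Running `suspicious_members(triage_archive(build_sample_zip()))` flags only python37.dll, on both the timestamp and the padding check.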

Unidentified RAT pushes NetSupport RAT

An unidentified RAT infection that spread through the SmartApeSG ClickFix campaign is being investigated by the SANS cyber-security centre, which monitors cybercrime on a wide range of websites.

Pulse ID: 6a1d9f0aa8899c955f3edd0f
Pulse Link: https://otx.alienvault.com/pulse/6a1d9f0aa8899c955f3edd0f
Pulse Author: CyberHunter_NL
Created: 2026-06-01 15:02:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberCrime #CyberSecurity #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #SmartApeSg #bot #CyberHunter_NL


2026-05-22 (Friday): #SmartApeSG --> Unidentified #RAT --> #NetSupport RAT

A #pcap of the traffic, associated files, and a list of IOCs are available at https://www.malware-traffic-analysis.net/2026/05/22/index.html

cc: @netresec this is the post that I promised earlier. I'm not able to get the infection chain in any sandbox.

How NetSupport RAT abuses a legitimate remote admin tool. #NetSupport RAT is a malicious repurposing of the legitimate remote administration tool, NetSupport Manager, which has been available for over 30 years. https://cybersec.picussecurity.com/s/how-netsupport-rat-abuses-legitimate-remote-admin-tool-25607

Our latest TDR report on the #IClickFix framework:

📊 3,800+ WordPress sites compromised worldwide
⚙️ Multi-stage JavaScript loader
🚦 Abusing YOURLS as TDS
🖱️ Fake Cloudflare CAPTCHA and #ClickFix lure
🦠 #NetSupport RAT payload

https://infosec.exchange/@sekoia_io/115977607660963600

#TDR analysts deep dived into a widespread malicious JavaScript framework injected into 3,800+ WordPress sites to distribute #NetSupport RAT via the #ClickFix social engineering tactic.

https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/

2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.

Details at www.malware-traffic-analysis.net/2025/12/29/index.html

Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.

The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.