2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.

Details at www.malware-traffic-analysis.net/2025/12/29/index.html

Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.

The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.

JS SMUGGLER Multi Stage Hidden iframes Obfuscated JavaScript Silent Redirectors NetSupport RAT Delivery

Pulse ID: 6939016e326fd6a1b64a4ad6
Pulse Link: https://otx.alienvault.com/pulse/6939016e326fd6a1b64a4ad6
Pulse Author: Tr1sa111
Created: 2025-12-10 05:13:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Java #JavaScript #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Campaign uses ClickFix page to push NetSupport RAT

The SmartApeSG campaign, also known as ZPHP or HANEYMANEY, has evolved from using fake browser update pages to employing ClickFix-style fake CAPTCHA pages. This campaign distributes malicious NetSupport RAT packages as its initial infection vector. The attack chain begins with an injected script on compromised websites, which, under certain conditions, displays a fake CAPTCHA page. When users interact with this page, malicious content is injected into the Windows clipboard, prompting users to paste and execute it. This leads to the download and installation of NetSupport RAT, which maintains persistence through a Start Menu shortcut. The campaign frequently changes domains, packages, and C2 servers to evade detection.

Pulse ID: 69370db0cd2bc81cbbe13d51
Pulse Link: https://otx.alienvault.com/pulse/69370db0cd2bc81cbbe13d51
Pulse Author: AlienVault
Created: 2025-12-08 17:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #Clipboard #CyberSecurity #FakeBrowser #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #PHP #RAT #SmartApeSg #Windows #bot #AlienVault

JS#SMUGGLER Deploying NetSupport RAT via Compromised Websites

JS#SMUGGLER is a web-based malware campaign that uses compromised websites to deliver the NetSupport RAT.

Pulse ID: 6937559768d29b8bfdeb42c9
Pulse Link: https://otx.alienvault.com/pulse/6937559768d29b8bfdeb42c9
Pulse Author: cryptocti
Created: 2025-12-08 22:47:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #bot #cryptocti

New JS#SMUGGLER malware campaign delivers #NetSupportRAT through compromised websites – hackers get full remote control of Windows machines.

Read: https://hackread.com/jssmuggler-netsupport-rat-infected-sites/

#JSsmuggler #Malware #Cybersecurity #Windows

New JS#SMUGGLER Campaign Drops NetSupport RAT Through Infected Sites

SmartApeSG campaign uses ClickFix page to push NetSupport RAT

Pulse ID: 6936a7709dd0d1b331e8ad64
Pulse Link: https://otx.alienvault.com/pulse/6936a7709dd0d1b331e8ad64
Pulse Author: CyberHunter_NL
Created: 2025-12-08 10:24:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #SmartApeSg #bot #CyberHunter_NL

Technical Analysis of Matanbuchus 3.0

Matanbuchus, a C++ malicious downloader offered as Malware-as-a-Service since 2020, has evolved to version 3.0. It comprises a downloader and main module, utilizing obfuscation techniques like junk code, encrypted strings, and API hashing. The malware implements anti-analysis features, including an expiration date and persistence via scheduled tasks. It communicates using encrypted Protobufs over HTTP(S), supporting various commands for payload execution, data collection, and system manipulation. Matanbuchus has been associated with ransomware operations and used to distribute other malware like Rhadamanthys and NetSupport RAT.

Pulse ID: 692ff91584de642b1a8cbd3b
Pulse Link: https://otx.alienvault.com/pulse/692ff91584de642b1a8cbd3b
Pulse Author: AlienVault
Created: 2025-12-03 08:47:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #HTTP #InfoSec #Malware #MalwareAsAService #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #RansomWare #Rhadamanthys #bot #AlienVault

Researchers are tracking a new ClickFix campaign called EVALUSION, delivering Amatera Stealer and NetSupport RAT.

The chain begins with Run-dialog execution during fake CAPTCHA checks, followed by mshta.exe → PowerShell → PureCrypter → DLL injection into MSBuild.exe.

Amatera includes advanced evasion and broad data-harvesting features. NetSupport RAT is deployed only when valuable data is detected.
Related phishing activity involves XWorm, Cephas kits, SmartApeSG, and Tycoon 2FA.

Thoughts on this growing reliance on execution through supposedly “trusted” system tools?

💬 Share your perspective
👍 Follow us for more clear, unbiased threat reporting

#Infosec #CyberSecurity #ClickFix #AmateraStealer #NetSupportRAT #MalwareAnalysis #ThreatIntel #MaaS #PhishingKits #SecurityResearch
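
A detection sketch for the chain described in the post above, added here as an example and not taken from the post or the researchers it cites: it walks process-creation events and flags PowerShell whose parent is mshta.exe started from explorer.exe (the Run dialog), plus MSBuild.exe anywhere beneath mshta.exe. The event field names, rule names and sample events are constructed, and it is an assumption that the injected MSBuild.exe is a descendant of the chain.

```python
# Added example: flag the Run dialog -> mshta.exe -> PowerShell ancestry in
# process-creation telemetry. Field names and all events are constructed.
from ntpath import basename

CHAIN = ("powershell.exe", "mshta.exe", "explorer.exe")  # child-first order

def image(event):
    return basename(event["image"]).lower()

def ancestry(event, by_pid, limit=16):
    """Image names from this process up through its known ancestors."""
    names, seen = [], set()
    while event and event["pid"] not in seen and len(names) < limit:
        seen.add(event["pid"])
        names.append(image(event))
        event = by_pid.get(event["ppid"])
    return names

def find_clickfix_chains(events):
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse in the window
    hits = []
    for event in events:
        names = ancestry(event, by_pid)
        if tuple(names[:3]) == CHAIN:
            hits.append(("run_dialog_mshta_powershell", event["pid"]))
        elif names[0] == "msbuild.exe" and "mshta.exe" in names[1:]:
            # Assumption: the injected MSBuild.exe is started by this chain.
            hits.append(("msbuild_under_mshta", event["pid"]))
    return hits

def proc(pid, ppid, image_path, cmdline=""):
    return {"pid": pid, "ppid": ppid, "image": image_path, "cmdline": cmdline}

SYS = "C:\\Windows\\System32\\"
PS = SYS + "WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not taken from the campaign
    proc(100, 50, "C:\\Windows\\explorer.exe"),
    proc(200, 100, SYS + "mshta.exe", "mshta.exe <constructed-url>"),
    proc(300, 200, PS),
    proc(400, 300, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"),
    proc(500, 100, PS),                                      # user-launched shell
    proc(700, 100, "C:\\VS\\devenv.exe"),
    proc(600, 700, "C:\\VS\\MSBuild.exe", "MSBuild.exe app.sln"),  # normal build
]

if __name__ == "__main__":
    for rule, pid in find_clickfix_chains(SAMPLE_EVENTS):
        print(rule, pid)
```
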

New EVALUSION ClickFix campaign:
Amatera Stealer and NetSupport RAT are being distributed

Cyber security researchers at eSentire have discovered a malware campaign named EVALUSION that uses the now widespread ClickFix social engineering pattern to install the Amatera Stealer and the NetSupport RAT.

More: https://maniabel.work/archiv/265

#ClickFix #AmateraStealer #NetSupportRAT, infosec #infosecnews #BeDiS

New EVALUSION ClickFix campaign – maniabel.work

Discover what you can do yourself for the security and protection of your data.