New #ZPHP / #SmartApeSG Chain:
hxxps[://]awakentoyoga[.]com/cdn-vs/original[.]js
hxxps[://]awakentoyoga[.]com/cdn-vs/cache[.]php
hxxps[://]awakentoyoga[.]com/cdn-vs/2per[.]php
hxxp[://]lucabet68[.]online/data[.]php?6321

New #zphp / #smartapesg request chain (appears to go back to Friday evening)

hxxps[://]jhansgansowen[.]com/cdn-vs/cache[.]php
hxxps[://]jhansgansowen[.]com/help/zewmrgqnw[.]php?reqtime=
hxxps[://]jhansgansowen[.]com/help/per[.]php
hxxps[://]gitkonus[.]com/data[.]php?11037

#zphp / #smartapesg changed their payload this morning (still ends up with NetSupport RAT). It is less obfuscated, but it runs a few host-fingerprinting commands and then sends that data via a POST request to their server. The response to that is either an empty 200 response (if the request is filtered) or the next stage, base64 encoded.

hxxps[://]fairfurryfriends[.]com/cdn-vs/cache[.]php
hxxps[://]fairfurryfriends[.]com/help/zewmrgqnw[.]php?reqtime=1712586874009
hxxps[://]ipinfo[.]io/json
hxxps[://]fairfurryfriends[.]com/help/per[.]php
hxxps[://]mtlaikins[.]com/data[.]php?11920

NetSupport C2: 185.216.70[.]123:443

New #zphp / #SmartApeSG domain
briefscala[.]com
New #zphp / #SmartApeSG domains:
africanbeatmaker[.]com
aiifolrida[.]com
amarod[.]com
auburnartwalk[.]com
New #zphp / #SmartApeSG domain:
bazar50[.]com
More new #zphp / #SmartApeSG domains:
aljannatquranteach[.]com
bbsupplyandsalon[.]com
betsmovepiyango47[.]com
bigcuda[.]com
eduvationgroup[.]com
eoskinec[.]com
ezwhatsappp[.]com
growcalm[.]com
grupodistribuidora[.]com

New #SmartApeSG / #ZPHP domain:

hxxps[://]casinovipclubs[.]com/cdn-vs/cache[.]php
casinovipclubs[.]com

New #SmartApeSG / #ZPHP Domains:
gigeconomycase[.]com
pngairservices[.]com
New #ZPHP #SmartApeSG infection chain, two new domains:
Victim site
->
scorelineupdate[.]com/cdn-vs/cache.php (injected)
->
scorelineupdate[.]com/cache/ewmrgqnaww.php?reqtime=1705345940012 (fake update page)
->
scorelineupdate[.]com/cache/letter.php?2482 (update.js with PowerShell script)
->
phinetik[.]com/data.php?10602 (base64 zip)
->
5[.]181.156.235:443 (NetSupport, HANEYMANEY C2)
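The request chains above (injected cdn-vs/cache.php, a reqtime= fake-update page, a per/2per/letter.php stage that POSTs fingerprint data, then data.php?NNNN on a second domain) repeat across every sample, so they can be hunted as an ordered sequence per client rather than as individual domains. The script below is an added example written for this write-up, not code from the original posts: it correlates proxy log lines per client and flags the sequence, including the "empty 200" case where the server filtered the victim and no payload followed. The log format (timestamp, client, method, URL, status, bytes), the client addresses and the timings are constructed for the example; the hosts and paths are taken from the chains listed above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log in a hypothetical "timestamp client method url status bytes" layout.
# Hosts and paths mirror the chains documented above; clients, timings and sizes are made up.
SAMPLE_LOG = """\
2024-04-08T13:41:14Z 10.0.0.5 GET https://fairfurryfriends.com/cdn-vs/cache.php 200 2310
2024-04-08T13:41:15Z 10.0.0.5 GET https://fairfurryfriends.com/help/zewmrgqnw.php?reqtime=1712586874009 200 9877
2024-04-08T13:41:16Z 10.0.0.5 GET https://ipinfo.io/json 200 412
2024-04-08T13:41:17Z 10.0.0.5 POST https://fairfurryfriends.com/help/per.php 200 5120
2024-04-08T13:41:20Z 10.0.0.5 GET https://mtlaikins.com/data.php?11920 200 655360
2024-04-08T14:02:01Z 10.0.0.9 GET https://scorelineupdate.com/cdn-vs/cache.php 200 2310
2024-04-08T14:02:02Z 10.0.0.9 GET https://scorelineupdate.com/cache/ewmrgqnaww.php?reqtime=1705345940012 200 9877
2024-04-08T14:02:03Z 10.0.0.9 POST https://scorelineupdate.com/cache/letter.php?2482 200 0
2024-04-08T14:05:00Z 10.0.0.7 GET https://www.example.com/cdn-vs/cache.php 404 0
2024-04-08T14:05:30Z 10.0.0.7 GET https://www.example.com/index.html 200 1400
"""

# Ordered stages of the chain. Each pattern is matched against path plus query string.
STAGE_PATTERNS = [
    ("inject", re.compile(r"^/cdn-vs/cache\.php$")),                       # injected script
    ("fakeupdate", re.compile(r"^/(?:help|cache)/[a-z]+\.php\?reqtime=\d*$")),  # fake update page
    ("loader", re.compile(r"^/(?:help|cache|cdn-vs)/(?:2?per|letter)\.php(?:\?\d+)?$")),  # fingerprint POST / update.js
    ("payload", re.compile(r"^/data\.php\?\d+$")),                          # base64 zip on a second domain
]
ORDER = [name for name, _ in STAGE_PATTERNS]


def classify_url(url):
    """Return the chain stage a URL belongs to, 'geolookup' for ipinfo.io/json, or None."""
    parts = urlsplit(url)
    if parts.hostname == "ipinfo.io" and parts.path == "/json":
        return "geolookup"
    target = parts.path + ("?" + parts.query if parts.query else "")
    for name, pattern in STAGE_PATTERNS:
        if pattern.match(target):
            return name
    return None


def parse_log(text):
    """Parse the constructed six-field log layout into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, client, method, url, status, size = fields
        records.append({"ts": ts, "client": client, "method": method, "url": url,
                        "status": int(status), "size": int(size)})
    return records


def find_chains(log_text, min_stages=3):
    """Correlate requests per client and report clients that walked the chain in order.

    A client is reported once it has hit at least `min_stages` stages in sequence.
    A loader response with zero bytes and no following payload is the server-side
    filtering case described above (empty 200), which is still worth an alert.
    """
    per_client = defaultdict(list)
    for rec in parse_log(log_text):
        per_client[rec["client"]].append(rec)

    findings = []
    for client, recs in sorted(per_client.items()):
        recs.sort(key=lambda r: r["ts"])  # ISO-8601 timestamps sort lexicographically
        seen, hosts, geo_lookup, filtered = [], {}, False, False
        for rec in recs:
            stage = classify_url(rec["url"])
            if stage == "geolookup":
                geo_lookup = True  # supporting indicator, not a stage by itself
                continue
            if stage is None or rec["status"] != 200:
                continue
            expected = ORDER[len(seen)] if len(seen) < len(ORDER) else None
            if stage == expected:  # only advance when the next stage in order appears
                seen.append(stage)
                hosts[stage] = urlsplit(rec["url"]).hostname
                if stage == "loader" and rec["size"] == 0:
                    filtered = True
        if len(seen) < min_stages:
            continue
        if "payload" in seen:
            verdict = "payload_delivered"
        elif filtered:
            verdict = "filtered_by_server"
        else:
            verdict = "partial"
        findings.append({"client": client, "stages": seen, "inject_host": hosts.get("inject"),
                         "payload_host": hosts.get("payload"), "geo_lookup": geo_lookup,
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG):
        print(finding)
```

Because the payload domain differs from the injected one in every chain above, `payload_host` is reported separately so it can be blocked or pivoted on; a `filtered_by_server` verdict means the victim reached the fingerprint POST but received the empty 200, so the host was still exposed to the fake update page and should be checked even though no archive was downloaded.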