How NetSupport RAT abuses a legitimate remote admin tool. #NetSupport RAT is a malicious repurposing of the legitimate remote administration tool, NetSupport Manager, which has been available for over 30 years. https://cybersec.picussecurity.com/s/how-netsupport-rat-abuses-legitimate-remote-admin-tool-25607
How NetSupport RAT Abuses Legitimate Remote Admin Tool

Analyze NetSupport RAT malware: fake update vectors like ClickFix, persistence mechanisms, and surveillance. See how Picus simulates it.

GrayCharlie Hijacks WordPress to Deploy NetSupport RAT

GrayCharlie is a threat actor compromising WordPress sites to deliver NetSupport RAT.

Pulse ID: 699e1a3549ab2f017a665928
Pulse Link: https://otx.alienvault.com/pulse/699e1a3549ab2f017a665928
Pulse Author: cryptocti
Created: 2026-02-24 21:37:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #RDP #Word #Wordpress #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Our latest TDR report on the #IClickFix framework:

📊 3,800+ WordPress sites compromised worldwide
⚙️ Multi-stage JavaScript loader
🚦 Abusing YOURLS as TDS
🖱️ Fake Cloudflare CAPTCHA and #ClickFix lure
🦠 #NetSupport RAT payload

https://infosec.exchange/@sekoia_io/115977607660963600

#TDR analysts deep dived into a widespread malicious JavaScript framework injected into 3,800+ WordPress sites to distribute #NetSupport RAT via the #ClickFix social engineering tactic.

https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/

2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.

Details at www.malware-traffic-analysis.net/2025/12/29/index.html

Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.

The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.

"Medved" attacks: what we learned about a phishing campaign by a group targeting Russian organizations

In October 2025 we, the cyber threat intelligence team of the Threat Intelligence department, recorded ongoing phishing activity by a hacker group we named NetMedved. The rationale for this name is discussed in the final part of the article. The attacks are aimed at Russian organizations; the final payload is a malicious version of the legitimate remote administration tool NetSupport Manager (hereafter NetSupportRAT). In this article we describe the specifics of the campaign and its connection to our earlier findings.

https://habr.com/ru/companies/pt/articles/968572/

#cyber_intelligence #incident_investigation #cyberattacks #hacker_group #hacker_tools #phishing_emails #malicious_software #malware #finger #netsupport

⚠️ CVE-2025-34164: HIGH-severity heap overflow in NetSupport Manager 14.x (<14.12.0000) lets remote attackers cause DoS or run code—no auth needed. Restrict access & prep to patch! https://radar.offseq.com/threat/cve-2025-34164-cwe-122-heap-based-buffer-overflow--7fdd6f7b #OffSeq #NetSupport #Vulnerability #Cybersecurity

⚠️ CVE-2025-34165: NetSupport Manager 14.x (pre-14.12.0000) HIGH severity stack-based buffer overflow allows remote, unauthenticated DoS or memory leak. Restrict access, monitor for attacks, prep for patching. https://radar.offseq.com/threat/cve-2025-34165-cwe-121-stack-based-buffer-overflow-e4ea3e1b #OffSeq #NetSupport #Vuln #BlueTeam

2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)

Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.

Other sites have injected script that redirects to the URL for the fake CAPTCHA page.

Direct example (compromised site --> script for CAPTCHA page):

- hxxps[:]//mexicobusiness[.]news/
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js

Redirect example (compromised site --> Redirect URL --> script for CAPTCHA page):

- hxxps[:]//myvocabulary[.]com/
- hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js

Either way, you get the same CAPTCHA page.

IOCs at https://github.com/malware-traffic/indicators/blob/main/2025-08-22-IOCs-for-SmartApeSG-activity.txt

cc: @monitorsg
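The two injection patterns in the post above (compromised site loading the CAPTCHA-page script directly, versus going through a 302 redirector first) are easy to tell apart in proxy logs once the request chain is rebuilt per client. The script below is an added example and is not code from malware-traffic-analysis.net or the linked IOC file: it refangs the defanged URLs quoted in the post, rebuilds each client's chain from Referer and Location headers, and labels the chain "direct", "redirect" or "no-match". The proxy log lines and the log column layout (client, URL, status, Referer, Location) are constructed for the example, not captured traffic.

```python
"""Rebuild SmartApeSG-style injection chains from proxy logs.

Added example, not code from the original post. Assumes a whitespace-separated
log with the columns: client url status referer location ('-' when absent).
"""
import re

REDIRECT_CODES = {301, 302, 303, 307, 308}


def refang(ioc: str) -> str:
    """Turn 'hxxps[:]//clouwave[.]net/x' into 'https://clouwave.net/x'."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")


# Indicators copied from the post above, refanged so they match live URLs.
COMPROMISED_SITES = {
    refang("hxxps[:]//mexicobusiness[.]news/"),
    refang("hxxps[:]//myvocabulary[.]com/"),
}
CAPTCHA_SCRIPT = refang("hxxps[:]//clouwave[.]net/ajax/pixi.min.js")

# Constructed proxy log (not real traffic). Client 10.0.0.5 follows the direct
# pattern, 10.0.0.7 the 302-redirect pattern, 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 https://mexicobusiness.news/ 200 - -
10.0.0.5 https://clouwave.net/ajax/pixi.min.js 200 https://mexicobusiness.news/ -
10.0.0.7 https://myvocabulary.com/ 200 - -
10.0.0.7 https://myevmanual.com/d.js 302 https://myvocabulary.com/ https://clouwave.net/ajax/pixi.min.js
10.0.0.7 https://clouwave.net/ajax/pixi.min.js 200 https://myvocabulary.com/ -
10.0.0.9 https://example.org/ 200 - -
10.0.0.9 https://cdn.example.org/app.js 200 https://example.org/ -
"""


def parse_log(text: str) -> list[dict]:
    """Parse the assumed five-column log format into dicts."""
    rows = []
    for line in text.splitlines():
        client, url, status, referer, location = line.split()
        rows.append({
            "client": client,
            "url": url,
            "status": int(status),
            "referer": None if referer == "-" else referer,
            "location": None if location == "-" else location,
        })
    return rows


def build_chains(rows: list[dict]) -> dict[str, list[tuple[str, int]]]:
    """Per client, keep requests linked by Referer or by a prior 3xx Location.

    A script tag that is answered with a 302 makes the browser fetch the
    Location URL while the Referer stays the originating page, so both links
    are honoured when deciding whether a request belongs to the chain.
    """
    chains: dict[str, list[tuple[str, int]]] = {}
    pending_location: dict[str, str] = {}
    for r in rows:
        chain = chains.setdefault(r["client"], [])
        seen = {url for url, _ in chain}
        linked = (
            (r["referer"] is None and not chain)
            or r["referer"] in seen
            or pending_location.get(r["client"]) == r["url"]
        )
        if linked:
            chain.append((r["url"], r["status"]))
            if r["status"] in REDIRECT_CODES and r["location"]:
                pending_location[r["client"]] = r["location"]
    return chains


def classify(chain: list[tuple[str, int]]) -> str:
    """'direct' or 'redirect' when the chain reaches the CAPTCHA script."""
    urls = [url for url, _ in chain]
    if CAPTCHA_SCRIPT not in urls:
        return "no-match"
    if any(status in REDIRECT_CODES for _, status in chain):
        return "redirect"
    return "direct"


def analyze(text: str) -> dict[str, tuple[str, list[str], bool]]:
    """Map client -> (label, chain URLs, origin already a known compromised site).

    The origin flag is False for chains that reach the CAPTCHA script from a
    site not yet in the indicator list, which is how new injections surface.
    """
    result = {}
    for client, chain in build_chains(parse_log(text)).items():
        urls = [url for url, _ in chain]
        result[client] = (classify(chain), urls, urls[0] in COMPROMISED_SITES)
    return result


if __name__ == "__main__":
    for client, (label, urls, known) in analyze(SAMPLE_LOG).items():
        print(f"{client}: {label:9} known_origin={known} {' -> '.join(urls)}")
```

Chains that reach the CAPTCHA script from an origin flagged `known_origin=False` are the ones worth pulling the page source for, since they point at a compromised site not yet in the published IOC list.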