#zphp / #smartapesg changed their payload this morning (still ends up with NetSupport RAT). It is less obfuscated, but is running a few host fingerprinting commands and then sending that data via a POST request to their server. The response to that is either an empty 200 response (if filtered), or the next step b64 encoded.

hxxps[://]fairfurryfriends[.]com/cdn-vs/cache[.]php
hxxps[://]fairfurryfriends[.]com/help/zewmrgqnw[.]php?reqtime=1712586874009
hxxps[://]ipinfo[.]io/json
hxxps[://]fairfurryfriends[.]com/help/per[.]php
hxxps[://]mtlaikins[.]com/data[.]php?11920

Netsupport C2: 185.216.70[.]123:443