#zphp / #smartapesg changed their payload this morning (still ends up with NetSupport RAT). It is less obfuscated, but is running a few host fingerprinting commands and then sending that data via a POST request to their server. The response to that is either an empty 200 response (if filtered), or the next step b64 encoded.

hxxps[://]fairfurryfriends[.]com/cdn-vs/cache[.]php
hxxps[://]fairfurryfriends[.]com/help/zewmrgqnw[.]php?reqtime=1712586874009
hxxps[://]ipinfo[.]io/json
hxxps[://]fairfurryfriends[.]com/help/per[.]php
hxxps[://]mtlaikins[.]com/data[.]php?11920

NetSupport C2: 185.216.70[.]123:443
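An added detection sketch, not part of the original post, for the behaviour described above: a POST to a `.php` endpoint carrying a millisecond `reqtime=` parameter followed by an `ipinfo.io/json` lookup from the same host, plus a classifier for the stage response (empty 200 means filtered, otherwise the base64-encoded next step). The log lines, hostnames, the `stage1.example` domain and the 60-second window are constructed assumptions; the real indicators are the ones in the post.

```python
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log sample (timestamp, client, method, url, status, response bytes).
# The domain and hostnames are placeholders, not indicators from the post.
SAMPLE_LOG = """\
2024-04-08T14:34:34Z ws-17 GET https://stage1.example/cdn-vs/cache.php 200 2210
2024-04-08T14:34:36Z ws-17 POST https://stage1.example/help/abcdefg.php?reqtime=1712586874009 200 0
2024-04-08T14:34:37Z ws-17 GET https://ipinfo.io/json 200 512
2024-04-08T14:34:39Z ws-17 POST https://stage1.example/help/per.php 200 1840
2024-04-08T14:35:02Z ws-03 GET https://ipinfo.io/json 200 512
2024-04-08T15:10:00Z ws-09 POST https://example.org/api/submit.php?reqtime=1712588000000 200 0
"""

# A .php endpoint whose only query parameter is a 13-digit (millisecond epoch) reqtime value.
REQTIME_RE = re.compile(r"\.php\?reqtime=\d{13}$")
WINDOW = timedelta(seconds=60)  # assumed pairing window between the POST and the geo lookup


def parse(log_text):
    """Turn the space-separated sample lines into (ts, host, method, url, status, size) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, host, method, url, status, size = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, url, int(status), int(size)))
    return events


def flag_hosts(events):
    """Return clients that made a reqtime-stamped POST and an ipinfo.io/json lookup within WINDOW."""
    reqtime_posts, geo_lookups = defaultdict(list), defaultdict(list)
    for ts, host, method, url, _status, _size in events:
        if method == "POST" and REQTIME_RE.search(url):
            reqtime_posts[host].append(ts)
        elif url.endswith("ipinfo.io/json"):
            geo_lookups[host].append(ts)
    return {h for h in reqtime_posts
            if any(abs(g - p) <= WINDOW for p in reqtime_posts[h] for g in geo_lookups[h])}


def classify_stage_response(status, body):
    """Empty 200 = the victim was filtered out; a valid base64 body = the next stage was served."""
    if status != 200:
        return "error"
    if not body:
        return "filtered"
    try:
        base64.b64decode(body, validate=True)
        return "next_stage_b64"
    except (binascii.Error, ValueError):
        return "unknown"
```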

Found a new? fake browser update that has a currently broken click location. I don't know how long it has been around, but it is not one of the currently tracked clusters.

Example Triage https://tria.ge/231004-ll7kpsce52/behavioral1
