Unidentified RAT Pushes NetSupport RAT
This diary provides indicators from an unidentified RAT infection on Wednesday, May 27, 2026, that was followed by a malicious NetSupport Manager RAT package. This originated from the SmartApeSG ClickFix campaign. The name of the initial RAT is still unknown, but it has consistently been generating encoded (not HTTPS/SSL/TLS) traffic to a command and control (C2) server at 89.110.110.119 over TCP port 443 since it was first noticed sometime in April 2026.
The infection chain involved a Zip archive containing software for the initial RAT, located at hxxps://silverharvestnetwork.com/check (SHA256 hash: 1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976). An initial script, C:\ProgramData\processor.vbs (SHA256 hash: 469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5), runs token.bat. The batch script C:\ProgramData\token.bat (SHA256 hash: 9c7eda2c4d3aaa8746495741bef57a07de180f0409409faf0f91658e88ba33f5) extracts the NetSupport RAT from setup.cab, runs it, and makes it persistent. This CAB file, C:\ProgramData\setup.cab (SHA256 hash: 7ba5481c873bb3081442561f749f590badd72ef249fddfe993e30b28dc0c2112), contains the malicious NetSupport RAT package, which is extracted to C:\ProgramData\UpdateInstaller. Notably, processor.vbs, token.bat, and setup.cab are all deleted by the token.bat script after it installs the malicious NetSupport RAT package and makes it persistent on the infected Windows host, so a host examined after the fact may show only the UpdateInstaller directory and the network traffic.
Indicators of Compromise 🔍
Indicators of Compromise observed on Wednesday, May 27, 2026, include SmartApeSG URLs such as hxxps://hiddenplanetlab.top/signin/secure-util.js, hxxps://hiddenplanetlab.top/signin/private-template?c66kjD5i, and hxxps://hiddenplanetlab.top/signin/legacy-worker.js?18b3825af007e53d. Traffic generated by running the associated ClickFix script was seen communicating with hxxp://178.156.165.82/, hxxp://178.156.173.194/, and hxxps://silverharvestnetwork.com/check. The initial RAT communicates with a C2 server at tcp://89.110.110.119:443/. The IP address for the NetSupport RAT C2 server is hxxp://185.163.47.217:443. It is important to note that the indicators for this activity (domains, file hashes, etc.) change on a daily basis. For more up-to-date indicators on SmartApeSG and similar campaigns, see the @monitorsg feed on Mastodon.
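The following Python script is an added example, not code from the diary or from ISC. It turns the indicators above, and the infection chain described earlier (script staging in C:\ProgramData, extraction to C:\ProgramData\UpdateInstaller, encoded non-TLS traffic on tcp/443), into a small set of checks and runs them over constructed host and network records. The sample records are invented for illustration; their field names loosely follow Sysmon Event ID 1 and Zeek conn.log, but each check takes only the fields it needs, so it can be fed from whatever EDR or sensor output is at hand. The benign address 203.0.113.10 is from the RFC 5737 documentation range.

```python
"""Match the diary's indicators against constructed host and network records.

Added example, not code from the diary. Sample records are constructed; field
names loosely follow Sysmon Event ID 1 and Zeek conn.log, but the checks only
need the handful of fields passed in explicitly.
"""
import re

# SHA256 hashes and file names from the diary.
IOC_SHA256 = {
    "1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976": "initial RAT zip",
    "469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5": "processor.vbs",
    "9c7eda2c4d3aaa8746495741bef57a07de180f0409409faf0f91658e88ba33f5": "token.bat",
    "7ba5481c873bb3081442561f749f590badd72ef249fddfe993e30b28dc0c2112": "setup.cab",
}
# Network indicators from the diary.
IOC_C2_IPS = {"89.110.110.119": "initial RAT C2", "185.163.47.217": "NetSupport RAT C2"}
IOC_HTTP_IPS = {"178.156.165.82", "178.156.173.194"}
IOC_DOMAINS = {"hiddenplanetlab.top", "silverharvestnetwork.com"}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe")
STAGING_DIR = "c:\\programdata\\"
NETSUPPORT_DIR = STAGING_DIR + "updateinstaller\\"


def refang(url):
    """Turn a defanged diary URL (hxxp/hxxps) back into a plain string for matching."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def check_file(path, sha256):
    """Findings for a file observation (path plus SHA256 from an EDR or a hash run)."""
    findings = []
    if sha256.lower() in IOC_SHA256:
        findings.append(f"known hash: {IOC_SHA256[sha256.lower()]}")
    low = path.lower()
    # The chain stages its scripts and CAB directly in C:\ProgramData, not in a subfolder.
    if low.startswith(STAGING_DIR) and "\\" not in low[len(STAGING_DIR):] \
            and low.endswith((".vbs", ".bat", ".cab")):
        findings.append(f"script/archive staged in C:\\ProgramData: {path}")
    return findings


def check_process(image, command_line):
    """Findings for a process-creation record."""
    findings = []
    img, cmd = image.lower(), command_line.lower()
    if img.endswith(SCRIPT_HOSTS) and STAGING_DIR in cmd \
            and re.search(r"\.(vbs|bat)\b", cmd):
        findings.append(f"script host running ProgramData script: {command_line}")
    if img.startswith(NETSUPPORT_DIR):
        findings.append(f"binary executing from NetSupport drop dir: {image}")
    return findings


def check_conn(dst_ip, dst_port, service):
    """Findings for a connection record; service is Zeek's detected protocol ('ssl', 'http', '-')."""
    findings = []
    if dst_ip in IOC_C2_IPS:
        findings.append(f"connection to {IOC_C2_IPS[dst_ip]} {dst_ip}:{dst_port}")
    if dst_port == 443 and service != "ssl":
        # The initial RAT's tell: encoded but non-TLS traffic on 443, whatever the destination.
        findings.append(f"non-TLS traffic on tcp/443 to {dst_ip}")
    if dst_ip in IOC_HTTP_IPS:
        findings.append(f"ClickFix follow-on host {dst_ip}")
    return findings


def check_http(host):
    """Findings for an HTTP request by Host header / SNI."""
    return [f"request to SmartApeSG/payload domain {host}"] if host.lower() in IOC_DOMAINS else []


def scan(records):
    """Route each record to its check by 'kind'; return (record index, finding) pairs."""
    out = []
    for i, r in enumerate(records):
        if r["kind"] == "file":
            hits = check_file(r["path"], r["sha256"])
        elif r["kind"] == "process":
            hits = check_process(r["image"], r["cmdline"])
        elif r["kind"] == "conn":
            hits = check_conn(r["dst"], r["port"], r["service"])
        else:
            hits = check_http(r["host"])
        out.extend((i, h) for h in hits)
    return out


# Constructed sample records (not taken from the diary's capture).
SAMPLE_RECORDS = [
    {"kind": "http", "host": "hiddenplanetlab.top"},
    {"kind": "conn", "dst": "178.156.165.82", "port": 80, "service": "http"},
    {"kind": "file", "path": "C:\\ProgramData\\processor.vbs",
     "sha256": "469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5"},
    {"kind": "process", "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe \"C:\\ProgramData\\processor.vbs\""},
    {"kind": "conn", "dst": "89.110.110.119", "port": 443, "service": "-"},
    {"kind": "conn", "dst": "203.0.113.10", "port": 443, "service": "ssl"},  # benign TLS, constructed
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {finding}")
```

Because the diary notes that domains and hashes rotate daily, the behavioural checks (non-TLS traffic on tcp/443, script hosts launching .vbs/.bat files straight out of C:\ProgramData, and executables running from C:\ProgramData\UpdateInstaller) are the parts worth keeping in a detection rule; the hash and IP tables should be refreshed from a current feed such as @monitorsg.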