Tuesday, May 6, 2025
Beware of SmartApeSG Campaigns that Deliver NetSupport RAT

SmartApeSG, a FakeUpdate cyber threat, has emerged as a significant vector for delivering NetSupport RAT, a maliciously exploited remote administration tool.

The campaign ensnares victims by tricking them into downloading fake browser updates, ultimately enabling attackers to gain unauthorized access to infected systems.

A Web of Connections

Recent investigations examined SmartApeSG’s command-and-control (C2) infrastructure, revealing alarming cross-connections to NetSupport RAT servers, cryptocurrency scams, and other illicit activities.

Three C2 management nodes hosted in Moldova, powered by Stark Industries’ infrastructure and later transitioned to other providers, played a vital role in these campaigns.

These nodes leveraged control panel software like ISPManager for automation and management, exploiting free trials to minimize operational costs.

Figure: ISPManager login page

Analysis extended beyond initial servers to uncover additional malicious infrastructure.

Notably, old NetSupport RAT servers from 2023 were still actively communicating with victims.

Strong overlaps in observed X.509 certificate characteristics tied SmartApeSG’s C2s to this RAT infrastructure, hinting at a shared threat actor or a tightly linked network of operations.

Pivoting Through Threat Actor Operations

Expanding the scope, telemetry data exposed numerous connections between SmartApeSG, NetSupport RAT, and even Quasar RAT, a separate remote administration tool.

Moldovan IPs linked to SmartApeSG were observed routing activity through proxies to conceal operations.

One management server also communicated with cryptocurrency-related services and Quasar RAT C2 nodes.

These intersections suggest organized, multifaceted threat actor campaigns targeting diverse systems for financial gain or extended control.

Further, active NetSupport RAT C2 servers showed consistent malicious activities months after earlier public disclosures, often associated with Russian-language darknet forums.

Some hosts exhibited atypical behavior, including using encrypted messaging platforms like Telegram or Jabber and accessing cryptocurrency scam-related websites.

Figure: Fake UBS website

The SmartApeSG and NetSupport RAT campaigns highlight the persistence and adaptability of modern cybercriminal operations.

According to the Team Cymru report, by reusing aged infrastructure and distributing their operations across a global network, these campaigns evade detection and remain operational even after takedown efforts.

Cybersecurity teams should frequently revisit “aged-out” indicators of compromise (IoCs) to identify reused infrastructure, as part of thorough investigation and proactive defense.
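One way to act on that advice, as an added example that is not from the article or the Team Cymru report: the Python below matches recent flow records against the full IoC history rather than only unexpired entries, and tags hits on indicators that an expiry policy would already have dropped. The CSV column names, the 90-day expiry window, the hostnames and the addresses (RFC 5737 documentation ranges) are all constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data: RFC 5737 documentation addresses, not real IoCs.
IOC_FEED = """indicator,family,last_reported
192.0.2.10,NetSupport RAT,2023-08-14
198.51.100.7,SmartApeSG,2025-03-02
203.0.113.55,NetSupport RAT,2023-11-30
"""

# Constructed flow records from the last few days of telemetry.
FLOW_LOG = """date,src_host,dst_ip,dst_port
2025-04-28,ws-114,192.0.2.10,443
2025-04-29,ws-114,192.0.2.10,443
2025-04-29,ws-207,198.51.100.7,443
2025-04-30,ws-031,203.0.113.200,443
"""

def load_iocs(text):
    """Map indicator -> (family, date the indicator was last reported)."""
    return {r["indicator"]: (r["family"], date.fromisoformat(r["last_reported"]))
            for r in csv.DictReader(io.StringIO(text))}

def rematch(ioc_text, flow_text, today, max_age_days=90):
    """Match flows against ALL indicators, tagging hits on indicators
    older than max_age_days (an assumed expiry policy)."""
    iocs = load_iocs(ioc_text)
    cutoff = today - timedelta(days=max_age_days)
    hits = {}
    for row in csv.DictReader(io.StringIO(flow_text)):
        ioc = iocs.get(row["dst_ip"])
        if ioc is None:
            continue
        family, last_reported = ioc
        hit = hits.setdefault((row["src_host"], row["dst_ip"]),
                              {"family": family, "days": set(),
                               "aged_out": last_reported < cutoff})
        hit["days"].add(row["date"])  # distinct days show persistence
    return hits

def aged_out_hits(hits):
    """Host/indicator pairs that an expiry-based match would have missed."""
    return sorted(k for k, v in hits.items() if v["aged_out"])

if __name__ == "__main__":
    results = rematch(IOC_FEED, FLOW_LOG, today=date(2025, 5, 6))
    for (host, ip), info in sorted(results.items()):
        tag = "AGED-OUT IoC STILL ACTIVE" if info["aged_out"] else "current IoC"
        print(f"{host} -> {ip} [{info['family']}] {tag}, {len(info['days'])} day(s)")
```
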

While authorities have worked to dismantle components of the SmartApeSG and NetSupport RAT infrastructures, the threat actors behind these campaigns continue to evolve their tactics.

Users and organizations are advised to remain vigilant, especially against unexpected browser update prompts and phishing schemes.

Organizations can bolster defenses by implementing endpoint detection tools and monitoring telemetry for signs of potential RAT infections.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
