Friday, May 9, 2025

Hackers Drop NetSupport RAT & StealC Malware on Your Windows Via Fake Browser Updates


Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the threat actor group SmartApeSG, also known as ZPHP or HANEYMANEY.

This campaign exploits fake browser update notifications to deliver two potent malware strains: NetSupport RAT and StealC.

The operation leverages malicious scripts injected into compromised websites, redirecting victims to fraudulent pages designed to mimic legitimate browser update alerts.


The malicious activity originates from a script hosted on the domain cinaweine[.]shop, which serves various files, including JavaScript and images, to create a convincing fake browser update interface.

Victims are tricked into downloading a malicious JavaScript file named “Update 7673.js,” which acts as an installer for the NetSupport RAT.

The script downloads a ZIP archive containing the RAT from poormet[.]com.

Once extracted and executed, the RAT establishes communication with command-and-control (C2) servers, enabling attackers to remotely control infected systems.

NetSupport RAT and StealC: A Dual Threat

NetSupport RAT is a remote access tool that provides attackers with extensive control over compromised devices.

Post-infection traffic from the RAT includes communication with domains like geo.netsupportsoftware[.]com and IP addresses such as 194.180.191[.]229 over HTTPS.

The RAT is also used as a delivery mechanism for the StealC malware, which is sent via C2 traffic in a ZIP archive named “misk.zip.”

StealC employs DLL side-loading techniques to evade detection. It uses a legitimate Windows executable (mfpmp.exe) to load a malicious DLL (rtworkq.dll) that contains the inflated StealC payload.

This technique exploits trust in legitimate system files to bypass security measures.

Once operational, StealC communicates with its own C2 infrastructure, hosted on 62.164.130[.]69, for data exfiltration and additional payload delivery.
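The side-loading step described above has a simple telemetry signature: a Windows binary such as mfpmp.exe either runs from somewhere other than the system directory, or resolves rtworkq.dll from a directory that is not the system directory. The following is an added defensive example, not code from the article or from the researchers who analysed the campaign. It assumes Sysmon-style image-load events and a default %SystemRoot% of C:\Windows; the event records are constructed for illustration, and only the executable/DLL pairing named on this page is tracked.

```python
# Added example (not from the article): flag DLL side-loading candidates in
# image-load telemetry. The host binary (mfpmp.exe) and the side-loaded DLL
# (rtworkq.dll) are the pair named in the article; every event below is
# constructed for this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories where a genuine Windows copy of these modules lives.
# Assumption: default %SystemRoot%; adjust if the environment relocates it.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Host executable -> DLLs it legitimately loads from the system directory.
# Only the pairing from this campaign is listed; extend with other known pairs.
SIDELOAD_PAIRS = {"mfpmp.exe": {"rtworkq.dll"}}


@dataclass
class ImageLoadEvent:
    """A Sysmon-style image-load record (constructed for this example)."""
    process_path: str   # full path of the process that loaded the module
    module_path: str    # full path of the module that was loaded


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: ImageLoadEvent) -> Optional[str]:
    """Return a finding label for a suspicious load, or None if benign."""
    proc = _basename(event.process_path)
    mod = _basename(event.module_path)
    if mod not in SIDELOAD_PAIRS.get(proc, set()):
        return None  # not a pairing we track
    if not _in_trusted_dir(event.process_path):
        # The genuine binary was copied out of System32 next to a rogue DLL,
        # which is the pattern the article describes for StealC.
        return "host-binary-relocated"
    if not _in_trusted_dir(event.module_path):
        # Binary runs from System32 but resolved the DLL elsewhere.
        return "dll-outside-system-dir"
    return None


def scan(events: List[ImageLoadEvent]) -> List[Tuple[str, str]]:
    """Return (label, module_path) for every suspicious event, in order."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((label, ev.module_path))
    return findings


# Constructed sample telemetry: one benign load, two side-loading patterns,
# and one load by a process we do not track.
SAMPLE_EVENTS = [
    ImageLoadEvent("C:\\Windows\\System32\\mfpmp.exe",
                   "C:\\Windows\\System32\\rtworkq.dll"),
    ImageLoadEvent("C:\\Users\\victim\\AppData\\Local\\Temp\\misk\\mfpmp.exe",
                   "C:\\Users\\victim\\AppData\\Local\\Temp\\misk\\rtworkq.dll"),
    ImageLoadEvent("C:\\Windows\\System32\\mfpmp.exe",
                   "C:\\Users\\victim\\Downloads\\rtworkq.dll"),
    ImageLoadEvent("C:\\Windows\\System32\\notepad.exe",
                   "C:\\Windows\\System32\\rtworkq.dll"),
]


def demo() -> List[Tuple[str, str]]:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for label, path in demo():
        print(f"{label}: {path}")
```

Both findings are worth alerting on, but the first ("host-binary-relocated") is the stronger one: a signed Microsoft binary executing from a user-writable temp directory has almost no legitimate explanation, whereas a DLL resolved from an unexpected directory can occasionally come from a misconfigured PATH.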

Technical Details of Malicious Files and Traffic

The malicious files involved in this campaign include:

  • The installer script for NetSupport RAT (47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc)
  • A ZIP archive containing the RAT (b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3)
  • The StealC ZIP archive (e9eb934dad3f87ee581df72af265183f86fdfad87018eed358fb4d7f669e5b7d)

StealC further downloads legitimate third-party DLLs (e.g., sqlite3.dll, nss3.dll) from its C2 server to facilitate its operation.

These files are used during the infection process but are not inherently malicious.

This campaign highlights the evolving tactics of cybercriminals who exploit trust in software updates and legitimate files to deliver malware.

Users are advised to avoid downloading updates from unverified sources and ensure their systems are protected with updated security solutions.

Organizations should monitor network traffic for suspicious activity, such as communication with known malicious domains or IP addresses, and implement robust endpoint detection mechanisms to mitigate risks associated with these threats.
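To make the monitoring advice above concrete, here is an added example of matching the indicators published in this article against proxy logs and file hashes. It is not code from the article or from the researchers; the indicators are the ones listed on this page (refanged from the `[.]` notation), while the proxy log format, the log lines and the source IPs are constructed. One deliberate design choice: geo.netsupportsoftware[.]com is NetSupport's own vendor domain, so it is treated as a "context" indicator rather than a "malicious" one, since an organisation that legitimately runs NetSupport would otherwise drown in false positives.

```python
# Added example (not from the article): match the campaign's published
# indicators against constructed proxy-log lines and SHA-256 file hashes.
import re
from typing import List, Optional, Tuple

# Indicators exactly as the article defangs them; refang() restores the dots.
MALICIOUS_DEFANGED = [
    "cinaweine[.]shop",       # hosts the fake browser-update script
    "poormet[.]com",          # serves the NetSupport RAT ZIP archive
    "194.180.191[.]229",      # NetSupport RAT C2
    "62.164.130[.]69",        # StealC C2
]
# Vendor-owned domain contacted post-infection; meaningful only where
# NetSupport is not a sanctioned tool (assumption made for this example).
CONTEXT_DEFANGED = ["geo.netsupportsoftware[.]com"]

SHA256_IOCS = {
    "47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc":
        "NetSupport RAT installer script",
    "b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3":
        "NetSupport RAT ZIP archive",
    "e9eb934dad3f87ee581df72af265183f86fdfad87018eed358fb4d7f669e5b7d":
        "StealC ZIP archive (misk.zip)",
}


def refang(indicator: str) -> str:
    """Turn the published 'example[.]com' form back into a matchable host."""
    return indicator.replace("[.]", ".")


INDICATORS = {refang(i): "malicious" for i in MALICIOUS_DEFANGED}
INDICATORS.update({refang(i): "context" for i in CONTEXT_DEFANGED})


def match_host(host: str) -> Optional[Tuple[str, str]]:
    """Return (indicator, severity) if host matches an IoC or a subdomain of one."""
    h = host.lower()
    if ":" in h and h.rsplit(":", 1)[1].isdigit():  # strip ':443' from CONNECT
        h = h.rsplit(":", 1)[0]
    for indicator, severity in INDICATORS.items():
        if h == indicator or h.endswith("." + indicator):
            return indicator, severity
    return None


def match_hash(digest: str) -> Optional[str]:
    """Return the IoC description for a SHA-256 digest, or None."""
    return SHA256_IOCS.get(digest.strip().lower())


# Constructed proxy log format: "<ts> <src_ip> <method> <host> <path> <status>"
PROXY_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, indicator, severity) for every line that hits an IoC."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, src, _method, host, _path, _status = m.groups()
        found = match_host(host)
        if found:
            hits.append((src, found[0], found[1]))
    return hits


# Constructed sample log: one benign request, then the campaign's sequence.
SAMPLE_PROXY_LOG = [
    "2025-05-09T10:01:02Z 10.0.0.5 GET www.example-blog.test /index.html 200",
    "2025-05-09T10:01:05Z 10.0.0.5 GET cinaweine.shop /js/update.js 200",
    "2025-05-09T10:02:11Z 10.0.0.5 GET poormet.com /dl/pkg.zip 200",
    "2025-05-09T10:05:40Z 10.0.0.5 CONNECT 194.180.191.229:443 - 200",
    "2025-05-09T10:06:00Z 10.0.0.7 GET geo.netsupportsoftware.com /loc/ 200",
    "this line is malformed and is skipped",
]


if __name__ == "__main__":
    for src, indicator, severity in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{severity:9} {src} -> {indicator}")
    print(match_hash("E9EB934DAD3F87EE581DF72AF265183F86FDFAD87018EED358FB4D7F669E5B7D"))
```

Hash matching is case-normalised because different tools emit upper- or lower-case hex; host matching also catches subdomains of a listed domain, which is why cinaweine[.]shop would still match if the actor moved the script to a new hostname under the same domain.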

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
