eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy. When you request to create an account, please tell us something about you.

Server stats:

210
active users

#netsupportrat

0 posts0 participants0 posts today
Brad<p>2025-07-15 (Tuesday): Tracking <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmartApeSG</span></a> </p><p>The SmartApeSG script injected into page from compromised website leads to <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> style fake verification page. ClickFix-ing you way through this leads to a <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupportRAT</span></a> infection.</p><p>Compromised site (same as yesterday): </p><p>- medthermography[.]com</p><p>URLs for ClickFix style fake verification page:</p><p>- warpdrive[.]top/jjj/include.js<br>- warpdrive[.]top/jjj/index.php?W11WzmLj<br>- warpdrive[.]top/jjj/buffer.js?409a8bdbd9</p><p>Running the script for NetSupport RAT:</p><p>- sos-atlanta[.]com/lal.ps1<br>- sos-atlanta[.]com/lotu.zip?l=4773</p><p><a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> RAT server (same as yesterday):</p><p>- 185.163.45[.]87:443</p>
Brad<p>2025-06-18 (Wednesday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmartApeSG</span></a> --&gt; <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> lure --&gt; <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupportRAT</span></a> --&gt; <a href="https://infosec.exchange/tags/StealCv2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealCv2</span></a></p><p>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> of the traffic, the malware/artifacts, and some IOCs are available at <a href="https://www.malware-traffic-analysis.net/2025/06/18/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/06/18/index.html</span></a>.</p><p>Today's the 12th anniversary of my first blog post on malware-taffic-analysis.net, so I made this post a bit more old school.</p>
Paul Melson<p>What year is it?!<br>PowerShell dropper staged on Pastebin, payload is <a href="https://infosec.exchange/tags/netsupportrat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>netsupportrat</span></a>, C2 at PSINet. </p><p>hXXps://pastebin[.]com/raw/bhFVRquV<br>-&gt; hXXps://care4hygiene[.]com/kliapaza.zip<br>---&gt; 38[.]132[.]101[.]38:443</p>