
Hackers Use Fake Browser Updates to Deploy NetSupport RAT & StealC Malware on Windows


Hackers associated with the group SmartApeSG, also known as ZPHP or HANEYMANEY, have been observed using fake browser update notifications to spread the NetSupport RAT and StealC malware.

This campaign leverages malicious scripts injected into compromised websites to deceive users into downloading and executing harmful files.

The attack chain demonstrates a high level of sophistication, combining social engineering with technical exploitation.

The campaign begins with traffic being directed to a malicious website, cinaweine[.]shop, where users are prompted to download a fake browser update.

The site hosts various resources, including JavaScript files, images, and CSS files, all designed to mimic legitimate browser update pages.

One such script, identified by its SHA256 hash (47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc), acts as an installer for the NetSupport RAT.

Once executed, this script downloads a ZIP archive (lol.zip) containing the RAT from poormet[.]com.

NetSupport RAT Deployment and Post-Infection Activity

The downloaded ZIP file, verified by its hash (b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3), contains the NetSupport RAT payload.

After installation, the RAT initiates communication with its command-and-control (C2) server at geo.netsupportsoftware[.]com and with the IP address 194.180.191[.]229 over HTTPS.

These communications include HTTP POST requests to URLs such as /fakeurl.htm, enabling attackers to maintain control over the infected system.

StealC Malware Delivered Through Side-Loading

In a subsequent stage of the attack, the NetSupport RAT is used to deliver the StealC malware via C2 traffic.

A ZIP archive (misk.zip) containing both legitimate and malicious files is downloaded to the victim’s system.

Among these files is mfpmp.exe, a legitimate Windows executable used for Media Foundation tasks.

However, attackers exploit this file for DLL side-loading by pairing it with a malicious DLL (rtworkq.dll), which is significantly inflated in size (725 MB) to evade detection.

Once loaded, StealC establishes communication with its own C2 server at 62.164.130[.]69.

It uses multiple HTTP POST requests for data exfiltration and downloads legitimate third-party DLLs required for its operation, such as sqlite3.dll, nss3.dll, and vcruntime140.dll.
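The side-loading stage above gives defenders a simple host-side check: a legitimate Windows executable copied outside the system directories, sitting next to a same-named system DLL that is far larger than it should be. The following Python is an added example written for this page, not code from the article or from any vendor; the 10 MB size threshold and the sample file listing are constructed assumptions, while the mfpmp.exe / rtworkq.dll pair and the 725 MB size come from the article.

```python
import ntpath

# Indicators named in the article: the legitimate Media Foundation host
# executable and the malicious DLL side-loaded next to it.
SIDELOAD_PAIRS = {"mfpmp.exe": {"rtworkq.dll"}}
# Folders where the genuine copies of both files live.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Assumption (not from the article): a genuine Media Foundation DLL is far
# below 10 MB, so a larger one is treated as padded to evade scanning.
SIZE_THRESHOLD = 10 * 1024 * 1024


def find_sideload_candidates(listing, pairs=SIDELOAD_PAIRS, threshold=SIZE_THRESHOLD):
    """Return findings for each folder outside SYSTEM_DIRS that holds a known
    host executable together with a same-named system DLL (listing = iterable
    of (path, size_in_bytes)). An oversized DLL adds a second reason."""
    by_folder = {}
    for path, size in listing:
        folder, name = ntpath.split(path.lower())
        by_folder.setdefault(folder, {})[name] = size

    findings = []
    for folder, files in by_folder.items():
        if folder.startswith(SYSTEM_DIRS):
            continue  # genuine copies; side-loading needs a copy elsewhere
        for exe, dlls in pairs.items():
            candidates = dlls & set(files) if exe in files else set()
            for dll in sorted(candidates):
                size = files[dll]
                reasons = [f"{exe} and {dll} together outside a system directory"]
                if size > threshold:
                    reasons.append(f"{dll} is {size // 2**20} MB, implausibly large")
                findings.append({"folder": folder, "dll": dll, "dll_size": size, "reasons": reasons})
    return findings


# Constructed sample listing: genuine files in System32 plus the extracted
# misk.zip contents the article describes. Sizes are placeholders except the
# DLL, which matches the reported 725 MB.
SAMPLE_LISTING = [
    (r"C:\Windows\System32\mfpmp.exe", 50_000),
    (r"C:\Windows\System32\rtworkq.dll", 400_000),
    (r"C:\Users\victim\AppData\Local\Temp\misk\mfpmp.exe", 50_000),
    (r"C:\Users\victim\AppData\Local\Temp\misk\rtworkq.dll", 725 * 2**20),
    (r"C:\Users\victim\AppData\Local\Temp\misk\sqlite3.dll", 1_200_000),
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_LISTING):
        print(hit["folder"], "->", "; ".join(hit["reasons"]))
```

In practice the listing would come from an EDR file inventory or a recursive walk of user-writable folders; the pair table can be extended with other known host executable and DLL combinations.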

This campaign highlights the persistent threat posed by SmartApeSG and its evolving tactics.

By exploiting legitimate tools and blending malicious payloads with authentic files, the attackers aim to bypass traditional security measures.

Organizations are advised to implement robust endpoint protection, monitor network traffic for suspicious activity, and educate users about phishing tactics involving fake software updates.

The discovery underscores the importance of proactive threat intelligence in identifying and mitigating advanced cyber threats targeting Windows systems globally.
