Once installed, the NetSupport RAT establishes a persistent connection with command-and-control servers based in Moldova. It modifies registry entries to survive system reboots and allows the attackers to maintain long-term access. Post-infection activities include internal reconnaissance such as Active Directory queries to list domain computers and transferring files to public directories. The attackers use NetSupport’s legitimate command prompt feature to run commands like net group /domain "Domain Computers", effectively blending in with regular administrative behavior and avoiding immediate detection.

Given NetSupport’s increasing abuse ranking as the seventh most prevalent threat in 2024, security experts advise organizations to isolate infected systems immediately, reset credentials, and block known malicious domains and IPs. Monitoring for suspicious PowerShell executions and clipboard hijacking in browser environments is strongly recommended. Website administrators should regularly audit WordPress installations for unauthorized scripts. This campaign underscores a growing trend where attackers prioritize social engineering over technical exploits, manipulating users into executing malware themselves while bypassing traditional security mechanisms.

Impact

• Sensitive Data Theft
• Unauthorize Access
• Security Bypass

Indicators of Compromise

Domain Name

• pemptousia.com

• fmovies123.top

• badgervolleyball.org

• jakestrack.com

• jaagnet.com

IP

• 94.158.245.104
• 94.158.245.118
• 94.158.245.131
• 94.158.245.137
• 77.83.199.34

MD5

• 9c4349534c137e3e43fb2e2caf049f9d

• c05f8ec5afbabc36f1c1366549290ae6

• 20ed4df3a9c734c1788bd2ca2658aedb

• 1768c9971cea4cc10c7dd45a5f8f022a

SHA-256

• 983f423da1c2ebbdc51abfdf4d71f8329956684fba72acf49bcd8eb3ae4c6ac5
• 36d8bd55a52e140770b797b86f2185aa180f7d228c6c25460ec65e8cb8fe1aae
• 35ab9ebd4f80da4b4f315f7e8aab038687d681f86dd9015469c7806ad6ab638a
• 6558b3307215c4b73fc96dc552213427fb9b28c0cb282fe6c38324f1e68e87d6

SHA1

• bfbd71a95dcbd89580612953e8b9c38f36992aca
• 8c2108e7d96d6505fd1805696443ab9afb5fcb59
• ec54e200a791480fa3341ff5db4beb3662b885f1
• 3d199bee412cbac0a6d2c4c9fd5509ad12a667e7

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Isolate and determine if forensic analysis needs to be performed. If it does, a forensic image (preservation copy) should be created for analysis to determine the scope of potential data at risk and the extent of threat actor activity. If not, proceed with internal/existing IT processes to restore to "gold image" (baseline).
• Conduct a forensic analysis of the "at risk" data as identified within this article under Critical Takeaways section under "The extension accessed the following browser data:", which details specifically what data elements may be at risk and should be considered for inventorying, resetting, and for a potential follow-on investigation into unauthorized or unexpected activity.
• Reset credentials associated with affected user accounts, especially those with administrative access.
• Block-identified IOCs (domains, IPs, hashes) across endpoints, networks, and other security appliances.
• Reimage the infected system to ensure full eradication.
• Educate users on recognizing suspicious activity and phishing attempts to reduce the risk of reinfection.