{
	"id": "4c19eb36-6f17-44ff-b5c8-fcecd067b7fb",
	"created_at": "2026-04-06T00:11:09.167726Z",
	"updated_at": "2026-04-10T13:12:28.083817Z",
	"deleted_at": null,
	"sha1_hash": "45eb2ab742207b95ac680ffdf34afb835a190e5d",
	"title": "SmartApeSG Delivering NetSupport RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1692671,
	"plain_text": "SmartApeSG Delivering NetSupport RAT\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 20:06:01 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nEarly in January 2024, our machine-learning-powered PowerShell classifier, BlueSteel, detected malicious PowerShell script execution. Upon further investigation, the eSentire Threat Response Unit (TRU) associated the threat with SmartApeSG, a threat actor that relies on fake browser updates to distribute NetSupport RAT.\r\nThe execution was traced to the end-user visiting a compromised webpage which served a fake browser update ZIP containing Update_browser_17.6436.js. We could not retrieve the files or the compromised website, but we found similar samples here and here.\r\nThe initial JavaScript file included legitimate code sections to conceal the malicious code (Figure 1).\r\nFigure 1: Contents of the JS file\r\nThe code retrieves malicious script from jennifergalvin[.]com/cache/news.php?37668, as shown in Figure 2.\r\nhttps://www.esentire.com/blog/smartapesg-delivering-netsupport-rat\r\nPage 1 of 7\n\nFigure 2: Deobfuscated JS content\r\nThe retrieved JavaScript file contains the PowerShell command shown in Figure 3.\r\nFigure 3: Retrieved JS file containing the PowerShell command\r\nThe script does the following:\r\n$bvQQOQYGOGdiqHsdLSvR is set to a URL (jesusanaya.com/GetData[.]php?10864).\r\n$vxjoBVCFtQyMhM downloads the content from the above URL.\r\n$AcusblBKewkwXkdlGOMKgqQcFhnA converts the downloaded content from Base64 encoding.\r\nA random number is generated, and a new directory path is created under the Application Data folder, appended with the random number.\r\nThe Base64-decoded data from the retrieved content is saved as an rtrs.zip file. The zip file is then extracted to the created directory.\r\nThe script checks for an executable client32.exe in the extracted directory. If found, it executes client32.exe.\r\nA new registry item is created under the HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run path to ensure client32.exe runs on startup (T1547.001).\r\nThe Base64-encoded content mentioned above decodes to a ZIP archive (Figure 4). The archive contains NetSupport components, including the client (Figure 5).\r\nFigure 4: Base64-encoded content that eventually decodes to a ZIP archive\r\nFigure 5: NetSupport configuration file\r\nDetection Rules\r\nYou can access the Yara rules for SmartApeSG here.\r\nWhat did we do?\r\nWe investigated the threat and confirmed the activity is malicious.\r\nUsing eSentire MDR for Endpoint, our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat, and notified the customer of suspicious activities.\r\nWhat can you learn from this TRU Positive?\r\nSmartApeSG's use of fake browser updates to distribute the NetSupport RAT showcases a common social engineering technique, in which attackers often disguise malware as legitimate updates or software to trick users into downloading harmful files.\r\nThe compromised webpage serving a JavaScript file within a ZIP archive underlines the need for web security and caution when downloading files from websites, especially those that prompt unexpected updates or downloads.\r\nThe inclusion of legitimate code sections in the initial JavaScript file to hide malicious content is a classic obfuscation technique.\r\nThe PowerShell script's operations, including downloading content, creating directories, extracting ZIP files, executing executables, and modifying registry items, provide insights into typical NetSupport deployment strategies. This knowledge is crucial for developing robust detection and response mechanisms.\r\nThe decoding of Base64 content to reveal a ZIP archive containing NetSupport components highlights the multi-layered nature of malware deployment.\r\nRecommendations from our Threat Response Unit (TRU) Team:\r\nTrain users to identify and report potentially malicious content using Phishing and Security Awareness Training (PSAT) programs.\r\nIdentify file types that are commonly associated with security risks, such as executable files (.exe, .bat, .cmd), script files (.js, .vbs, .ps1), and certain document types that support macros (.docm, .xlsm). Then select a file type that is inherently safer and does not support executable code or active content (i.e., a plain text format like .txt).\r\nEnsure employees have access to a dedicated software center to download corporate-approved software.\r\nProtect endpoints against malware by:\r\nEnsuring antivirus signatures are up-to-date.\r\nUsing a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and contain threats.\r\nIndicators of Compromise\r\nYou can access Indicators of Compromise here.\r\nReferences\r\nhttps://medium.com/walmartglobaltech/smartapesg-4605157a5b80\r\nhttps://bazaar.abuse.ch/sample/45b46c432bb3857ff98a2f67f3480b85f8fb37f5df55941e875e2d70f87ca24e/\r\nhttps://app.any.run/tasks/fd5f0212-761f-43e0-9b60-3762f2eb2074/\r\nhttps://attack.mitre.org/techniques/T1547/001/\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/smartapesg-delivering-netsupport-rat"
	],
	"report_names": [
		"smartapesg-delivering-netsupport-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45eb2ab742207b95ac680ffdf34afb835a190e5d.pdf",
		"text": "https://archive.orkl.eu/45eb2ab742207b95ac680ffdf34afb835a190e5d.txt",
		"img": "https://archive.orkl.eu/45eb2ab742207b95ac680ffdf34afb835a190e5d.jpg"
	}
}