{
	"id": "f1e7ba3e-e4df-479b-aa23-e7b4d79a58a5",
	"created_at": "2026-04-06T00:07:18.99531Z",
	"updated_at": "2026-04-10T13:11:31.039221Z",
	"deleted_at": null,
	"sha1_hash": "4f0e8fce607584e2e2301a4b0b18a1d15c470166",
	"title": "Tracing the Path From SmartApeSG to NetSupport RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2694496,
	"plain_text": "Tracing the Path From SmartApeSG to NetSupport RAT\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 19:11:03 UTC\r\nThis investigation began with the analysis of SmartApeSG, a FakeUpdate threat that delivers NetSupport RAT to victims. Initial efforts to track its Command and Control (C2) infrastructure led to unexpected discoveries through analysis of Internet telemetry data.\r\nBy pivoting from one connection to the next, we uncovered related C2 management hosts, active NetSupport RAT servers, and cross-connections to suspicious infrastructure, including RATs, cryptocurrency services, and platforms linked to illicit activity.\r\nThis write-up details these findings and demonstrates how exploring Internet telemetry data can uncover interconnected threats.\r\nKey Findings\r\n- Management Hosts: Identified three Moldovan IPs (assigned to MivoCloud) likely used for C2 management—two tied to SmartApeSG and one to the NetSupport RAT cluster.\r\n- Active NetSupport RAT Cluster: Found an active NetSupport RAT cluster, including several old C2s reported nearly a year ago, which were still receiving victim communication.\r\n- Link Between Infrastructures: Observations suggest a connection between the SmartApeSG and NetSupport RAT clusters, including shared characteristics in management activity and overlapping components such as X.509 certificates.\r\n- Recent Infrastructure Updates: The old NetSupport RAT infrastructure was recently replaced with new IPs and domains, with some of the same domains now pointing to these new IPs.\r\n- Quasar RAT Connection: Observed communication between a NetSupport RAT C2 and a Quasar RAT C2, along with several unusual hosts. It is unclear if this activity is directly related to the threat actor's infrastructure or represents unrelated compromise.\r\nTracking SmartApeSG Infrastructure\r\nhttps://www.team-cymru.com/post/tracing-the-path-from-smartapesg-to-netsupport-rat\r\nPage 1 of 17\n\nA brief background: SmartApeSG is a type of FakeUpdate threat first observed in the wild in June 2023. Like other FakeUpdate threats such as SocGholish, LandUpdate808, and ClearFake, SmartApeSG deceives users into installing a fake browser update after visiting a compromised website. In most cases, this results in the deployment of NetSupport RAT on the victim's machine.\r\nNetSupport RAT refers to the malicious use of NetSupport Manager, a legitimate remote administration tool. When abused, it can be used to control systems, steal data, or install malware. It is often delivered through phishing or fake update campaigns such as SmartApeSG or SocGholish.\r\nOur analysis began by examining the Internet telemetry data of SmartApeSG C2 servers and searching for outlier IPs that communicated with multiple C2s. Such activity can indicate related backend infrastructure or threat actor operations. At the time, the C2 infrastructure was hosted on Stark Industries; however, this is no longer the case following takedown action by the hosting provider.\r\nWhile there was no significant outbound activity originating from the SmartApeSG C2s, two hosts were consistently observed connecting to them over TCP/1500. This behavior persisted for periods ranging from a few days to a week.\r\nVisiting one of the C2s on port 1500 in a browser revealed an ISPManager login page.\r\nISPManager is a widely used control panel software, particularly popular among Russian-speaking users. According to their website, it is \"a Linux-based control panel for managing dedicated, game, and VPS web servers, as well as selling shared hosting.\" Conveniently for the threat actors, the platform offers a two-week free trial per server—longer than the typical lifespan of these C2s.\r\nThe service includes an API that enables site management without requiring manual login to the panel. The default port for API authentication calls is the same as the one used by these C2s: port 1500. We suspect these two hosts were used to manage the C2s, connecting through the API to perform automated tasks, monitor activity, pull statistics, etc.\r\nFirst Pivot: Exploring Moldovan C2 Management Hosts\r\nThe next step was to pivot to the two IPs identified as potentially being used for C2 management. Both IPs were geolocated in Moldova and hosted by MivoCloud, but their profiles differed in terms of observed open ports and hosted X.509 certificates.\r\n5.181.156.16\r\nThe server hosted on 5.181.156.16 had a service listening on TCP/3389 (the common port for RDP traffic) at the time of the observed outbound connections to the SmartApeSG C2 servers (via TCP/1500). Immediately following this time period, we also identified a service listening on TCP/5986; however, it is unclear whether the IP was still associated with the threat actors at this point.\r\nThe X.509 certificate hosted on TCP/3389 had both its subject and issuer set to CN=55554rac.\r\n5.181.157.69\r\nThe server hosted on 5.181.157.69 had services listening on TCP/137, TCP/3389, and TCP/5985 at the time of the observed outbound connections to the SmartApeSG C2 servers.\r\nThe X.509 certificate hosted on TCP/3389 listed both its subject and issuer as CN=MATRACHEDICIDGA.\r\nInternet telemetry analysis of these two hosts revealed additional C2s they were communicating with. Most of the observed Internet telemetry data was related to TCP/1500 activity associated with C2 management, with 5.181.156.16 interacting with SmartApeSG C2s more frequently than 5.181.157.69. It is possible that the threat actor operates from a single upstream host and uses these two Moldovan IPs as proxies to route their activity to the C2s. However, this potential upstream host was not identified in the data available for analysis.\r\nInterestingly, for one day, 5.181.157.69 established a connection to 95.164.37.152:443, which was reported as a NetSupport RAT C2 in 2023. Time to pivot again!\r\nSecond Pivot: Uncovering NetSupport RAT Connections\r\nAnalysis of Internet telemetry data for this NetSupport RAT C2 server revealed that the infrastructure was still active and receiving victim communications. The most notable finding was a third IP, 5.181.158.15, also hosted on MivoCloud, which had been connecting to the same C2 on remote TCP/443 for several months.\r\n5.181.158.15\r\nThe server hosted on 5.181.158.15 had services listening on TCP/137, TCP/3389, and TCP/5985, in an identical pattern to 5.181.157.69.\r\nThe X.509 certificate for this host had both its subject and issuer set to CN=WIN-7FUHAU7D2HV. Initially, the certificate was hosted on TCP/6778, but this was later updated to TCP/3389.\r\nAnalysis of Internet telemetry data for 5.181.158.15 uncovered seven additional NetSupport RAT C2s that it was communicating with on remote TCP/443 or TCP/447. For one of these C2s, there was also a period of connections on remote TCP/2552 lasting about a month. This activity was consistent and had been ongoing for several months, suggesting another form of backend management activity.\r\nThe only other long-term activity from this IP occurred from at least April 2024 until recently and consisted of outbound connections to derelay.rabby[.]io, a public relay for Rabby Wallet.\r\nThird Pivot: Cross-Connections with Quasar RAT and More\r\nInterestingly, all but one of the eight NetSupport RAT C2 IPs had been publicly reported around a year earlier. Most of these IPs had domains pointing to them that were known NetSupport RAT C2s that were also up to a year old.\r\nAnalyzing Internet telemetry data for these C2s confirmed that they were still actively receiving victim communication—an unexpected finding given the age of the infrastructure. On a few occasions, four of these C2s established connections to fex[.]net, a Russian-language cloud storage and file-sharing service.\r\nOne notable C2, 194.31.109.74, was receiving connections on local TCP/2552 and had multiple NetSupport RAT domains pointing to it, yet it had never been publicly reported as malicious. Additionally, the X.509 certificate this IP initially hosted used the common name CN=MATRACHEDICIDGA, matching the Moldovan SmartApeSG management host 5.181.157.69 that had also connected to a NetSupport RAT C2 in this cluster. In October 2024, a new X.509 certificate was observed, with the common name CN=WIN-J9D866ESIJ2.\r\nThis C2 also frequently communicated with 193.107.109.76, which was reported to ThreatFox as a Lycantrox C2 in 2023 and later as a Quasar RAT C2 in August 2024, a few weeks after we observed its communication with the NetSupport RAT C2. This activity occurred primarily to remote TCP/1488 but occasionally remote TCP/54664. The latter port was associated with Quasar RAT C2 communication, but there was no public information about activity on 193.107.109.76:1488.\r\nQuick Side Pivot\r\nPivoting to the Quasar RAT C2 hosted on 193.107.109.76, Internet telemetry analysis revealed approximately 15 hosts communicating with it on TCP/1488, TCP/54664, or both. Activity on TCP/54664 could potentially indicate victim communication with the Quasar RAT C2, but the purpose of the service listening on TCP/1488 remains unclear.\r\nMany of these hosts shared the X.509 certificate CN=DESKTOP-TCRDU4C, often linked to malicious infrastructure, and displayed Internet telemetry activity atypical of normal victim machines. Some were used for Tox, Telegram, or Jabber server communication, with Jabber activity connecting to exploit[.]im. Others appeared to be part of an unidentified proxy network. One host was identified as another known Quasar RAT C2, while others interacted with services related to cryptocurrency, including Rabby Wallet. A few led to Russian-language marketplaces such as DarkSeller and DarkMarket, as well as Russian-language forums for bitcoin and cryptocurrency.\r\nOne of these hosts, which communicated with the Quasar RAT C2 on TCP/54663, appeared to SSH (connections to remote TCP/22) into sites used for cryptocurrency scams and visited numerous others on TCP/443. Among the sites it connected to over SSH was ubsglobalmarkets[.]com, which appeared to impersonate ubs[.]com, the legitimate website of a major investment bank and financial services company.\r\nFake UBS website: (screenshot)\r\nReal UBS website: (screenshot)\r\nOther recent SSH connections were made to k-trades[.]com and rivosgroup[.]com, both of which use the same website template. Neither site appears to represent a legitimate company; although they claim to have been established for years, no information about them exists online.\r\nOverall, the activity observed from these 15 hosts was more consistent with threat actor behavior than that of typical victim machines. The reason why only this NetSupport RAT C2 is communicating with a Quasar RAT C2 remains unclear. It’s possible that this C2 is compromised, and its activity is unrelated to the other infrastructure. However, the unusual behavior of the other “infected” hosts suggests they may be connected to threat actor operations.\r\nAt this stage, there isn’t enough information to draw definitive conclusions. Regardless, this pivoting detour uncovered intriguing infrastructure worth investigating further in the future.\r\nReporting and Recent Developments\r\nWe reported the SmartApeSG C2s to Stark Industries, and they were promptly taken down. SmartApeSG continued using Stark for a couple more weeks, procuring new VPS hosts which were also promptly taken down, before transitioning to Hivelocity (HVC-AS) for about a month, and then to HostZealot (HZ-US-AS). Since that time, no additional ISPManager activity has been observed from the two Moldovan management hosts. While there have been minor changes in Internet telemetry patterns and open ports, the X.509 certificates associated with these hosts have remained consistent.\r\nThe NetSupport RAT C2s were also reported and taken offline, although some were discovered after the initial reporting. Since then, most of the previous NetSupport RAT domains have been randomly reassigned to new IPs, with the most recent setup occurring at the end of November. Additionally, some new domains have been created. The same management host, 5.181.158.15, is now communicating with some of these new IPs as it did with the previous set. While it’s likely that other hosts are also involved in this communication, available Internet telemetry visibility has not illuminated them at this stage. We have reported these new IPs to the relevant hosting providers, and Stark has responded by taking them down. It is probable that 5.181.158.15 is engaging with additional NetSupport RAT C2 servers beyond those identified in our Internet telemetry data, though they have not yet been discovered.\r\nConclusion\r\nThis investigation demonstrates how pivoting through Internet telemetry data can uncover unexpected connections and shed light on complex threat actor infrastructure. Starting with SmartApeSG C2s, the analysis expanded to reveal active NetSupport RAT clusters, potential links between infrastructures, and additional malicious activity involving Quasar RAT and cryptocurrency scams. While many components were taken down through proactive reporting, the continued evolution of these infrastructures highlights the persistence of the associated threat actors.\r\nRecommendations\r\n● Pure Signal™ users can hunt for this activity by querying for the indicators of compromise shared below or based on characteristics such as X.509 certificate common names as shared in this blog post.\r\n● More broadly, this research highlights the re-use of infrastructure in cyber-attack campaigns, potentially targeting a flaw in cyber defense rulesets and blocklists where indicators “age out” after a pre-determined time period. This is a good reminder to periodically review “old” indicators to check for current utilization.\r\nIndicators of Compromise\r\nSource: https://www.team-cymru.com/post/tracing-the-path-from-smartapesg-to-netsupport-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.team-cymru.com/post/tracing-the-path-from-smartapesg-to-netsupport-rat"
	],
	"report_names": [
		"tracing-the-path-from-smartapesg-to-netsupport-rat"
	],
	"threat_actors": [
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-10T02:00:03.873701Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f0e8fce607584e2e2301a4b0b18a1d15c470166.pdf",
		"text": "https://archive.orkl.eu/4f0e8fce607584e2e2301a4b0b18a1d15c470166.txt",
		"img": "https://archive.orkl.eu/4f0e8fce607584e2e2301a4b0b18a1d15c470166.jpg"
	}
}