{
	"id": "911066fc-7398-47b4-a8e6-7bdd2e6e73e7",
	"created_at": "2026-04-06T00:21:24.342634Z",
	"updated_at": "2026-04-10T13:12:39.086266Z",
	"deleted_at": null,
	"sha1_hash": "5eae250a83288b62dfe021decc1468628fc6d186",
	"title": "EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1741469,
	"plain_text": "EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware\r\nBy Brad Duncan\r\nPublished: 2017-09-01 · Archived: 2026-04-05 17:16:36 UTC\r\nThe attackers behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google's Chrome browser. In recent months, the malware used in the EITest campaign has been ransomware such as Spora and Mole. However, by late August 2017, this campaign began pushing a different type of malware. Recent samples are shown to infect Windows hosts with the NetSupport Manager remote access tool (RAT). This is significant, because it indicates a potential shift in the motives of this adversary. Today's blog reviews recent activity from these EITest HoeflerText popups on August 30, 2017 to discover more about this recent change.\r\nFigure 1 below shows what victims see when they view a compromised website, and Figure 2 shows the page if the user clicks the \"Update\" button. Chrome users should be suspicious of any pop-ups that match these images.\r\nFigure 1: Fake HoeflerText popup after viewing a compromised site with the Chrome browser.\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/\r\nPage 1 of 10\r\nFigure 2: Clicking the \"update\" button sent us Font_Chrome.exe.\r\nHistory\r\nAs early as December 2016, the EITest campaign began using HoeflerText popups to distribute malware. Since late January 2017, we have only seen ransomware from these popups. The method has occasionally disappeared for weeks at a time. By July 2017, the HoeflerText popups delivered Mole ransomware under the file name Font_Chrome.exe. These popups stopped in late July. But by late August 2017, they reappeared, and we saw a different type of malware sent under the file name Font_Chrome.exe. Recent examples reviewed by Unit 42 are not ransomware; they are file downloaders. Figure 3 below shows the hits on Font_Chrome.exe in AutoFocus from July 16, 2017 through August 30, 2017.\r\nFigure 3: Recent activity from fake HoeflerText popups in Google Chrome sending malware.\r\nRecent Activity\r\nNetwork traffic follows two distinct paths. Victims who use Microsoft Internet Explorer as their web browser will get a fake anti-virus alert with a phone number for a tech support scam. Victims using Google Chrome as their browser will get a fake HoeflerText popup as seen in Figure 1 that offers malware disguised as Font_Chrome.exe. Figure 4 shows the chain of events for current activity from the EITest campaign.\r\nFigure 4: Chain of events for activity from the EITest campaign.\r\nCurrent samples of Font_Chrome.exe are file downloaders. They retrieve follow-up malware that installs a NetSupport Manager remote access tool (RAT). NetSupport Manager is a commercially available RAT previously associated with a malware campaign from hacked Steam accounts last year. For the August 2017 HoeflerText popups, we have found two examples of the file downloader and two examples of follow-up malware to install the NetSupport Manager RAT.\r\nFigure 5: Traffic from a recent infection filtered in Wireshark.\r\nFigure 6: The downloaded fake Chrome font program.\r\nFigure 7: Double-clicking Font_Chrome.exe downloads and executes more malware.\r\nFigure 8: Follow-up malware installs NetSupport Manager RAT on the infected Windows host.\r\nFigure 9: RAT configuration settings from an infected Windows host.\r\nNetSupport Manager is currently at version 12.5. The version seen on the infected host was version 11.00.\r\nConclusion\r\nUsers should be aware of this ongoing threat. Be suspicious of popup messages in Google Chrome that state: The \"HoeflerText\" font wasn't found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection.\r\nIt's yet to be determined why EITest HoeflerText popups changed from pushing ransomware to pushing a RAT. Ransomware is still a serious threat, and it remains the largest category of malware we see on a daily basis from mass-distribution campaigns. However, we have also noticed an increasing amount of other forms of malware in recent campaigns, especially compared to 2016. RATs give attackers more capabilities on a host and are generally much more flexible than malware designed for a single purpose. The August 2017 change by EITest HoeflerText popups represents a subtle shift where ransomware is slightly less prominent than it once was.\r\nSee the section below for file names, locations, hashes, and other related information on today's infection. Palo Alto Networks customers are protected from this threat through our next-generation security platform. Current samples appear as malware in AutoFocus, and customers can search for similar malware using the NetSupportManager tag.\r\nWe will continue to investigate this activity for applicable indicators, inform the community, and further enhance our threat prevention platform.\r\nIndicators of Compromise\r\nURLs and domains to block:\r\nhxxp://demo.ore.edu[.]pl/book1.php\r\nboss777[.]ga\r\npudgenormpers[.]com\r\ninvoktojenorm[.]com\r\nhxxp://94.242.198[.]167/fakeurl.htm\r\nhxxp://94.242.198[.]168/fakeurl.htm\r\nFirst file downloader and follow-up malware:\r\nSHA256: 23579722efb0718204860c19a4833d20cb989d50a7c5ddd6039982cf5ca90280\r\nFile size: 168,905 bytes\r\nFile name: Font_Chrome.exe\r\nFile description: Malware downloader\r\nSHA256: 8cbbb24a0c515923293e9ff53ea9967be7847c7f559c8b79b258d19da245e321\r\nFile size: 2,665,634 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\temp\\[9 random characters].jpg.exe\r\nFile location: hxxp://boss777[.]ga/HELLO.exe\r\nFile description: Follow-up malware that installs NetSupport Manager RAT\r\nSecond file downloader and follow-up malware:\r\nSHA256: 463bef675e8e100eb30aeb6de008b9d96e3af6c3d55b50cc8a4736d7a11143a0\r\nFile size: 169,796 bytes\r\nFile name: Font_Chrome.exe\r\nFile description: Malware downloader\r\nSHA256: 8188732c8f9e15780bea49aced3ef26940a31c18cf618e2c51ae7f69ef53ea10\r\nFile size: 2,665,612 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\temp\\[9 random characters].jpg.exe\r\nFile location: hxxp://boss777[.]ga/joined1.exe\r\nFile description: Follow-up malware that installs NetSupport Manager RAT\r\nAssociated URLs:\r\n46.248.168[.]49 port 80 - demo.ore.edu[.]pl - GET /book1.php\r\n51.15.9[.]99 port 80 - boss777[.]ga - GET /HELLO.exe\r\n51.15.9[.]99 port 80 - boss777[.]ga - GET /joined1.exe\r\n51.15.9[.]99 port 80 - boss777[.]ga - POST /JS/testpost.php\r\nDNS query for pudgenormpers[.]com, resolved to 94.242.198[.]167\r\nDNS query for invoktojenorm[.]com, resolved to 94.242.198[.]168\r\n94.242.198[.]167 port 1488 - POST hxxp://94.242.198[.]167/fakeurl.htm\r\n94.242.198[.]168 port 1488 - POST hxxp://94.242.198[.]168/fakeurl.htm\r\nDirectories seen so far for NetSupport Manager RAT on an infected host:\r\nC:\\Users\\[username]\\AppData\\Roaming\\AppleDesk1\r\nC:\\Users\\[username]\\AppData\\Roaming\\AppleDesk2\r\nSource: https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/"
	],
	"report_names": [
		"unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5eae250a83288b62dfe021decc1468628fc6d186.pdf",
		"text": "https://archive.orkl.eu/5eae250a83288b62dfe021decc1468628fc6d186.txt",
		"img": "https://archive.orkl.eu/5eae250a83288b62dfe021decc1468628fc6d186.jpg"
	}
}