{
	"id": "3396f3c1-9261-48fc-b21c-1b2e38060dec",
	"created_at": "2026-04-06T00:06:46.258722Z",
	"updated_at": "2026-04-10T13:13:00.207595Z",
	"deleted_at": null,
	"sha1_hash": "bdde1eed71583093c4f4990c7df8d35543e80852",
	"title": "eSentire | Threat Intelligence Malware Analysis | Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 345031,
	"plain_text": "eSentire | Threat Intelligence Malware Analysis | Fake Chrome\r\nSetup Leads to NetSupportManager RAT and Mars Stealer\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 18:28:16 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nAn information stealing malware called Mars Stealer in a customer’s environment within the consumer\r\nservices industry.\r\nSummary of the Incident\r\nThe victim downloaded and executed a fake Chrome installer (chromesetup.iso) from\r\n\u003ehxxps[:]//googleglstatupdt[.]com/LEND/ChromeSetup.iso.\r\nThe ISO contains chromesetup.exe.\r\nBackground on Mars Stealer\r\nIn June 2021, Mars Stealer was advertised on XSS, the Russian-language criminal forum, by MarsTeam for\r\n$140/month or $800 for a lifetime subscription.\r\nMars Stealer’s capabilities include:\r\nCryptocurrency theft (“Our software was developed taking into account the wishes of people\r\nworking in crypto, so at Mars you can find everything you need to work with crypto and more.” –\r\nMarsTeam post on XSS forum).\r\nThe stealer supports dozens of popular browser plugins for popular cryptocurrency\r\nplatforms, such as 
Coinbase.\r\nhttps://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer\r\nPage 1 of 6\n\nAdditionally, in December 2021, MarsTeam announced the release of “Mars\r\nClipboardChanger”, which substitutes crypto wallet addresses in the victim’s clipboard cache\r\nto hijack payments.\r\nData theft from major web browsers, including two-factor authentication (2FA) Chrome-based\r\nbrowser extensions (“Collects passwords, cookies, cc, autocomplete, browsing history, file\r\ndownload history.” - MarsTeam post on XSS forum).\r\nProfiling or fingerprinting the infected system.\r\nExfiltrating files from the infected system.\r\nFigure 4 Mars Stealer admin panel\r\nHow did we find it?\r\nMDR for Endpoint identified the tactics, techniques, and procedures (TTPs) associated with\r\nNetSupportManager RAT and AutoIT malware deployment.\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts alerted the customer of the activity.\r\nWhat can you learn from this TRU positive?\r\nDrive-by attacks involving malware masquerading as legitimate software are becoming increasingly\r\ncommon since they require no exploits and rely on a victim running code on the attacker’s behalf.\r\nMars Stealer has seen continued development since its release, and targets a wide array of credentials,\r\nparticularly those used for cryptocurrency exchanges.\r\nIdentifying information stealing malware as early as possible is critical to minimize losses from fraud and\r\nhijacked accounts.\r\nRecommendations from our Threat Response Unit (TRU) Team:\r\nWhile rapid identification and containment of successful exploits is necessary to limit impact, unsuccessful\r\nattempts still present an opportunity to shore up defenses. 
The best approach to preventing drive-by attacks is by\r\nusing a layered defense, such as:\r\nEnsure antivirus signatures are up-to-date.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain\r\nthreats.\r\nAudit your environment and endpoints regularly to ensure endpoints are patched with the latest vendor\r\nsecurity updates.\r\nIncrease awareness of social engineering threat tactics with your users through phishing and security\r\nawareness training.\r\nEnsure users are aware of risks associated with downloading applications from the web.\r\nAlways ensure software is downloaded from a legitimate source.\r\nAsk Yourself\r\nDo you have the capability to rapidly identify and contain malicious code executed unwittingly by\r\nusers in your environment?\r\nAre you monitoring your endpoints 24/7 and what degree of control do you have to initiate a kill\r\nswitch when required?\r\nWhat level of managed endpoint support do you have in place?\r\nIndicators of Compromise\r\nValue Note\r\ngoogleglstatupdt[.]com Hosting fake Chrome setup ISO\r\nzrianevakn1[.]com NetSupportManager RAT C2\r\n115d1ae8b95551108b3a902e48b3f163 ‘ChromeSetup.iso’\r\nb15e0db8f65d7df27c07afe2981ff5a755666dce ChromeSetup.exe\r\n37c24b4b6ada4250bc7c60951c5977c0 NetSupportManager RAT\r\n5[.]45.84.214 Mars Stealer C2\r\n71672a495b4603ecfec40a65254cb3ba8766bbe0 Esitanza.exe.pif (renamed AutoIt)\r\ne3c91b6246b2b9b82cebf3700c0a7093bacaa09b\r\nANpRAHx.exe (disguised as 3uAirPlayer, drops\r\nMars Stealer and obfuscated AutoIt scripts)\r\n5c4e3e5fda232c31b3d2a2842c5ea23523b1de1a Installer_ovl.exe\r\n2a2b00d0555647a6d5128b7ec87daf03a0ad568f consoleappmrss.exe\r\n3c80b89e7d4fb08aa455ddf902a3ea236d3b582a Fervore.wmd (obfuscated AutoIt script)\r\n26136c59afe28fc6bf1b3aeba8946ac2c3ce61df Vai.wmd (obfuscated AutoIt 
script)\r\ne6f18804c94f2bca5a0f6154b1c56186d4642e6b Una.wmd (obfuscated AutoIt script)\r\neSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new\r\ndetections enriched by original threat intelligence and leverage new machine learning models that correlate\r\nmulti-signal data and automate rapid response to advanced threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage\r\nand put your business ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect\r\nwith an eSentire Security Specialist.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. 
By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer"
	],
	"report_names": [
		"fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434006,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdde1eed71583093c4f4990c7df8d35543e80852.pdf",
		"text": "https://archive.orkl.eu/bdde1eed71583093c4f4990c7df8d35543e80852.txt",
		"img": "https://archive.orkl.eu/bdde1eed71583093c4f4990c7df8d35543e80852.jpg"
	}
}