eSentire | Threat Intelligence Malware Analysis | Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer
By eSentire Threat Response Unit (TRU)
Archived: 2026-04-05 18:28:16 UTC

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward. Here’s the latest from our TRU Team…

What did we find?

An information stealing malware called Mars Stealer in a customer’s environment within the consumer services industry.

Summary of the Incident

The victim downloaded and executed a fake Chrome installer (chromesetup.iso) from hxxps[:]//googleglstatupdt[.]com/LEND/ChromeSetup.iso. The ISO contains chromesetup.exe.

Background on Mars Stealer

In June 2021, Mars Stealer was advertised on XSS, the Russian-language criminal forum, by MarsTeam for $140/month or $800 for a lifetime subscription. Mars Stealer’s capabilities include:

- Cryptocurrency theft (“Our software was developed taking into account the wishes of people working in crypto, so at Mars you can find everything you need to work with crypto and more.” – MarsTeam post on XSS forum). The stealer supports dozens of popular browser plugins for popular cryptocurrency platforms, such as Coinbase.
https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer Page 1 of 6

  Additionally, in December 2021, MarsTeam announced the release of “Mars ClipboardChanger”, which substitutes cryptocurrency wallet addresses in the victim’s clipboard to hijack payments.
- Data theft from major web browsers, including two-factor authentication (2FA) Chrome-based browser extensions (“Collects passwords, cookies, cc, autocomplete, browsing history, file download history.” – MarsTeam post on XSS forum).
- Profiling or fingerprinting the infected system.
- Exfiltrating files from the infected system.

[Figure 4: Mars Stealer admin panel]

How did we find it?

MDR for Endpoint identified the tactics, techniques, and procedures (TTPs) associated with NetSupportManager RAT and AutoIT malware deployment.

What did we do?

Our team of 24/7 SOC Cyber Analysts alerted the customer of the activity.

What can you learn from this TRU positive?

- Drive-by attacks involving malware masquerading as legitimate software are becoming increasingly common, since they require no exploits and rely on a victim running code on the attacker’s behalf.
- Mars Stealer has seen continued development since its release, and targets a wide array of credentials, particularly those used for cryptocurrency exchanges.
- Identifying information stealing malware as early as possible is critical to minimize losses from fraud and hijacked accounts.

Recommendations from our Threat Response Unit (TRU) Team:

While rapid identification and containment of successful exploits is necessary to limit impact, unsuccessful attempts still present an opportunity to shore up defenses. The best approach to preventing drive-by attacks is a layered defense, such as:

- Ensure antivirus signatures are up-to-date.
- Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.
- Audit your environment and endpoints regularly to ensure endpoints are patched with the latest vendor security updates.
- Increase awareness of social engineering tactics among your users through phishing and security awareness training.
- Ensure users are aware of the risks associated with downloading applications from the web. Always ensure software is downloaded from a legitimate source.

Ask Yourself

- Do you have the capability to rapidly identify and contain malicious code executed unwittingly by users in your environment?
- Are you monitoring your endpoints 24/7, and what degree of control do you have to initiate a kill switch when required?
- What level of managed endpoint support do you have in place?

Indicators of Compromise

| Value | Note |
|---|---|
| googleglstatupdt[.]com | Hosting fake Chrome setup ISO |
| zrianevakn1[.]com | NetSupportManager RAT C2 |
| 115d1ae8b95551108b3a902e48b3f163 | ChromeSetup.iso |
| b15e0db8f65d7df27c07afe2981ff5a755666dce | ChromeSetup.exe |
| 37c24b4b6ada4250bc7c60951c5977c0 | NetSupportManager RAT |
| 5[.]45.84.214 | Mars Stealer C2 |
| 71672a495b4603ecfec40a65254cb3ba8766bbe0 | Esitanza.exe.pif (renamed AutoIt) |
| e3c91b6246b2b9b82cebf3700c0a7093bacaa09b | ANpRAHx.exe (disguised as 3uAirPlayer, drops Mars Stealer and obfuscated AutoIt scripts) |
| 5c4e3e5fda232c31b3d2a2842c5ea23523b1de1a | Installer_ovl.exe |
| 2a2b00d0555647a6d5128b7ec87daf03a0ad568f | consoleappmrss.exe |
| 3c80b89e7d4fb08aa455ddf902a3ea236d3b582a | Fervore.wmd (obfuscated AutoIt script) |
| 26136c59afe28fc6bf1b3aeba8946ac2c3ce61df | Vai.wmd (obfuscated AutoIt script) |
| e6f18804c94f2bca5a0f6154b1c56186d4642e6b | Una.wmd (obfuscated AutoIt script) |

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption. Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

To learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.

ABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Source: https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer
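As an added example (not part of the eSentire report), a small Python triage script that takes a subset of the IOC table above in its published defanged form, refangs it in memory, and runs it together with one behavioural check drawn from the same table (a .pif executable launched with a .wmd script, matching the renamed AutoIt interpreter and obfuscated scripts listed) over constructed sample endpoint events; the event format and the sample values are assumptions.

```python
import re

# IOCs copied from the report's table, kept in the published defanged form.
IOC_DOMAINS = {
    "googleglstatupdt[.]com": "Hosting fake Chrome setup ISO",
    "zrianevakn1[.]com": "NetSupportManager RAT C2",
}
IOC_IPS = {"5[.]45.84.214": "Mars Stealer C2"}
IOC_SHA1 = {
    "b15e0db8f65d7df27c07afe2981ff5a755666dce": "ChromeSetup.exe",
    "71672a495b4603ecfec40a65254cb3ba8766bbe0": "Esitanza.exe.pif (renamed AutoIt)",
}

def refang(value: str) -> str:
    """Turn the report's defanged notation back into a matchable string (in memory only)."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

DOMAINS = {refang(k): v for k, v in IOC_DOMAINS.items()}
IPS = {refang(k): v for k, v in IOC_IPS.items()}
# Behavioural check from the table: a .pif (renamed AutoIt interpreter) fed a .wmd script.
RENAMED_AUTOIT = re.compile(r"\.pif\b.*\.wmd\b", re.IGNORECASE)

def triage(events):
    """Return (event index, rule, note) for every event matching an IOC or the behaviour."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "dns" and ev["query"].lower() in DOMAINS:
            hits.append((i, "ioc-domain", DOMAINS[ev["query"].lower()]))
        elif ev["type"] == "network" and ev["dst"] in IPS:
            hits.append((i, "ioc-ip", IPS[ev["dst"]]))
        elif ev["type"] == "process":
            sha1 = ev.get("sha1", "").lower()
            if sha1 in IOC_SHA1:
                hits.append((i, "ioc-hash", IOC_SHA1[sha1]))
            elif RENAMED_AUTOIT.search(ev.get("cmdline", "")):
                hits.append((i, "renamed-autoit", ".pif interpreter launched with a .wmd script"))
    return hits

# Constructed sample telemetry (assumed EDR export shape; not data from the report).
SAMPLE_EVENTS = [
    {"type": "dns", "query": "googleglstatupdt.com"},
    {"type": "process", "image": r"E:\chromesetup.exe", "cmdline": r"E:\chromesetup.exe",
     "sha1": "b15e0db8f65d7df27c07afe2981ff5a755666dce"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\Esitanza.exe.pif",
     "cmdline": r"Esitanza.exe.pif Fervore.wmd", "sha1": "0" * 40},  # hash unknown on purpose
    {"type": "network", "dst": "5.45.84.214"},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default", "sha1": "1" * 40},
]
if __name__ == "__main__":
    for idx, rule, note in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {note}")
```

The third sample event is caught by the behavioural rule alone, which is the point of pairing hash matching with a TTP check: a recompiled or repacked dropper changes its hash but still has to launch its script interpreter.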