101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, the oldest Polish Mastodon server. Posts of up to 2048 characters are supported.


#netsupport

Brad<p>2025-07-15 (Tuesday): Tracking <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmartApeSG</span></a> </p><p>The SmartApeSG script injected into a page from a compromised website leads to a <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> style fake verification page. ClickFix-ing your way through this leads to a <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupportRAT</span></a> infection.</p><p>Compromised site (same as yesterday): </p><p>- medthermography[.]com</p><p>URLs for ClickFix style fake verification page:</p><p>- warpdrive[.]top/jjj/include.js<br>- warpdrive[.]top/jjj/index.php?W11WzmLj<br>- warpdrive[.]top/jjj/buffer.js?409a8bdbd9</p><p>Running the script for NetSupport RAT:</p><p>- sos-atlanta[.]com/lal.ps1<br>- sos-atlanta[.]com/lotu.zip?l=4773</p><p><a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> RAT server (same as yesterday):</p><p>- 185.163.45[.]87:443</p>
ANY.RUN<p>🚨 <a href="https://infosec.exchange/tags/Obfuscated" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Obfuscated</span></a> BAT file used to deliver NetSupport RAT </p><p>At the time of the analysis, the sample had not yet been submitted to <a href="https://infosec.exchange/tags/VirusTotal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VirusTotal</span></a> ⚠️ </p><p>👨‍💻 See sandbox session: <a href="https://app.any.run/tasks/db6fcb53-6f10-464e-9883-72fd7f1db294?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=obfuscated_bat_file&amp;utm_content=linktoservice&amp;utm_term=050625" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/db6fcb53-6f1</span><span class="invisible">0-464e-9883-72fd7f1db294?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=obfuscated_bat_file&amp;utm_content=linktoservice&amp;utm_term=050625</span></a> </p><p>🔗 Execution chain: <br>cmd.exe (BAT) ➡️ <a href="https://infosec.exchange/tags/PowerShell" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PowerShell</span></a> ➡️ PowerShell ➡️ <a href="https://infosec.exchange/tags/client32" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>client32</span></a>.exe (NetSupport client) ➡️ reg.exe </p><p>Key details: <br>🔹 Uses a 'client32' process to run <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> and adds it to autorun in the registry via reg.exe <br>🔹 Creates an 'Options' folder in %APPDATA% if missing <br>🔹 NetSupport client downloads a task .zip file, extracts it, and runs it from %APPDATA%\Application .zip <br>🔹 Deletes ZIP files after execution </p><p>❗️ BAT droppers remain a common choice in attacks as threat actors continue to find new methods to evade detection. </p><p>Use <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANYRUN</span></a>’s Interactive Sandbox to quickly trace the full execution chain and uncover <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> behavior for fast and informed response. </p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
Brad<p>2025-03-26 (Wednesday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmartApeSG</span></a> traffic for a fake browser update page leads to a <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> infection. A zip archive for <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> was sent over the <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupportRAT</span></a> C2 traffic.</p><p>The <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> infection uses DLL side-loading by a legitimate EXE to <a href="https://infosec.exchange/tags/sideload" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sideload</span></a> the malicious DLL.</p><p>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> from an infection, the associated <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> samples, and <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOCs</span></a> are available at <a href="https://www.malware-traffic-analysis.net/2025/03/26/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/03/26/index.html</span></a></p>
Samson<p>It is hard to admit, but the level of technical specialists among providers is dropping fast.</p><p>And I am not writing this about small home-network providers. 😟 </p><p><a href="https://social.kyiv.dcomm.net.ua/tags/ukraine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ukraine</span></a> <a href="https://social.kyiv.dcomm.net.ua/tags/netsupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>netsupport</span></a></p>
Brad<p>2024-12-17 (Tuesday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmartApeSG</span></a> injected script leads to a fake browser update page, and that page leads to a <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> infection. </p><p>Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.</p><p>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> of the infection traffic, associated malware samples and more information are available at <a href="https://www.malware-traffic-analysis.net/2024/12/17/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">024/12/17/index.html</span></a></p><p>The NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64, as it has been since as early as 2024-11-22.</p><p><a href="https://infosec.exchange/tags/FakeUpdates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeUpdates</span></a> <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupportRAT</span></a></p>
Cisco Talos<p>Want to know the ins and outs of how we craft detection for our customers? Our new blog series covers the technical research that goes into each and every @snort rule, IP block and more. First up, we're covering the <a href="https://mstdn.social/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> RAT <a href="https://blog.talosintelligence.com/detecting-evolving-threats-netsupport-rat/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.talosintelligence.com/det</span><span class="invisible">ecting-evolving-threats-netsupport-rat/</span></a></p>
Selena Larson<p>BattleRoyal's use of email and fake updates to deliver <a href="https://mastodon.social/tags/DarkGate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DarkGate</span></a> and <a href="https://mastodon.social/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> is unique but aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied, and increasingly creative attack chains to enable malware delivery.</p>
Selena Larson<p>And here’s an example attack chain observed in late November, also leveraging Keitaro TDS to deliver <a href="https://mastodon.social/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a>.</p>
Selena Larson<p>We just published details on a new activity cluster we are temporarily calling <a href="https://mastodon.social/tags/BattleRoyal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BattleRoyal</span></a>. It started distributing <a href="https://mastodon.social/tags/DarkGate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DarkGate</span></a> using distinct GroupIDs from Sept - Nov, then switched to <a href="https://mastodon.social/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a>. Delivery methods include email and fake update lures <a href="https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">proofpoint.com/us/blog/threat-</span><span class="invisible">insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates</span></a></p>
abuse.ch :verified:<p><a href="https://ioc.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> RAT dropped by <a href="https://ioc.exchange/tags/GCleaner" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GCleaner</span></a> Pay-Per-Install (PPI) campaign 🔥</p><p>Payload URLs:<br>🌐 <a href="https://urlhaus.abuse.ch/url/2693412/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">urlhaus.abuse.ch/url/2693412/</span><span class="invisible"></span></a><br>🌐 <a href="https://urlhaus.abuse.ch/url/2693420/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">urlhaus.abuse.ch/url/2693420/</span><span class="invisible"></span></a></p><p>Botnet C2 domains:<br>📞 <a href="https://threatfox.abuse.ch/ioc/1143951/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">threatfox.abuse.ch/ioc/1143951</span><span class="invisible">/</span></a><br>📞 <a href="https://threatfox.abuse.ch/ioc/1143952/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">threatfox.abuse.ch/ioc/1143952</span><span class="invisible">/</span></a></p><p>Botnet C2 server hosted Vultr 🇺🇸:<br>🤖 <a href="https://threatfox.abuse.ch/ioc/1143953/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">threatfox.abuse.ch/ioc/1143953</span><span class="invisible">/</span></a></p>
mithrandir<p>Completed Part 3 of my personal <a href="https://defcon.social/tags/SocGholish" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocGholish</span></a> series.</p><p>The article digs into the follow-up payloads delivered once the Update.js is executed on a victim machine.</p><p>Interestingly, I saw <a href="https://defcon.social/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> RAT and an unknown (to me) PowerShell C2 beacon be delivered together.</p><p>If anyone can shed more light on what the PowerShell beacon may be, it would be much appreciated! Seems to be inspired by <a href="https://defcon.social/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AsyncRAT</span></a>, though.</p><p>Big thanks to <span class="h-card"><a href="https://infosec.exchange/@rmceoin" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>rmceoin</span></a></span> for help along the way.</p><p><a href="https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">rerednawyerg.github.io/posts/m</span><span class="invisible">alwareanalysis/socgholish_part3</span></a></p>
mithrandir<p><a href="https://defcon.social/tags/SocGholish" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocGholish</span></a> leads to <a href="https://defcon.social/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> RAT downloaded from --&gt; http://wudugf[.]top/f23.svg</p><p>Credit to <span class="h-card"><a href="https://infosec.exchange/@rmceoin" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>rmceoin</span></a></span> for the help getting the SocGholish C2 to respond.</p><p>C2: *.nodes.gammalambdalambda.org</p>