
A recent investigation by Team Cymru has revealed an intricate web of malicious infrastructure linking the SmartApeSG FakeUpdate campaign to NetSupport RAT, a widely abused remote administration tool. The research, which began with tracking SmartApeSG’s command-and-control (C2) infrastructure, uncovered an active cluster of NetSupport RAT servers, suspicious management hosts, and connections to additional threats, including Quasar RAT and cryptocurrency-related platforms.
SmartApeSG, first observed in June 2023, is part of a broader family of FakeUpdate threats, which trick users into installing fake browser updates after visiting compromised websites. This tactic mirrors other campaigns like SocGholish, LandUpdate808, and ClearFake, all of which deliver secondary payloads—in this case, NetSupport RAT.
As Team Cymru notes, “NetSupport RAT refers to the malicious use of NetSupport Manager, a legitimate remote administration tool. When abused, it can be used to control systems, steal data, or install malware.” The tool is frequently deployed via phishing campaigns or deceptive update mechanisms.
Initial research into SmartApeSG’s infrastructure led investigators to a set of management hosts geolocated in Moldova, hosted by MivoCloud. Two particular IPs, 5.181.156.16 and 5.181.157.69, stood out due to their TCP/1500 connections to SmartApeSG’s C2 servers.
One of the most striking revelations was that these hosts were using ISPManager, a Linux-based web hosting control panel favored by Russian-speaking users. The report states, “Conveniently for the threat actors, the platform offers a two-week free trial per server—longer than the typical lifespan of these C2s.”
Further scrutiny revealed a notable overlap in infrastructure between SmartApeSG and NetSupport RAT, including the reuse of X.509 certificates, suggesting a direct link between the two operations.
By pivoting from the Moldovan management hosts, researchers discovered a cluster of NetSupport RAT C2s that remained active long after initial reporting. One of these, 95.164.37.152, had been flagged as a NetSupport RAT C2 in 2023 and was still receiving victim communications.
A third Moldovan IP, 5.181.158.15, was found to be deeply entangled with this cluster, communicating with at least seven additional NetSupport RAT servers via TCP/443 and TCP/447. The persistence of these connections indicated that the threat actor’s infrastructure was still operational and adapting. The report highlights: “Most of the observed Internet telemetry data was related to TCP/1500 activity associated with C2 management, with 5.181.156.16 interacting with SmartApeSG C2s more frequently than 5.181.157.69.”
An unexpected discovery in the investigation was the communication between NetSupport RAT C2s and a Quasar RAT C2 (193.107.109.76), first flagged as a Lycantrox C2 in 2023. This C2 exhibited unusual behavior, including activity on TCP/1488 and TCP/54664, ports commonly associated with Quasar RAT operations.
Some of these infected hosts were communicating with fex[.]net, a Russian-language cloud storage service, and even interacting with cryptocurrency platforms like Rabby Wallet. In some cases, these same hosts were found to be connecting to dark web marketplaces such as DarkSeller and DarkMarket. The researchers noted: “Some were used for Tox, Telegram, or Jabber server communication, with Jabber activity connecting to exploit[.]im. Others appeared to be part of an unidentified proxy network.”

One particularly concerning finding was the identification of SSH connections to fraudulent financial websites, including ubsglobalmarkets[.]com, which appears to impersonate UBS, the legitimate investment banking giant. Other domains such as k-trades[.]com and rivosgroup[.]com shared identical website templates but had no credible history of existence.
As the report states, “Neither site appears to represent a legitimate company; although they claim to have been established for years, no information about them exists online.” This suggests a larger fraudulent financial network operating in parallel with the NetSupport RAT infrastructure.
Efforts to dismantle SmartApeSG’s infrastructure have been ongoing. The SmartApeSG C2 servers were reported to Stark Industries and subsequently taken down. However, the threat actors quickly pivoted to new hosting providers, including Hivelocity (HVC-AS) and HostZealot (HZ-US-AS).
Similarly, while several NetSupport RAT C2s were also taken offline, the actors continued to reassign old domains to new IPs. Team Cymru warns, “It is probable that 5.181.158.15 is engaging with additional NetSupport RAT C2 servers beyond those identified in our Internet telemetry data, though they have not yet been discovered.”