SmartApeSG, a FakeUpdate cyber threat, has emerged as a significant vector for delivering NetSupport RAT, a maliciously exploited remote administration tool.
The campaign ensnares victims by tricking them into downloading fake browser updates, ultimately enabling attackers to gain unauthorized access to infected systems.
A Web of Connections
Recent investigations examined SmartApeSG’s command-and-control (C2) infrastructure, revealing alarming cross-connections to NetSupport RAT servers, cryptocurrency scams, and other illicit activities.
Three C2 management nodes hosted in Moldova, powered by Stark Industries’ infrastructure and later transitioned to other providers, played a vital role in these campaigns.
These nodes leveraged control panel software like ISPManager for automation and management, exploiting free trials to minimize operational costs.
Analysis extended beyond initial servers to uncover additional malicious infrastructure.
Notably, old NetSupport RAT servers from 2023 were still actively communicating with victims.
Strong overlaps in observed X.509 certificate characteristics tied SmartApeSG’s C2s to this RAT infrastructure, hinting at a shared threat actor or a tightly linked network of operations.
Pivoting Through Threat Actor Operations
Expanding the scope, telemetry data exposed numerous connections between SmartApeSG, NetSupport RAT, and even Quasar RAT, a separate remote administration tool.
Moldovan IPs linked to SmartApeSG were observed routing activity through proxies to conceal operations.
One management server also communicated with cryptocurrency-related services and Quasar RAT C2 nodes.
These intersections suggest organized, multifaceted threat actor campaigns targeting diverse systems for financial gain or extended control.
Further, active NetSupport RAT C2 servers showed consistent malicious activities months after earlier public disclosures, often associated with Russian-language darknet forums.
Some hosts exhibited atypical behavior, including using encrypted messaging platforms like Telegram or Jabber and accessing cryptocurrency scam-related websites.
The SmartApeSG and NetSupport RAT campaigns highlight the persistence and adaptability of modern cybercriminal operations.
According to the Team Cymru report, by reusing aged infrastructure and distributing their operations across a global network, these campaigns evade detection and remain operational even after takedown efforts.
Importantly, security teams should periodically revisit “aged-out” indicators of compromise (IoCs) to identify reused infrastructure; an indicator that has expired from a blocklist may still point at a live C2 server.
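The two defensive pivots described above, clustering hosts by shared X.509 certificate characteristics and re-checking aged-out IoCs for renewed activity, as an added Python example that is not from the report or this article; the hosts, dates and certificate fields are constructed placeholders using documentation-range addresses.

```python
from collections import defaultdict
from datetime import date

# Constructed sample observations (not from the report): X.509 metadata as a
# scanner might record it per host, plus the date the host was last seen live.
OBSERVATIONS = [
    {"host": "198.51.100.10", "subject": "CN=localhost", "issuer": "CN=localhost",
     "not_before": date(2023, 4, 2), "not_after": date(2033, 3, 30), "last_seen": date(2024, 11, 20)},
    {"host": "198.51.100.11", "subject": "CN=localhost", "issuer": "CN=localhost",
     "not_before": date(2024, 9, 14), "not_after": date(2034, 9, 12), "last_seen": date(2024, 11, 21)},
    {"host": "203.0.113.5", "subject": "CN=example-c2.test", "issuer": "CN=R3",
     "not_before": date(2024, 10, 1), "not_after": date(2024, 12, 30), "last_seen": date(2024, 11, 19)},
]
# Constructed "aged-out" indicator list: host -> date it was first reported.
AGED_IOCS = {"198.51.100.10": date(2023, 4, 5), "192.0.2.77": date(2023, 6, 1)}
AS_OF = date(2024, 11, 22)  # constructed analysis date

def cert_key(rec):
    """Characteristics that survive re-issuance: subject, issuer, validity span in days."""
    return (rec["subject"], rec["issuer"], (rec["not_after"] - rec["not_before"]).days)

def cluster_by_cert(records):
    """Group hosts whose certificates share the same characteristics (size > 1 only)."""
    groups = defaultdict(set)
    for rec in records:
        groups[cert_key(rec)].add(rec["host"])
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) > 1}

def revived_iocs(records, aged_iocs, as_of=AS_OF, min_age_days=365, recent_days=30):
    """Indicators old enough to have aged out that still show activity in the recent window."""
    hits = set()
    for rec in records:
        first_reported = aged_iocs.get(rec["host"])
        if first_reported is None:
            continue
        old_enough = (as_of - first_reported).days >= min_age_days
        still_active = (as_of - rec["last_seen"]).days <= recent_days
        if old_enough and still_active:
            hits.add(rec["host"])
    return sorted(hits)

def pivot_from_revived(records, aged_iocs, as_of=AS_OF):
    """New hosts tied to a revived aged IoC through shared certificate characteristics."""
    revived = set(revived_iocs(records, aged_iocs, as_of))
    linked = set()
    for hosts in cluster_by_cert(records).values():
        if revived & set(hosts):
            linked.update(h for h in hosts if h not in revived)
    return sorted(linked)
```

With the constructed data, the 2023 indicator is still live and its certificate profile matches one previously unknown host, which is the kind of link the report drew between old NetSupport RAT servers and SmartApeSG C2s.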
While authorities have worked to dismantle components of the SmartApeSG and NetSupport RAT infrastructures, the threat actors behind these campaigns continue to evolve their tactics.
Users and organizations are advised to remain vigilant, especially against unexpected browser update prompts and phishing schemes.
Organizations can bolster defenses by implementing endpoint detection tools and monitoring telemetry for signs of potential RAT infections.