This threat involves a multi-stage RAT infection starting with an unidentified RAT that establishes encoded C2 communication on TCP port 443 to IP 89.110.110.119. This initial RAT downloads and executes scripts (processor.vbs, token.bat) and a cabinet archive (setup.cab) containing the NetSupport Manager RAT. The batch script installs and persists the NetSupport RAT on the infected Windows system and then deletes the initial infection files. The campaign is associated with the SmartApeSG ClickFix campaign, with changing indicators such as URLs and file hashes. The NetSupport RAT C2 server is located at IP 185.163.47.217 on port 443. The infection chain was observed starting in April 2026 and documented in late May 2026.

The infection results in unauthorized remote access to compromised Windows hosts via the NetSupport Manager RAT, which can allow attackers to control the system, execute commands, and potentially move laterally or exfiltrate data. The initial RAT facilitates the delivery and installation of the NetSupport RAT. The dynamic nature of indicators complicates detection and response. No known exploits in the wild beyond this campaign are reported, and no CVE or patch information is available.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or vendor advisory is available, mitigation should focus on detecting and blocking the identified indicators of compromise such as the associated domains, IP addresses, and file hashes. Network monitoring for unusual encoded traffic on TCP port 443 to the specified IP addresses may help identify infections. Removal of the NetSupport RAT and associated files requires forensic analysis and manual cleanup. Stay updated with threat intelligence feeds like the @monitorsg Mastodon feed for evolving indicators.