Pulse Detail — Threat Intelligence

PULSE NAME

Unpacking NetSupport RAT Loaders Delivered via ClickFix

WHITE AlienVault 2025-10-24 Modified: 2025-11-23

108

IOCs

HIGH VOLUME

eSentire's Threat Response Unit observed multiple threat groups utilizing NetSupport Manager for malicious purposes throughout 2025. These groups have shifted from Fake Updates to ClickFix as their primary delivery method. The attack methodology involves social engineering victims to execute malicious commands in the Windows Run Prompt, leading to NetSupport extraction and execution. Three distinct threat groups were identified, each using different loaders and infrastructure. The groups are designated by their licensee names: EVALUSION, FSHGDREE32/SGI, and XMLCTL. The analysis includes details on the PowerShell/JSON-based loader, MSI-based loader, and NetSupport PCAP analysis. An unpacking utility and YARA rule are provided to aid researchers in detecting and analyzing NetSupport variants.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1204.002 T1553.002 T1218.007 T1106 T1140 T1059.001 T1547.001 T1027 T1071.001 T1105

MALWARE FAMILIES

NetSupport Manager

Indicators of Compromise (108)

All domain FileHash-MD5 FileHash-SHA1 FileHash-SHA256 CVE URL hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	cromvix.com	—	2025-10-24
FileHash-MD5	1542df483ad5e2965fe768402eddae58	—	2025-10-24
FileHash-MD5	1c19c2e97c5e6b30de69ee684e6e5589	—	2025-10-24
FileHash-MD5	224bcc0a40cc43add82f5b03a11e59e3	—	2025-10-24
FileHash-MD5	290c26b1579fd3e48d60181a2d22a287	—	2025-10-24
FileHash-MD5	64f1310f6300870f1c81792733e92e5e	—	2025-10-24
FileHash-MD5	8bdcbba121984169948dfd09c629d6ae	—	2025-10-24
FileHash-MD5	9fe9416c45e183554e41fda8340e3338	—	2025-10-24
FileHash-MD5	beaac58fbfb2c65866cdf69cd785a48b	—	2025-10-24
FileHash-MD5	c4f1b50e3111d29774f7525039ff7086	—	2025-10-24
FileHash-MD5	cb08519e5cf5e95074c4d50bb4b87ca0	—	2025-10-24
FileHash-MD5	ee75b57b9300aab96530503bfae8a2f2	—	2025-10-24
FileHash-MD5	fce17b987f321dce852c8a52116e7eb6	—	2025-10-24
FileHash-SHA1	0448ec0d30fc0ee4fca250b81004198e49d8847d	—	2025-10-24
FileHash-SHA1	06c1b477be2d08aac95d9682c8ae75871a816bdc	—	2025-10-24
FileHash-SHA1	1adcd07caff87ff9b0598ebc2d48bcc86aa89bd6	—	2025-10-24
FileHash-SHA1	26db96346e6c160db0badaaa68cae8d4a3a9b7a2	—	2025-10-24
FileHash-SHA1	4fbf867e3c691edc4cadaa7f637b37b727368911	—	2025-10-24
FileHash-SHA1	5734ef7f9e4dba0639c98881e00f03eea35a62ee	—	2025-10-24
FileHash-SHA1	57539c95cba0986ec8df0fcdea433e7c71b724c6	—	2025-10-24
FileHash-SHA1	9683a2a0336b9f37eaac199b18f9f284a22cf7b2	—	2025-10-24
FileHash-SHA1	98dd757e1c1fa8b5605bda892aa0b82ebefa1f07	—	2025-10-24
FileHash-SHA1	9c7c0360402f816f9f1f12700e5e110d15ccfd9d	—	2025-10-24
FileHash-SHA1	e4c91a7f161783c68cf67250206047f23bd25a29	—	2025-10-24
FileHash-SHA1	e9943b73cc66fc0a561d477a05d76cea5f5fb966	—	2025-10-24
FileHash-SHA256	03401e4637259a56561ad3f18cc76933345f6a3c8d64dc44fc6751052471b551	—	2025-10-24
FileHash-SHA256	06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268	—	2025-10-24
FileHash-SHA256	168f1b974b31df0889e6dbe75f0fe8486cf932d72f0d6ad8348c97a2e537a738	—	2025-10-24
FileHash-SHA256	18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d	—	2025-10-24
FileHash-SHA256	2799454ff46c3eb1b94278c7f5de53621665d8953dd478ecab939fc06a23343e	—	2025-10-24
FileHash-SHA256	2e06ca68558d2f40d3fa262be8531f9621de3889d9cb2c3195be734a782fd4d2	—	2025-10-24
FileHash-SHA256	312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67	—	2025-10-24
FileHash-SHA256	31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c	—	2025-10-24
FileHash-SHA256	37d1d033e19cf9dc7313846d9d4026b03d2f822efccd963e5697e9633a4df0d0	—	2025-10-24
FileHash-SHA256	5c2aad823a0b3757889967c98acd6515eee5aaf20164b082cdf817598d5e7136	—	2025-10-24
FileHash-SHA256	69ec5513e1edc5e450b4b0fbe782e25fadb89c787383da9ceca415301d3e8fb4	—	2025-10-24
FileHash-SHA256	6b4219acaa29bb1b028a57c291dec2505d48ff75dbc308bfdb5b995cb255fefb	—	2025-10-24
FileHash-SHA256	860393e31788499f8774be83c65bcf29658cc77bf96ee2f4c86b065aedbf77de	—	2025-10-24
FileHash-SHA256	959e229a9308aff3104e46db178a7d8e28f5083c24cdedb41f760afb1a38e70f	—	2025-10-24
FileHash-SHA256	973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128	—	2025-10-24
FileHash-SHA256	a417f700fd5c8d36a13b2edec341827f6f05bc24f045429225a08a112f140f68	—	2025-10-24
FileHash-SHA256	a823031ba57d0e5f7ef15d63fe93a05ed00eadfd19afc7d2fed60f20e651a8bb	—	2025-10-24
FileHash-SHA256	ab9689e59785fa63570b9e3750c39aa778f9e9cd671691f198130eadf8f6602d	—	2025-10-24
FileHash-SHA256	afc45cc0df7f7e481bff45c6f62a6418b6ae4c8b474ec36113e05ab7ca7e2743	—	2025-10-24
FileHash-SHA256	d5b13eb9e8afb79b4d7830caf3ac746637e5bda1752962e5bd0aed3352cc4a42	—	2025-10-24
FileHash-SHA256	d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98	—	2025-10-24
FileHash-SHA256	de5daba9d7b428addd0a4981a10562e104098443d21ad2ddc224a03b2672be35	—	2025-10-24
FileHash-SHA256	fd54baae445d9b79b5af9958440203ce99de2302228dc135f7f0e1ac2efd4324	—	2025-10-24
FileHash-SHA256	fda64df771aa9afc4c9ac7b3aaaf3a2020851acc3b51d6adf8cb7a32b766c9a4	—	2025-10-24
domain	2beinflow.com	—	2025-10-24
domain	amxdh1.icu	—	2025-10-24
domain	ayzyw.top	—	2025-10-24
domain	benafaciario.com	—	2025-10-24
domain	bylistening.com	—	2025-10-24
domain	camplively.com	—	2025-10-24
domain	care4hygiene.com	—	2025-10-24
domain	caribemove.com	—	2025-10-24
domain	chiklx.com	—	2025-10-24
domain	cuenten.com	—	2025-10-24
domain	cuoreincomune.com	—	2025-10-24
domain	curemile.com	—	2025-10-24
domain	deepholeintheworld.com	—	2025-10-24
domain	eddereklam.com	—	2025-10-24
domain	ejays.com	—	2025-10-24
domain	exemplar-industry.com	—	2025-10-24
domain	fivepathways.com	—	2025-10-24
domain	freaner.com	—	2025-10-24
domain	frontiersecu.com	—	2025-10-24
domain	gcsglaw.com	—	2025-10-24
domain	haidao10.top	—	2025-10-24
domain	jelaromo.com	—	2025-10-24
domain	jiezishijie.top	—	2025-10-24
domain	kamagrafr.icu	—	2025-10-24
domain	lastmychancetoss.com	—	2025-10-24
domain	lordphoenix.net	—	2025-10-24
domain	mawp.us	—	2025-10-24
domain	michellegraci.com	—	2025-10-24
domain	nicewk.com	—	2025-10-24
domain	olbanha.com	—	2025-10-24
domain	oljaeinfalt.com	—	2025-10-24
domain	pennylamont.com	—	2025-10-24
domain	poormet.com	—	2025-10-24
domain	regopramide.top	—	2025-10-24
domain	surethinks.com	—	2025-10-24
domain	territoirespaysagistes.com	—	2025-10-24
domain	todocarritos.top	—	2025-10-24
domain	uncustomary.org	—	2025-10-24
domain	utahlvs.com	—	2025-10-24
domain	vietnam24hvoyage.com	—	2025-10-24
domain	wavob.top	—	2025-10-24
domain	westford-systems.icu	—	2025-10-24
domain	yourcialsupply.top	—	2025-10-24
CVE	CVE-2025-61882	—	2025-10-24
FileHash-MD5	2f0125ebef13328bfd11bcd6f3a0617a	—	2025-10-24
FileHash-SHA1	3bac11e7cedb4b5126ebba373106e0a07408d1d5	—	2025-10-24
FileHash-SHA256	94c2f209e5710fe5b2d2c6ac8ab6060db67627331ca11c1394fbded2875d039f	—	2025-10-24
FileHash-SHA256	f3f44fd37502cd4b16bca3c3fb1e88a687bd2980926017b0ff1752dc601d4c1e	—	2025-10-24
FileHash-SHA256	f81220b94384e98203d230fe6a386b6047157474d16f7e75e0f4ffb6d8bdcde3	—	2025-10-24
URL	https://global-weekends.net/res/helprecord	—	2025-10-24
URL	https://riverlino.com/U.GRE';$j=$env:TEMP+'\1.ps1';	—	2025-10-24
URL	https://stradomi.com/res/presentjudge	—	2025-10-24
URL	https://xunira.cloud/C.GRE'	—	2025-10-24
FileHash-SHA1	caa4fe424a1e4993bcaaa226fa193f4af951374a	—	2025-10-24
domain	global-weekends.net	—	2025-10-24
domain	riverlino.com	—	2025-10-24
domain	stradomi.com	—	2025-10-24
domain	xunira.cloud	—	2025-10-24
hostname	cdn.westford-computing6.net	—	2025-10-24

References (1)

↗ https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix