Issuer: Adverse Trace
Date issued: 2026-06-06
Version: 1.0
1. Executive summary
On 2026-05-27, an unidentified remote-access trojan (RAT) — active since at least April 2026 — delivered a malicious NetSupport Manager RAT package to a Windows host via the SmartApeSG ClickFix campaign. The initial RAT communicates over TCP 443 to 89.110.110.119 using encoded (non-TLS) traffic. It stages processor.vbs and token.bat to C:\ProgramData\, which install NetSupport RAT persistently and self-delete. NetSupport RAT then beacons to 185.163.47.217:443. EMEA financial services firms are exposed through phishing-driven ClickFix lures; the unidentified initial RAT remains unattributed and its C2 infrastructure is stable. Indicators rotate daily.
2. Regulatory framing
| Regulation | Article | Practical impact |
|---|---|---|
| DORA | Art. 17 (ICT risk management) | Firms must ensure threat-intel feeds cover ClickFix/SmartApeSG IOCs and that EDR/XDR rules detect processor.vbs/token.bat execution from C:\ProgramData\. |
| DORA | Art. 19 (Incident reporting) | Compromise of a financial entity's system by this chain constitutes a major incident; 4-hour initial notification clock starts on detection of NetSupport RAT beaconing. |
| DORA | Art. 28-30 (Third-party risk) | NetSupport Manager is a legitimate remote-support tool; vendors and MSPs using it must be inventoried and monitored for unauthorised installations. |
| NIS2 | Art. 21(2)(d) (Supply-chain security) | ClickFix delivery via compromised/hijacked domains requires verification of web-filtering and DNS-security controls across the supply chain. |
| NIS2 | Art. 23 (Reporting obligations) | Essential/important entities must report significant impact incidents within 24h; this chain qualifies if NetSupport RAT achieves persistent access. |
| UK NIS | Reg. 12 (Incident reporting) | UK-regulated firms follow equivalent 72h reporting; early containment of the initial RAT C2 traffic is a mitigating factor. |
3. Attack chain
- User visits a SmartApeSG ClickFix fake verification page (e.g., hiddenplanetlab.top/signin/...).
- ClickFix script executes, downloading the initial RAT payload from silverharvestnetwork.com/check (ZIP, SHA256 1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976).
- Initial RAT executes and establishes encoded C2 over TCP 443 to 89.110.110.119 (observed since April 2026).
- Initial RAT downloads follow-up files processor.vbs (SHA256 469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5), token.bat and setup.cab to C:\ProgramData\. processor.vbs launches token.bat. token.bat installs the malicious NetSupport Manager RAT package (setup.cab), configures persistence, then deletes processor.vbs, token.bat and setup.cab.
- NetSupport RAT beacons to 185.163.47.217:443.
Unconfirmed / caveated: The initial RAT family name and attribution are unknown. The exact persistence mechanism used by token.bat (scheduled task, service, Run key) is not disclosed in the source. The full SHA256 values for the third and fourth files (9c7eda2c4d3aaa8746495741bef57a07de180f0409409faf0f91658e88ba33f5, 7ba5481c873bb3081442561f749f590badd72ef249fddfe993e30b28dc0c2112) are provided, but file names/descriptions are not given.
4. Mitigation & containment
P1 — within 24h
- Block network IOCs at perimeter firewall / proxy / DNS sinkhole: 89.110.110.119 TCP/443 (initial RAT C2); 185.163.47.217 TCP/443 (NetSupport RAT C2); 178.156.165.82 and 178.156.173.194 (ClickFix payload hosts).
- Domains: hiddenplanetlab.top, silverharvestnetwork.com.
- EDR/XDR detection & block: Alert on wscript.exe/cscript.exe executing C:\ProgramData\processor.vbs; alert on cmd.exe/powershell.exe executing C:\ProgramData\token.bat.
- Quarantine any host with NetSupport Manager (nsm.exe, client32.exe) installed outside approved MSP/IT paths.
P2 — within 72h
- Deploy YARA/Sigma rules (see Section 6) to all endpoints and log collectors.
- Hunt for processor.vbs/token.bat remnants in C:\ProgramData\ and prefetch (C:\Windows\Prefetch\PROCESSOR.VBS-*.pf, TOKEN.BAT-*.pf).
- Review NetSupport Manager legitimate usage: enumerate all installed instances via HKLM\SOFTWARE\NetSupport\ and HKLM\SOFTWARE\WOW6432Node\NetSupport\; verify each against the CMDB.
P3 — within 7 days
- Harden ClickFix surface: Enforce script-blocking (AppLocker/WDAC) for .vbs, .bat and .ps1 from C:\ProgramData\ and C:\Users\*\AppData\Local\Temp\.
- Update threat-intel ingestion: Subscribe to the @monitorsg Mastodon feed for daily SmartApeSG IOC rotations; automate the feed-to-blocklist pipeline.
- Third-party attestation: Require MSPs/IT vendors to confirm NetSupport Manager deployment policies and version pinning (current legitimate version ≥ 12.80).
5. Indicators of compromise
| type | value | confidence | source |
|---|---|---|---|
| ipv4 | 89.110.110.119 | high | SANS ISC diary 33034 |
| ipv4 | 185.163.47.217 | high | SANS ISC diary 33034 |
| ipv4 | 178.156.165.82 | medium | SANS ISC diary 33034 |
| ipv4 | 178.156.173.194 | medium | SANS ISC diary 33034 |
| domain | hiddenplanetlab.top | high | SANS ISC diary 33034 |
| domain | silverharvestnetwork.com | high | SANS ISC diary 33034 |
| url | https://hiddenplanetlab.top/signin/secure-util.js | medium | SANS ISC diary 33034 |
| url | https://hiddenplanetlab.top/signin/private-template?c66kjD5i | medium | SANS ISC diary 33034 |
| url | https://hiddenplanetlab.top/signin/legacy-worker.js?18b3825af007e53d | medium | SANS ISC diary 33034 |
| url | http://178.156.165.82/ | medium | SANS ISC diary 33034 |
| url | http://178.156.173.194/ | medium | SANS ISC diary 33034 |
| url | https://silverharvestnetwork.com/check | high | SANS ISC diary 33034 |
| sha256 | 1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976 | high | SANS ISC diary 33034 |
| sha256 | 469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5 | high | SANS ISC diary 33034 |
| sha256 | 9c7eda2c4d3aaa8746495741bef57a07de180f0409409faf0f91658e88ba33f5 | high | SANS ISC diary 33034 |
| sha256 | 7ba5481c873bb3081442561f749f590badd72ef249fddfe993e30b28dc0c2112 | high | SANS ISC diary 33034 |
| filepath | C:\ProgramData\processor.vbs | high | SANS ISC diary 33034 |
| filepath | C:\ProgramData\token.bat | high | SANS ISC diary 33034 |
| filepath | C:\ProgramData\setup.cab | high | SANS ISC diary 33034 |
6. Detection
YARA rule

```yara
rule AT_2026_06_06_046_SmartApeSG_NetSupport_RAT_Chain
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-06"
        reference = "https://isc.sans.edu/diary/rss/33034"
        description = "Detects file artefacts from the SmartApeSG ClickFix chain delivering NetSupport RAT via unidentified initial RAT. Matches processor.vbs, token.bat, and NetSupport Manager cabinet/installer strings."
    strings:
        $vbs_path = "C:\\ProgramData\\processor.vbs" ascii wide nocase
        $bat_path = "C:\\ProgramData\\token.bat" ascii wide nocase
        $cab_path = "C:\\ProgramData\\setup.cab" ascii wide nocase
        $nsm_mutex = "NetSupportManager" ascii wide nocase
        $nsm_reg = "SOFTWARE\\NetSupport\\" ascii wide nocase
        $clickfix_domain = "hiddenplanetlab.top" ascii wide nocase
        $payload_domain = "silverharvestnetwork.com" ascii wide nocase
        $c2_ip1 = "89.110.110.119" ascii wide nocase
        $c2_ip2 = "185.163.47.217" ascii wide nocase
    condition:
        3 of them
}
```
Sigma rule

```yaml
title: SmartApeSG ClickFix Chain - Processor.vbs / Token.bat Execution
id: 3f8a1c2e-9d4b-4a7e-8f1a-6c5d9e2b0a1f
status: test
description: Detects execution of processor.vbs and token.bat from C:\ProgramData\ as observed in the SmartApeSG ClickFix campaign delivering NetSupport RAT.
author: Adverse Trace
date: 2026-06-06
references:
  - https://isc.sans.edu/diary/rss/33034
logsource:
  category: process_creation
  product: windows
detection:
  selection_vbs:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    CommandLine|contains: 'C:\ProgramData\processor.vbs'
  selection_bat:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains: 'C:\ProgramData\token.bat'
  selection_netsupport_install:
    Image|endswith: '\msiexec.exe'
    CommandLine|contains: 'setup.cab'
  condition: selection_vbs or selection_bat or selection_netsupport_install
falsepositives:
  - Legitimate administrative scripts placed in ProgramData (rare)
level: high
tags:
  - attack.execution
  - attack.t1059.005
  - attack.t1059.003
  - attack.t1218.011
```
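The three Sigma selections above, re-implemented as a standalone matcher and run over constructed process-creation events, so the logic can be checked before a SIEM deployment. This is an added example, not Adverse Trace tooling; the event field names (Image, CommandLine) and the sample command lines are assumptions modelled on the Sysmon-style logsource the rule targets, and the benign fourth event shows the rule does not fire on an ordinary .bat outside C:\ProgramData\.

```python
"""Standalone re-implementation of the advisory's Sigma logic (added example)."""

# Constructed sample process-creation events; none are real captures.
# Event 1 uses mixed case to show Sigma's case-insensitive matching.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\ProgramData\processor.vbs'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c c:\programdata\TOKEN.BAT"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\setup.cab /qn"},
    {"Image": r"C:\Windows\System32\cmd.exe",          # benign: not in ProgramData
     "CommandLine": r"cmd.exe /c C:\Scripts\backup.bat"},
]

# One entry per Sigma selection: (Image|endswith list, CommandLine|contains value).
# Sigma string modifiers are case-insensitive, so both sides are lower-cased.
SELECTIONS = {
    "selection_vbs": ((r"\wscript.exe", r"\cscript.exe"),
                      r"c:\programdata\processor.vbs"),
    "selection_bat": ((r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe"),
                      r"c:\programdata\token.bat"),
    "selection_netsupport_install": ((r"\msiexec.exe",), "setup.cab"),
}


def matched_selections(event):
    """Return the names of the Sigma selections this event satisfies ([] if none)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return [name for name, (suffixes, needle) in SELECTIONS.items()
            if image.endswith(suffixes) and needle in cmdline]


def scan(events):
    """Apply the rule's 'or' condition: (event index, matched selections) per alert."""
    alerts = []
    for idx, event in enumerate(events):
        hits = matched_selections(event)
        if hits:
            alerts.append((idx, hits))
    return alerts


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {', '.join(hits)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```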
7. Sources
- SANS Internet Storm Center, "Unidentified RAT pushes NetSupport RAT", diary 33034, 2026-06-01. URL: https://isc.sans.edu/diary/rss/33034
8. Adverse Trace position
Severity: HIGH for EMEA financial services — the chain combines a persistent, unattributed initial RAT with a living-off-the-land remote-access tool (NetSupport Manager) that blends into legitimate admin traffic. Client impact: any host that executed the ClickFix script is likely compromised; NetSupport RAT provides interactive control and survives the initial artifact cleanup. We will track @monitorsg daily IOC drops, enrich the YARA/Sigma rules with NetSupport Manager version-specific strings, and issue a follow-up advisory if the initial RAT is identified or if new C2 infrastructure appears.
Published via PulseTrace — Adverse Trace threat intelligence.