Executive Summary
ZPHP malware, also tracked as SmartApeSG, is a malvertising-driven campaign using fake browser update lures to distribute the NetSupport RAT. The campaign exploits injected JavaScript on compromised websites, presenting fake update pop-ups that trick users into installing malicious payloads.
Once deployed, the RAT (Remote Access Trojan) grants attackers full control over infected endpoints, enabling persistence, data theft, and lateral movement.
This analysis provides a technical breakdown, IoCs, real-world case studies, detection strategies, and CyberDudeBivash defensive recommendations.
1. ZPHP Campaign Mechanics
- Infection Vector:
- Compromised websites inject JavaScript (e.g.,
Edge 50728.js) that spawns a fake browser update popup. - User downloads a malicious ZIP archive disguised as an update package.
- Compromised websites inject JavaScript (e.g.,
- Payload:
- The ZIP contains an executable (NetSupport RAT installer).
- Once launched, RAT connects to remote C2 servers and establishes persistence.
- Persistence & Post-Exploitation:
- RAT can download secondary payloads (e.g., StealC).
- Enables credential theft, surveillance, and privilege abuse.
2. Technical Indicators of Compromise (IoCs)
- Installer JavaScript:
Edge 50728.js(~831KB obfuscated JS). - Malicious ZIP Payload:
2mprext.zip→ NetSupport RAT binary. - Known C2 Servers:
194.180.191.168/fakeurl.htmlayardrama21[.]top/upload/lib.css.js
- SHA256 Hashes:
68c6411cc9...c7bd(JS installer)4c048169e3...a3f3e(ZIP payload)
3. Campaign Impact
- Targets: General internet users across EU/Asia.
- Vector: Drive-by malvertising & compromised websites.
- Payload Power:
- Remote desktop access.
- File exfiltration.
- Credential dumping.
- Surveillance (screenshots, keystrokes).
This positions ZPHP in the same fake update threat family as SocGholish and RogueRaticate.
4. Detection & Hunting
- Proxy/Web Gateway Rules:
- Flag large JavaScript files served from unusual domains.
- Block ZIPs with suspicious “update” naming.
- Sysmon & EDR Detections:
- Browser →
mshta.exeor PowerShell execution. - RAT persistence via
explorer.exeor scheduled tasks.
- Browser →
- DNS/HTTP Logs:
- Query logs for known IoCs (
layardrama21[.]top,194.180.191.168).
- Query logs for known IoCs (
5. MITRE ATT&CK Mapping
| Stage | Technique |
|---|---|
| Initial Access | Drive-by Compromise (T1189) |
| Execution | Obfuscated/Encrypted Script (T1027) |
| Persistence | Registry Run Keys/Startup (T1547.001) |
| C2 | Application Layer Protocol: HTTP (T1071.001) |
| Exfiltration | Exfiltration Over C2 Channel (T1041) |
6. Defensive Playbook
Preventive
- Harden browsers with ad-blocking & script filtering.
- Block
mshta.exeand unnecessary LOLBins. - Train users to recognize fake browser update lures.
Detection
- Enable PowerShell logging & command-line auditing.
- Deploy EDR tuned for RAT behavioral signatures.
- Ingest community IoCs into SIEM/SOAR.
Response
- Isolate infected hosts immediately.
- Gather volatile memory for RAT process analysis.
- Block IoCs at firewall/proxy.
- Rotate credentials & enforce MFA.
7. CyberDudeBivash Recommendations
- Use 1Password Business for instant credential resets after compromise.
- Deploy Malwarebytes EDR / Bitdefender for RAT behavior detection.
- Enforce Cloudflare Zero Trust to block malvertisement delivery channels.
- Harden patching policies for browsers and plugins.
8. Blogspot Publishing Block
Title: ZPHP Malware Threat Analysis — Fake Browser Updates to NetSupport RAT
Meta Description: ZPHP (SmartApeSG) uses fake browser updates to spread NetSupport RAT. Technical breakdown, IoCs, detection, and defense strategies by CyberDudeBivash.
Slug: /zphp-malware-threat-analysis-netsupport
Excerpt: A deep analysis of ZPHP malware (SmartApeSG), its infection chain via fake browser updates, NetSupport RAT payload, technical IoCs, and a defender’s playbook.
#ZPHP #SmartApeSG #NetSupportRAT #Malvertising #FakeBrowserUpdate #CyberThreats #CyberDudeBivash
Cyberdudebivash 
Leave a comment