📖 Overview
A new URL-based indicator has been identified delivering NetSupport Manager RAT. The domain is associated with the SmartApeSG campaign and is actively used for payload delivery. This IOC represents a high-confidence threat to endpoints, enabling full remote access capabilities once executed.
📌 Key Details
| Field | Information |
|---|---|
| Type | URL |
| Indicator | wood-simple[.]com/drip.sym |
| Threat Type | Payload Delivery |
| Malware | win.netsupportmanager_rat |
| Confidence | 100% |
| Date | 02 Sep 2025 – 12:10:58 UTC |
| Tags | SmartApeSG |
| Reporter | monitorsg |
🔎 URLScan Result
Page Title: No Title
Screenshot: https://urlscan.io/screenshots/01990a58-927f-71f8-8d21-5b4f87b96914.png
Result: https://urlscan.io/result/01990a58-927f-71f8-8d21-5b4f87b96914/
📡 Related Intelligence
VirusTotal Report: https://www.virustotal.com/gui/url/93b064ddedb6cf394cce4eadc05caad150e6834f79ff93a796e71ba4a3c03ec7
Reference: https://infosec.exchange/@monitorsg/115134631148960678
🛡️ Defensive Guidance
- Block
wood-simple[.]comat the network and endpoint level. - Monitor for file retrieval attempts from
/drip.sym. - Hunt for NetSupport Manager RAT persistence artifacts in endpoint telemetry.
- Review proxy and firewall logs for suspicious outbound requests to this domain.
![IOC Alert: Suspicious Crypto Wallet Domain Used for Payload Delivery – ashigaruwallet[.]rs](/content/images/size/w1304/format/webp/2025/09/IOC_Alert-2.png)
![IOC Alert: Suspicious C2 Domain Masquerading as Guarda Wallet – app-guarda[.]com](/content/images/size/w1304/format/webp/2025/09/189724698712489723587961.jpg)
![IOC Alert: Lumma Stealer C2 Domain Identified – larpfxs[.]top](/content/images/size/w1304/format/webp/2025/08/23985762398576198764252-1.jpg)
