📖 Overview
A new URL-based indicator has been identified associated with payload delivery activity tied to the malware win.netsupportmanager_rat. This malicious URL, hosted under the domain linomu[.]com, masquerades as a legitimate JavaScript resource but instead delivers a remote access trojan with full control capabilities.
📌 Key Details
| Field | Information |
|---|---|
| Type | URL |
| Indicator | linomu[.]com/ajax/pixi.min.js |
| Threat Type | Payload Delivery |
| Malware | win.netsupportmanager_rat |
| Confidence | 100% |
| Date | 28 Aug 2025 – 14:02:09 UTC |
| Tags | SmartApeSG |
| Reporter | monitorsg |
🔎 URLScan Result
- Page Title: Home Page
- Screenshot: https://urlscan.io/screenshots/0198f104-03d0-74e7-a2c9-00439dce91e1.png
- Result: https://urlscan.io/result/0198f104-03d0-74e7-a2c9-00439dce91e1/
📡 Related Intelligence
- VirusTotal Report: https://www.virustotal.com/gui/url-analysis/u-d6003ff5bcebc6d398a9ec864edb9e27579e22f2141e5b22b99b04817420d8ff-1756402617
🛡️ Defensive Guidance
- Block
linomu[.]comat the network and endpoint level. - Monitor for suspicious script loads from unexpected domains.
- Hunt for win.netsupportmanager_rat persistence artifacts in endpoint telemetry.
- Review proxy/firewall logs for attempted outbound requests to malicious JS payloads.
![IOC Alert: Lumma Stealer C2 Domain Identified – larpfxs[.]top](/content/images/size/w1304/format/webp/2025/08/23985762398576198764252-1.jpg)
