A sophisticated phishing campaign against U.S. organizations has been deploying a remote access trojan known as NetSupport RAT. Dubbed “Operation PhantomBlu,” the activity has been closely monitored by Israeli cybersecurity firm Perception Point.
According to security researcher Ariel Davidpur, the PhantomBlu operation shows a refined approach to delivery. Instead of the methods typically associated with NetSupport RAT, the attackers rely on Object Linking and Embedding (OLE) template manipulation: by abusing Microsoft Office document templates they execute malicious code while evading detection.
NetSupport RAT is the legitimate remote-control tool NetSupport Manager repurposed for criminal use; once installed, it grants threat actors a broad spectrum of data-gathering capabilities on compromised endpoints.
Phishing Tactics and Microsoft Office Exploitation
The attack begins with a phishing email disguised as a communication from the organization’s accounting department. The email, themed around salary reports, prompts recipients to open an attached Microsoft Word document titled “Monthly Salary Report.”
Closer examination of the email headers reveals that the messages were sent through the legitimate email marketing platform Brevo (formerly Sendinblue), lending them the deliverability and sender reputation of a genuine service.
Upon opening the Word document, recipients are instructed to enter a provided password and enable editing. They are then prompted to double-click a printer icon within the document to view a salary graph. Doing so opens a ZIP archive (“Chart20072007.zip”) containing a Windows shortcut file, which acts as a PowerShell dropper, fetching and executing a NetSupport RAT binary from a remote server. Every stage depends on a user action: the password keeps email gateways and sandboxes from inspecting the document's contents, and enabling editing takes Word out of Protected View so the embedded object can be activated.
Davidpur highlights the innovation of Operation PhantomBlu in blending sophisticated evasion tactics with social engineering. The use of encrypted .docs and OLE template injection to deliver NetSupport RAT represents a departure from conventional tactics, enhancing the stealth and effectiveness of the campaign.
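The two building blocks of the delivery chain above are a Word template relationship that points at an external URL (remote template injection) and an embedded OLE package object (the printer icon). Both are visible in a decrypted OOXML file without opening it in Word. The following triage script is an added example written for this page, not Perception Point's tooling and not derived from the PhantomBlu sample; it parses the standard OOXML relationship files, flags both indicators, and recognises the compound-file container that a password-protected or legacy document presents before decryption. The sample document it scans is constructed inline, and the template URL in it is a placeholder.

```python
"""
Static triage of a Word document for remote-template and embedded-OLE
indicators.  Added example: the layout checked (settings.xml.rels,
document.xml.rels, word/embeddings/) is the standard OOXML layout, not a
description of the PhantomBlu sample.
"""
import io
import re
import zipfile
from typing import Dict, List

# Compound File Binary magic: a legacy .doc, or an OOXML file that was
# password-protected (Office wraps encrypted OOXML in a CFB container).
OLE_CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Relationship types from the OOXML schema.  An attachedTemplate whose
# TargetMode is External is fetched by Word when the document opens.
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
OLE_OBJECT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

REL_RE = re.compile(r"<Relationship\b([^>]*)/?>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def _rels(xml: bytes) -> List[Dict[str, str]]:
    """Parse <Relationship .../> elements into attribute dicts."""
    text = xml.decode("utf-8", "replace")
    return [dict(ATTR_RE.findall(m.group(1))) for m in REL_RE.finditer(text)]


def triage_docx(data: bytes) -> Dict[str, List[str]]:
    """Return indicator lists for one document image held in memory."""
    findings: Dict[str, List[str]] = {
        "container": [], "remote_template": [], "ole_objects": [], "embeddings": []
    }
    if data.startswith(OLE_CFB_MAGIC):
        # Cannot see inside without the password; msoffcrypto-tool can
        # decrypt it with the password from the phishing email.
        findings["container"].append(
            "OLE compound file: legacy .doc or encrypted OOXML; decrypt and rescan")
        return findings
    if not data.startswith(ZIP_MAGIC):
        findings["container"].append("not an OOXML zip container")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["container"].append("OOXML zip")
        if "word/_rels/settings.xml.rels" in names:
            for r in _rels(z.read("word/_rels/settings.xml.rels")):
                if (r.get("Type") == ATTACHED_TEMPLATE
                        and r.get("TargetMode", "").lower() == "external"):
                    findings["remote_template"].append(r.get("Target", ""))
        if "word/_rels/document.xml.rels" in names:
            for r in _rels(z.read("word/_rels/document.xml.rels")):
                if r.get("Type") == OLE_OBJECT:
                    findings["ole_objects"].append(r.get("Target", ""))
        # Embedded packages (the double-clickable "printer icon") live here.
        findings["embeddings"].extend(n for n in names if n.startswith("word/embeddings/"))
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """Any external template or embedded object warrants manual review."""
    return bool(findings["remote_template"] or findings["ole_objects"] or findings["embeddings"])


def build_sample_docx() -> bytes:
    """Constructed sample (not a real document): a minimal OOXML package with
    an external template relationship and one embedded OLE package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels",
                   '<Relationships><Relationship Id="rId1" '
                   f'Type="{ATTACHED_TEMPLATE}" '
                   'Target="http://template.example/salary.dotm" '
                   'TargetMode="External"/></Relationships>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId5" '
                   f'Type="{OLE_OBJECT}" Target="embeddings/oleObject1.bin"/>'
                   '</Relationships>')
        z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_docx(build_sample_docx())
    for key, values in result.items():
        print(f"{key}: {values}")
    print("suspicious:", is_suspicious(result))
```

A legitimate corporate template relationship normally targets a local path or a file share, so an external HTTP(S) target in settings.xml.rels is a strong signal on its own; embedded packages are common in benign documents and need the relationship and the object payload reviewed together. The script deliberately stops at the encrypted container rather than guessing: the password is in the lure email, and the document has to be decrypted before the OOXML checks mean anything.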
Exploitation of Cloud Platforms and Popular CDNs
Simultaneously, cybersecurity experts have raised concerns about the growing abuse of public cloud services and Web 3.0 data-hosting platforms by threat actors. Services like Dropbox, GitHub, IBM Cloud, and Oracle Cloud Storage, as well as platforms like Pinata built on the InterPlanetary File System (IPFS) protocol, are being exploited to generate fully undetectable phishing URLs using phishing kits.
These malicious URLs, commonly known as FUD (Fully Undetectable) links, are sold by underground vendors on platforms like Telegram. They are priced starting at $200 per month and are placed behind anti-bot gates so that security crawlers and URL scanners never reach the phishing page.