BEC Fraud NetSupport RAT: Logistics

  • Project BEC Fraud Detection
  • Company Merabytes
  • Sector Logistics
  • Date : 16 December, 2025
  • Duration Real-time detection

Share:

We're here to help!

Need assistance? We're here to help with support, guidance, and resources. Reach out to us anytime.

BEC Fraud NetSupport RAT: Logistics

Real case: Logistics sector company victim of BEC fraud with NetSupport RAT (client name omitted for confidentiality)

Key points

Date/Time (CET) Event
Dec 8 - Start Email conversation begins. Attacker (“Michal Grzegorzewski”) simulates being a legitimate client negotiating transport loads (NL to FR, 8T, 1,200-1,500 EUR).
Dec 8-15 Sustained conversation for 8 days. Negotiation of prices, routes, and technical details (FTL) to build trust with the victim.
Dec 16 - 11:31 Malicious email: attacker redirects victim to fraudulent portal euroads[.]eu to “register” and download “cargo order”.
Dec 16 - 12:00 Victim downloads Order_024771.exe (Python Loader with fake PDF icon) from cloned portal euroads[.]eu/order.
Dec 16 - 12:05 Manual execution of loader. Immediate connection to C2 VPS in New York (173.225.111.189 - Interserver Inc) to retrieve payloads.
Dec 16 - 12:10 Deployment of NetSupport Manager RAT (legitimate Client.exe + malicious DLLs). Silent configuration: no visual alerts, C2 at akusa.icu:443 and 45.93.20.177:443.
Dec 16 - 12:12 Deployment of Telegram.exe (custom .NET tool for C2/exfiltration via Telegram API). Legitimate HTTPS traffic conceals malicious communication.
Dec 16 - 14:00 SOC Detection: Identification of Python Loader connecting to foreign VPS + NetSupport running from non-standard directories + unofficial Telegram.exe (.NET).
Dec 16 - 14:15 SOC Response: Endpoint isolation, termination of malicious processes, credential change, and removal of backdoors.

Anatomy of a BEC Fraud Against Logistics Companies (Python Loader + Telegram C2 + NetSupport - SentinelOne Bypass)

Incident Description

Initial Access: Long-term Email Social Engineering

The entry vector is distinguished by its high sophistication and patience. Unlike mass campaigns, the attacker maintained a coherent email thread negotiating prices (1,200 - 1,500 EUR), routes (NL to FR), and technical details (FTL, 8T) for 8 days.

On December 16, after simulating an agreement, the attacker (“Michal”) instructed the victim to register on an external platform to “reserve the load” and download the order PDF.

Excerpt from malicious email (The hook):

From: Michal Grzegorzewski mgrzegorzewski2.kaspeda@gmail.com
Sent: Tuesday, December 16, 2025 11:31
To: [REDACTED]
Subject: Re: Invoice with POD

The victim accessed the domain euroads[.]eu/order, a cloned/fraudulent portal, where they downloaded the malicious file.

Execution and Staging (Python Loader)

The downloaded file was named Order_024771.exe. Despite having a PDF document icon to deceive the user, it was a compiled Python executable that acted as a loader for the Telegram.exe tool (explained later) and the modified NetSupport executable.

Immediately after manual execution by the user, the Order_024771.exe process initiated an outbound network connection to retrieve the final payloads.

Connection destination:

  • IP: 173.225.111.189
  • Host: vps3191010.trouble-free.net
  • Provider (ISP): Interserver, Inc (Hosting / Data Center)
  • Location: New York City, USA. This IP corresponds to a VPS rented by the attacker, used as a first-stage C2.

NetSupport RAT Deployment

Once the VPS was contacted, the stager dropped NetSupport Manager components to disk:

  • Legitimate Execution: The Client.exe binary (signed and legitimate from NetSupport) is executed.
  • Malicious Load: Client.exe is programmed to load libraries from its same directory. The attacker loaded the DLLs into the directory using the Python Loader and file transfer.

Forensic Configuration Analysis (NetSupport Client32.ini)

During forensic disk analysis, we recovered the malware configuration file (Client32.ini). Its content confirms malicious intent, as it disables all visual alerts for the user and configures external Command and Control (C2) servers.

Recovered configuration:

[Client]
_present=1
DisableChatMenu=1          ; Prevents user from seeing chat options
DisableClientConnect=1     ; Hides connection
DisableDisconnect=1        ; Prevents user from disconnecting the RAT
HideWhenIdle=1
ShowUIOnConnect=0          ; Does not show interface when attacker connects
silent=1                   ; Silent mode activated
SysTray=0                  ; Hides icon in taskbar
Usernames=*                ; Allows connection to any logged-in user

[HTTP]
GatewayAddress=akusa.icu:443       ; Primary C2
SecondaryGateway=45.93.20.177:443  ; Backup C2 (IP of Chang Way Technologies Co. Limited)
GSK=EDHF;I>MBBEHHO<G

Interpretation: The attacker has configured the RAT to be invisible (SysTray=0, silent=1). It uses a domain (akusa.icu) and a direct IP as backup to ensure connection. The GSK value is the encryption key needed to communicate with the attacker’s Gateway.

Exfiltration via Telegram (.NET) and Evasion

Parallel to the RAT, a binary named Telegram.exe was deployed. Forensic analysis confirms it is not the official application, but a .NET tool developed by the attacker.

Purpose: Use the public Telegram API as a Command and Control (C2) channel. This allows data exfiltration traffic to blend with legitimate HTTPS traffic, making detection by conventional firewalls difficult.

Detection and IOCs (Indicators of Compromise)

Network and Infrastructure

  • Staging / Primary C2 IP: 173.225.111.189 (Interserver, VPS, Hostname: vps3191010.trouble-free.net)
  • C2 Domain: akusa.icu (45.93.20.177)
  • Phishing Domains: euroads[.]eu/order (VirusTotal)
  • Threat Actor Emails: mgrzegorzewski2.kaspeda@gmail.com (Alias: Michal Grzegorzewski)

File Hashes (SHA256)

  • Initial Dropper (Python Loader disguised as PDF): bacee81bd00a56c617e05a9fdb9a89cd1a47eea13ba986176fc5dc6000235fad (Identified as 1.exe or Order_024771.exe) (VirusTotal)
  • Fake Telegram (.NET C2 Tool): 54d3a59d202bc7de11f794b127395363e8eeb3d2
  • Malicious DLL (Side-Loading): a6f89004a246b6ae6e41326052837d375ac832399ac4657ae9549a404f31f140 (PCICL32.DLL) (VirusTotal)

SOC Response

  1. Credential Reset: Reset all passwords for the affected user, as the RAT has keylogging and cookie theft capabilities.
  2. Isolation: Immediately disconnect the device from the corporate network.
  3. Cleanup: Remove files in %AppData% and %Temp% related to Telegram.exe and the NetSupport installation folder.
  4. Process Monitoring: Alert on any execution of remote control binaries (RMM) and programs named Telegram.exe that are not digitally signed by “Telegram FZ-LLC” and are .NET binaries.
  5. Side-Loading Detection: Alert on creation or loading of .exe executables and DLLs from user temporary directories (AppData, Temp, Downloads) instead of Program Files.

How our Adversary-Aware SOC detected and neutralized this attack

Our Adversary-Aware SOC identified and blocked this sophisticated BEC attack through multiple layers of defense:

Merabytes Defense Area How our SOC acted Result obtained
Email behavior analysis Detection of prolonged social engineering: unusual negotiation followed by external link for “order” download. Early alert before users download the malicious executable.
Endpoint threat analysis Detection of Python Loader running from Downloads with immediate C2 connection to foreign VPS. Block loader before downloading the RAT.
Commercial RAT detection Identification of NetSupport Client.exe running from non-standard directories with silent configuration. RAT process termination and endpoint isolation.
Side-Loading monitoring Detection of Client.exe loading malicious DLLs from temporary directories instead of Program Files. Prevention of malicious component loading.
Telegram traffic analysis Detection of unofficial Telegram.exe (.NET) communicating with Telegram API for C2/exfiltration. Block alternative C2 channel and prevent exfiltration.
Vulnerability and IOC analysis Updated database with attack IOCs: hashes, domains (euroads[.]eu, akusa.icu), IPs (173.225.111.189). Proactive blocking of known malicious infrastructure.

Thanks to our adversary-focused approach, the SOC not only identified the technical anomalies, but understood the attacker’s complete tactic: long-term social engineering + Python stager + commercial RAT + alternative C2 via Telegram. This holistic view enabled a coordinated response that cut the attack chain at multiple points.

Lessons learned

  1. Long-duration BEC attacks are more dangerous. 8 days of conversation generate enough trust for the victim to lower their guard.
  2. Legitimate commercial RATs (NetSupport) evade traditional EDR. The binary is digitally signed, but the configuration is malicious.
  3. Side-Loading is a common evasion technique. Legitimate executables + malicious DLLs in temporary directories bypass many defenses.
  4. Telegram as C2 is a growing trend. Legitimate HTTPS traffic to Telegram conceals exfiltration.
  5. Python Loaders are effective against sandboxes. Direct execution from Downloads complicates static analysis.

Conclusion

The attack was detected and neutralized because our SOC implements adaptive defense, continuous monitoring, and behavioral analysis. With Merabytes, the story ended well:

  • Long-term social engineering was detected through email pattern analysis.
  • The Python Loader was identified by its immediate C2 connection to a foreign VPS.
  • NetSupport RAT was detected by execution from non-standard directories and silent configuration.
  • The alternative C2 channel via Telegram was blocked by detection of an unofficial .NET binary.
  • The rapid SOC response cut the attack chain before mass exfiltration or lateral movement.

#cybersecurity #bec #businessemailcompromise #netsupport #rat #logistics #dfir #merabytes

If you are interested in protecting your infrastructure against sophisticated BEC attacks and commercial RATs, visit merabytes.com and request access to our continuous monitoring, endpoint protection, and behavior analysis services.

Tags: bec business-email-compromise netsupport rat telegram python phishing logistics dfir sentinelone

Frequently asked questions

An Adversary-Aware SOC goes beyond traditional security monitoring by understanding attacker tactics, techniques, and procedures (TTPs). We proactively hunt for threats using MITRE ATT&CK framework, behavioral analysis, and threat intelligence to detect attacks that bypass conventional security controls.

Traditional security tools focus on known signatures and indicators. Our behavioral detection analyzes anomalies in user activity, email patterns, network traffic, and system behavior to identify sophisticated attacks that use legitimate tools or bypass authentication controls. This caught the attacks in these case studies before significant damage occurred.

Our SOC operates 24/7 with real-time monitoring and automated response capabilities. Critical alerts trigger immediate investigation and containment actions within minutes. We provide continuous threat hunting, forensic analysis, and coordinated incident response to minimize impact and prevent lateral movement.

We combine global threat intelligence feeds with our own research from real incidents. Every attack we analyze contributes to our detection rules and IOC database, which is immediately shared across all protected environments. This means if we see a new attack pattern targeting one client, all clients are automatically protected within hours.

Absolutely. Our SOC integrates with your existing EDR, XDR, SIEM, firewalls, email security, and identity protection tools. We enhance their effectiveness by correlating events across all sources, applying adversary-aware detection logic, and providing expert human analysis that automated tools alone cannot achieve.