Back to Intelligence

NetSupport RMM via Python Side-Loading: MediaFire ZIP Attack Chain Analysis

SA
Security Arsenal Team
July 17, 2026
5 min read

Threat Summary

Recent intelligence from OTX pulses reveals an active campaign utilizing a sophisticated infection chain to deliver NetSupport Manager, a legitimate remote administration tool frequently abused by threat actors as RAT (Remote Access Trojan). The attack vector begins with phishing emails distributing a ZIP file hosted on MediaFire. Upon execution, the payload utilizes a Python setup executable (Setu.exe) to side-load a malicious, padded python37.dll (approx. 400MB). This technique is employed to bypass heuristic scanning and evade static analysis. The malware ultimately injects into dllhost.exe to establish persistence and communicate with Command and Control (C2) infrastructure over port 7000.

The objective of this campaign appears to be gaining unauthorized remote access to victim machines for data theft, lateral movement, or deployment of secondary payloads. The use of large, padded DLLs suggests a specific effort to overwhelm or confuse automated analysis sandboxes.

Threat Actor / Malware Profile

Malware Family: NetSupport RMM (Remote Access Trojan)

  • Distribution Method: Email-based delivery directing users to download a ZIP archive from MediaFire. The archive contains a fraudulent Python installer.
  • Payload Behavior:
    • DLL Side-loading: The campaign leverages the Setu.exe (Python setup) to load a malicious python37.dll located in the same directory.
    • Process Injection: The malicious DLL injects code into dllhost.exe (COM Surrogate) to mask malicious activity under a legitimate Windows process.
  • C2 Communication: Establishes connection to 138.124.186.2 on port 7000. Secondary C2 domains include bsc.blockrazor.xyz and xn--fiqq24b9hejs1c.clickvector.tech.
  • Persistence Mechanism: Utilizes Scheduled Tasks to maintain access across reboots.
  • Anti-Analysis Techniques: The payload DLL uses repeated byte padding to bloat the file size to ~400MB. This "fat DLL" technique is designed to crash or timeout automated sandbox analysis tools that attempt to scan the full file.

IOC Analysis

The current pulse provides specific network indicators and filenames associated with this campaign.

  • IP Address: 138.124.186.2 (C2 Server)
  • Domains:
    • bsc.blockrazor.xyz
    • xn--fiqq24b9hejs1c.clickvector.tech
  • Filenames: Setu.exe, python37.dll
  • Process: dllhost.exe (often abused for injection in this context)

Operational Guidance: SOC teams should immediately block the listed IP and domains at the perimeter firewall and proxy servers. EDR solutions should be configured to alert on outbound connections to port 7000 from non-browsers, specifically involving dllhost.exe. Due to the nature of the DLL side-loading, file reputation checks for python37.dll are less effective; instead, focus on the parent process Setu.exe and the origin of the download (MediaFire).

Detection Engineering

Sigma Rules

YAML
---
title: Potential NetSupport RMM Python Side-Loading
description: Detects the execution of Setu.exe loading a suspicious python37.dll, indicative of the side-loading technique observed in the NetSupport campaign.
status: experimental
date: 2026/07/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.defense_evasion
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\Setu.exe'
        ImageLoaded|endswith: '\python37.dll'
    condition: selection
falsepositives:
    - Legitimate Python software installation
level: high
---
title: Suspicious dllhost.exe Network Activity on Port 7000
description: Detects dllhost.exe making outbound connections to non-standard ports, specifically port 7000, associated with NetSupport C2.
status: experimental
date: 2026/07/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\dllhost.exe'
        DestinationPort: 7000
    condition: selection
falsepositives:
    - Rare legitimate COM+ activity on non-standard ports
level: critical
---
title: Large Python DLL File Creation
description: Detects the creation of python37.dll files larger than 100MB, a technique used to pad malware and evade analysis.
status: experimental
date: 2026/07/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\python37.dll'
        FileSize: > 100000000
    condition: selection
falsepositives:
    - Unlikely, standard Python DLLs are small (MB range)
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for NetSupport C2 Traffic and Initial Access
let IOCs = dynamic(['138.124.186.2', 'bsc.blockrazor.xyz', 'xn--fiqq24b9hejs1c.clickvector.tech']);
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl has_any (IOCs) or RemotePort == 7000
| where InitiatingProcessFileName =~ 'dllhost.exe'
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessParentFileName, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc

// Correlate with Process Execution of the setup file
DeviceProcessEvents
| where FileName =~ 'Setu.exe' or (FolderPath contains 'python' and FileName =~ 'setup.exe')
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# Hunt for artifacts associated with the NetSupport Side-Loading campaign
# 1. Check for oversized python37.dll files (sign of padding)
Write-Host "[+] Hunting for oversized python37.dll files..."
Get-ChildItem -Path C:\ -Recurse -Filter "python37.dll" -ErrorAction SilentlyContinue | 
    Where-Object { $_.Length -gt 100MB } | 
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc

# 2. Check Scheduled Tasks for suspicious entries linked to Python or Scripts
Write-Host "[+] Checking Scheduled Tasks for suspicious persistence..."
Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -match "python|wscript|cscript" -or 
    $_.TaskName -match "Update|Python|Setup" 
} | 
    Select-Object TaskName, State, @{Name='Action';Expression={$_.Actions.Execute}}, @{Name='Arguments';Expression={$_.Actions.Arguments}}

# 3. Check recent network connections to port 7000 (requires admin rights and netstat)
Write-Host "[+] Checking for active connections on port 7000..."
netstat -ano | findstr ":7000"

Response Priorities

  • Immediate:

    • Block all listed IOCs (138.124.186.2, bsc.blockrazor.xyz, xn--fiqq24b9hejs1c.clickvector.tech) at the firewall and proxy.
    • Isolate any endpoints showing alerts for dllhost.exe connecting to port 7000 or executing Setu.exe.
    • Quarantine the malicious email samples and block MediaFire downloads for non-approved business use.
  • 24 Hours:

    • Conduct a scoped hunt for Setu.exe execution events within the last 30 days across all endpoints.
    • Verify the integrity of systems where python37.dll was found in non-standard directories.
    • Review user activity on hosts identified as compromised for signs of lateral movement or data exfiltration.
  • 1 Week:

    • Update email security gateways to block ZIP files containing .exe or .dll files masquerading as installers.
    • Implement Application Control policies to restrict python.exe and installers to specific user baselines.
    • Review and harden the environment against DLL side-loading attacks (e.g., enforce known-good DLL search paths).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwarenetsupport-rmmdll-side-loadingmediafireremote-access-trojanemail-threat

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.