
Introduction
In a sophisticated cyber attack chain observed by security researchers, threat actors leveraged a MediaFire-hosted ZIP archive containing a Python setup executable that side-loaded a maliciously padded DLL to gain initial access. The execution chain ultimately delivered three separate persistence mechanisms, including a fake EdgeUpdate scheduled task, a PowerShell-based backdoor, and the NetSupport RMM remote access tool, demonstrating the evolving complexity of modern intrusion campaigns. This article provides a comprehensive technical breakdown of the attack chain, indicators of compromise, and detection strategies for defenders.
Learning Objectives
- Understand the complete execution chain from email phishing to NetSupport RMM deployment
- Learn how DLL sideloading and binary padding techniques are used to evade detection
- Master DFIR triage techniques for identifying malicious artifacts in extracted archives
- Deploy detection rules and hunting queries for the specific IOCs and TTPs
- Implement defensive measures against similar multi-stage attacks
1. The Attack Chain: From Phishing Email to NetSupport RMM
Step-by-Step Execution Flow
Step 1: Initial Delivery
The victim receives a phishing email containing a link to a MediaFire-hosted ZIP archive. The archive contains a folder structure designed to appear legitimate.
Step 2: Archive Extraction and Triage
When the victim extracts the ZIP, they find a `Setup` folder containing:
– `Setu.exe` – A legitimate-looking Python setup executable
– VMware utility files (present but not actively used in this attack)
– `python37.dll` – A malicious DLL nearly 400 MB in size
Step 3: DLL Sideloading
The `Setu.exe` executable side-loads the malicious `python37.dll` from its own directory instead of the legitimate Python DLL. The unusual 400 MB size comes from long runs of the byte `J`. The padding changes nothing about what executes; its job is to push the sample past the file-size caps that many scanners and sandbox submission pipelines apply, to give each build a hash no existing signature matches, and to make static analysis slower and more awkward.
Step 4: Process Injection
Once loaded, the malicious DLL performs process injection into dllhost.exe, a legitimate Windows COM surrogate process. This injected code then establishes communication with the first command-and-control (C2) server at 138[.]124[.]186[.]2:7000.
Step 5: Persistence Deployment
By the end of the infection chain, the actor had deployed three separate persistence mechanisms:
– PowerShell-based path – A PowerShell script establishing backdoor communication
– Fake EdgeUpdate path – A scheduled task disguised as a Microsoft Edge Update task, executing `pythonw.exe` from `%LOCALAPPDATA%\Microsoft\EdgeUpdate\{GUID}\1.3.467.47\`
– NetSupport RMM path – The NetSupport remote management client, renamed and installed at `%APPDATA%\Microsoft\Image\SQLTool\46a05ef1a89e0c8a\century.exe`
DFIR Triage Note
When reviewing dropped artifacts from a ZIP, compare modified dates across files and directories. In this case, timestamp differences helped highlight which artifact deserved attention first—a quick win during triage.
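Two of those triage checks in script form, as an added example (not code from the report or its authors). It builds a throw-away folder whose file names mirror the extracted `Setup` directory but whose contents, sizes and timestamps are constructed here, then flags any PE whose tail is dominated by a single byte value and any file whose modification time sits far from the rest of the archive. The 90% padding ratio, the 1 MiB tail sample, the 7-day timestamp window and the guess that the padding sits at the end of the file are all assumptions.

```python
"""Triage helper for an extracted phishing archive (added example, not from the report).

Builds a throw-away 'Setup' folder whose file names mirror the report
(Setu.exe, python37.dll, two VMware-style helpers) but whose contents and
timestamps are constructed here, so it runs offline. Two cheap checks:
  1. byte padding: a PE whose tail is overwhelmingly one byte value
     (assumption: the padding sits at the end of the file, so only the tail is read);
  2. timestamp outlier: a file whose mtime is far from the archive's median.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

PADDING_RATIO = 0.90        # assumption: >= 90% of the sampled tail is one byte value
TAIL_SAMPLE = 1 << 20       # read at most the last 1 MiB, never the whole 400 MB
MTIME_OUTLIER = 7 * 86400   # assumption: more than 7 days from the median mtime is odd


def dominant_tail_byte(path, sample=TAIL_SAMPLE):
    """Return (byte_value, ratio) for the most common byte in the file's tail."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - sample))
        tail = fh.read()
    if not tail:
        return None, 0.0
    value, count = Counter(tail).most_common(1)[0]
    return value, count / len(tail)


def is_pe(path):
    """Cheap PE test: DOS 'MZ' magic at offset 0."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def triage(folder):
    """Return [(relative_path, size, [reasons])] for the files worth a first look."""
    entries = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            p = os.path.join(root, name)
            entries.append((p, os.path.getmtime(p), os.path.getsize(p)))
    if not entries:
        return []
    med = median(m for _p, m, _s in entries)
    findings = []
    for p, mtime, size in entries:
        reasons = []
        if is_pe(p):
            value, ratio = dominant_tail_byte(p)
            if ratio >= PADDING_RATIO:
                reasons.append(f"padded PE: {ratio:.0%} of tail is 0x{value:02x} ({chr(value)!r})")
        if abs(mtime - med) > MTIME_OUTLIER:
            reasons.append("mtime far from the rest of the archive")
        if reasons:
            findings.append((os.path.relpath(p, folder), size, reasons))
    return findings


def build_sample_folder():
    """Constructed stand-in for the extracted 'Setup' folder; returns its path."""
    base = tempfile.mkdtemp(prefix="setup_triage_")
    old = (datetime.now(timezone.utc) - timedelta(days=700)).timestamp()
    now = datetime.now(timezone.utc).timestamp()
    mixed = b"MZ" + bytes(range(256)) * 64          # no dominant byte value
    files = {
        "Setu.exe": (mixed, old),
        "vmware-util-1.dll": (mixed, old),
        "vmware-util-2.txt": (b"placeholder text\n" * 100, old),
        # 2 MiB stand-in for the ~400 MB sample: small header, then 'J' padding.
        "python37.dll": (b"MZ" + bytes(range(256)) * 4 + b"J" * (2 << 20), now),
    }
    for name, (data, ts) in files.items():
        p = os.path.join(base, name)
        with open(p, "wb") as fh:
            fh.write(data)
        os.utime(p, (ts, ts))
    return base


if __name__ == "__main__":
    for rel, size, reasons in triage(build_sample_folder()):
        print(f"{rel:20} {size:>10} bytes  " + "; ".join(reasons))
```

If a sample turns out to carry its padding between sections rather than as a trailing overlay, sample the whole file (or several offsets) instead of the tail; the ratio check itself is unchanged.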
2. Indicators of Compromise (IOCs)
Network IOCs
| Type | Indicator |
|---|---|
| Domain | `pub-2f1bcdf12a2e44408e7a58efe6006d43.r2.dev` |
| URL | `hxxps://pub-2f1bcdf12a2e44408e7a58efe6006d43[.]r2[.]dev/LICENSES.chromium.dat` |
| Domain | `bsc[.]blockrazor[.]xyz` |
| Domain | `mgo[.]gstats-api-contact[.]cc` |
| Domain | `xn--fiqq24b9hejs1c[.]clickvector[.]tech` |
| IP:Port | `138[.]124[.]186[.]2:7000` |
| IP:Port | `185[.]76[.]243[.]85:443` |
File System IOCs
– `%LOCALAPPDATA%\Microsoft\EdgeUpdate\{GUID}\1.3.467.47\pythonw.exe`
– `%APPDATA%\Microsoft\Image\SQLTool\46a05ef1a89e0c8a\century.exe`
Scheduled Task IOCs
– `MicrosoftEdgeUpdateTaskUserUA{GUID}-
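An audit of exported scheduled-task XML against the task-name IOC above, as an added example (not code from the report or its authors). Real input is the output of `schtasks /query /xml /tn <name>` or the files under `%SystemRoot%\System32\Tasks`, which are UTF-16 and must be decoded before parsing; the two task definitions below are constructed, with placeholder GUIDs and user name, and the fake task's arguments are left empty because the report does not give them. The genuine updater's location and the "script interpreter under a user profile" heuristic are assumptions stated in the comments.

```python
"""Audit exported Task Scheduler XML for a task that borrows the EdgeUpdate name.

Added example, not from the report. Both task definitions are constructed:
one mirrors a genuine per-machine Edge update task, the other the fake task
described in the article, with placeholder GUIDs and user name.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: the real updater is MicrosoftEdgeUpdate.exe sitting directly in a
# ...\Microsoft\EdgeUpdate folder (Program Files (x86) per-machine, %LOCALAPPDATA% per-user).
GENUINE_UPDATER = "microsoftedgeupdate.exe"
GENUINE_DIR_SUFFIX = "\\microsoft\\edgeupdate"
INTERPRETERS = {"pythonw.exe", "python.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def parse_task(xml_text):
    """Return {'name': task name, 'execs': [(command, arguments), ...]} from task XML."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    execs = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        execs.append((cmd, args))
    return {"name": uri.rsplit("\\", 1)[-1], "execs": execs}


def audit_task(task):
    """Return the reasons a task deserves attention (empty list = nothing odd)."""
    findings = []
    edge_named = task["name"].lower().startswith("microsoftedgeupdatetask")
    for cmd, args in task["execs"]:
        base = ntpath.basename(cmd).lower()
        folder = ntpath.dirname(cmd).lower()
        if edge_named and (base != GENUINE_UPDATER or not folder.endswith(GENUINE_DIR_SUFFIX)):
            findings.append(f"EdgeUpdate-named task runs {cmd} {args}".rstrip())
        if base in INTERPRETERS and USER_PROFILE.match(cmd):
            # Heuristic (assumption): a script interpreter under a user profile is rarely a vendor updater.
            findings.append(f"interpreter launched from a user profile path: {cmd} {args}".rstrip())
    return findings


def _task_xml(uri, command, arguments=""):
    """Constructed, minimal task definition in the real Task Scheduler schema."""
    return f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>{uri}</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>
  </Actions>
</Task>"""


SAMPLE_TASKS = {
    # Shape of a genuine per-machine Edge update task (GUID is a placeholder).
    "genuine": _task_xml(
        r"\MicrosoftEdgeUpdateTaskMachineUA{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
        r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
        "/ua /installsource scheduler",
    ),
    # Shape of the fake task from the report; GUID and user are placeholders, arguments unknown.
    "fake": _task_xml(
        r"\MicrosoftEdgeUpdateTaskUserUA{11111111-2222-3333-4444-555555555555}",
        r"C:\Users\alice\AppData\Local\Microsoft\EdgeUpdate\{11111111-2222-3333-4444-555555555555}\1.3.467.47\pythonw.exe",
    ),
}


def audit_all(tasks):
    """Map task name -> findings for every task XML in `tasks`."""
    return {t["name"]: audit_task(t) for t in map(parse_task, tasks.values())}


if __name__ == "__main__":
    for name, reasons in audit_all(SAMPLE_TASKS).items():
        print(name, "->", reasons or "ok")
```

The name check is deliberately loose (`MicrosoftEdgeUpdateTask*`) because the report's task name is only partially known; what separates real from fake is the binary the task executes, so that is what the rule keys on.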
3. Detection and Hunting Commands
Windows PowerShell Detection Scripts
Search for the fake EdgeUpdate persistence. The genuine update tasks run `MicrosoftEdgeUpdate.exe`, so the discriminator is the binary a task executes, not the task name:
# GUID-named directories under the per-user EdgeUpdate folder
Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\EdgeUpdate\" -Recurse -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[A-F0-9-]+\}$' }

# Any pythonw.exe under an EdgeUpdate path is wrong by definition
Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\EdgeUpdate\" -Recurse -File -Filter "pythonw.exe" -ErrorAction SilentlyContinue

# Every EdgeUpdate-named task and what it actually executes ('-like' without a wildcard is a plain equality test)
Get-ScheduledTask | Where-Object { $_.TaskName -like 'MicrosoftEdgeUpdateTask*' } |
    ForEach-Object {
        foreach ($a in $_.Actions) {
            [pscustomobject]@{ Task = $_.TaskName; Execute = $a.Execute; Arguments = $a.Arguments }
        }
    } | Where-Object { $_.Execute -notmatch 'MicrosoftEdgeUpdate\.exe' }
Search for the NetSupport RMM installation. `century.exe` is a renamed client, so read the product metadata and signer rather than trusting the file name:
# Files under the reported install path, with version info and Authenticode signer
Get-ChildItem -Path "$env:APPDATA\Microsoft\Image\SQLTool\" -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime,
        @{ n = 'Product'; e = { $_.VersionInfo.ProductName } },
        @{ n = 'Signer';  e = { (Get-AuthenticodeSignature $_.FullName).SignerCertificate.Subject } }
Process injection detection (dllhost.exe anomaly). DcomLaunch starts genuine COM surrogates with a `/Processid:{CLSID}` argument; an instance without it, with an unexpected parent, or with an outbound connection deserves a look:
# All dllhost.exe instances with parent PID and command line
Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine

# Established connections to the reported C2 endpoints, mapped back to the owning process
# (netstat -ano prints PIDs only, so 'findstr dllhost' on its output matches nothing; netstat -anob needs elevation)
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -in @('138.124.186.2', '185.76.243.85') -or $_.RemotePort -eq 7000 } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Process = $p.ProcessName; PID = $_.OwningProcess; Remote = "$($_.RemoteAddress):$($_.RemotePort)" }
    }
Linux-based Log Analysis (for SIEM/SOAR)
EVTX is a binary format, so grep the exported form (for example JSON lines produced by `evtx_dump`, or XML) rather than the raw `.evtx` files. Braces and dots are escaped so the expressions mean what they look like:
# EdgeUpdate-style GUID directory names in the exports
grep -rEi '\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}' /mnt/windows_logs/

# pythonw.exe tied to the fake EdgeUpdate path or its version string
grep -ri 'pythonw\.exe' /mnt/windows_logs/ | grep -Ei '(EdgeUpdate|1\.3\.467\.47)'

# Connections to the reported C2 addresses (escaped dots, so 138.124.186.2 does not also match 138x124...)
grep -rE '(138\.124\.186\.2|185\.76\.243\.85)\b' /mnt/windows_logs/security_logs/
YARA Rule for Malicious DLL Detection
Two fixes against the first draft of this rule: `at 0` and the match-count operator `#` belong in the condition, not in the string definition, and a fixed 64-byte run is far cheaper for the scanner than an unbounded regex over a 400 MB file. The size threshold is a tuning knob; a variant may pad less.
rule Malicious_Python37_DLL_Padding {
    meta:
        description = "python37.dll-style PE inflated with long runs of the byte 'J'"
        author = "Threat Hunter"
        date = "2026-06-17"
        reference = "NetSupport RMM Attack Chain"
    strings:
        $padding = "JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ"   // 64 x 'J'
        $python_ref = "python37" nocase
        $dll_mz = "MZ"
    condition:
        $dll_mz at 0 and $python_ref and #padding > 100 and filesize > 100MB
}
4. Network Traffic Analysis and C2 Communication
C2 Communication Patterns
First C2: `138[.]124[.]186[.]2:7000`
- The injected `dllhost.exe` initiates the outbound connection on TCP/7000
- Likely used for initial beaconing and command retrieval; the report does not describe the protocol, so do not assume HTTP
- A non-standard egress port is a gift to defenders: a default-deny egress policy that permits only the ports users need blocks it outright
Second C2: `185[.]76[.]243[.]85:443`
- Port 443, so the channel is presumably meant to blend in with HTTPS traffic
- Confirm from the capture (TLS handshake, SNI, certificate issuer) whether it actually is TLS before building detections that assume it
- Speculation about domain fronting or certificate impersonation is not supported by the report; verify against the observed traffic
Network Detection Rules
Snort/Suricata Rule:
The report gives no beacon bytes, so the rule keys on the endpoint only (a `content`/`within` pair with no preceding content match is invalid in Snort and was guesswork anyway). Add a sibling rule with its own `sid` for `185.76.243.85:443`.
alert tcp $HOME_NET any -> 138.124.186.2 7000 (msg:"Possible C2 beacon to 138.124.186.2:7000 (injected dllhost.exe)"; flow:to_server,established; classtype:trojan-activity; sid:1000001; rev:2;)
Zeek (Bro) Script Snippet:
event connection_established(c: connection)
    {
    if ( c$id$resp_h == 138.124.186.2 && c$id$resp_p == 7000/tcp )
        print fmt("Potential C2 connection from %s to %s:%s", c$id$orig_h, c$id$resp_h, c$id$resp_p);
    }
5. Mitigation and Hardening Strategies
Endpoint Hardening
Disable DLL Sideloading Vectors:
- `Setu.exe` loads `python37.dll` from its own directory, the first place the loader looks, so the DLL search order settings (`SafeDllSearchMode`, `CWDIllegalInDllSearch`) do not change this case; they matter for current-directory and system-DLL hijacks
- The control that does block it is WDAC in enforced mode with DLL rules (or AppLocker with its DLL rule collection enabled), which refuses an unsigned or unapproved `python37.dll` regardless of which EXE asks for it
- The ProcessMitigations cmdlets have no "DLL search order restriction" switch; the relevant image-load mitigations are `PreferSystem32` (use the System32 copy of a DLL that also exists there) and `MicrosoftSignedOnly` (Code Integrity Guard), and neither should be enabled system-wide without testing
PowerShell Commands to Audit and Harden Image Loading:
# Current system-default image-load mitigations
(Get-ProcessMitigation -System).ImageLoad

# Prefer the System32 copy over an application-directory copy, system-wide (does not cover python37.dll, which has no System32 copy)
Set-ProcessMitigation -System -Enable PreferSystem32

# SafeDllSearchMode is on by default; an absent value or 1 means enabled
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name SafeDllSearchMode -ErrorAction SilentlyContinue
Application Whitelisting
Deploy AppLocker or WDAC policies:
- Block execution from `%LOCALAPPDATA%\Microsoft\EdgeUpdate\{GUID}\` unless explicitly approved
- Restrict `pythonw.exe` execution to known good paths only
- Monitor and restrict `dllhost.exe` spawning of child processes
Sample AppLocker Rule (XML, imported with PowerShell):
`New-AppLockerPolicy` has no `-Action` or `-Path` parameters; it only generates Allow rules from file information. A Deny path rule is authored as policy XML (or in the Local Security Policy editor) and merged in. AppLocker path conditions use their own variables, so `%OSDRIVE%\Users\*\AppData\Local\...` stands in for `%LOCALAPPDATA%`. Start in AuditOnly: an Exe collection in Enabled mode that contains only this Deny rule and no Allow rules blocks every executable.
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Id: any freshly generated GUID (New-Guid); S-1-1-0 is Everyone -->
    <FilePathRule Id="7d0c4f3e-5a62-4b1e-9f0a-2c6e8b1d4a90" Name="Deny pythonw.exe under a user EdgeUpdate path" Description="Fake EdgeUpdate persistence" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Microsoft\EdgeUpdate\*\pythonw.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
# Merge into the existing local policy, then review the result with Get-AppLockerPolicy -Effective -Xml
Set-AppLockerPolicy -XmlPolicy .\deny-edgeupdate-pythonw.xml -Merge
Network Segmentation and Egress Control
- Inventory the remote-management tools the organization actually approved and alert on any NetSupport client outside the approved package path; `century.exe` under `%APPDATA%\Microsoft\Image\SQLTool\` is a renamed client, so key on product metadata and path rather than the file name
- Default-deny egress, allowing only the ports and destinations users need, would have stopped the TCP/7000 beacon on its own; block the two reported addresses explicitly as well
- Where TLS inspection, or at least TLS metadata logging (SNI, JA3, certificate issuer), exists, use it to establish what the port 443 channel actually carries
6. Advanced Hunting Queries
KQL for Microsoft Sentinel/Defender
// Hunt for suspicious EdgeUpdate paths
DeviceFileEvents
| where FolderPath contains @"\Microsoft\EdgeUpdate\"
| where FileName == "pythonw.exe"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessAccountName
// Hunt for dllhost.exe with network connections to suspicious IPs
DeviceNetworkEvents
| where RemoteIP in ("138.124.186.2", "185.76.243.85")
| where InitiatingProcessFileName == "dllhost.exe"
| project Timestamp, DeviceName, RemoteIP, RemotePort, LocalIP, InitiatingProcessCommandLine
// Hunt for NetSupport RMM installation
DeviceFileEvents
| where FolderPath contains @"\Microsoft\Image\SQLTool\"
| where FileName == "century.exe"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessAccountName
Sigma Rule for SIEM Detection
The parent of a process launched by a scheduled task is the Task Scheduler service host, not anything under `EdgeUpdate`, so the rule matches on the image path rather than `ParentImage`. The campaign's version string (`1.3.467.47`) is deliberately left out so that variants with a different folder name still match.
title: Suspicious EdgeUpdate pythonw.exe Execution
id: 12345678-1234-1234-1234-123456789012
status: experimental
description: Detects pythonw.exe running from a Microsoft EdgeUpdate path (fake Edge update persistence)
references:
  - https://www.threathuntinglabs.com
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\pythonw.exe'
    Image|contains: '\Microsoft\EdgeUpdate\'
  condition: selection
falsepositives:
  - None expected; the genuine updater is MicrosoftEdgeUpdate.exe, not a Python interpreter
level: high
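The hunts above (the PowerShell checks, the KQL queries and the Sigma rule) expressed as one set of rules run over constructed Sysmon-style events, as an added example (not code from the report or its authors). The events are dicts shaped like Sysmon event IDs 1 (process creation), 3 (network connection) and 11 (file create), built here with a placeholder user, GUID and an RFC 5737 documentation address rather than captured from a host. The IOC values are the article's; the two `dllhost.exe` rules are heuristics, marked as assumptions in their docstrings.

```python
"""Run the article's hunts over constructed Sysmon-style events (added example).

Events are dicts shaped like Sysmon event IDs 1, 3 and 11; they are built
below, not captured. The IOC values are the article's; the dllhost.exe rules
are heuristics (assumptions), explained in their docstrings.
"""
import ipaddress
import ntpath

C2_ENDPOINTS = {("138.124.186.2", 7000), ("185.76.243.85", 443)}


def _base(path):
    return ntpath.basename(path).lower()


def _folder(path):
    # Trailing backslash so '\microsoft\edgeupdate\' also matches a file sitting directly in that folder.
    return ntpath.dirname(path).lower() + "\\"


def _target_path(ev):
    """Path the event is about: Image for process creation, TargetFilename for file create."""
    if ev["EventID"] == 1:
        return ev.get("Image", "")
    if ev["EventID"] == 11:
        return ev.get("TargetFilename", "")
    return ""


def rule_pythonw_under_edgeupdate(ev):
    """Same logic as the DeviceFileEvents hunt and the Sigma rule: pythonw.exe under \\Microsoft\\EdgeUpdate\\."""
    p = _target_path(ev)
    return bool(p) and _base(p) == "pythonw.exe" and "\\microsoft\\edgeupdate\\" in _folder(p)


def rule_netsupport_drop_path(ev):
    """century.exe under \\Microsoft\\Image\\SQLTool\\, the reported NetSupport drop path."""
    p = _target_path(ev)
    return bool(p) and _base(p) == "century.exe" and "\\microsoft\\image\\sqltool\\" in _folder(p)


def rule_c2_ioc_hit(ev):
    """Connection to one of the reported C2 endpoints (address and port must both match)."""
    return ev["EventID"] == 3 and (ev["DestinationIp"], int(ev["DestinationPort"])) in C2_ENDPOINTS


def rule_dllhost_outbound_public(ev):
    """Heuristic (assumption): a COM surrogate has no business talking to a public address."""
    return (ev["EventID"] == 3 and _base(ev["Image"]) == "dllhost.exe"
            and ipaddress.ip_address(ev["DestinationIp"]).is_global)


def rule_dllhost_without_processid(ev):
    """Heuristic (assumption): DcomLaunch starts genuine surrogates with /Processid:{CLSID}; one without it was started some other way."""
    return (ev["EventID"] == 1 and _base(ev["Image"]) == "dllhost.exe"
            and "/processid:" not in ev.get("CommandLine", "").lower())


RULES = {
    "pythonw_under_edgeupdate": rule_pythonw_under_edgeupdate,
    "netsupport_drop_path": rule_netsupport_drop_path,
    "c2_ioc_hit": rule_c2_ioc_hit,
    "dllhost_outbound_public": rule_dllhost_outbound_public,
    "dllhost_without_processid": rule_dllhost_without_processid,
}


def run_hunts(events):
    """Return [(RecordId, rule_name), ...] for every rule that fires on every event."""
    return [(ev["RecordId"], name) for ev in events for name, fn in RULES.items() if fn(ev)]


GUID = "{11111111-2222-3333-4444-555555555555}"  # placeholder for the report's {GUID}
SAMPLE_EVENTS = [
    # Genuine COM surrogate: started by DcomLaunch with /Processid, no network activity.
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # dllhost.exe started without /Processid by the side-loading host from the report.
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Setup\Setu.exe"},
    # Its beacon to the first C2 endpoint.
    {"RecordId": 3, "EventID": 3, "Image": r"C:\Windows\System32\dllhost.exe",
     "DestinationIp": "138.124.186.2", "DestinationPort": 7000},
    # Ordinary browser traffic to a documentation-range address: no rule should fire.
    {"RecordId": 4, "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # The fake EdgeUpdate persistence payload being written.
    {"RecordId": 5, "EventID": 11,
     "TargetFilename": ntpath.join(r"C:\Users\alice\AppData\Local\Microsoft\EdgeUpdate", GUID, "1.3.467.47", "pythonw.exe")},
    # The renamed NetSupport client being written.
    {"RecordId": 6, "EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Image\SQLTool\46a05ef1a89e0c8a\century.exe"},
    # The genuine updater running from its normal location: no rule should fire.
    {"RecordId": 7, "EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "CommandLine": '"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # A surrogate talking to an internal file server: private address, so the public-egress heuristic stays quiet.
    {"RecordId": 8, "EventID": 3, "Image": r"C:\Windows\System32\dllhost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


if __name__ == "__main__":
    for record_id, rule in run_hunts(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

The IOC rule is exact on address and port; the two `dllhost.exe` heuristics are the generalisation a hunter would keep after this campaign's addresses rotate, and they are the ones to baseline against your own fleet before alerting on them.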
7. Threat Actor TTPs (MITRE ATT&CK Mapping)
| Technique | MITRE ID | Description |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Email with MediaFire link to malicious ZIP |
| DLL Side-Loading | T1574.002 | Setu.exe loads malicious python37.dll |
| Process Injection | T1055 | Injection into dllhost.exe |
| Scheduled Task | T1053.005 | Fake EdgeUpdate scheduled task |
| Masquerading: Match Legitimate Name or Location | T1036.005 | EdgeUpdate-named task and Microsoft-looking drop paths |
| Remote Access Software | T1219 | NetSupport RMM deployment |
| Obfuscated Files or Information: Binary Padding | T1027.001 | Repeated J byte padding in DLL |
| Application Layer Protocol | T1071 | Beacons to C2 servers on 7000 and 443 (protocol not stated in the report) |
| Non-Standard Port | T1571 | First C2 on TCP/7000 |
What Undercode Say
- DLL sideloading remains a highly effective initial access vector, especially combined with binary padding that defeats signature-based detection. The 400 MB file size, inflated with repeated J bytes, pushes the sample past the file-size caps many scanners and sandbox submission pipelines apply and gives it a hash no existing signature matches; it does nothing to the code that runs.
- Timestamp analysis during DFIR triage is critical. The researchers noted that comparing modified dates across extracted files helped identify the malicious DLL quickly, a simple but often overlooked technique that can save hours of investigation.
- The triple-persistence strategy (PowerShell + fake EdgeUpdate + NetSupport RMM) indicates an actor who values redundancy. Even if one persistence mechanism is discovered and removed, the others remain as fail-safes, ensuring continued access.
- NetSupport RMM abuse is a growing trend among threat actors, because legitimate remote management tools provide stealthy persistence and are often allow-listed by security products. NetSupport is a commercial product whose binaries are normally signed, so "unsigned" is not the tell; an RMM agent the organization did not deploy, especially a renamed one (`century.exe`) under a Microsoft-looking path, is.
- The two C2 endpoints (TCP/7000 and TCP/443) give the actor a fallback when one is blocked. The report does not state which protocols ran over them, so treat "the 443 channel is encrypted" as a hypothesis to confirm from traffic, not a given.
- Defenders should prioritize hunting for the specific file paths and scheduled task names in the IOCs. These are unusual enough to yield low false-positive rates while giving high-confidence detection of this campaign.
- The attack chain demonstrates the value of application control. Had WDAC, or AppLocker with its DLL rule collection enabled (it is off by default), been enforcing, the sideloaded DLL would have been refused at load time and the rest of the chain would never have run.
- Cloud storage services like MediaFire and Cloudflare R2 public buckets (r2.dev) are increasingly used as malware distribution platforms. Organizations should consider blocking or closely monitoring downloads from these services, especially when the download is initiated from an email link.
- The fake EdgeUpdate persistence is particularly insidious because it mimics a legitimate Microsoft component. Users and even some security tools may overlook it, assuming it is part of normal Edge update activity.
- This case reinforces that threat hunting is most effective when combining multiple data sources: network logs, endpoint telemetry, file system analysis, and process monitoring. No single data source would have revealed the full scope of this attack.
Prediction
- +1 Attack chains combining legitimate remote management tools with DLL sideloading will become the new standard for sophisticated threat actors, as they bypass traditional EDR and antivirus solutions while maintaining persistence.
- -1 The use of binary padding (repeated J bytes) to inflate file sizes will force security vendors to rethink sandbox timeouts and file size thresholds, potentially leading to increased detection latency and resource consumption.
- +1 DFIR teams will increasingly adopt timestamp analysis as a primary triage technique, recognizing its effectiveness in rapidly identifying malicious artifacts within compressed archives.
- -1 As cloud storage services become primary malware distribution vectors, organizations will face increased challenges in balancing productivity (legitimate use of these services) with security (blocking malicious downloads).
- +1 The MITRE ATT&CK framework will continue to evolve with new sub-techniques addressing DLL sideloading variants and RMM abuse, providing defenders with better detection and mitigation guidance.
- -1 Smaller organizations without dedicated threat hunting teams will remain vulnerable to these multi-stage attacks, as the complexity requires skilled analysts to piece together the full chain from disparate data sources.
This article is based on public threat intelligence shared by Kostas T. and Joshua Speshock. For full context, commands, timeline reconstruction, and detection leads, consider enterprise threat intelligence feeds available through Threat Hunting Labs.
Reported By: Joshua Speshock – Hackers Feeds