4 malware families

ZPHP

Also known asZPHP

ZPHP is a Proofpoint-tracked threat cluster first identified in June 2023. Proofpoint describes it as conducting fake browser update campaigns that lead to NetSupport RAT, with activity ongoing in weekly campaigns. Proofpoint observed that beginning in June 2024, ZPHP campaigns used a NetSupport configuration with licensee XMLCTL and serial number NSM303008. Proofpoint also noted overlap between ZPHP and UAC-0050 in similar JavaScript-based delivery mechanisms and overlapping NetSupport configuration, but explicitly stated that this overlap does not necessarily demonstrate they are the same actor. Alias: zphp.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

26 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics38 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

2 techniques

T1189

Drive-by Compromise

T1566

Phishing

T1566.001

Spearphishing Attachment

T1566.003

Spearphishing via Service

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.001×2

PowerShell

T1059.003

Windows Command Shell

T1059.005

Visual Basic

T1059.007

JavaScript

T1204×3

User Execution

T1204.002×2

Malicious File

T1204.004

Malicious Copy and Paste

TA0003

Persistence

2 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1055

Process Injection

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0005

Stealth

6 techniques

T1027

Obfuscated Files or Information

T1027.003

Steganography

T1036

Masquerading

T1055

Process Injection

T1070

Indicator Removal

T1070.004

File Deletion

T1218

System Binary Proxy Execution

T1218.005×2

Mshta

T1497

Virtualization/Sandbox Evasion

TA0007

Discovery

1 technique

T1497

Virtualization/Sandbox Evasion

TA0009

Collection

1 technique

T1115

Clipboard Data

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1105

Ingress Tool Transfer

T1219

Remote Access Tools

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

NetSupport RATWhile NetSupport is less commonly observed in Proofpoint campaign data at this time, there are still a handful of threat actors that distribute it as a first-stage payload via email.2Apr 23, 2026

RemcosThe campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.1Mar 25, 2026

Sectop RATThe campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.1Mar 25, 2026

StealCThe campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.1Mar 25, 2026

IOCS

Observables

6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

6 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

proofpoint threat insight blogNews

Mar 5, 2025

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice | Proofpoint US

Activity cluster conducting fake browser update campaigns that deliver NetSupport RAT, and in some cases Lumma Stealer, via compromised websites.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping26

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables6

Domains, IPs, and hashes tied to this actor, refreshed continuously.