Date: 06/13/2025
Severity: Medium
Summary
A new version of Neptune RAT, version 5.3, has been observed in the wild as early as May 27, 2025. Developed by the Mason Team, this RAT is also referred to as MasonRAT based on configuration data from our analysis. The infection begins with a JavaScript (.js) file that executes via wscript.exe when double-clicked. This .js file drops a .bat file onto the disk, while subsequent payloads run directly from system memory without being saved to disk.
Indicators of Compromise (IOC) List

| Type | Indicator |
| --- | --- |
| URL/Domain | apostlejob3.duckdns.org |
| IP Address | 107.172.232.84 |
| Hash (SHA-256) | 0e5c2dc881698eddca82990a30bb2f734065b2eb9ea329b03fbf454e43a254e8 |
| Hash (SHA-256) | bd2cc2f1f25b5f520a87068475247dd5611ab9f199ed3264983d720e016acf66 |
| Hash (SHA-256) | ef7f1ff249b03f69993926e01bb4b5e0055aa897634f8a10f24968b514d96b40 |
| Hash (SHA-256) | 8fa3103bcd5d7d097dddcd0b1d56614b9787a019cfad2af0b5e24cd7f4b49e7a |
| Hash (SHA-256) | 3d8c31a68e3fab61212af7ebb3024c5ab079cd205a9297333824f342113b6058 |
| Hash (SHA-256) | 9d86ea12e0643cd79f6f97202716d6e7b2a0f2dc81b9255719bb5ca7aaeebd12 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

| Query | Logic |
| --- | --- |
| Detection Query 1 | domainname like "apostlejob3.duckdns.org" or siteurl like "apostlejob3.duckdns.org" or url like "apostlejob3.duckdns.org" |
| Detection Query 2 | dstipaddress IN ("107.172.232.84") or srcipaddress IN ("107.172.232.84") |
| Detection Query 3 | sha256hash IN ("bd2cc2f1f25b5f520a87068475247dd5611ab9f199ed3264983d720e016acf66","9d86ea12e0643cd79f6f97202716d6e7b2a0f2dc81b9255719bb5ca7aaeebd12","8fa3103bcd5d7d097dddcd0b1d56614b9787a019cfad2af0b5e24cd7f4b49e7a","ef7f1ff249b03f69993926e01bb4b5e0055aa897634f8a10f24968b514d96b40","0e5c2dc881698eddca82990a30bb2f734065b2eb9ea329b03fbf454e43a254e8","3d8c31a68e3fab61212af7ebb3024c5ab079cd205a9297333824f342113b6058") |
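The three TDIR queries above, expressed as a small matcher and run over constructed log records; this is an added example, not part of the advisory or of Gurucul's product. It assumes the query field names map directly onto record keys and treats `like` as a case-insensitive substring match, so a full URL containing the C2 domain also fires.

```python
# Indicators copied from the advisory's IOC table above.
IOC_DOMAINS = {"apostlejob3.duckdns.org"}
IOC_IPS = {"107.172.232.84"}
IOC_SHA256 = {
    "0e5c2dc881698eddca82990a30bb2f734065b2eb9ea329b03fbf454e43a254e8",
    "bd2cc2f1f25b5f520a87068475247dd5611ab9f199ed3264983d720e016acf66",
    "ef7f1ff249b03f69993926e01bb4b5e0055aa897634f8a10f24968b514d96b40",
    "8fa3103bcd5d7d097dddcd0b1d56614b9787a019cfad2af0b5e24cd7f4b49e7a",
    "3d8c31a68e3fab61212af7ebb3024c5ab079cd205a9297333824f342113b6058",
    "9d86ea12e0643cd79f6f97202716d6e7b2a0f2dc81b9255719bb5ca7aaeebd12",
}

def match_record(rec: dict) -> list[str]:
    """Return the names of the advisory's queries that fire on one log record.
    Field names mirror the queries (domainname, siteurl, url, dstipaddress,
    srcipaddress, sha256hash). Assumption: 'like' == case-insensitive substring."""
    hits = []
    # Query 1: C2 domain present in any of the domain/URL fields.
    for f in ("domainname", "siteurl", "url"):
        v = rec.get(f)
        if v and any(d in v.lower() for d in IOC_DOMAINS):
            hits.append("Detection Query 1")
            break
    # Query 2: exact match of the C2 IP on either endpoint.
    if any(rec.get(f) in IOC_IPS for f in ("dstipaddress", "srcipaddress")):
        hits.append("Detection Query 2")
    # Query 3: SHA-256 match, lowercased first (some sources log uppercase hex).
    h = rec.get("sha256hash")
    if h and h.lower() in IOC_SHA256:
        hits.append("Detection Query 3")
    return hits

def scan(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Run every record through match_record; return (index, hits) for alerts."""
    alerts = []
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            alerts.append((i, hits))
    return alerts

# Constructed sample records (not real telemetry); values reuse the page's IOCs.
SAMPLE_LOGS = [
    {"url": "http://apostlejob3.duckdns.org/gate", "dstipaddress": "107.172.232.84"},
    {"sha256hash": "0E5C2DC881698EDDCA82990A30BB2F734065B2EB9EA329B03FBF454E43A254E8"},
    {"domainname": "example.com", "srcipaddress": "192.0.2.10"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"record {idx}: {', '.join(hits)}")
```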
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-06-11-IOCs-for-Neptune-RAT-version-5.3.txt