A critical warning has emerged this week, alerting Microsoft Windows users about a dangerous new browser update targeting them. The attack uses social engineering to trick users into making a simple yet regrettable click. Here’s what you need to know.
According to a report from Cyber Security News, the threat originates from a campaign observed by Palo Alto Networks’ Unit 42. The attack involves malicious JavaScript injected into legitimate websites, warning users that their browser module in Chrome, Edge, or Firefox is outdated and needs updating. The warnings are highly realistic, using branding and urgent language such as “Critical Security Update Required.”
By downloading and running the malicious script, users unknowingly allow the malware to fetch the NetSupport RAT (Remote Access Trojan) code, which enables remote control of their device, data exfiltration, and modification of Windows registry entries for persistence. This makes it difficult to remove the malware once it’s running.
Furthermore, researchers revealed that in a recent campaign (observed on February 18, 2025), NetSupport RAT delivered a secondary payload known as StealC, a credential-stealing malware. StealC hunts for key login data and bypasses security mechanisms.
The researchers note that this attack highlights the persistent threat of social engineering, combined with fileless attack techniques. By exploiting trusted software update mechanisms and Windows internals, threat actors gain prolonged access to a network while evading conventional defenses.
Mitigation Strategies
To protect against this threat, the following steps are recommended:
- Block domains associated with SmartApeSG infrastructure (e.g., poormet[.]com, cinaweine[.]shop) using threat intelligence feeds.
- Deploy signatures to detect malicious JavaScript patterns (e.g., long Base64 strings, asynchronous HTTP requests).
- Monitor for unusual process relationships, such as mfpmp.exe spawning network connections or writing to %APPDATA%.
- Restrict PowerShell execution policies and log script activity to detect encoded command sequences.
- Train employees to recognize fake update lures, emphasizing that browsers update automatically and never require manual downloads.
This warning emphasizes the growing risk of fake browser installs and updates, reinforcing the importance of updating browsers through trusted, official means. Always check your browser’s update settings, avoid clicking on popups or website links—even if they seem legitimate—and restart your browser to ensure updates are applied. Browsers should be set to auto-update for maximum security.
