type: entity | confidence: high | created: 2026-06-15 | updated: 2026-06-15 | tags: malware-family, loader, pe, installer, evasion

netsupport-inno-dropper

Overview

Threat actor cluster that repackages legitimate remote-access software (NetSupport Manager) inside Inno Setup installers masquerading as hardware driver updates. The installer decrypts and drops NetSupport client binaries with attacker-controlled gateway configuration, providing persistent remote access without custom malware. The evasion is toolchain legitimacy: the binary itself is benign software repurposed for malicious installation.

Build Stack

  • Toolchain: Inno Setup 6.7.0 (Delphi/Object Pascal compiler) ^[sample 177bfc84/strings.txt:7552]
  • Arch: PE32 (x86), Windows GUI subsystem ^[sample 177bfc84/file.txt]
  • Import Table: Standard IAT intact; delay-imports for kernel32.dll and user32.dll ^[sample 177bfc84/pefile.txt:DelayImport]
  • Overlay: 3.07 MB encrypted LZMA-compressed Inno Setup archive ^[sample 177bfc84/binwalk.txt]
  • Signing: Unsigned ^[sample 177bfc84/rabin2-info.txt:signed=false]
  • Masquerade: Rotates hardware-vendor identity per sample (Intel Graphics Driver, NVIDIA, AMD, etc.) ^[sample 177bfc84/exiftool.json]

Capabilities

  • inno-setup-legitimate-installer-abuse
  • lzma-encrypted-overlay-archive
  • netsupport-manager-client-deployment
  • version-info-masquerade
  • driver-update-social-engineering
  • gateway-config-override

Deploy / TTPs

  • Masquerading (T1036.002): "Intel Graphics Driver Setup" by Intel Corporation ^[sample 177bfc84/exiftool.json]
  • Software Packing (T1027.002): Encrypted LZMA(2) Inno Setup archive with ChaCha20/AES-CTR ^[sample 177bfc84/strings.txt:7058-7059]
  • Ingress Tool Transfer (T1105): Drops NetSupport Manager client via legitimate installer ^[/intel/analyses/177bfc846a77617931f7e6651a26df92511c7f60c0170001d67b982c09a677d1.html]
  • Remote Access Software (T1219): NetSupport Manager abused for C2 access ^[/intel/analyses/177bfc846a77617931f7e6651a26df92511c7f60c0170001d67b982c09a677d1.html]
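Added example (not the wiki's or any vendor's tooling): a static triage check for the indicator combination recorded in Build Stack and the TTPs above, namely the Inno Setup data marker, a multi-megabyte overlay, no Authenticode directory and a claimed hardware-vendor identity in the file. `build_sample` fabricates a minimal PE32 so the check runs offline; the 1 MB overlay threshold and the vendor list are assumptions, not values from the analysis.

```python
import struct

INNO_MARKER = b"Inno Setup Setup Data"
# Vendor identities the cluster rotates through (constructed list based on the Masquerade note).
CLAIMED_VENDORS = ("Intel Corporation", "NVIDIA Corporation", "Advanced Micro Devices")

def pe_layout(data):
    """Parse just enough PE header to size the overlay and find the Authenticode directory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 vs PE32+
    sig_size = struct.unpack_from("<I", data, dirs + 4 * 8 + 4)[0]  # IMAGE_DIRECTORY_ENTRY_SECURITY
    end = 0
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)  # overlay = everything past the last section's raw data
    return {"overlay": len(data) - end, "signed": sig_size > 0}

def triage(data, min_overlay=1_000_000):
    """Flag the page's combination: Inno marker, large overlay, no signature, hardware-vendor claim."""
    lay = pe_layout(data)
    vendor = next((v for v in CLAIMED_VENDORS if v.encode("utf-16-le") in data), None)
    hits = {"inno_setup": INNO_MARKER in data,
            "large_overlay": lay["overlay"] >= min_overlay,
            "unsigned": not lay["signed"],
            "vendor_claim": vendor}
    hits["suspect"] = all(hits.values())  # only all four indicators together match this cluster
    return hits

def build_sample(overlay_size=1_100_000, signed=False):
    """Construct a synthetic PE32 (not a real sample): one section plus an Inno-style overlay."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x5000, 0x2000)   # placeholder security directory entry
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    body = "Intel Corporation".encode("utf-16-le").ljust(0x200, b"\0")  # stand-in for version info
    image = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x400, b"\0") + body
    return image + (INNO_MARKER + b" (6.7.0)").ljust(overlay_size, b"\0")
```

Running `triage` over real files needs only the bytes of the PE; a signed vendor installer with the same Inno marker scores `unsigned: False` and is not flagged.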

Variants / Aliases

  • netsupport-inno-dropper — this wiki label
  • hippamsascom / sunwukong — OpenCTI false-positive co-labels (structurally unrelated)
  • IntelGraphicsHelper.exe — observed filename

Notable Analyses

  • /intel/analyses/177bfc846a77617931f7e6651a26df92511c7f60c0170001d67b982c09a677d1.html — 177bfc84, Intel masquerade, Inno Setup 6.7.0, static-only

Related