MalwareUsed by 2 actors

NetSupportRAT

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TA571

In addition, TA571 has been associated with the distribution of other malware families, including variants of IcedID, NetSupportRAT, DarkGate and others.

via talosintelligence otherblog.talosintelligence.com

UNC4108

...including WastedLocker, NetSupportRAT, Hades, and Dridex...

via silentpush blogsilentpush.com

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1566PhishingEvidence1

For instance, both FIA and SIA groups commonly utilize spear-phishing emails, exploitation of known vulnerabilities and proprietary malware.

T1566.001Spearphishing AttachmentEvidence1

For instance, both FIA and SIA groups commonly utilize spear-phishing emails, exploitation of known vulnerabilities and proprietary malware.

Command and Control

1 technique

T1105Ingress Tool TransferEvidence1

TA571... has been associated with the operation of spam botnets for malware distribution, as well as the use of the 404TDS which is sometimes incorporated into the spam emails.

INDICATORS OF COMPROMISE

IOCs tracked for this family

11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

11 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app2 months ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

silentpush blogNews

Aug 6, 2025

Unmasking SocGholish: Silent Push Untangles the Malware Web behind the “Pioneer of Fake Updates” and Its Operator, TA569

Legitimate remote administration tool frequently abused as a RAT; referenced as a follow-on payload delivered via the SocGholish/TA569 access ecosystem (including via MintsLoader/UNC4108).

talosintelligence otherNews

May 13, 2025

Redefining IABs: Impacts of compartmentalization on threat tracking and modeling

A remote access trojan distributed by TA571.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching11

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.