NetSupport RAT
NetSupport RAT is the malicious use of the legitimate NetSupport Manager remote administration software, most commonly the NetSupport client component (client32.exe or Client.exe) repurposed for unauthorized remote access. Across public reporting it is repeatedly delivered through ClickFix/FakeCAPTCHA social engineering, phishing, malvertising, malicious PDFs, fake software installers, ZIP/MSI payloads, BAT and PowerShell download chains, and trojanized installers such as fake ChromeSetup packages. Observed installation chains download an archive containing the NetSupport Manager runtime, extract it, establish persistence, and execute client32.exe; persistence mechanisms directly mentioned include HKCU Run keys, Startup-folder LNK files, scheduled tasks with logon triggers created via schtasks, and the HKCU\Environment\UserInitMprLogonScript value.
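The persistence locations listed above lend themselves to a host-side hunt. The following Python is an added example written for this page, not code from any of the cited reports: it walks an Autoruns-style CSV export (the column names are an assumption; map them to your own autorun inventory) and reports every autostart that launches a NetSupport client, flagging those whose image sits outside the vendor's default install directory or under a user-writable path. The sample rows reuse the paths and Run value name quoted on this page; the user name, task name and the OneDrive row are constructed.

```python
"""Hunt for NetSupport client autostarts in an Autoruns-style CSV export.

Added example for this page, not code from any cited report. The input is a
constructed CSV in the shape of a Sysinternals Autoruns export (the column
names used here are an assumption; map them to your own autorun inventory).
"""
import csv
import io
import ntpath
import re

# NetSupport client binaries named in public reporting on this family.
CLIENT_BINARIES = {"client32.exe", "client.exe"}

# Where a legitimately installed NetSupport Manager client normally lives
# (assumption: default vendor install directories, lower-cased for comparison).
VENDOR_DIRS = {
    r"c:\program files\netsupport\netsupport manager",
    r"c:\program files (x86)\netsupport\netsupport manager",
}

# Autostart locations the page lists for this family, mapped to a label.
LOCATION_TAGS = (
    (re.compile(r"\\currentversion\\run(once)?$", re.I), "Run key"),
    (re.compile(r"\\start menu\\programs\\startup$", re.I), "Startup folder"),
    (re.compile(r"^task scheduler$", re.I), "Scheduled task"),
    (re.compile(r"\\environment\\userinitmprlogonscript$", re.I), "UserInitMprLogonScript"),
)

# Directories an unprivileged user can write to; a client32.exe under one of
# these is the installation pattern reported for weaponized deployments.
USER_WRITABLE = re.compile(r"\\(appdata|programdata)\\", re.I)


def hunt_autoruns(csv_text):
    """Return one finding per autostart that launches a NetSupport client.

    A finding is flagged suspicious when the image lives outside the vendor
    install directory or under a user-writable path.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = (row.get("Image Path") or "").strip().strip('"')
        launch = (row.get("Launch String") or "").lower()
        exe = ntpath.basename(image).lower()
        if exe not in CLIENT_BINARIES and not any(b in launch for b in CLIENT_BINARIES):
            continue
        location = row.get("Entry Location") or ""
        tag = next((t for rx, t in LOCATION_TAGS if rx.search(location)), "Other autostart")
        reasons = []
        if ntpath.dirname(image).lower() not in VENDOR_DIRS:
            reasons.append("image outside vendor install directory")
        if USER_WRITABLE.search(image):
            reasons.append("image under user-writable path")
        findings.append({
            "location": location,
            "entry": row.get("Entry") or "",
            "image": image,
            "mechanism": tag,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


# Constructed sample export: the paths and the Run value name mirror those
# quoted on this page; the user name, task name and OneDrive row are made up.
SAMPLE_AUTORUNS = r"""Entry Location,Entry,Image Path,Launch String
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,ProgCs1,C:\Users\alice\AppData\Roaming\APPDirectory\client32.exe,"C:\Users\alice\AppData\Roaming\APPDirectory\client32.exe"
C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup,autorunings.ini.lnk,C:\Users\alice\AppData\Roaming\WinSupports\client32.exe,"C:\Users\alice\AppData\Roaming\WinSupports\client32.exe"
HKCU\Environment\UserInitMprLogonScript,UserInitMprLogonScript,C:\ProgramData\CeoliauD\Dabkina\client32.exe,C:\ProgramData\CeoliauD\Dabkina\client32.exe
Task Scheduler,\Updater,C:\ProgramData\CeoliauD\Dabkina\client32.exe,C:\ProgramData\CeoliauD\Dabkina\client32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NetSupport Client,C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe,"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe,"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"
"""


if __name__ == "__main__":
    for f in hunt_autoruns(SAMPLE_AUTORUNS):
        flag = "SUSPICIOUS" if f["suspicious"] else "expected"
        print(f"{flag:10} {f['mechanism']:22} {f['entry']:22} {f['image']}")
```

The HKLM entry pointing at the vendor directory is reported but not flagged, so a site that runs NetSupport Manager legitimately still gets a clean baseline; the four user-writable entries are exactly the pattern the reporting above describes.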
The malware provides the remote access capabilities of a weaponized NetSupport Manager deployment: remote desktop control, remote shell access, file transfer, keylogging, screen capture, audio and webcam capture, and process management. In multiple campaigns the signed binaries were unmodified NetSupport Ltd components (client32.exe, PCICL32.DLL, HTCTL32.DLL, remcmdstub.exe, nskbfltr.inf); the malicious behavior came from the accompanying configuration and license files, client32.ini and NSM.LIC, which point the client at attacker-controlled infrastructure. Reported configurations enabled silent or hidden execution, HTTP gateway tunneling, and beaconing over TCP port 443, in some cases with the NetSupport protocol sent in cleartext over port 443 rather than under TLS (SSL=0). Specific network behaviors mentioned include POST requests to /fakeurl.htm, GET requests to /testpage.htm, the User-Agent "NetSupport Manager/1.3", and gateway/C2 infrastructure including 172.94.9.4:443, 193.24.211.242, poronto[.]com:688, giovettiadv[.]com:688, and 5[.]188[.]87[.]49.
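Because the binaries are unmodified vendor components, the triage signal is in client32.ini. The following Python is an added example written for this page, not code from any cited report: it parses a client32.ini and lists the settings that public write-ups associate with weaponized deployments (silent/hidden client, HTTP gateway to an external address, Port=443 with SSL=0, config under a user-writable path) and contrasts it with a LAN-style config. The key names follow those write-ups; the sample values and file paths are constructed, and the gateway address is the 172.94.9.4:443 quoted above.

```python
"""Triage a NetSupport client32.ini for settings reported in weaponized deployments.

Added example for this page, not code from any cited report. The key names
follow public write-ups of abused client32.ini files; the sample values and
file paths are constructed, and the gateway address is one quoted on this page.
"""
import configparser
import ipaddress
import re

USER_WRITABLE = re.compile(r"\\(appdata|programdata)\\", re.I)


def parse_client32_ini(text):
    """Parse client32.ini into {section: {key: value}}; keys are lower-cased."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation, tolerate duplicate keys
    cp.read_string(text)                             # RawConfigParser lower-cases option names
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def _is_external_ip(host):
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a host name, or malformed: cannot say


def triage_client32_ini(text):
    """Return the list of weaponization indicators found in a client32.ini."""
    ini = parse_client32_ini(text)
    client, http, info = ini.get("client", {}), ini.get("http", {}), ini.get("_info", {})
    reasons = []

    # Silent/hidden client: no connection prompt, no tray icon, user cannot close it.
    if client.get("silent") == "1":
        reasons.append("silent=1: connections accepted without prompting the user")
    if client.get("systray") == "0" or client.get("hidewhenidle") == "1":
        reasons.append("tray icon hidden from the logged-on user")
    if client.get("disableclosewindow") == "1":
        reasons.append("DisableCloseWindow=1: user cannot end the session")

    # HTTP gateway: the client dials out instead of waiting for a LAN console.
    gateway = http.get("gatewayaddress")
    if gateway:
        reasons.append(f"HTTP gateway configured: {gateway}")
        if _is_external_ip(gateway.split(":")[0]):
            reasons.append("gateway is a public IP literal, not an internal host")
    if http.get("port") == "443" and http.get("ssl") == "0":
        reasons.append("Port=443 with SSL=0: NetSupport protocol in cleartext on the HTTPS port")

    # Config dropped beside the binary under a user-writable path.
    filename = info.get("filename", "")
    if USER_WRITABLE.search(filename):
        reasons.append(f"config under user-writable path: {filename}")
    return reasons


# Constructed sample shaped like the weaponized configs described on this page.
SAMPLE_CLIENT32_INI = r"""[Client]
_present=1
silent=1
SysTray=0
HideWhenIdle=1
DisableChat=1
DisableCloseWindow=1
Usernames=*
Protocols=3
[HTTP]
CMPI=60
GatewayAddress=172.94.9.4:443
Port=443
SSL=0
[_Info]
Filename=C:\Users\alice\AppData\Roaming\WinSupports\client32.ini
"""

# Constructed contrast: a visible client, no gateway, installed under Program Files.
BENIGN_CLIENT32_INI = r"""[Client]
_present=1
silent=0
SysTray=1
Protocols=3
[_Info]
Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.ini
"""


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CLIENT32_INI), ("benign", BENIGN_CLIENT32_INI)):
        hits = triage_client32_ini(text)
        print(f"{name}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

Any one of these settings has a legitimate use (a help desk may well run a silent client behind a gateway), so treat the count as a triage score to pair with where the file was found, not as a verdict on its own.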
NetSupport RAT appears in a broad range of criminal intrusion ecosystems. It was observed as a payload in Scarlet Goldfinch paste-and-run activity throughout 2025, in ClickFix campaigns documented by Breakglass and Huntress, in phishing campaigns such as Rogue Raticate, in Booking.com-themed fake CAPTCHA activity, and in delivery chains alongside CastleLoader, Matanbuchus, ACR Stealer, Amatera Stealer, Mars Stealer, LummaC2, StealC, RedLine, Rhadamanthys, DeerStealer, SectopRAT (ArechClient2), Cobalt Strike, and Remcos. Historical and contextual reporting also links NetSupport RAT activity to the financially motivated ecosystem around TA569/GOLD PRELUDE and Evil Corp affiliates, though the reporting does not establish a single exclusive operator for the malware.
Reported targeting spans enterprise users broadly, with specific references to finance-sector victims, Italian users targeted via spam, Ukrainian-speaking organizations, recipients of freight/logistics and government-themed lures, and credential-harvesting campaigns at scale. Several reports note abuse of bulletproof or abuse-tolerant hosting and rapidly rotated infrastructure. Additional indicators and artifacts directly mentioned include the computer name WIN-J9D866ESIJ2 on hosts involved in NetSupport RAT attacks; installation paths such as C:\Users\*\AppData\Roaming\WinSupports\client32.exe, %ProgramData%\CeoliauD\Dabkina, and %APPDATA%\<GUID_DIR>; the Startup LNK path c:\users\*\appdata\roaming\microsoft\windows\start menu\programs\startup\autorunings.ini.lnk; SHA-256 hashes 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 for a NetSupport Manager v14.10 client32.exe sample, 36ad12ff7efbf323f58d7efd5977880419fc0452061f3ef2ca61cf73bb4bb5c1 for a ZIP payload, and 78a511e1da802149564639d4c3b66f67faee4bb6d762ffae4325075709217275 for an MSI dropper. Versions explicitly referenced include weaponized NetSupport Manager v14.10 and v14.12.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
A legitimately signed NetSupport Manager v14.12 binary -- bearing a valid GlobalSign EV code-signing certificate issued to NETSUPPORT LTD -- is being weaponized as a Remote Access Trojan across two active delivery chains.
Groups observed using it
16 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
This BAT script then leveraged PowerShell to: download a ZIP file containing NetSupport Manager, extract the contents, establish run key persistence, and execute the NetSupport Manager client32.exe binary.
Such findings follow a report by Symantec detailing a Rogue Raticate phishing campaign involving the utilization of malicious PDFs for NetSupport RAT delivery...
In 2024-2025, that meant Evil Corp affiliates deploying WastedLocker, Cobalt Strike operators establishing persistence, and NetSupport RAT campaigns harvesting credentials at scale.
While NetSupport is less commonly observed in Proofpoint campaign data at this time, there are still a handful of threat actors that distribute it as a first-stage payload via email.
NetSupport Manager is a commercial remote administration product developed by NetSupport Ltd. It is widely deployed in enterprise environments for legitimate IT management. However, it has also been repeatedly leveraged by threat actors as a post-compromise persistence mechanism.
The campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.
TA571 regularly uses 404 TDS in campaigns to deliver malware, including AsyncRAT, NetSupport, and DarkGate.
...UNC4108 hacking groups, with the latter spreading the NetSupport RAT and VOLTMARKER payloads.
Since 2023, TA547 typically delivers NetSupport RAT but has occasionally delivered other payloads...
The malware then checks if the machine is part of a domain, or in a workgroup... extracts two encrypted 7-Zip archives... and runs an executable... Type: Remote Access Trojan; Name: NetSupport RAT; C2 infrastructure: 166.88.159[.]37
Last year, however, they switched strategies, opting to misuse legitimate software, NetSupport, to maintain control over infected machines.
NetSupport Manager is another client-server remote desktop management application... ra.exe... Our sample is the NetSupportManager RAT
"...including the publicly available NetSupport RAT..."
GrayCharlie ... redirect victims to NetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately resulting in Stealc and SectopRAT infections.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Such findings follow a report by Symantec detailing a Rogue Raticate phishing campaign involving the utilization of malicious PDFs for NetSupport RAT delivery...
Execution
7 techniques
established persistence using schtasks and the UserInitMprLogonScript
The second epoch saw Scarlet Goldfinch shift its technique away from curl. It began utilizing a PowerShell download cradle to retrieve and execute a PS1 file, which then installed and ran NetSupport Manager
File location: C:\ProgramData\token.bat. File description: Batch script that extracts, runs, and makes persistent NetSupport RAT from setup.cab
File location: C:\ProgramData\processor.vbs. File description: Initial script that runs token.bat
in epoch four Scarlet Goldfinch dropped a file named run.js and used wscript to execute it
From there, it's pretty self-explanatory, a malicious command gets copied to your clipboard, along with helpful instructions on how to run it.
MITRE ATT&CK TTPs: T1204.002 User Execution: Malicious File; detail: user executes MSI or pastes PowerShell
Persistence
3 techniques
established persistence using schtasks and the UserInitMprLogonScript
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ProgCs1" /t REG_SZ /d "C:\Users\[REDACTED]\AppData\Roaming\APPDirectory\client32.exe" /f
Privilege Escalation
3 techniques
established persistence using schtasks and the UserInitMprLogonScript
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ProgCs1" /t REG_SZ /d "C:\Users\[REDACTED]\AppData\Roaming\APPDirectory\client32.exe" /f
Stealth
8 techniques
the initial paste command involving curl underwent some changes, as the adversaries experimented with character obfuscation to the command-line execution
Threat actors are using the tools’ legitimately signed certificates to help bypass security mechanisms... Host security bypass: Security tools, such as antivirus or endpoint detection and response tools, often fail to detect remote-access software because it uses legitimate certificates and exclusion paths.
Cleans the Run MRU registry key to remove evidence of the Win+R execution
the files processor.vbs , token.bat , and setup.cab are all deleted by the token.bat script after it installs the malicious NetSupport RAT package and makes it persistent on the infected Windows host.
MITRE ATT&CK Mapping: T1140 Deobfuscate/Decode Files or Information; campaign usage: char-array URL obfuscation, ZIP/7z extraction
The new LOLBAS du jour involved the ancient and little used finger command.
They returned in mid-October, abandoning Msiexec and continuing their LOLBAS tour by pivoting to Mshta
activity returned late in the month using a new paste approach altogether—System Binary Proxy Execution: Msiexec
Lateral Movement
1 technique
According to the Shodan search engine, the two hostnames were associated with thousands of internet-facing devices exposing RDP services (TCP port 3389) in December 2025.
Collection
3 techniques
Operator gains full control: - Screen viewing and capture
When the user checks the “I'm not a robot” box, two things happen. First, a payload gets copied to the clipboard via the classic document.execCommand(“copy”).
The ZIP contains the full NetSupport Manager runtime -- 14 files including the signed Service.exe, the core engine DLL (PCICL32.DLL), audio capture capabilities (AudioCapture.dll)
Command and Control
7 techniques
it has consistently been generating encoded (not HTTPS/SSL/TLS) traffic to a command and control (C2) server at 89.110.110[.]119 over TCP port 443 since I first noticed it sometime in April 2026.
Step 5 - C2 Registration + EDR Enumeration (T1071.001, T1518.001): main module registers with C2 via Protobuf-over-HTTPS (ChaCha20 encrypted, 32-byte key + 12-byte nonce prepended). C2 traffic masquerades as Skype Desktop application.
Many RMM tools provide end-to-end encryption and are accessed through vendor-operated relay servers, obviating the need for traditional command-and-control (C2) infrastructure that can be tracked by researchers and blocked by network security devices.
MITRE ATT&CK TTPs: T1095 Non-Application Layer Protocol; detail: NetSupport binary protocol over TCP 443
Shown above: Follow-up files for NetSupport RAT sent through the initial RAT C2 traffic.
Malware Remcos RAT Remote access trojan used for persistent access ... Malware NetSupport RAT Legitimate RMM tool abused as malware
Uses port 443 WITHOUT TLS (SSL=0) -- cleartext on HTTPS port
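Taken together, the excerpts above describe a network signature: NetSupport's own protocol or gateway HTTP on TCP 443 without TLS, POST /fakeurl.htm and GET /testpage.htm beacons, and the "NetSupport Manager/1.3" User-Agent. The following Python is an added example written for this page, not code from any cited report: it scores proxy log lines against those indicators and grades each hit by how many of them coincide. The log format (timestamp, client IP, method, URL, status, quoted User-Agent) and the log lines are constructed; the beacon paths, User-Agent and the 172.94.9.4:443 gateway are the values quoted on this page.

```python
"""Flag NetSupport gateway beacons in HTTP proxy logs.

Added example for this page, not code from any cited report. The log format
and the sample lines are constructed; the beacon paths, User-Agent and gateway
address are the ones quoted on this page.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

GATEWAY_UA_PREFIX = "NetSupport Manager/"          # observed: "NetSupport Manager/1.3"
BEACON_PATHS = {"/fakeurl.htm", "/testpage.htm"}   # POST and GET beacons respectively

# Constructed log layout: <ts> <src-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify_request(line):
    """Parse one log line; return a record with the indicators it matches, or None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    url = urlsplit(m["url"])
    reasons = []
    if m["ua"].startswith(GATEWAY_UA_PREFIX):
        reasons.append("NetSupport gateway User-Agent")
    if url.path in BEACON_PATHS:
        reasons.append(f"{m['method']} to gateway beacon path {url.path}")
    if url.scheme == "http" and url.port == 443:
        reasons.append("plain HTTP on port 443 (NetSupport SSL=0 pattern)")
    return {"ts": m["ts"], "src": m["src"], "dst": url.netloc, "reasons": reasons}


def match_beacons(log_text):
    """Return every request matching at least one indicator, graded by coincidence."""
    hits = []
    for line in log_text.splitlines():
        rec = classify_request(line)
        if rec and rec["reasons"]:
            rec["confidence"] = "high" if len(rec["reasons"]) >= 2 else "low"
            hits.append(rec)
    return hits


def beacon_counts(hits):
    """Count hits per (source, destination) pair to surface repeated beaconing."""
    return Counter((h["src"], h["dst"]) for h in hits)


# Constructed proxy log: one host beaconing to the gateway quoted on this page,
# one ordinary browsing request, and one internal request that only shares a path.
SAMPLE_LOG = """\
2026-03-24T10:00:01Z 10.1.2.3 POST http://172.94.9.4:443/fakeurl.htm 200 "NetSupport Manager/1.3"
2026-03-24T10:00:02Z 10.1.2.3 GET http://172.94.9.4:443/testpage.htm 200 "NetSupport Manager/1.3"
2026-03-24T10:00:05Z 10.1.2.9 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-03-24T10:01:01Z 10.1.2.3 POST http://172.94.9.4:443/fakeurl.htm 200 "NetSupport Manager/1.3"
2026-03-24T10:02:00Z 10.1.2.7 GET https://intranet.example.com/testpage.htm 200 "Mozilla/5.0"
"""


if __name__ == "__main__":
    hits = match_beacons(SAMPLE_LOG)
    for h in hits:
        print(f"{h['confidence']:4} {h['ts']} {h['src']} -> {h['dst']}: {'; '.join(h['reasons'])}")
    for (src, dst), n in beacon_counts(hits).items():
        print(f"{src} -> {dst}: {n} beacon(s)")
```

The last sample line shows why grading matters: a bare /testpage.htm on an internal HTTPS host with a browser User-Agent is a low-confidence hit worth a glance, while the 10.1.2.3 requests stack all three indicators and repeat, which is the beaconing pattern the quotes above describe.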
Exfiltration
1 technique
RMM tools often enable file sharing between compromised machines and those of attackers, as well as the execution of arbitrary commands. These features empower attackers to easily drop and execute additional tools or malware, or exfiltrate data.
IOCs tracked for this family
382 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
140 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Legitimate remote management tool abused as malware.
Remote access trojan identified as the final payload in the described infection chain.
Remote access trojan mentioned as having been deployed in attacks involving infrastructure later discussed in relation to WantToCry activity.
Remote access trojan observed in attacks involving the same computer name seen in WantToCry-related activity.