NetSupport Manager RAT

Victims are typically lured through malicious advertising or SEO poisoning campaigns, believing they are downloading legitimate software such as Grammarly, Microsoft Teams, Notion, or Zoom.

MITRE ATT&CK Mapping Technique ID Context Obtain Capabilities: Tool T1588.002 Legitimate NetSupport Manager repurposed as RAT

MITRE ATT&CK Mapping Technique ID Context Obtain Capabilities: Digital Certificates T1588.004 Stolen/cracked NSM license (2015 vintage)

Victims are typically lured through malicious advertising or SEO poisoning campaigns, believing they are downloading legitimate software such as Grammarly, Microsoft Teams, Notion, or Zoom.

MITRE ATT&CK Mapping Technique ID Context Phishing: Spearphishing Attachment T1566.001 Freight rate confirmation and government lure filenames

A batch script called token.bat handles the extraction and installation, while a VBScript file called processor.vbs triggers the batch script.

Defenders are advised to monitor for unusual PowerShell execution tied to browser events, as this is a clear sign of the ClickFix technique being abused.

A batch script called token.bat handles the extraction and installation... Together, these components install the NetSupport RAT and configure it to run automatically whenever the system restarts.

A VBScript file called processor.vbs triggers the batch script.

The page copies a PowerShell command to the victim's clipboard and instructs them to press Win+R, Ctrl+V, Enter. Standard ClickFix technique -- the victim executes the malware themselves, bypassing email attachment scanning, download warnings, and Mark-of-the-Web protections.

Since mid-2023, multiple threat actors have been observed abusing MSIX files to deliver various malware payloads... When victims open these MSIX packages...

Endpoint : alert on %LOCALAPPDATA%\NetService\ directory creation, on Service.exe running from non-standard paths, and on PCICL32.DLL sideloading events.

Creates a Startup folder LNK for persistence

Creates Client.lnk in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ via WScript.Shell COM object — T1547.001

fal.php drops NetSupport Manager 12.01 with a v10.60 loader stub, installs into %LOCALAPPDATA%\NetService\ , launches Service.exe through explorer.exe for PPID spoofing, and drops service.lnk into the Startup folder for persistence.

launches Service.exe via explorer.exe (PPID spoof)

launches Service.exe via explorer.exe (PPID spoof)

Creates a Startup folder LNK for persistence

Creates Client.lnk in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ via WScript.Shell COM object — T1547.001

fal.php drops NetSupport Manager 12.01 with a v10.60 loader stub, installs into %LOCALAPPDATA%\NetService\ , launches Service.exe through explorer.exe for PPID spoofing, and drops service.lnk into the Startup folder for persistence.

That loader uses variable indirection to construct the string iex : sv o ie # $o = 'ie' .((gv o).Value + 'X') # invoke ('ie' + 'X') = iex

MITRE ATT&CK Mapping Technique ID Context Obfuscated Files: Software Packing T1027.002 PyInstaller packing; XOR encryption with StagerKey16Bytes

a dual-lure NetSupport Manager RAT operation... A CS2 "Iridia Cheats" lure at iridiacheats.dev ... A "Polymarket Smart Money Scanner" whale-tracker lure at polymarketscanner.dev

Registers as "Windows Update Assistant" (v10.0.19045.3448, "Microsoft Corporation") — T1036.005

After the NetSupport RAT is installed and made persistent on the host, the scripts used to set it up are deleted automatically, removing traces of the initial compromise.

launches Service.exe via explorer.exe (PPID spoof)

launches Service.exe via explorer.exe (PPID spoof)

fal.php drops NetSupport Manager 12.01 with a v10.60 loader stub, installs into %LOCALAPPDATA%\NetService\, launches Service.exe through explorer.exe for PPID spoofing

Endpoint : alert on %LOCALAPPDATA%\NetService\ directory creation, on Service.exe running from non-standard paths, and on PCICL32.DLL sideloading events.

downloads gggs.7z (pw: falos), lin.7z (pw: ilil), 7z.exe, 7z.dll

The first stage drops an unidentified RAT that sends encoded traffic to its C2 server over TCP port 443, making it blend in with regular web traffic.

MITRE ATT&CK Mapping Technique ID Context Application Layer Protocol: Web T1071.001 HTTP gateway ( /fakeurl.htm , /testpage.htm )

Once the script runs, it silently reaches out to attacker-controlled servers and pulls down the first stage of the infection... The script then contacts attacker infrastructure to fetch a ZIP archive containing the initial RAT package from a remote server.

Once the initial RAT is in place, it pulls in a second payload: a malicious package of NetSupport Manager RAT, a legitimate remote access tool that attackers have repurposed to take unauthorized control of infected machines.

MITRE ATT&CK Mapping Technique ID Context Encrypted Channel: Asymmetric Crypto T1573.002 HTTPS C2 on port 443 (custom NSM protocol)