
NetSupport RAT Exploited to Give Attackers Full Control Over Victim Systems


Cybersecurity researchers have reported a significant increase in the use of the NetSupport Remote Access Trojan (RAT) since early January 2025.

Originally developed as a legitimate remote IT support tool under the name NetSupport Manager, this software has been weaponized by threat actors to infiltrate systems, enabling full remote control over compromised devices.

The ongoing campaign, which employs sophisticated social engineering techniques such as “ClickFix,” poses severe threats to organizations across various sectors.

Exploitation Tactics: ClickFix and Beyond

The current wave of attacks leverages the “ClickFix” Initial Access Vector (IAV), a method that tricks users into executing malicious PowerShell commands embedded within fake CAPTCHA pages.

[Figure: Content of the PowerShell script that downloads the NetSupport RAT components]

Once executed, these commands download and install the NetSupport RAT client on the victim’s system.

The RAT grants attackers extensive capabilities, including real-time screen monitoring, keyboard and mouse control, file transfers, and the execution of malicious commands.

These functionalities allow for data exfiltration, deployment of additional malware payloads, and even ransomware attacks.

In many cases, the malicious payloads are hosted on URLs disguised with “.png” file extensions to evade detection.

Upon installation, the RAT establishes a Command-and-Control (C2) connection using predefined gateway URLs, often containing strings like “fakeurl.htm.”

This infrastructure enables attackers to maintain persistent access to victim systems.

Threat Actor Involvement

According to the eSentire report, threat actors such as TA569 and SmartApe SG have been linked to these campaigns.

Their tactics include distributing the RAT through phishing emails, fake browser updates, and compromised websites.

Notably, NetSupport RAT has been used in conjunction with other malware families like ransomware and information stealers, amplifying its impact.

The abuse of legitimate tools like NetSupport Manager highlights a growing trend among cybercriminals to exploit trusted software for malicious purposes.

This approach complicates detection because the tool's activity blends in with legitimate network traffic.

Organizations are urged to adopt robust security measures to counter the ongoing threat posed by NetSupport RAT.

Key recommendations include:

  • Deploying Endpoint Detection and Response (EDR) solutions across all corporate assets.
  • Educating employees about social engineering tactics such as ClickFix.
  • Restricting user permissions to prevent unauthorized software installations.
  • Disabling risky features like the Windows Run prompt and scripting tools (e.g., WScript.exe) via Group Policy or application control mechanisms.

Additionally, security teams should actively monitor for Indicators of Compromise (IoCs) associated with NetSupport RAT campaigns, such as specific domain names and file hashes linked to malicious activity.
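
As a starting point for that monitoring, the following added example (not taken from the eSentire report or from this article's source) scans web-proxy records for the two network traits described above: gateway URLs containing "fakeurl.htm" and ".png" URLs whose response body is not a PNG image. The log layout, the host names and every sample line are constructed, and it assumes your proxy or sensor records the first bytes of each response.

```python
"""Added example: hunt for two traits described above in web-proxy logs.
Log layout and all sample lines are constructed; adapt to your proxy schema."""
from urllib.parse import urlsplit

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # fixed 8-byte PNG file signature
GATEWAY_MARKER = "fakeurl.htm"      # string the article reports in C2 gateway URLs

# Constructed sample: timestamp, host, method, URL, first response bytes (hex)
SAMPLE_LOG = """\
2025-01-14T09:02:11Z WS-0141 GET http://cdn.example.test/img/logo.png 89504e470d0a1a0a0000000d
2025-01-14T09:02:40Z WS-0141 GET http://files.example.test/a/1.png?v=2 504b030414000000
2025-01-14T09:03:05Z WS-0141 POST http://gw.example.test/fakeurl.htm 3c68746d6c3e
2025-01-14T09:04:17Z WS-0202 GET http://intranet.example.test/help.htm 3c21444f43545950
"""

def classify(url, body_prefix):
    """Return the list of rule names that fire for one request."""
    path = urlsplit(url).path.lower()   # ignore query string and letter case
    hits = []
    if GATEWAY_MARKER in path:
        hits.append("gateway-marker")
    # A URL that claims to be a PNG must start with the PNG signature.
    if path.endswith(".png") and not body_prefix.startswith(PNG_MAGIC):
        hits.append("png-extension-mismatch")
    return hits

def scan(log_text):
    """Return (timestamp, host, url, rules) for every line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                    # skip lines that do not match the layout
        ts, host, _method, url, hex_prefix = parts
        try:
            prefix = bytes.fromhex(hex_prefix)
        except ValueError:
            prefix = b""                # unreadable body: treated as "not a PNG"
        rules = classify(url, prefix)
        if rules:
            findings.append((ts, host, url, rules))
    return findings

if __name__ == "__main__":
    for ts, host, url, rules in scan(SAMPLE_LOG):
        print(ts, host, url, ",".join(rules))
```

Both rules are hunting leads rather than verdicts: a hit on either should be correlated with process telemetry from the same host, such as a PowerShell launch shortly before the request.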

The resurgence of NetSupport RAT underscores the evolving tactics employed by cybercriminals to exploit legitimate tools for nefarious purposes.

As these campaigns grow in sophistication, proactive defense strategies and user awareness remain critical in mitigating their impact.

Cybersecurity teams must remain vigilant in detecting and neutralizing such threats before they escalate into more severe breaches.
