Last seven days
- First activity
- Jul 14, 2026
- Last activity
- Jul 19, 2026
- Feed role
- C2
- Host form
- 2 IP / 0 hostnames
NetSupport RAT is a malicious remote-access trojan derived from abuse of the legitimate NetSupport Manager remote administration product.
Profile source: Mallory opens in a new tabNetSupport RAT
NetSupport RAT is a malicious remote-access trojan derived from abuse of the legitimate NetSupport Manager remote administration product. It is used to provide operators with interactive access to compromised Windows systems and has been observed as a second-stage payload in multiple criminal intrusion chains. Reported capabilities include remote control of infected hosts, file exfiltration, loading of additional payloads, and enabling sustained hands-on-keyboard activity associated with persistence and follow-on compromise.
The malware is frequently delivered through social-engineering-driven initial access chains rather than direct exploitation. It has been repeatedly observed in ClickFix campaigns that trick users into executing attacker-supplied commands through trusted Windows interfaces and utilities. It has also been delivered through phishing email chains using redirect-heavy links and JavaScript downloaders, through DLL sideloading in multi-stage infections, and as a follow-on payload from other malware delivery ecosystems including SocGholish/FakeUpdates and Hancitor. Broader reporting also associates NetSupport RAT use with abuse of remote monitoring and management tooling by financially motivated threat actors, including campaigns linked to FIN7.
Operationally, NetSupport RAT is used to establish covert remote access on victim endpoints, often as part of intrusion sequences that also involve loaders, stealers, or ransomware. In observed campaigns it has targeted enterprise users and organizations in sectors including technology, and it has appeared in wider opportunistic web-based malware distribution affecting schools, healthcare, legal, media, retail, nonprofits, and real estate. Its recurring role as a post-compromise access mechanism makes it a common bridge between initial social engineering and later-stage credential theft, data theft, additional malware deployment, or ransomware activity.
C2 tracking
Derp observations, rolling seven-day window
Samples
Reported operators
На компьютерах под управлением Windows атакующие пытались установить NetSupport RAT. Этот троян злоупотребляет легитимным инструментом удаленного администрирования NetSupport Manager и предоставляет своим операторам доступ к зараженной системе.
Similar to other RMM tools, NetSupport manager has been exploited to be used maliciously, to a point of a malicious by-product of the platform being created - aptly named NetSupport RAT.
Similar to other RMM tools, NetSupport manager has been exploited to be used maliciously, to a point of a malicious by-product of the platform being created - aptly named NetSupport RAT.
The group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.
The TA571 campaign contained at least two different command lines running different PowerShell scripts, one leading to DarkGate via a downloaded HTA-file that ran another PowerShell script and one leading to NetSupport RAT via a downloaded ZIP file.
Scarlet Goldfinch is a cluster of activity that Red Canary first observed in June 2023. This threat deceives users into downloading a file masquerading as a browser update, which starts a chain of activity eventually leading to the installation of NetSupport Manager. NetSupport Manager is an RMM tool that provides the adversary remote control over a system.
Scarlet Goldfinch is a cluster of activity that Red Canary first observed in June 2023. This threat deceives users into downloading a file masquerading as a browser update, which starts a chain of activity eventually leading to the installation of NetSupport Manager. NetSupport Manager is an RMM tool that provides the adversary remote control over a system.
Insikt Group discovered a custom PowerShell loader named PowerNet, which decompresses and executes NetSupport RAT.
Such findings follow a report by Symantec detailing a Rogue Raticate phishing campaign involving the utilization of malicious PDFs for NetSupport RAT delivery...
In 2024-2025, that meant Evil Corp affiliates deploying WastedLocker, Cobalt Strike operators establishing persistence, and NetSupport RAT campaigns harvesting credentials at scale.
While NetSupport is less commonly observed in Proofpoint campaign data at this time, there are still a handful of threat actors that distribute it as a first-stage payload via email.
While NetSupport is less commonly observed in Proofpoint campaign data at this time, there are still a handful of threat actors that distribute it as a first-stage payload via email.
NetSupport Manager is a commercial remote administration product developed by NetSupport Ltd. It is widely deployed in enterprise environments for legitimate IT management. However, it has also been repeatedly leveraged by threat actors as a post-compromise persistence mechanism.
The campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.
...UNC4108 hacking groups, with the latter spreading the NetSupport RAT and VOLTMARKER payloads.
Since 2023, TA547 typically delivers NetSupport RAT but has occasionally delivered other payloads...
Last year, however, they switched strategies, opting to misuse legitimate software, NetSupport, to maintain control over infected machines.
NetSupport Manager is another client-server remote desktop management application... ra.exe... Our sample is the NetSupportManager RAT
"...including the publicly available NetSupport RAT..."
GrayCharlie ... redirect victims to NetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately resulting in Stealc and SectopRAT infections.
Exploited software
MITRE ATT&CK
Reporting
Payloads observés # Lumma Stealer (payload le plus fréquent) XWorm, AsyncRAT, NetSupport, SectopRAT, DarkGate (RATs)
Remote access trojans including DarkGate, XWorm, AsyncRAT, NetSupport, and SectopRAT are also in the ClickFix rotation, enabling hands-on-keyboard activity such as lateral movement, persistence, and data exfiltration.
NetSupport RAT3
Remote access Trojans (RATs) including DarkGate, XWorm, AsyncRAT, NetSupport, and SectopRAT are also now in ClickFix rotation.
These campaigns distribute multiple malware families, including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.
The most common malware variants observed so far in 2026 include CastleLoader (14.3%), NetSupport RAT (6.1%), and Vidar Stealer (3.2%).
NetSupport RAT3
We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.