Skip to content
Malware family Windows

NetSupport RAT

NetSupport RAT is a malicious remote-access trojan derived from abuse of the legitimate NetSupport Manager remote administration product.

Profile source: Mallory opens in a new tab

NetSupport RAT

Family profile

NetSupport RAT is a malicious remote-access trojan derived from abuse of the legitimate NetSupport Manager remote administration product. It is used to provide operators with interactive access to compromised Windows systems and has been observed as a second-stage payload in multiple criminal intrusion chains. Reported capabilities include remote control of infected hosts, file exfiltration, loading of additional payloads, and enabling sustained hands-on-keyboard activity associated with persistence and follow-on compromise.

The malware is frequently delivered through social-engineering-driven initial access chains rather than direct exploitation. It has been repeatedly observed in ClickFix campaigns that trick users into executing attacker-supplied commands through trusted Windows interfaces and utilities. It has also been delivered through phishing email chains using redirect-heavy links and JavaScript downloaders, through DLL sideloading in multi-stage infections, and as a follow-on payload from other malware delivery ecosystems including SocGholish/FakeUpdates and Hancitor. Broader reporting also associates NetSupport RAT use with abuse of remote monitoring and management tooling by financially motivated threat actors, including campaigns linked to FIN7.

Operationally, NetSupport RAT is used to establish covert remote access on victim endpoints, often as part of intrusion sequences that also involve loaders, stealers, or ransomware. In observed campaigns it has targeted enterprise users and organizations in sectors including technology, and it has appeared in wider opportunistic web-based malware distribution affecting schools, healthcare, legal, media, retail, nonprofits, and real estate. Its recurring role as a post-compromise access mechanism makes it a common bridge between initial social engineering and later-stage credential theft, data theft, additional malware deployment, or ransomware activity.

Capabilities

  • Defense Evasion
  • Dll Sideloading
  • Exfiltration
  • Persistence
  • Post Exploitation

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 14, 2026
Last activity
Jul 19, 2026
Feed role
C2
Host form
2 IP / 0 hostnames

Leading locations

  • LU1
  • US1

Leading providers

  • DEDIK SERVICES LIMITED1
  • Ghosty Networks LLC1

Infrastructure traits

  • Hosting 2

Samples

Recent associated samples

Reported operators

Threat actors

20 named in public reporting
ErrTraffic

На компьютерах под управлением Windows атакующие пытались установить NetSupport RAT. Этот троян злоупотребляет легитимным инструментом удаленного администрирования NetSupport Manager и предоставляет своим операторам доступ к зараженной системе.

FIN7

Similar to other RMM tools, NetSupport manager has been exploited to be used maliciously, to a point of a malicious by-product of the platform being created - aptly named NetSupport RAT.

Carbanak

Similar to other RMM tools, NetSupport manager has been exploited to be used maliciously, to a point of a malicious by-product of the platform being created - aptly named NetSupport RAT.

SmartApeSG

The group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.

TA571

The TA571 campaign contained at least two different command lines running different PowerShell scripts, one leading to DarkGate via a downloaded HTA-file that ran another PowerShell script and one leading to NetSupport RAT via a downloaded ZIP file.

Scarlet Goldfinch

Scarlet Goldfinch is a cluster of activity that Red Canary first observed in June 2023. This threat deceives users into downloading a file masquerading as a browser update, which starts a chain of activity eventually leading to the installation of NetSupport Manager. NetSupport Manager is an RMM tool that provides the adversary remote control over a system.

SocGholish

Scarlet Goldfinch is a cluster of activity that Red Canary first observed in June 2023. This threat deceives users into downloading a file masquerading as a browser update, which starts a chain of activity eventually leading to the installation of NetSupport Manager. NetSupport Manager is an RMM tool that provides the adversary remote control over a system.

GrayAlpha

Insikt Group discovered a custom PowerShell loader named PowerNet, which decompresses and executes NetSupport RAT.

Rogue Raticate

Such findings follow a report by Symantec detailing a Rogue Raticate phishing campaign involving the utilization of malicious PDFs for NetSupport RAT delivery...

Indrik Spider

In 2024-2025, that meant Evil Corp affiliates deploying WastedLocker, Cobalt Strike operators establishing persistence, and NetSupport RAT campaigns harvesting credentials at scale.

UAC-0050

While NetSupport is less commonly observed in Proofpoint campaign data at this time, there are still a handful of threat actors that distribute it as a first-stage payload via email.

ZPHP

While NetSupport is less commonly observed in Proofpoint campaign data at this time, there are still a handful of threat actors that distribute it as a first-stage payload via email.

TA505

NetSupport Manager is a commercial remote administration product developed by NetSupport Ltd. It is widely deployed in enterprise environments for legitimate IT management. However, it has also been repeatedly leveraged by threat actors as a post-compromise persistence mechanism.

HANEYMANEY

The campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.

UNC4108

...UNC4108 hacking groups, with the latter spreading the NetSupport RAT and VOLTMARKER payloads.

TA547

Since 2023, TA547 typically delivers NetSupport RAT but has occasionally delivered other payloads...

Bloody Wolf

Last year, however, they switched strategies, opting to misuse legitimate software, NetSupport, to maintain control over infected machines.

REF9019

NetSupport Manager is another client-server remote desktop management application... ra.exe... Our sample is the NetSupportManager RAT

RomCom

"...including the publicly available NetSupport RAT..."

GrayCharlie

GrayCharlie ... redirect victims to NetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately resulting in Stealc and SectopRAT infections.

Exploited software

Vulnerabilities linked to NetSupport RAT

1 CVEs

MITRE ATT&CK

NetSupport RAT in ATT&CK

84 distinct techniques

Techniques

84 techniques
T1566 Phishing T1027.011 Fileless Storage T1547.001 Registry Run Keys / Startup Folder T1566.001 Spearphishing Attachment T1059.001 PowerShell T1059 Command and Scripting Interpreter T1219 Remote Access Tools T1036 Masquerading T1105 Ingress Tool Transfer T1583 Acquire Infrastructure T1204 User Execution T1656 Impersonation T1560 Archive Collected Data T1041 Exfiltration Over C2 Channel T1071 Application Layer Protocol T1555.003 Credentials from Web Browsers T1012 Query Registry T1027 Obfuscated Files or Information T1571 Non-Standard Port T1564.001 Hidden Files and Directories T1049 System Network Connections Discovery T1197 BITS Jobs T1564.003 Hidden Window T1112 Modify Registry T1047 Windows Management Instrumentation T1057 Process Discovery T1053.005 Scheduled Task T1083 File and Directory Discovery T1133 External Remote Services T1608.006 SEO Poisoning T1566.003 Spearphishing via Service T1189 Drive-by Compromise T1195 Supply Chain Compromise T1218.005 Mshta T1059.007 JavaScript T1059.003 Windows Command Shell T1021 Remote Services T1204.002 Malicious File T1115 Clipboard Data T1566.002 Spearphishing Link T1205 Traffic Signaling T1586 Compromise Accounts T1059.005 Visual Basic T1021.002 SMB/Windows Admin Shares T1560.001 Archive via Utility T1070.004 File Deletion T1547.009 Shortcut Modification T1218.007 Msiexec T1218 System Binary Proxy Execution T1021.001 Remote Desktop Protocol T1071.001 Web Protocols T1090.002 External Proxy T1123 Audio Capture T1113 Screen Capture T1140 Deobfuscate/Decode Files or Information T1070 Indicator Removal T1095 Non-Application Layer Protocol T1082 System Information Discovery T1056 Input Capture T1547 Boot or Logon Autostart Execution T1036.005 Match Legitimate Resource Name or Location T1008 Fallback Channels T1056.001 Keylogging T1005 Data from Local System T1584.004 Server T1090.004 Domain Fronting T1125 Video Capture T1204.001 Malicious Link T1078 Valid Accounts T1134.004 Parent PID Spoofing T1055 Process Injection T1007 System Service Discovery T1543 Create or Modify System Process T1204.004 Malicious Copy and Paste T1620 Reflective Code Loading T1570 Lateral Tool Transfer T1036.004 Masquerade Task or Service T1003.003 NTDS T1583.008 Malvertising T1021.005 VNC T1053 Scheduled Task/Job T1505.003 Web Shell T1069.002 Domain Groups T1568.002 Domain Generation Algorithms

Reporting

Research mentioning NetSupport RAT

Jul 18
Cyberveille

ClickFix : une méthodologie d'attaque industrialisée invisible aux EDR et antivirus | CyberVeille

Payloads observés # Lumma Stealer (payload le plus fréquent) XWorm, AsyncRAT, NetSupport, SectopRAT, DarkGate (RATs)

Jul 15
Help Net Security

ClickFix is changing the economics of social engineering - Help Net Security

Remote access trojans including DarkGate, XWorm, AsyncRAT, NetSupport, and SectopRAT are also in the ClickFix rotation, enabling hands-on-keyboard activity such as lateral movement, persistence, and data exfiltration.

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

NetSupport RAT3

Jul 14
Dark Reading

ClickFix's Mushrooming Ecosystem Demands New Defense Tactics

Remote access Trojans (RATs) including DarkGate, XWorm, AsyncRAT, NetSupport, and SectopRAT are also now in ClickFix rotation.

Jul 9
Gurucul Threat Research

Fake Google and Cloudflare Verification Pages Spread Multiple Malware Families | Community Portal | Gurucul

These campaigns distribute multiple malware families, including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.

Jul 7
Blackpoint Cyber

Blackpoint SOC Threat Pulse: Week of July 6, 2026 - Blackpoint Cyber

The most common malware variants observed so far in 2026 include CastleLoader (14.3%), NetSupport RAT (6.1%), and Vidar Stealer (3.2%).

Jul 7
Gurucul Threat Research

Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul

NetSupport RAT3

Jul 2
Malwarebytes Labs

Fake Google and Cloudflare verification pages spread multiple malware families | Malwarebytes

We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.