NetSupport RAT Infections on the Rise

Nov 20, 2023NewsroomMalware/Network Security

NetSupport RAT

Threat actors are targeting the education, government and business sectors with a remote access trojan called NetSupport RAT.

“Delivery mechanisms for the NetSupport RAT include fraudulent updates, drive downloads, use of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns,” said the researchers at VMware Carbon Black in a report shared with The Hacker News.

The cybersecurity firm says it has detected no less than 15 new infections related to the NetSupport RAT in the past few weeks.

While NetSupport Manager started out as a legitimate remote administration tool for technical assistance and support, malicious actors used the tool for their own benefit, using it as a beachhead for subsequent attacks.


The NetSupport RAT is usually downloaded onto the victim’s computer via fraudulent websites and fake browser updates.

In August 2022, Sucuri detailed a campaign where compromised WordPress sites were used to display fraudulent Cloudflare DDoS protection pages that led to the distribution of the NetSupport RAT.

NetSupport RAT

The use of fake web browser updates is a tactic often associated with the deployment of JavaScript-based downloader malware known as SocGholish (aka FakeUpdates), which has also been observed to spread loader malware codenamed. BLISTER.

The Javascript payload then makes a PowerShell request to connect to a remote server and retrieve a ZIP archive file containing the NetSupport RAT which, upon installation, beacons to a command-and-control (C2) server .

“Once installed on a victim’s device, NetSupport can monitor behavior, transfer files, manipulate computer settings, and transfer to other devices within the network,” the researcher said.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment