NetSupport RAT: Why Legitimate Tools Are as Damaging as Malware

NetSupport Manager is a legitimate remote-support tool that threat actors increasingly abuse, in which role it is tracked as NetSupport RAT, to gain unauthorized access. It is typically delivered through social engineering (ClickFix), phishing, fake browser updates, SEO poisoning, malvertising, and drive-by downloads. Darktrace observed anomalous HTTP POSTs, rare external connections, and a distinctive user agent (‘NetSupport Manager/1.3’) contacting C2 domains and IPs, which shows how anomaly-based detection can reveal malicious use of a legitimate tool.

Key points

  • NetSupport Manager is a legitimate remote administration tool that has been repurposed and widely abused as NetSupport RAT by threat actors to achieve remote access and control.
  • Initial access commonly involves social engineering (notably the ClickFix tactic), phishing emails, fake browser updates, SEO poisoning, malvertising, and drive-by downloads that trick users into executing malicious PowerShell commands.
  • Compromised hosts often have NetSupport installed in non-standard directories (e.g., AppData, ProgramData, Downloads) and are used to monitor activity, exfiltrate data, and maintain persistence.
  • Adversaries communicate with NetSupport C2 infrastructure over HTTP, using HTTP POSTs, rare domains/IPs, and identifiable user agents (e.g., ‘NetSupport Manager/1.3’).
  • Darktrace observed widespread activity across multiple regions and sectors, detected rare external connections and new user agents, and emphasizes anomaly‑based detection when signature-based IoCs may miss novel C2 domains.
  • Post-exploitation behavior has included additional payload downloads, underscoring the need to validate anomalous software use and remote-management activity in enterprise environments.

MITRE Techniques

  • [T1059.001] PowerShell – Used to run malicious commands that install NetSupport Manager (‘execute malicious PowerShell commands’)
  • [T1566] Phishing – Phishing emails were used as an initial access vector to direct users to fraudulent pages (‘phishing emails’)
  • [T1189] Drive-by Compromise – Malicious websites and drive-by downloads delivered installers or payloads to victims (‘malicious websites, … and drive-by downloads’)
  • [T1204] User Execution – Social engineering (ClickFix) tricked users into running commands or completing fake CAPTCHAs, causing execution (‘ClickFix… trick users into inadvertently executing malicious PowerShell commands under the guise of resolving a non-existent issue or completing a fake CAPTCHA verification’)
  • [T1105] Ingress Tool Transfer – Adversaries downloaded additional malicious payloads after initial compromise (‘post-exploitation of NetSupport RAT has involved the additional download of malicious payloads’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication used HTTP POSTs, unusual user agents, and multiple rare external domains/IPs (‘connections to multiple rare external domains and IP addresses associated with the NetSupport RAT, using a wide range of ports over the HTTP protocol’ and ‘HTTP POST requests to a suspicious URI and new user agent usage’)
  • [T1041] Exfiltration Over Command and Control Channel – Compromised hosts were used to monitor and exfiltrate data to C2 infrastructure (‘monitor user activity, exfiltrate data, communicate with the command-and-control (C2) server’)

Indicators of Compromise

  • [URI] NetSupportRAT C2 URI – fakeurl.htm
  • [Domain] NetSupportRAT C2 hostnames – thetavaluemetrics[.]com, westford-systems[.]icu, and 4 more domains (holonisz[.]com, heaveydutyl[.]com, nsgatetest1[.]digital, finalnovel[.]com)
  • [IP Address] NetSupportRAT C2 endpoints – 74.91.125[.]57, 45.94.47[.]224, and 10 more IPs (e.g., 217.91.235[.]17, 88.214.27[.]48, 104.21.40[.]75)
  • [User Agent] Suspicious user agent observed – ‘NetSupport Manager/1.3’ used in HTTP requests to C2 endpoints
  • [File/Path] Unusual installation locations observed – AppData, ProgramData (NetSupport placed in non-standard directories)
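As an added example (not code from the Darktrace post), the following Python script applies the detection points above to constructed proxy log lines: it flags the ‘NetSupport Manager/1.3’ user agent, POSTs to fakeurl.htm and the listed C2 domains by signature, and separately flags a destination that is absent from an assumed baseline and contacted by only one internal host, which is the anomaly-based check the post recommends for C2 domains that no IoC list yet covers. The log format, the baseline set and the placeholder host newc2-placeholder.invalid are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for this example (not data from the Darktrace post).
# Format: timestamp src_ip method dest_host uri status "user-agent"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET www.microsoft.com /update 200 "Mozilla/5.0"
2024-05-01T10:00:02Z 10.0.0.7 GET www.microsoft.com /update 200 "Mozilla/5.0"
2024-05-01T10:01:10Z 10.0.0.5 POST thetavaluemetrics.com /fakeurl.htm 200 "NetSupport Manager/1.3"
2024-05-01T10:01:40Z 10.0.0.8 POST newc2-placeholder.invalid /fakeurl.htm 200 "NetSupport Manager/1.3"
2024-05-01T10:02:00Z 10.0.0.9 GET cdn.example.org /lib.js 200 "Mozilla/5.0"
"""
# Indicators taken from the post; the domain set is illustrative, not the full list.
KNOWN_C2_DOMAINS = {"thetavaluemetrics.com", "westford-systems.icu"}
NETSUPPORT_UA = "NetSupport Manager/1.3"
C2_URI = "/fakeurl.htm"
# Assumed baseline of destinations this environment contacts routinely (constructed).
BASELINE_HOSTS = {"www.microsoft.com", "cdn.example.org"}
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Parse one log line into a dict; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, uri, status, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host,
            "uri": uri, "status": int(status), "ua": ua}

def analyze(log_text, baseline_hosts, rare_threshold=1):
    """Map (src_ip, dest_host) -> set of reasons, from signature and rarity checks."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    sources_per_host = defaultdict(set)  # distinct internal sources per destination
    for e in events:
        sources_per_host[e["host"]].add(e["src"])
    findings = defaultdict(set)
    for e in events:
        reasons = set()
        if e["ua"] == NETSUPPORT_UA:
            reasons.add("NetSupport Manager user agent")
        if e["method"] == "POST" and e["uri"].endswith(C2_URI):
            reasons.add("HTTP POST to fakeurl.htm")
        if e["host"] in KNOWN_C2_DOMAINS:
            reasons.add("known NetSupport C2 domain")
        # Anomaly path: not a known IoC, not in the baseline, seen from few sources
        elif e["host"] not in baseline_hosts and len(sources_per_host[e["host"]]) <= rare_threshold:
            reasons.add("rare external host")
        if reasons:
            findings[(e["src"], e["host"])] |= reasons
    return dict(findings)
```

Running analyze(SAMPLE_LOG, BASELINE_HOSTS) flags the known C2 domain by signature and the placeholder host only through the rarity check, while the two baseline destinations produce no findings.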

Read more: https://www.darktrace.com/blog/netsupport-rat-how-legitimate-tools-can-be-as-damaging-as-malware