win.netsupportmanager_rat

NetSupportManager RAT

aka: NetSupport

Enigma Software notes that NetSupport Manager is a genuine application that was first released about twenty years ago. Its purpose is to enable users to receive remote technical support or provide remote computer assistance. However, cyber crooks have hijacked this useful application and misappropriated it for use in their harmful campaigns. The modified version of NetSupport Manager has been labeled the NetSupport Manager RAT.

References
2026-02-18 | Recorded Future | Insikt Group
GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack
SmartApeSG NetSupportManager RAT SectopRAT GrayCharlie
2025-11-12 | ISC | Brad Duncan
SmartApeSG campaign uses ClickFix page to push NetSupport RAT
SmartApeSG NetSupportManager RAT
2025-06-13 | Recorded Future | Insikt Group
GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT
EugenLoader POWERTRASH NetSupportManager RAT
2025-03-28 | Intrinsec | David Sardinha
From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025
sLoad NetSupportManager RAT Remcos SmokeLoader
2025-03-12 | Red Canary | Red Canary
2025 Threat Detection Report
HijackLoader Lumma Stealer NetSupportManager RAT
2025-02-04 | Team Cymru | S2 Research Team
Tracing the Path From SmartApeSG to NetSupport RAT
SmartApeSG NetSupportManager RAT Quasar RAT
2024-12-02 | Kaspersky Labs | Artem Ushkov
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT
NetSupportManager RAT RMS
2024-11-18 | Proofpoint | Proofpoint Threat Research Team, Selena Larson, Tommy Madjar
Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape
AsyncRAT Brute Ratel C4 DanaBot DarkGate Latrodectus Lumma Stealer NetSupportManager RAT XWorm
2024-07-25 | Symantec | Symantec
Growing Number of Threats Leveraging AI
Broomstick DBatLoader NetSupportManager RAT Rhadamanthys
2024-07-02 | Sekoia | Quentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar
2024-06-17 | Proofpoint | Proofpoint
From Clipboard to Compromise: A PowerShell Self-Pwn
DarkGate HijackLoader Lumma Stealer Matanbuchus NetSupportManager RAT TA571
2024-06-11 | ThreatDown | Jérôme Segura
SmartApeSG walkthrough
SmartApeSG NetSupportManager RAT
2024-05-10 | Rapid7 Labs | Evan McCann, Thomas Elkins, Tyler McGraw
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Black Basta Black Basta Cobalt Strike NetSupportManager RAT
2024-03-18 | Perception Point | Ariel Davidpur, Peleg Cabra
Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT
NetSupportManager RAT
2024-02-26 | Twitter (@embee_research) | Embee_research
Advanced CyberChef Techniques for Configuration Extraction - Detailed Walkthrough and Examples
NetSupportManager RAT
2024-02-25 | YouTube (Embee Research) | Embee_research
My Longest CyberChef Recipe Ever - 22 Operation Configuration Extractor
NetSupportManager RAT
2024-01-23 | Medium ad12347 | Ariel Davidpur
NetSupport RAT hits again with new IOCs
NetSupportManager RAT
2023-12-30 | Rewterz Information Security | Rewterz Information Security
Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs
EugenLoader POWERTRASH BATLOADER DarkGate FlawedGrace NetSupportManager RAT SectopRAT Storm-0506
2023-11-20 | vmware | Abe Schneider, Alan Ngo, Alex Murillo, Fae Carlisle, Nikki Benoit
NetSupport RAT: The RAT King Returns
NetSupportManager RAT
2023-10-27 | Elastic | Joe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar
2023-10-26 | Medium walmartglobaltech | Jonathan Mccay
SmartApeSG
SmartApeSG NetSupportManager RAT
2023-09-06 | Malwarebytes | Jérôme Segura
Mac users targeted in new malvertising campaign delivering Atomic Stealer
AMOS NetSupportManager RAT
2023-08-10 | Trellix | Antonio Ribeiro, Jonell Baltazar
Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT
NetSupportManager RAT
2023-03-29 | Trend Micro | Jaromír Hořejší, Joseph C Chen
New OpcJacker Malware Distributed via Fake VPN Malvertising
NetSupportManager RAT OpcJacker
2023-01-06 | AhnLab | ASEC
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game
NetSupportManager RAT
2022-09-15 | Sekoia | Threat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-05-25 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT
2022-04-11 | eSentire | eSentire Threat Response Unit (TRU)
Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer
Mars Stealer NetSupportManager RAT
2022-04-07 | Bleeping Computer | Bill Toulas
Malicious web redirect service infects 16,500 sites to push malware
NetSupportManager RAT
2022-04-07 | Avast Decoded | Jan Rubín, Pavel Novák
Parrot TDS takes over web servers and threatens millions
FAKEUPDATES Parrot TDS Parrot TDS WebShell NetSupportManager RAT
2020-11-02 | SUCURI | Denis Sinegubko
CSS-JS Steganography in Fake Flash Player Update Malware
magecart NetSupportManager RAT
2020-05-22 | Positive Technologies | PT ESC Threat Intelligence
Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
NetSupportManager RAT ServHelper
2020-03-19 | Prevailion | Prevailion
The Curious Case of the Criminal Curriculum Vitae
LALALA Stealer NetSupportManager RAT Rekt Loader
2017-09-01 | Palo Alto Networks Unit 42 | Brad Duncan
EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware
NetSupportManager RAT
2016-09-30 | Bleeping Computer | Lawrence Abrams
Hacked Steam accounts spreading Remote Access Trojan
NetSupportManager RAT
2013-01-01 | NetSupport Manager | NetSupport Manager
NetSupport Manager Website
NetSupportManager RAT
Yara Rules
[TLP:WHITE] win_netsupportmanager_rat_auto (20260504 | Detects win.netsupportmanager_rat.)
rule win_netsupportmanager_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.netsupportmanager_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c7869400000000000000 8945ec c70000000000 c70700000000 0f85d5000000 8b4510 85c0 }
            // n = 7, score = 100
            //   c7869400000000000000     | mov    dword ptr [esi + 0x94], 0
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   c70700000000         | mov                 dword ptr [edi], 0
            //   0f85d5000000         | jne                 0xdb
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   85c0                 | test                eax, eax

        $sequence_1 = { f2ae f7d1 d1e9 8d55cc 51 52 e8???????? }
            // n = 7, score = 100
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   d1e9                 | shr                 ecx, 1
            //   8d55cc               | lea                 edx, [ebp - 0x34]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_2 = { ff5218 6a1e e8???????? a1???????? 83c404 3bc3 0f8595000000 }
            // n = 7, score = 100
            //   ff5218               | call                dword ptr [edx + 0x18]
            //   6a1e                 | push                0x1e
            //   e8????????           |                     
            //   a1????????           |                     
            //   83c404               | add                 esp, 4
            //   3bc3                 | cmp                 eax, ebx
            //   0f8595000000         | jne                 0x9b

        $sequence_3 = { f3ab 8d45f8 8d8df0feffff 50 51 e8???????? 8bf8 }
            // n = 7, score = 100
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   8d8df0feffff         | lea                 ecx, [ebp - 0x110]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_4 = { 8bd9 33ff 8d4dbc 897dec e8???????? 8db30d010000 897dfc }
            // n = 7, score = 100
            //   8bd9                 | mov                 ebx, ecx
            //   33ff                 | xor                 edi, edi
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   e8????????           |                     
            //   8db30d010000         | lea                 esi, [ebx + 0x10d]
            //   897dfc               | mov                 dword ptr [ebp - 4], edi

        $sequence_5 = { e8???????? eb14 3bf7 7410 8bce e8???????? 56 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb14                 | jmp                 0x16
            //   3bf7                 | cmp                 esi, edi
            //   7410                 | je                  0x12
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   56                   | push                esi

        $sequence_6 = { e8???????? 53 894508 e8???????? 8b7ddc 8b1d???????? 83c40c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   53                   | push                ebx
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   e8????????           |                     
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   8b1d????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_7 = { ff15???????? 8bf0 85f6 8975f8 0f8488000000 68???????? 56 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   0f8488000000         | je                  0x8e
            //   68????????           |                     
            //   56                   | push                esi

        $sequence_8 = { e8???????? c7865c02000001000000 c7863c02000001000000 5f 5e 8b4df4 64890d00000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c7865c02000001000000     | mov    dword ptr [esi + 0x25c], 1
            //   c7863c02000001000000     | mov    dword ptr [esi + 0x23c], 1
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx

        $sequence_9 = { eb03 895e2c 8b4df4 8bc6 5f 5e 5b }
            // n = 7, score = 100
            //   eb03                 | jmp                 5
            //   895e2c               | mov                 dword ptr [esi + 0x2c], ebx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

    condition:
        7 of them and filesize < 4734976
}