{
	"id": "0a8b8aea-e6e6-4473-97f6-20f5530f8543",
	"created_at": "2026-04-06T00:12:46.715645Z",
	"updated_at": "2026-04-10T13:12:20.983222Z",
	"deleted_at": null,
	"sha1_hash": "054479873723d0b313782dce28df5bfd12665434",
	"title": "NetSupport RAT hits again with new IOCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2964498,
	"plain_text": "NetSupport RAT hits again with new IOCs\r\nBy Ariel Davidpur\r\nPublished: 2024-01-23 · Archived: 2026-04-05 21:41:37 UTC\r\n5 min read\r\nJan 23, 2024\r\nSummary\r\nThere is a new campaign from the last day that managed to bypass EDRs. It uses phishing emails to distribute the malware, with Microsoft Safelinks protection redirecting to different sites that host the malware itself.\r\nHow is it done?\r\nThe attacker mass distributes the malware via email and uses legitimate services to bypass email protection systems while targeting technology sector companies.\r\n[Image: the email with the Safelink protection]\r\nhttps://medium.com/@ad12347/netsupport-rat-hits-again-with-new-iocs-37318de44cfc\r\nPage 1 of 12\r\n[Image: the URL redirection tree after the Safelinks]\r\nAs soon as the victim receives the email and clicks on “View Your Invoice”, the victim is redirected to another site that leads them to click on the “Download Invoice” button.\r\n[Image: the download page]\r\nAs soon as the victim clicks on the button, he is redirected to “googleusercontent.com”, which uses an open redirect to the actual website that the malware is fetched from.\r\n[Image: Google user content redirect]\r\nWhile observing the JS file that was downloaded, we noticed that the code is obfuscated by a generic JS obfuscator (Obfuscate.io).\r\n[Image: obfuscated code]\r\nAfter making the code clear enough to understand and debug, we can see the actual steps taken by the JS code and what the C2s (Target URL) are.\r\n[Image: deobfuscated code]\r\nDiving deeper…\r\nWhile the malware is being executed, it uses the “targetURL” to create an object that runs in “Wscript.shell” and runs a hidden encoded command.\r\n[Image: encoded PS code]\r\nWe decoded and cleaned the PS code that was in the URL, and now we can see more files that were downloaded, where they were stored, and under what names.\r\n[Image: decoded PS]\r\nNow we can see that it has multiple ZIP files that contain multiple files, and how it uses “start-bitstransfer” to retrieve them from the C2 server to the client (the victim’s machine).\r\nWe can also see that all of the files were retrieved from the same domain, and while browsing it we could find an open directory.\r\n[Image: C2 open dir]\r\nExecution Flow\r\nWe took the decoded PS command and executed it in the CMD.\r\nThe PS creates a directory in %AppData% called “aragdrts” and stores all the files inside it.\r\n[Image: malware directory]\r\nAfter storing the files, it automatically executes “client32.exe”, which sets up persistence and takes the connection configuration from the “client32.ini” file.\r\n[Image: persistence config]\r\nNow we can see in the execution tree that “client32.exe” is always running and has an active connection to the attacker.\r\n[Image: process tree]\r\nThe exe file uses a few techniques for persistence:\r\nScheduled tasks\r\nStartup Menu file saving\r\nRegistry Key\r\nThe scheduled task:\r\n[Image: scheduled task]\r\nStartup Menu file:\r\n[Image: startup menu file]\r\nRegistry Key:\r\n[Image: Procmon showing where it was saved]\r\n[Image: the registry key]\r\nNow that the attacker has persistence, let’s analyze his connection.\r\nUsing Process Monitor, we can see the TCP packets used by the exe file and which IPs are used for the session and the remote access, using a dedicated port only for the session itself.\r\nAnalyzing the processes, we can now find all the data that we need in addition to the session of the RAT.\r\nComputer name:\r\nThe name of the RAT itself!:\r\nConclusion\r\nThe NetSupport RAT we found was delivered via a phishing email with a URL that has multiple redirects that eventually download JS malware.\r\nThe malware was obfuscated and pulled a malicious encoded PS script that was stored on a public URL.\r\nThe PS command has the C2 servers and uses BITS transfer to get the malicious files from the attacker’s server and execute them.\r\nAfter executing the “client32.exe” file, it uses the other files as configuration for the NetSupport remote session.\r\nThe malware uses multiple techniques for persistence to make sure that the session won’t terminate.\r\nTTPs\r\nRemote Access Software (T1219) — https://attack.mitre.org/techniques/T1219/\r\nScheduled Task/Job: Scheduled Task (T1053/005) — https://attack.mitre.org/techniques/T1053/005/\r\nWindows Management Instrumentation (T1047) — https://attack.mitre.org/techniques/T1047/\r\nHide Artifacts: Hidden Files and Directories (T1564/003) — https://attack.mitre.org/techniques/T1564/003/\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547/001) — https://attack.mitre.org/techniques/T1547/001/\r\nHide Artifacts: Hidden Window (T1564/003) — https://attack.mitre.org/techniques/T1564/003/\r\nModify Registry (T1112) — https://attack.mitre.org/techniques/T1112/\r\nObfuscated Files or Information: Software Packing (T1406/002) — https://attack.mitre.org/techniques/T1406/002/\r\nSystem Network Connections Discovery (T1049) — https://attack.mitre.org/techniques/T1049/\r\nFile and Directory Discovery (T1083) — https://attack.mitre.org/techniques/T1083/\r\nProcess Discovery (T1057) — https://attack.mitre.org/techniques/T1057/\r\nQuery Registry (T1012) — https://attack.mitre.org/techniques/T1012/\r\nNon-Standard Port (T1571) — https://attack.mitre.org/techniques/T1571/\r\nIOCs\r\nURLs:\r\nps1.dropper: hxxps://hsdiagnostico[.]com/readme.php\r\nexe.dropper: hxxps://core-click[.]net/TVFrontend/NSM.zip\r\nexe.dropper: hxxps://core-click[.]net/TVFrontend/remcmdstub.zip\r\nexe.dropper: hxxps://core-click[.]net/TVFrontend/DLAA1view.zip\r\nexe.dropper: hxxps://core-click[.]net/TVFrontend/mock/\r\nDomains:\r\nhelasirasi[.]com [Client32]\r\ngeo[.]netsupportsoftware[.]com [Client32]\r\nhsdiagnostico[.]com [PowerShell]\r\ncore-click[.]net [tls,http2]\r\nIPs:\r\n74.50.81.180\r\n98.143.147.253\r\n212.113.116.33\r\n104.26.1.231:80\r\nSHA256:\r\n[IN5632.js] 5657AEA8AFD1E0C0BDC4D3ACDBDF4C8C02ABDF4C75D4687083A6F26BAB09610D\r\n[Client32] 42C2D35457ABCE2FEA3897BA5E569F51B74B40302FF15B782E3B20B0AA00B34E\r\n[StartUp Folder JS] 3689DDD7D45EA04F13E073F993AFB1B52D576D455D9317F446A31CC282324213\r\nOpenDir:\r\nhxxps://core-click[.]net/TVFrontend/ / hxxps://core-click[.]net/TVFrontend/mock/\r\nFilename pattern (RegEx): IN[0-9]{4}.js\r\nCredits: Idan Tarab, Ariel Davidpur\r\nBlog References:\r\nhttps://www.sentinelone.com/blog/gotta-catch-em-all-understanding-the-netsupport-rat-campaigns-hiding-behind-pokemon-lures/\r\nSource: https://medium.com/@ad12347/netsupport-rat-hits-again-with-new-iocs-37318de44cfc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@ad12347/netsupport-rat-hits-again-with-new-iocs-37318de44cfc"
	],
	"report_names": [
		"netsupport-rat-hits-again-with-new-iocs-37318de44cfc"
	],
	"threat_actors": [],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/054479873723d0b313782dce28df5bfd12665434.pdf",
		"text": "https://archive.orkl.eu/054479873723d0b313782dce28df5bfd12665434.txt",
		"img": "https://archive.orkl.eu/054479873723d0b313782dce28df5bfd12665434.jpg"
	}
}