{
	"id": "c638a6fe-ecfa-44fc-85ae-2092bd66da35",
	"created_at": "2026-04-06T00:09:15.074142Z",
	"updated_at": "2026-04-10T13:13:00.695764Z",
	"deleted_at": null,
	"sha1_hash": "2037f8c96a28a560fabe38835f67d2160893124c",
	"title": "Distribution of NetSupport RAT Malware Disguised as a Pokemon Game - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2390922,
	"plain_text": "Distribution of NetSupport RAT Malware Disguised as a Pokemon\r\nGame - ASEC\r\nBy ATCP\r\nPublished: 2022-12-29 · Archived: 2026-04-05 20:08:55 UTC\r\nNetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the\r\npurpose of remotely controlling systems. However, it is being abused by many threat actors because it allows\r\nexternal control over specific systems. Unlike backdoors and RATs (Remote Access Trojans), which are mostly\r\nbased on command lines, remote control tools (Remote Administration Tools) place emphasis on user-friendliness,\r\nso they offer remote desktops, also known as GUI environments. Even though they may not have been developed\r\nwith malicious intent, if they are installed on infected systems, they can be used for malicious purposes by threat\r\nactors, such as for the installation of additional malware or information extortion. As most remote control tools are\r\nused by countless users unlike other backdoors, it is easy for them to be recognized as normal programs. Thus,\r\nthey have the advantage of allowing attackers to use remote control tools, which are normal programs, to bypass\r\nthe detection of security software, while simultaneously enabling domination over the infected system in a GUI\r\nenvironment. The following ASEC blog post covers cases where various remote control tools such as AnyDesk,\r\nTeamViewer, Ammyy Admin, and Tmate were used in attacks. \r\nThe ASEC analysis team recently found that the NetSupport RAT malware is being distributed from a phishing\r\npage disguised as one for a Pokemon card game. 
Additionally, because it was not distributed in a form used for\r\nnormal purposes but rather in a form designed for the threat actor to control the infected system, this blog will\r\nhttps://asec.ahnlab.com/en/45312/\r\nPage 1 of 7\n\nrefer to it as “NetSupport RAT.” NetSupport RAT has been consistently used by threat actors and is still in use\r\neven in recent days. It’s distributed via spam emails or phishing pages disguised as those for original programs.\r\nThe following is the phishing page disguised as one for a Pokemon card game, and you can see the “Play on PC”\r\nbutton down below. When the user clicks this button to install the game, instead of the Pokemon card game,\r\nNetSupport RAT is downloaded.\r\nFigure 1. Forged Pokemon card game page\r\nThe downloaded file has both a disguised icon and version information, so users are prone to mistaking this for a\r\ngame program and running it.\r\nFigure 2. Malware disguised as a Pokemon card game\r\nThe malware is an installer malware developed with\r\nInnoSetup. When executed, it creates a folder in the %APPDATA% path and creates hidden NetSupport RAT-related files before executing them. It also creates a shortcut in the Startup folder, allowing the malware to be run\r\neven after a reboot. client32.exe, the ultimately executed file in the process tree below, is the NetSupport Manager\r\nclient.\r\nFigure 3. Process tree of NetSupport RAT\r\nWhile it could be said that the installed NetSupport-related programs themselves are normal programs, we can see\r\nthat the threat actor’s C\u0026C server address is included in the “client32.ini” configuration file, as shown below.\r\nWhen NetSupport is executed, it reads this configuration file, accesses and establishes a connection to the threat\r\nactor’s NetSupport server, and then allows the operator to control the infected system.\r\nFigure 4. 
Installed NetSupport files and the configuration file\r\nFigure 5. Packet data of NetSupport RAT\r\nWhile relevant files were being examined with our ASD (AhnLab Smart\r\nDefense) infrastructure and VirusTotal, we identified a different phishing page with the same format as a fake\r\nPokemon card game page. Each phishing page has been distributing multiple NetSupport RAT Dropper malware\r\nsince around December 2022. Moreover, while the files themselves are all different, they all include the same\r\nC\u0026C server address in the “client32.ini” configuration file. Among the ones uploaded to VirusTotal, there were\r\nmalware samples with icons disguised as Visual Studio, and just like the original program, NetSupport RAT is\r\ninstalled in the path %APPDATA%\\Developer\\. From this, we can infer that the threat actor is using normal\r\nprograms other than the Pokemon game to distribute malware.\r\nFigure 6. NetSupport RAT dropper disguised as Visual Studio\r\nThere was also a type that creates the file “csvs.exe” disguised as a normal Windows program, svchost.exe,\r\ninstead of installing the NetSupport client, “client32.exe” in the installation directory. While the icon and file size\r\nare different, the internal routine or PDB information shows that this is a “client32.exe” file modified by the threat\r\nactor to bypass detection.\r\nFigure 7. client32.exe seen to have been modified by the threat actor\r\nNetSupport RAT is being used by various threat actors. 
Major cases show that they are recently being distributed\r\nthrough spam emails disguised as those for invoices, shipment documents, and purchase orders.[1] Additionally,\r\nin the second half of the year, there was a case where users were led to install the malware themselves from a\r\nphishing page disguised as an update page for a software called SocGholish.[2] When NetSupport RAT is\r\ninstalled, the threat actor can gain control over the infected system. Features supported by NetSupport by default\r\ninclude not only remote screen control but also system control features such as screen capture, clipboard sharing,\r\ncollecting web history information, file management, and command execution. This means that the threat actor\r\ncan perform various malicious behaviors such as extorting user credentials and installing additional malware.\r\nFigure 8. Features supported by NetSupport\r\nRecently, threat actors have been abusing remote control tools used by various users such as NetSupport in their\r\nattacks. When infected with such remote control malware, the system is overtaken by the threat actor and becomes\r\nsubject to damages such as information extortion and additional malware installation. When installing externally\r\nsourced software, users are advised to purchase or download them from their official websites and refrain from\r\nopening attachments in suspicious emails. Users should also apply the latest patch to programs such as their OS\r\nand internet browsers and update V3 to the latest version to prevent malware infection in advance. 
File Detection\r\n– Dropper/Win.NetSupport.C5345365 (2022.12.30.01)\r\n– Malware/Win.Generic.C5339867 (2022.12.23.03)\r\n– Malware/Win.Generic.C5335414 (2022.12.17.01)\r\n– Malware/Win.Generic.C5333592 (2022.12.15.01)\r\n– Malware/Win.Malware-gen.C5331507 (2022.12.13.02)\r\n– Trojan/Win.NetSupport.C5345361 (2022.12.30.01)\r\n– Backdoor/Text.NetSupport (2022.12.30.02)\r\nIOC\r\nMD5\r\n– 097051905db43d636c3f71f3b2037e02 : NetSupport RAT dropper (PokemonBetaGame.exe)\r\n– 1dc87bfb3613d605c9914d11a67e2c94 : NetSupport RAT dropper disguised as a Pokemon card game\r\n– 5e6b966167c7fd13433929e774f038ee : NetSupport RAT dropper disguised as a Pokemon card game\r\n– a9dba73b0cf1c26008fc9203684c6c22 : NetSupport RAT dropper disguised as a Pokemon card game\r\n– adbe1069f82a076c48f79386812c1409 : NetSupport RAT dropper disguised as a Pokemon card game\r\n– fcdc884dd581701367b284ad302efe4d : NetSupport RAT dropper disguised as a Pokemon card game\r\n– ed68e69534ebdf6c8aa1398da032c147 : NetSupport RAT dropper disguised as Visual Studio (source.sdf)\r\n– e7792e09b0283b87b9de37b3420f69d5 : NetSupport RAT dropper disguised as a Pokemon card game (creates csvs.exe)\r\n– 7ca97fe166c4d8a23d7d9505d9fcc1c0 : Patched client32.exe (csvs.exe)\r\n– 59048c3248025a7d4c7c643d9cf317a5 : NetSupport configuration file (client32.ini)\r\n– f26b26f6d29a4e584bd85f216b8254b9 : NetSupport configuration file (client32.ini)\r\nURL\r\nhttp[:]//tradinghuy[.]duckdns[.]org[:]1488/\r\nhttps[:]//beta-pokemoncards[.]io/\r\nhttps[:]//beta-pokemoncards[.]io/PokemonBetaCard[.]exe\r\nhttps[:]//beta-pokemoncards[.]io/PokemonCardGame[.]exe\r\nhttps[:]//beta-pokemoncards[.]io/PokenoGameCard[.]exe\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain 
access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/45312/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/45312/"
	],
	"report_names": [
		"45312"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434155,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2037f8c96a28a560fabe38835f67d2160893124c.pdf",
		"text": "https://archive.orkl.eu/2037f8c96a28a560fabe38835f67d2160893124c.txt",
		"img": "https://archive.orkl.eu/2037f8c96a28a560fabe38835f67d2160893124c.jpg"
	}
}