{
	"id": "9ed80c3c-6c18-4946-bd9d-e69850aab4d9",
	"created_at": "2026-04-06T00:06:36.139423Z",
	"updated_at": "2026-04-10T03:36:37.149097Z",
	"deleted_at": null,
	"sha1_hash": "9da129c5462b39b82b3ccd2aa70a7e8b3cfe525a",
	"title": "NetSupportManager RAT (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104293,
	"plain_text": "NetSupportManager RAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:11:10 UTC\r\nEnigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty\r\nyears ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or\r\nprovide remote computer assistance. However, cyber crooks have hijacked this useful application and\r\nmisappropriated it to use it in their harmful campaigns. The name of the modified version of the NetSupport\r\nManager has been labeled the NetSupport Manager RAT.\r\n2025-11-12 ⋅ ISC ⋅\r\nSmartApeSG campaign uses ClickFix page to push NetSupport RAT\r\nSmartApeSG NetSupportManager RAT 2025-06-13 ⋅ Recorded Future ⋅ Insikt Group\r\nGrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT\r\nEugenLoader POWERTRASH NetSupportManager RAT 2025-03-28 ⋅ Intrinsec ⋅ David Sardinha\r\nFrom espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025\r\nsLoad NetSupportManager RAT Remcos SmokeLoader 2025-03-12 ⋅ Red Canary ⋅ Red Canary\r\n2025 Threat Detection Report\r\nHijackLoader Lumma Stealer NetSupportManager RAT 2025-02-04 ⋅ Team Cymru ⋅ S2 Research Team\r\nTracing the Path From SmartApeSG to NetSupport RAT\r\nSmartApeSG NetSupportManager RAT Quasar RAT 2024-12-02 ⋅ Kaspersky Labs ⋅ Artem Ushkov\r\nHorns\u0026Hooves campaign delivers NetSupport RAT and BurnsRAT\r\nNetSupportManager RAT RMS 2024-11-18 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team, Selena Larson, Tommy Madjar\r\nSecurity Brief: ClickFix Social Engineering Technique Floods Threat Landscape\r\nAsyncRAT Brute Ratel C4 DanaBot DarkGate Latrodectus Lumma Stealer NetSupportManager RAT XWorm\r\n2024-07-25 ⋅ Symantec ⋅ Symantec\r\nGrowing Number of Threats Leveraging AI\r\nBroomstick DBatLoader NetSupportManager RAT Rhadamanthys 2024-07-02 ⋅ Sekoia ⋅ Quentin Bourgue\r\nExposing FakeBat loader: distribution methods and 
adversary infrastructure\r\nBlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer\r\nNetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar 2024-06-17 ⋅ Proofpoint ⋅\r\nProofpoint\r\nFrom Clipboard to Compromise: A PowerShell Self-Pwn\r\nDarkGate HijackLoader Lumma Stealer Matanbuchus NetSupportManager RAT TA571 2024-06-11 ⋅ ThreatDown ⋅\r\nJérôme Segura\r\nSmartApeSG walkthrough\r\nSmartApeSG NetSupportManager RAT 2024-05-10 ⋅ Rapid7 Labs ⋅ Evan McCann, Thomas Elkins, Tyler McGraw\r\nOngoing Social Engineering Campaign Linked to Black Basta Ransomware Operators\r\nBlack Basta Black Basta Cobalt Strike NetSupportManager RAT 2024-03-18 ⋅ Perception Point ⋅ Ariel Davidpur, Peleg\r\nCabra\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat\r\nPage 1 of 3\n\nOperation PhantomBlu: New and Evasive Method Delivers NetSupport RAT\r\nNetSupportManager RAT 2024-02-26 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nAdvanced CyberChef Techniques for Configuration Extraction - Detailed Walkthrough and Examples\r\nNetSupportManager RAT 2024-02-25 ⋅ YouTube (Embee Research) ⋅ Embee_research\r\nMy Longest CyberChef Recipe Ever - 22 Operation Configuration Extractor\r\nNetSupportManager RAT 2024-01-23 ⋅ Medium ad12347 ⋅ Ariel Davidpur\r\nNetSupport RAT hits again with new IOCs\r\nNetSupportManager RAT 2023-12-30 ⋅ Rewterz Information Security ⋅ Rewterz Information Security\r\nRewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs\r\nEugenLoader POWERTRASH BATLOADER DarkGate FlawedGrace NetSupportManager RAT SectopRAT\r\nStorm-0506 2023-11-20 ⋅ vmware ⋅ Abe Schneider, Alan Ngo, Alex Murillo, Fae Carlisle, Nikki Benoit\r\nNetSupport RAT: The RAT King Returns\r\nNetSupportManager RAT 2023-10-27 ⋅ Elastic ⋅ Joe Desimone, Salim Bitam\r\nGHOSTPULSE haunts victims using defense evasion bag o' tricks\r\nHijackLoader Lumma Stealer NetSupportManager RAT 
Rhadamanthys SectopRAT Vidar 2023-10-26 ⋅ Medium\r\nwalmartglobaltech ⋅ Jonathan Mccay\r\nSmartApeSG\r\nSmartApeSG NetSupportManager RAT 2023-09-06 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nMac users targeted in new malvertising campaign delivering Atomic Stealer\r\nAMOS NetSupportManager RAT 2023-08-10 ⋅ Trellix ⋅ Antonio Ribeiro, Jonell Baltazar\r\nExploring New Techniques of Fake Browser Updates Leading to NetSupport RAT\r\nNetSupportManager RAT 2023-03-29 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen\r\nNew OpcJacker Malware Distributed via Fake VPN Malvertising\r\nNetSupportManager RAT OpcJacker 2023-01-06 ⋅ AhnLab ⋅ ASEC\r\nDistribution of NetSupport RAT Malware Disguised as a Pokemon Game\r\nNetSupportManager RAT 2022-09-15 ⋅ Sekoia ⋅ Threat \u0026 Detection Research Team\r\nPrivateLoader: the loader of the prevalent ruzki PPI service\r\nAgent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT\r\nNymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP\r\nVidar YTStealer 2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nSocGholish Campaigns and Initial Access Kit\r\nFAKEUPDATES Blister Cobalt Strike NetSupportManager RAT 2022-04-11 ⋅ eSentire ⋅ eSentire Threat Response Unit\r\n(TRU)\r\nFake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer\r\nMars Stealer NetSupportManager RAT 2022-04-07 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nMalicious web redirect service infects 16,500 sites to push malware\r\nNetSupportManager RAT 2022-04-07 ⋅ Avast Decoded ⋅ Jan Rubín, Pavel Novák\r\nParrot TDS takes over web servers and threatens millions\r\nFAKEUPDATES Parrot TDS Parrot TDS WebShell NetSupportManager RAT 2020-11-02 ⋅ SUCURI ⋅ Denis Sinegubko\r\nCSS-JS Steganography in Fake Flash Player Update Malware\r\nmagecart NetSupportManager RAT 2020-05-22 ⋅ Positive Technologies ⋅ PT ESC Threat Intelligence\r\nOperation TA505: investigating the ServHelper backdoor with NetSupport 
RAT. Part 2.\r\nNetSupportManager RAT ServHelper 2020-03-19 ⋅ Prevailion ⋅ Prevailion\r\nThe Curious Case of the Criminal Curriculum Vitae\r\nLALALA Stealer NetSupportManager RAT Rekt Loader 2017-09-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nEITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware\r\nNetSupportManager RAT 2016-09-30 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nHacked Steam accounts spreading Remote Access Trojan\r\nNetSupportManager RAT 2013-01-01 ⋅ NetSupport Manager ⋅ NetSupport Manager\r\nNetSupport Manager Website\r\nNetSupportManager RAT\r\n[TLP:WHITE] win_netsupportmanager_rat_auto (20251219 | Detects win.netsupportmanager_rat.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat"
	],
	"report_names": [
		"win.netsupportmanager_rat"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f994aa54-3581-460a-9c1f-5ca6b1af4aa1",
			"created_at": "2024-08-20T02:00:04.537819Z",
			"updated_at": "2026-04-10T02:00:03.686083Z",
			"deleted_at": null,
			"main_name": "Storm-0506",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0506",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9da129c5462b39b82b3ccd2aa70a7e8b3cfe525a.pdf",
		"text": "https://archive.orkl.eu/9da129c5462b39b82b3ccd2aa70a7e8b3cfe525a.txt",
		"img": "https://archive.orkl.eu/9da129c5462b39b82b3ccd2aa70a7e8b3cfe525a.jpg"
	}
}