{
	"id": "eab9fc8f-e696-42d4-89c4-a9b2c777a1c8",
	"created_at": "2026-04-06T00:14:43.9605Z",
	"updated_at": "2026-04-10T03:33:16.47496Z",
	"deleted_at": null,
	"sha1_hash": "faac79b215330f1c3bc5fbabcf25e7cbf0c47768",
	"title": "NetSupport RAT: The RAT King Returns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1774141,
	"plain_text": "NetSupport RAT: The RAT King Returns\r\nBy Alan Ngo, Abe Schneider, Fae Carlisle\r\nPublished: 2023-11-20 · Archived: 2026-04-02 12:06:21 UTC\r\nAuthors: Alex Murillo, Alan Ngo, Abe Schneider, Fae Carlisle\r\nContributors: Nikki Benoit\r\nExecutive Summary\r\nFor years, threat actors have been using legitimate software for illegitimate or malicious purposes. One such tool is NetSupport Manager – a remote control application used for remote systems management. In recent years, however, threat actors have repurposed this software as a Remote Access Trojan (RAT) to infiltrate systems and use them as a launching point for subsequent attacks.\r\nThe Carbon Black Managed Detection \u0026 Response team, in collaboration with our Threat Analysis Unit, has observed over 15 new infections related to NetSupport RAT in the last few weeks. Most of these infections were in the Education, Government, and Business Services sectors. In this article we delve into our methods for detecting and preventing this malware, and provide insights and resources for defenders.\r\nHistory\r\nNetSupport Manager began as genuine software 30 years ago for remote technical support use. The tool allows file transfers, support chat, inventory management, and remote access. While it is legitimate software, threat actors have been using it in recent years as a Remote Access Trojan (RAT) – most notably spread in 2020 via a massive COVID-19 phishing campaign. The delivery mechanisms for the NetSupport RAT include fraudulent updates, drive-by downloads, malware loaders (such as GhostPulse), and various forms of phishing campaigns.\r\nDue to its legitimate nature and widespread availability, NetSupport Manager is not exclusive to a single threat actor. 
\r\nMultiple malicious entities, including the notorious TA569 – recognized for its SocGholish malware, incorporate this tool into their arsenal. Its accessibility makes it usable by a spectrum of threat actors, ranging from novice hackers to sophisticated adversaries.\r\nOlder variants of NetSupport RAT were seen using .BAT and .VBS files, often as decoys. Only one of the many BAT files dropped would be responsible for executing the RAT and establishing persistence. We have not observed the newer variants using these older methods.\r\nCarbon Black Detection \u0026 Attack Chain\r\nIn recent attacks, the NetSupport RAT has been downloaded onto a victim’s computer via deceptive websites and fake browser updates. Initial infection, however, can vary depending on the threat actor.\r\nThe following infection shows the victim being tricked into downloading a fake browser update after visiting a compromised website. These infected websites host a PHP script which displays a seemingly authentic update. 
When the victim clicks on the download link, an additional JavaScript payload is downloaded onto the endpoint.\r\nhttps://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html\r\nPage 1 of 11\n\nFigure 1: Fake Chrome browser update presented to victim\r\nIn this example, Update_browser_10.6336.js is the payload downloaded from the fake browser update, and it can be seen making external network connections to implacavelvideos[.]com.\r\nFigure 2: Update_browser_10.6336.js establishing connection to implacavelvideos[.]com\r\nUpdate_browser_10.6336.js then invokes powershell.exe to execute obfuscated commands, which in turn connect to kgscrew[.]com.\r\nFigure 3: Obfuscated PowerShell Command\r\npowershell.exe is then used to pass a Base64 snippet in memory, decode it, and store the contents in a file called p.zip.\r\nThe contents of p.zip are then extracted into the directory \\appdata\\roaming\\divx-429\\\r\nFigure 4: PowerShell connecting to the C2 for additional payload and p.zip download.\r\nMultiple NetSupport dependencies/DLLs, as well as NetSupport Manager itself, are contained within this decompressed archive.\r\nOnce installed on a victim’s device, NetSupport is able to monitor behavior, transfer files, manipulate computer settings, and move to other devices within the network.\r\nFigure 5: Numerous NetSupport files being dropped after the connection to kgscrew[.]com\r\nPersistence is then established by adding client32.exe to the HKCU Run registry key in:\r\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\DIVXX or\r\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\DIVX\r\nFigure 6: PowerShell creates persistence in HKCU run registry\r\nPowerShell is then used to invoke the NetSupport application, client32.exe, which 
is then used to connect to NetSupport RAT’s Command and Control server at 5.252.177[.]111 (sdjfnvnbbz[.]pw) by executing the PowerShell script which is broken down in detail below.\r\nFigure 7: client32.exe connecting to sdjfnvnbbz[.]pw\r\nPowerShell Breakdown\r\nFigure 8: MDR analyst triage\r\nWhen the MDR team received this alert, we observed a powershell.exe process with a very suspicious command line. Given that the .JS file was also named “update_browser_10.6336.js”, we immediately identified this as NetSupport RAT.\r\nReviewing the command line further, we identify a URL that gets passed to the DownloadString function to download additional payloads. In this particular attack, it is hXXps://gamefllix[.]com/111.php?9279.\r\nFigure 9: PowerShell command showing the gamefllix[.]com/111 DownloadString\r\nReverse Engineering PowerShell\r\nWhen an affected endpoint makes a network connection to the compromised URL, the payload is downloaded, as observed in Figure 10. The downloaded payload is the GET response containing the obfuscated script from the compromised URL (gamefllix[.]com/111.php).\r\nFigure 10: HTTP GET Response from gamefllix[.]com/111.php\r\nFigure 10 shows only part of the script, as the full script, at over 4.5 million characters, is too long to share as an image in this article. It appears to be Base64 encoded, so the next step is to decode it with CyberChef to see what it is doing. Unfortunately, the output appears unreadable. 
It was also observed that the PK header at the beginning of the decoded output identifies it as a ZIP archive.\r\nA few file names are visible, such as CacheMD5.dat, CacheURL.dat and client32.exe, as well as an additional URL, in the CyberChef output screenshot below.\r\nFigure 11: CyberChef Base64 decode\r\nWe took the Base64 encoded contents from gamefllix[.]com and used PowerShell in a secured environment to reconstruct the ZIP archive with a simple custom script.\r\nFigure 12: .zip file contents\r\nFrom these reconstructed files we can obtain additional information. For example, Client32.ini contains the GatewayAddress (observed in Figure 7) that client32.exe connected to on port 443, using the RADIUSSecret for authentication.\r\nFigure 13: Client32.ini contents\r\nNetSupport licensing information was gathered from the file named NSM.LIC. The name HANEYMANEY (observed in Figure 14 under the licensee field) has previously been observed in activity by the threat actor labeled TA569, who also has a history of delivering payloads via fake browser updates. This could be a case of a compromised and leaked license for NetSupport Manager. There may not be a direct correlation, but the behavior is suspicious at best.\r\nFigure 14: NetSupport Licensing Information\r\nSummary\r\nDespite a surge in activity, the Carbon Black MDR team remains vigilant against NetSupport RAT. Our team is experienced at detecting and responding to this threat, effectively stopping the attack before it can escalate. 
Carbon Black is effective against NetSupport RAT due to its advanced detection and response capabilities, including:\r\nBehavioral Analysis: Carbon Black uses behavioral analysis techniques to identify suspicious activities and behaviors associated with NetSupport RAT. This proactive approach allows it to detect new and evolving threats, including those leveraging NetSupport RAT.\r\nThreat Intelligence: Carbon Black integrates threat intelligence feeds into its detection algorithms. This means it can recognize known indicators of compromise associated with NetSupport RAT, enabling quick identification and mitigation of infected systems.\r\nEndpoint Security: Carbon Black provides robust endpoint security features, ensuring that devices are protected at the point of entry. It can block malicious websites and prevent the execution of malicious files, thwarting attempts to download and install NetSupport RAT.\r\nReal-time Monitoring: Carbon Black offers real-time monitoring and response capabilities. It can detect suspicious activities in real time, allowing security teams to respond promptly to potential NetSupport RAT infections, minimizing the damage caused by the malware.\r\nIncident Response: In case of a NetSupport RAT infection, Carbon Black facilitates efficient incident response. It provides detailed insights into the attack, helping security teams understand the extent of the compromise and take appropriate actions to remediate the situation.\r\nContinuous Updates: Carbon Black regularly updates its threat intelligence databases and detection algorithms. This ensures that the system is equipped to detect new variants of NetSupport RAT and other emerging threats effectively.\r\nBy leveraging these features, Carbon Black enhances organizations’ security posture, making it challenging for threat actors to successfully operate the NetSupport RAT within their networks or escalate the attack. 
\r\nSearch Queries:\r\nprocess_name:*\\\\appdata\\\\roaming\\\\*\\\\ctfmon.exe OR process_name:*\\\\appdata\\\\roaming\\\\*\\\\whost.exe OR pr\r\nfilemod_name:\\\\appdata\\\\roaming\\\\divx*\\\\\r\nnetconn_domain:kgscrew.com OR gamefllix.com\r\nIndicators of Compromise (IOC)\r\nHashes\r\nIPs/Domains\r\nhttps://magydostravel[.]com/cdn/zwmrqqgqnaww[.]php 5.252.177[.]111\r\nsdjfnvnbbz[.]pw:443 91.219.150[.]64\r\nhttps://gamefllix[.]com/111[.]php[?]9279\r\narauas[.]com\r\n91.19.150[.]63\r\nMITRE ATT\u0026CK TIDs\r\nTID Tactics Technique\r\nT1204.002 Execution User Execution: Malicious File\r\nT1059.001 Execution Command and Scripting Interpreter: PowerShell\r\nT1055 Privilege Escalation Process Injection\r\nT1027 Defense Evasion Obfuscated Files or Information\r\nT1041 Exfiltration Exfiltration Over C2 Channel\r\nT1074.001 Collection Data Staged: Local Data Staging\r\nT1547.001 Persistence, Privilege Escalation Boot or Logon Autostart Execution: Registry Run Keys / Startup F\r\nT1057 Discovery Process Discovery\r\nSource: https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html"
	],
	"report_names": [
		"netsupport-rat-the-rat-king-returns.html"
	],
	"threat_actors": [
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434483,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/faac79b215330f1c3bc5fbabcf25e7cbf0c47768.pdf",
		"text": "https://archive.orkl.eu/faac79b215330f1c3bc5fbabcf25e7cbf0c47768.txt",
		"img": "https://archive.orkl.eu/faac79b215330f1c3bc5fbabcf25e7cbf0c47768.jpg"
	}
}