A remote access trojan, known as NetSupport RAT, is actively being used by threat actors to launch attacks on organizations across the education, government, and business services sectors.

“The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns,” as outlined in a report shared with The Hacker News by researchers from VMware Carbon Black.

In the most recent weeks, the cybersecurity company reported discovering at least 15 new infections associated with the NetSupport RAT.

While initially designed as a legitimate remote administration tool for providing technical assistance and support, NetSupport Manager has been co-opted by hostile actors. They exploit it for their advantage, turning it into a beachhead for subsequent attacks.

Deceptive websites and phony browser updates are the most common vectors by which the NetSupport RAT is delivered to a victim’s machine.

In August 2022, Sucuri disclosed specifics about a campaign exploiting compromised WordPress sites to create deceptive Cloudflare DDoS protection pages. This deceptive strategy played a pivotal role in the proliferation of the NetSupport remote access tool.

NetSupport RAT

A significant facet of this operation involves the implementation of a JavaScript-based downloader malware, SocGholish (aka FakeUpdates). This malicious entity has been identified as distributing a loader virus with the codename BLISTER. Notably, this method often capitalizes on the guise of fake web browser updates—a tactic intricately associated with the deployment of fraudulent browser updates.

Following this, the JavaScript payload triggers PowerShell, facilitating a connection to a remote server to retrieve a ZIP archive file containing the NetSupport RAT. Once installed, this RAT consistently transmits beacons to a command-and-control (C2) server.

“Once installed on a victim’s device, NetSupport is able to monitor behavior, transfer files, manipulate computer settings, and move to other devices within the network,” as reported by the investigators.

In conclusion, the surge in NetSupport RAT infections, coupled with the deceptive tactics employed, underscores the evolving landscape of cybersecurity threats. Organizations must remain vigilant as threat actors exploit compromised websites and leverage sophisticated delivery mechanisms. Once infiltrated, NetSupport’s multifaceted capabilities pose significant risks to both individual users and entire networks. Proactive cybersecurity measures, continuous monitoring, and user education are paramount in fortifying defences against such insidious threats, ensuring the resilience of digital ecosystems in the face of evolving cyber threats.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center