How NetSupport RAT Abuses Legitimate Remote Admin Tool

Umut Bayram | January 29, 2026

NetSupport RAT is a malicious repurposing of the legitimate remote administration tool, NetSupport Manager, which has been available for over 30 years. While the original software is designed for valid technical support and system management, threat actors have co-opted its robust feature set to conduct unauthorized surveillance and establish persistent control over victim environments.

The malware is often distributed through complex social engineering campaigns, including drive-by downloads, compromised sites, and phishing schemes that masquerade as browser updates (such as Google Chrome) or popular gaming applications like Pokémon.

Once inside the network, the RAT establishes persistence through registry modifications or scheduled tasks and communicates with Command and Control (C2) servers, using standard HTTP/HTTPS protocols to blend in with normal traffic. Post-compromise activities frequently involve credential harvesting and the deployment of additional payloads, such as ransomware.

In this post, we will explain the technical structure of NetSupport RAT. We will detail its infection lifecycle, which relies on deceptive vectors like "ClickFix" and fake updates. Furthermore, we will analyze its core surveillance capabilities and its specific persistence mechanisms. Finally, we will demonstrate how Picus helps simulate this threat.

How Does NetSupport RAT Work?

The operation of NetSupport RAT follows a distinct lifecycle, moving from initial delivery via social engineering to deep system integration and persistent command and control (C2) communication.

Delivery and Infection Vectors

Threat actors primarily utilize deceptive "lures" to trick users into initiating the infection chain. Common vectors include:

  • Fake Browser Updates: Victims visiting compromised websites are presented with overlays claiming their browser (e.g., Chrome) is outdated. Clicking the update button triggers the download of a malicious JavaScript file, such as Update_browser_10.6336.js [1].
  • The "ClickFix" Technique: In this variation, compromised sites display a fake CAPTCHA page. Users are instructed to copy a "fix" command to their clipboard and execute it via the Windows Run prompt or PowerShell. This copies a malicious script directly into the system [2].
  • Malicious ISO and Game Lures: Campaigns have been observed distributing ISO files (e.g., CLF_security.iso) or disguised installers for games (e.g., Pokémon NFT games). These files often contain the RAT payload hidden within seemingly legitimate directory structures [3].

Components

After the victim executes the lure, the dropped files contain the legitimate NetSupport binaries alongside malicious configuration files [4]:

  • client32.exe: The main NetSupport Client application.
  • client32.ini: The configuration file dictating C2 behavior (i.e., the C2 server address).
  • NSM.lic: A license file to validate the software.
  • DLL Dependencies: Essential libraries such as HTCTL32.DLL, PCICL32.DLL, and msvcr100.dll.
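
A triage sketch for the file set listed above, added here as an example and not code from Picus or the cited reports: it walks a directory tree, reports any folder that holds client32.exe next to client32.ini outside an expected install root, and pulls the gateway values out of the configuration. The `[HTTP]` section with its `GatewayAddress` and `SecondaryGateway` keys, the Program Files allow-list, the function names and the sample tree are assumptions that do not come from this page.

```python
import tempfile
from pathlib import Path

# File names the article lists for the dropped bundle (lower-cased for matching).
BUNDLE = {"client32.exe", "client32.ini", "nsm.lic",
          "htctl32.dll", "pcicl32.dll", "msvcr100.dll"}
# Assumptions: a sanctioned install lives under Program Files, and the C2
# address sits in these [HTTP] keys of client32.ini (key names are not on the page).
EXPECTED_ROOTS = ("program files",)
GATEWAY_KEYS = {"gatewayaddress", "secondarygateway"}

def read_gateways(ini_path):
    """Return non-empty gateway values; tolerates lines before the first section."""
    section, found = "", []
    for raw in Path(ini_path).read_text(errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "http" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in GATEWAY_KEYS and value:
                found.append(value)
    return found

def find_bundles(root):
    """Return (directory, matched file names, gateways) per unexpected bundle."""
    hits = []
    for ini in (p for p in Path(root).rglob("*") if p.name.lower() == "client32.ini"):
        matched = BUNDLE & {p.name.lower() for p in ini.parent.iterdir() if p.is_file()}
        expected = any(r in str(ini.parent).lower() for r in EXPECTED_ROOTS)
        if "client32.exe" in matched and not expected:
            hits.append((ini.parent, sorted(matched), read_gateways(ini)))
    return hits

def build_sample(root):
    """Constructed sample tree: one dropped bundle and one expected install."""
    drop = Path(root, "Users", "alice", "AppData", "Roaming", "UpdSvc")
    for d in (drop, Path(root, "Program Files", "NetSupport")):
        d.mkdir(parents=True)
        for name in ("client32.exe", "client32.ini", "NSM.lic", "HTCTL32.DLL"):
            (d / name).write_bytes(b"")
    (drop / "client32.ini").write_text(
        "; constructed\n[HTTP]\nGatewayAddress=gateway.example.invalid:443\nSecondaryGateway=\n")
    return drop

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(find_bundles(tmp))
```

A hit is a lead for review, not a verdict: the binaries are the legitimate NetSupport client, so the location and the configured gateway are what separate a managed install from a dropped one.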

Core Capabilities

Threat actors utilizing NetSupport RAT possess extensive capabilities for input manipulation and surveillance, including the ability to lock a victim's mouse and keyboard and execute system commands like shutdowns or reboots. The malware is also capable of capturing audio, video, and screenshots from the infected machine to monitor user activity [3].

Regarding system administration, the RAT facilitates robust file management, enabling file transfers and the general ability to upload, download, run, and view files. Attackers can further manipulate computer settings [1].

For post-exploitation activities, the tool serves as a launchpad to deploy additional malware, such as ransomware or other malicious payloads. Once established, it allows for lateral movement to other devices within the network, often utilizing supplementary tools like the Impacket framework. Attackers may also deploy utilities such as ProcDump to extract authentication data and credentials from system memory [4].

Persistence Mechanisms

The malware employs a combination of distinct techniques to maintain persistence on the system. It secures execution by adding an entry to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key [4], as well as placing shortcut (.url) files within the user's Startup directory. Additionally, the malware configures scheduled tasks with various triggers to ensure it is automatically relaunched periodically [3].
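
The Run-key and Startup-shortcut checks described above, as an added example (not code from Picus or the cited reports): it parses `reg query` output for the HKCU Run key and the contents of Startup .url files, then flags targets named client32.exe or located in user-writable folders. The folder list, the function names and the sample input are assumptions made for illustration.

```python
import ntpath
import re
from urllib.parse import unquote, urlparse

# Assumption: autoruns from these user-writable locations deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
RUN_VALUE = re.compile(r"^\s+(?P<name>.+?)\s{4}REG_(?:EXPAND_)?SZ\s{4}(?P<data>.+)$")

def exe_from_command(cmd):
    """Pull the program path out of a Run value (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i).+?\.(?:exe|com|bat|cmd|js|vbs|ps1)\b", cmd)
    return m.group(0) if m else cmd.split(" ", 1)[0]

def run_key_targets(text):
    """(source, program path) for each string value in `reg query` output."""
    matches = (RUN_VALUE.match(line) for line in text.splitlines())
    return [(f"Run:{m['name']}", exe_from_command(m["data"])) for m in matches if m]

def url_shortcut_target(name, content):
    """(source, path) when a Startup .url shortcut points at a local file."""
    for line in content.splitlines():
        if line.strip().lower().startswith("url="):
            u = urlparse(line.split("=", 1)[1].strip())
            if u.scheme == "file":
                return f"Startup:{name}", unquote(u.path).lstrip("/").replace("/", "\\")
    return None

def is_suspicious(path):
    p = path.lower()
    return ntpath.basename(p) == "client32.exe" or any(d in p for d in USER_WRITABLE)

def triage(reg_query_text, startup_urls):
    """Flag Run values and Startup shortcuts whose target looks like the RAT."""
    entries = run_key_targets(reg_query_text)
    entries += [t for n, c in startup_urls.items() if (t := url_shortcut_target(n, c))]
    return [(src, path) for src, path in entries if is_suspicious(path)]

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    VendorAgent    REG_SZ    "C:\Program Files\Vendor\Agent\agent.exe" /background
    UpdSvc    REG_SZ    C:\Users\alice\AppData\Roaming\UpdSvc\client32.exe
"""
SAMPLE_URLS = {"helper.url": "[InternetShortcut]\nURL=file:///C:/ProgramData/Helper/client32.exe\n"}
if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_URLS))
```

Scheduled-task actions exported from the host can be passed through `exe_from_command` and `is_suspicious` the same way. Expect benign hits from the folder rule, since many legitimate applications also autostart from AppData.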

How Does Picus Simulate NetSupport RAT Attacks?

We also strongly suggest simulating NetSupport RAT attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other malware variants, such as BRICKSTORM, VenomRAT, Chinotto, and Rustonotto, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threats for NetSupport RAT attacks:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 57814 | NetSupport RAT Download Threat | Network Infiltration |
| 68079 | NetSupport RAT Email Threat | E-mail Infiltration |
| 30615 | NetSupport Loader Download Threat | Network Infiltration |
| 71937 | NetSupport Loader Email Threat | E-mail Infiltration |
| 26890 | NetSupportRAT Malware Downloader Download Threat | Network Infiltration |
| 90807 | NetSupportRAT Malware Downloader Email Threat | E-mail Infiltration |
| 63243 | NetSupportRAT Malware Dropper Download Threat | Network Infiltration |
| 82958 | NetSupportRAT Malware Dropper Email Threat | E-mail Infiltration |
| 92719 | Mustard Tempest Threat Group Campaign Malware Downloader Download Threat | Network Infiltration |
| 96850 | Mustard Tempest Threat Group Campaign Malware Downloader Email Threat | E-mail Infiltration |
| 90693 | Mustard Tempest Threat Group Campaign Malware Dropper Download Threat | Network Infiltration |
| 52045 | Mustard Tempest Threat Group Campaign Malware Dropper Email Threat | E-mail Infiltration |
| 97567 | HornsAndHooves Campaign Malware Download Threat | Network Infiltration |
| 91237 | HornsAndHooves Campaign Malware Email Threat | E-mail Infiltration |
| 41347 | NetSupport Malware Dropper Download Threat | Network Infiltration |
| 98643 | NetSupport Malware Dropper Email Threat | E-mail Infiltration |
| 55267 | FakeSG Campaign Malware Download Threat | Network Infiltration |
| 58682 | FakeSG Campaign Malware Email Threat | E-mail Infiltration |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • NetSupport RAT is a malicious repurposing of the legitimate NetSupport Manager remote administration tool, used by threat actors to conduct unauthorized surveillance and establish persistent control.
  • Distribution relies on complex social engineering, including drive-by downloads, compromised sites, and fake browser updates or gaming installers.
  • Infection vectors include the "ClickFix" technique, where users are tricked into copying a fix command from a fake CAPTCHA page and executing it via PowerShell or the Windows Run prompt.
  • The malware operates by dropping legitimate binaries like client32.exe alongside malicious configuration files such as client32.ini to dictate Command and Control behavior.
  • Core capabilities allow attackers to lock mouse and keyboard inputs, capture audio and screenshots, transfer files, and execute system commands like shutdowns.
  • Post-compromise activities often involve lateral movement using the Impacket framework, credential harvesting via ProcDump, and the deployment of secondary payloads like ransomware.
  • Persistence is achieved through registry modifications, shortcut files placed in the Startup directory, and scheduled tasks that ensure the malware automatically relaunches.

References

[1] A. Ngo, A. Schneider, and F. Carlisle, “NetSupport RAT: The RAT King Returns,” VMware Security Blog. Accessed: Jan. 26, 2026. [Online]. Available: https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html

[2] “Deploying NetSupport RAT via WordPress & ClickFix.” Accessed: Jan. 26, 2026. [Online]. Available: https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix

[3] J. Walter, “Gotta Catch ’Em All,” SentinelOne. Accessed: Jan. 26, 2026. [Online]. Available: https://www.sentinelone.com/blog/gotta-catch-em-all-understanding-the-netsupport-rat-campaigns-hiding-behind-pokemon-lures/

[4] Microsoft Corporation, “Trojan:Win32/NetSupportRat!MTB.” Accessed: Jan. 26, 2026. [Online]. Available: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/NetSupportRat!MTB&ocid=magicti_blog_ency
