#NetSupportRAT

Legitimate NetSupport Manager remote-administration tool abused as a Remote Access Trojan


#NetSupportRAT

NetSupport Manager abused as RAT

IOCs by window

Today

0

IOCs tagged #NetSupportRAT

Week

0

IOCs tagged #NetSupportRAT

Month

0

IOCs tagged #NetSupportRAT

Year

1,778

IOCs tagged #NetSupportRAT

Counts as of 2026-04-29. Regenerated daily.

About #NetSupportRAT

  • Type: legitimate commercial remote-administration tool (NetSupport Manager) by NetSupport Ltd, repurposed by attackers for unauthorised remote access. The original tool is widely deployed in education and IT-support contexts, which helps it blend in to defender telemetry.
  • Abuse pattern: delivered via SocGholish-style fake-browser-update lures, malvertising, and trojanised installers. Provides full RDP-like capabilities (screen, file, process, registry control) without the binary being immediately classified as malicious by default AV.
  • Detection signals: client32.exe, presentationsettings.exe and nsm.lic license file in unusual user-profile paths; gateway connections to geo.netsupportsoftware.com from non-IT user accounts; HTTP POSTs to fastpath/Gateway32.aspx.
  • References: MITRE ATT&CK S0480 · Malpedia.

Recent IOCs tagged #NetSupportRAT

No IOCs tagged #NetSupportRAT in the past 30 days. Year aggregate: 1,778. For longer-window data, query api.tweetfeed.live/v1/year/netsupportrat.

Related tags

Tags that frequently co-occur with #NetSupportRAT.

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What is NetSupport RAT?

NetSupport RAT is the security-research label for unauthorised use of the legitimate NetSupport Manager remote-administration product. NetSupport Manager itself is sold by NetSupport Ltd for IT-support and education-sector use; attackers ship the same binary stack (client32.exe, gateway components, license files) as a Remote Access Trojan via fake browser updates, malvertising and trojanised installers. MITRE ATT&CK tracks it as S0480.

How does NetSupport RAT typically arrive on a victim system?

Most commonly via SocGholish-style fake-browser-update lures (a compromised site renders a Chrome / Firefox update prompt that drops the installer), malvertising on lookalike software-download sites, and trojanised installers for popular utilities. Once installed, the operator gets full screen / file / process / registry control.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. NetSupport RAT-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this NetSupport RAT subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

NetSupport RAT IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).