#NetSupportRAT

Legitimate NetSupport Manager remote-administration tool abused as a Remote Access Trojan


IOCs by window

IOCs tagged #NetSupportRAT:

  • Today: 0
  • Week: 0
  • Month: 5
  • Year: 1,127

Counts as of 2026-06-29. Regenerated daily.

About #NetSupportRAT

  • Type: legitimate commercial remote-administration tool (NetSupport Manager) by NetSupport Ltd, repurposed by attackers for unauthorised remote access. The original tool is widely deployed in education and IT-support contexts, which helps it blend into defender telemetry.
  • Abuse pattern: delivered via SocGholish-style fake-browser-update lures, malvertising, and trojanised installers. Provides full RDP-like capabilities (screen, file, process, registry control) without the binary being immediately classified as malicious by default AV.
  • Detection signals: client32.exe, presentationsettings.exe and nsm.lic license file in unusual user-profile paths; gateway connections to geo.netsupportsoftware.com from non-IT user accounts; HTTP POSTs to fastpath/Gateway32.aspx.
  • References: MITRE ATT&CK S0480 · Malpedia.
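
The detection signals listed above, expressed as a small triage routine over file and proxy events. This is an added example, not part of the TweetFeed page or pipeline; the event field names, the `IT_ACCOUNTS` allowlist, the reading of "user-profile path" as anything under `C:\Users\<name>\`, and all sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# File names and network markers come from the detection-signals bullet above.
NSM_FILES = {"client32.exe", "presentationsettings.exe", "nsm.lic"}
GEO_HOST = "geo.netsupportsoftware.com"
GATEWAY_SUFFIX = "/fastpath/gateway32.aspx"
# Assumption: "user-profile path" means anything under C:\Users\<name>\.
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
# Assumption: hypothetical allowlist of accounts expected to use NetSupport Manager.
IT_ACCOUNTS = {"helpdesk01"}

def check_file_event(ev):
    """Flag NetSupport client files seen under a user profile."""
    name = ev["path"].rsplit("\\", 1)[-1].lower()
    if name in NSM_FILES and USER_PROFILE.match(ev["path"]):
        return "nsm-file-in-profile:" + name
    return None

def check_proxy_event(ev):
    """Flag a geo lookup from a non-IT account, or a POST to the gateway path."""
    url = urlsplit(ev["url"])
    if (url.hostname or "").lower() == GEO_HOST and ev["user"].lower() not in IT_ACCOUNTS:
        return "geo-lookup-non-it"
    if ev["method"].upper() == "POST" and url.path.lower().endswith(GATEWAY_SUFFIX):
        return "gateway32-post"
    return None

def triage(file_events, proxy_events):
    """Return {user: sorted signals}; several signals for one user corroborate each other."""
    hits = {}
    for check, events in ((check_file_event, file_events), (check_proxy_event, proxy_events)):
        for ev in events:
            signal = check(ev)
            if signal:
                hits.setdefault(ev["user"], set()).add(signal)
    return {user: sorted(signals) for user, signals in hits.items()}

# Constructed sample events (not real telemetry).
FILE_EVENTS = [
    {"user": "jsmith", "path": r"C:\Users\jsmith\AppData\Roaming\Updater\client32.exe"},
    {"user": "jsmith", "path": r"C:\Users\jsmith\AppData\Roaming\Updater\NSM.LIC"},
    {"user": "helpdesk01", "path": r"C:\Program Files\NetSupport\client32.exe"},
]
PROXY_EVENTS = [
    {"user": "jsmith", "method": "GET", "url": "http://geo.netsupportsoftware.com/"},
    {"user": "helpdesk01", "method": "GET", "url": "http://geo.netsupportsoftware.com/"},
    {"user": "jsmith", "method": "POST", "url": "http://gateway.example.test/fastpath/Gateway32.aspx"},
]
```

No single signal is conclusive on its own, since the same binaries and hosts appear in legitimate NetSupport Manager deployments; the per-user grouping is there so that co-occurring signals can be prioritised.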

Recent IOCs tagged #NetSupportRAT

Latest 5 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/netsupportrat.

Date            Type      Value                       Source
Jun 20, 15:19   domain    cdnpro-987.xyz              @ffforward
Jun 20, 15:19   url       http://cdnpro-987.xyz       @ffforward
Jun 20, 15:19   domain    cdnportal-us.xyz            @ffforward
Jun 20, 15:19   url       http://cdnportal-us.xyz     @ffforward
Jun 20, 15:19   url       http://178.16.55.191        @ffforward

Past-month volume is low; the year aggregate (1,127) reflects historical activity. For a longer window, download the full annual feed api.tweetfeed.live/v1/year (all tags) and filter for #NetSupportRAT client-side.


Frequently asked questions

What is NetSupport RAT?

NetSupport RAT is the security-research label for unauthorised use of the legitimate NetSupport Manager remote-administration product. NetSupport Manager itself is sold by NetSupport Ltd for IT-support and education-sector use; attackers ship the same binary stack (client32.exe, gateway components, license files) as a Remote Access Trojan via fake browser updates, malvertising and trojanised installers. MITRE ATT&CK tracks it as S0480.

How does NetSupport RAT typically arrive on a victim system?

Most commonly via SocGholish-style fake-browser-update lures (a compromised site renders a Chrome / Firefox update prompt that drops the installer), malvertising on lookalike software-download sites, and trojanised installers for popular utilities. Once installed, the operator gets full screen / file / process / registry control.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. NetSupport RAT-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this NetSupport RAT subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

NetSupport RAT IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).