eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Beginning in early January 2025, eSentire Threat Response Unit (TRU) observed an increase in the number of incidents involving the NetSupport Remote Access Trojan (RAT). This activity remains common leading into early February. NetSupport RAT grants the attackers full control over the victim's host, allowing them to monitor the user's screen, control the keyboard and mouse, upload and download files, and launch and execute malicious commands. If left undetected, NetSupport RAT can lead to advanced threats, including ransomware attacks, compromising sensitive data, and disrupting business operations.
The eSentire Threat Intelligence team observed a notable spike in the use of NetSupport RAT in multiple recent incidents. This increase was observed in attacks that involved the emerging "ClickFix” Initial Access Vector (IAV), where end-users are socially engineered into copying and executing attacker-provided PowerShell commands (Refer to Figure.1).
As there is an ongoing NetSupport RAT campaign, organizations are recommended to validate their security controls and educate users on common initial access techniques, such as ClickFix.
What we’re doing about it
eSentire MDR for Network and Endpoint detect NetSupport RAT activity
eSentire's Threat Response Unit is performing threat hunts for known Indicators of Compromise across customer environments
IP addresses associated with real-world attacks are blocked via the eSentire Global Block List and additional Indicators of Compromise have been added to the eSentire Threat Intelligence Feed
The eSentire Tactical Threat Response (TTR) team has developed detections for the Clickfix IAV in eSentire MDR for Network
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
Ensure Endpoint Detection and Response (EDR) agents are deployed to all corporate assets including workstations and servers
Provide security awareness training to users that includes emerging techniques such as ClickFix
Limit user permissions to prevent installation of untrusted or unauthorized software
Provide users with a trusted source to download any approved software
To prevent the ClickFix Initial Access Vector, consider disabling:
The Run prompt via Group Policy Objects (GPO)
WScript.exe via AppLocker GPO or Windows Defender Application Control (WDAC)
Mshta.exe via AppLocker GPO or Windows Defender Application Control (WDAC)
Additional information
NetSupport RAT is a Remote Access Trojan (RAT) that is used by threat actors to gain control of the victim's host. It was originally developed as a remote IT support tool in 1989 and was known as NetSupport Manager but has been weaponized by cybercriminals in recent years. Threat actors, including TA569 and SmartApe SG (also referred to as ZPHP or HANEYMANEY), have been observed delivering the NetSupport Remote Access Trojan (RAT) to target organizations via fake browser update campaigns.
Once the malicious NetSupport client is installed on the victim's host, it enables real-time screen monitoring, full control of the user's screens, capture of screenshots, audio, and video, as well as bulk file upload and download. This gives threat actors the ability to perform data exfiltration and introduce additional malware payloads.
In January 2025, eSentire observed multiple incidents where ClickFix was used to deliver the NetSupport RAT. ClickFix is a technique used by threat actors to inject a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads.
In recently observed incidents, the NetSupport RAT payloads were often hosted on a URL that contained “.png” in the URL path. When the PowerShell command is executed by the user, it downloads the NetSupport RAT client (client32.exe) and its configuration file (client32.ini) on the host, which helps to establish Command-and-Control (C2) connections to the NetSupport RAT gateways. The NetSupport RAT C2 gateway URL often contains the string "fakeurl.htm" in its path.
Figure.1: ClickFix Fake Landing Page (Source: Any[.]Run)
Figure2: ClickFix led to Deployment of NetSupport RAT (Source: Any[.]Run)
Figure3: NetSupport RAT Payload Hosting and C2 (Source: VirusTotal)
Figure4: Content of the PowerShell script that downloads the NetSupport RAT components
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
![Figure.1: ClickFix Fake Landing Page (Source: Any[.]Run)](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/NetSupport-RAT-Clickfix-Distribution-Picture1.png)
![Figure2: ClickFix led to Deployment of NetSupport RAT (Source: Any[.]Run)](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/NetSupport-RAT-Clickfix-Distribution-Picture2.png)
