CyberSecurity updates
2025-02-23 07:47:52 Pacific

NetSupport RAT Use Surges via ClickFix Distribution - 12d
Read more: www.esentire.com

The eSentire Threat Intelligence team has observed a significant surge in the use of the NetSupport Remote Access Trojan (RAT) since January 2025. This increase is linked to attacks utilizing the emerging "ClickFix" initial access vector, a social engineering technique where users are tricked into executing malicious PowerShell commands. This RAT grants attackers full control over compromised systems, enabling them to monitor screens, control input devices like keyboard and mouse, upload and download files, and execute further malicious commands.

This surge includes a malvertising campaign distributing a fake Cisco AnyConnect installer containing the NetSupport RAT. The RAT originated as NetSupport Manager, a legitimate IT support tool available since 1989, and has been weaponized by cybercriminals. If left undetected, NetSupport RAT can lead to advanced threats, including ransomware attacks, compromising sensitive data, and disrupting business operations. Organizations are advised to validate their security controls and educate users on common initial access techniques, such as ClickFix.

eSentire MDR for Network and Endpoint detects NetSupport RAT activity, and the eSentire Threat Response Unit is performing threat hunts for known Indicators of Compromise across customer environments. IP addresses associated with real-world attacks are blocked via the eSentire Global Block List, and additional Indicators of Compromise have been added to the eSentire Threat Intelligence Feed. The eSentire Tactical Threat Response (TTR) team has developed detections for the ClickFix initial access vector (IAV) in eSentire MDR for Network.