Unknown threat actor distributes NetSupport RAT via secondary infection chain
A previously unidentified threat actor is distributing NetSupport RAT, a legitimate remote access tool repurposed for malicious purposes. This represents an active malware campaign using RAT tooling for post-compromise control.
Affected
An unattributed threat actor is actively pushing NetSupport RAT as part of their infection chain. NetSupport Manager is a legitimate remote support application that has become a common post-compromise persistence tool in recent malware campaigns, particularly following increased detection of commodity RAT variants.
The technical significance lies in the layered approach: the initial vector (unspecified in this brief) leads to secondary payload delivery of NetSupport RAT, suggesting a multi-stage attack pattern. This separation of initial compromise from persistence tooling allows attackers to evade signature-based detection and complicates incident response attribution.
Organisations running NetSupport Manager in production environments face risk from both compromise of internet-facing instances and lateral movement scenarios where the RAT can be installed on internal systems. The tool's legitimate business purpose makes it difficult to distinguish malicious from benign usage, particularly in environments where remote support is routine.
Defenders should inventory NetSupport Manager deployments, enforce strict access controls and network segmentation around instances, monitor for unusual outbound connections from NetSupport processes, and review logs for administrative credential usage associated with the tool. EDR systems should flag NetSupport child processes spawning command shells or scripts.
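One way to turn the two EDR recommendations above (NetSupport spawning shells, unusual outbound connections from NetSupport processes) into detection logic, as an added example that is not from the brief or its sources. It assumes the NetSupport Manager client binary is named client32.exe, a simple JSON-lines telemetry shape, and a hypothetical gateway allow-list; the sample events are constructed.

```python
import json
from pathlib import PureWindowsPath

# Assumption, not stated in the brief: the NetSupport Manager client is client32.exe.
NETSUPPORT_IMAGES = {"client32.exe"}
# Interpreters a remote-support client has no routine reason to launch.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Hypothetical allow-list of the organisation's approved NetSupport gateways.
ALLOWED_HOSTS = {"gateway.corp.example"}


def _basename(path):
    return PureWindowsPath(path).name.lower()


def check_event(event, allowed_hosts):
    """Return an alert string for one telemetry event, or None if benign.
    "process" events carry image/parent_image/cmdline, "network" events carry
    image/dest_host; this shape is an assumption, adapt it to your EDR schema."""
    if event["type"] == "process":
        if (_basename(event["parent_image"]) in NETSUPPORT_IMAGES
                and _basename(event["image"]) in SHELL_IMAGES):
            return f"netsupport-spawned-shell: {event['cmdline']}"
    elif event["type"] == "network":
        if (_basename(event["image"]) in NETSUPPORT_IMAGES
                and event["dest_host"].lower() not in allowed_hosts):
            return f"netsupport-unexpected-egress: {event['dest_host']}"
    return None


def triage(jsonl, allowed_hosts=ALLOWED_HOSTS):
    """Run check_event over JSON-lines telemetry and return the alerts raised."""
    allowed = {h.lower() for h in allowed_hosts}
    events = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return [alert for alert in (check_event(e, allowed) for e in events) if alert]


# Constructed sample telemetry, not real logs: a benign shell under explorer,
# a shell spawned by the RAT client, an approved gateway session, and egress
# to an unapproved host (TEST-NET-2 address, constructed).
SAMPLE_LOG = r"""
{"type": "process", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"type": "process", "parent_image": "C:\\Program Files\\NetSupport\\client32.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"type": "network", "image": "C:\\Program Files\\NetSupport\\client32.exe", "dest_host": "gateway.corp.example"}
{"type": "network", "image": "C:\\Program Files\\NetSupport\\client32.exe", "dest_host": "198.51.100.7"}
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Running it against the sample log raises exactly two alerts, one per rule; the explorer-spawned shell and the approved gateway session stay silent, which is the distinction between routine support use and misuse the brief calls for.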
The broader pattern shows threat actors have largely moved past custom malware for post-compromise control in favour of legitimate tools, reducing development overhead and complicating detection. The anonymity of this actor is notable and suggests either a new group, a known actor using fresh infrastructure, or routine operational security measures that have so far prevented attribution.
Sources
- SANS ISC