Unpacking NetSupport RAT Loaders Delivered via ClickFix
Oct. 24, 2025, 9:45 a.m.
Description
eSentire's Threat Response Unit observed multiple threat groups using NetSupport Manager for malicious purposes throughout 2025. These groups have shifted from Fake Updates to ClickFix as their primary delivery method. The attack methodology involves socially engineering victims into executing malicious commands in the Windows Run prompt, which leads to the extraction and execution of NetSupport. Three distinct threat groups were identified, each using different loaders and infrastructure. The groups are designated by their licensee names: EVALUSION, FSHGDREE32/SGI, and XMLCTL. The analysis includes details on the PowerShell/JSON-based loader, the MSI-based loader, and NetSupport PCAP analysis. An unpacking utility and a YARA rule are provided to help researchers detect and analyze NetSupport variants.
Tags
Date
- Created: Oct. 24, 2025, 4:30 a.m.
- Published: Oct. 24, 2025, 4:30 a.m.
- Modified: Oct. 24, 2025, 9:45 a.m.
Additional Information
- Bulgaria
- Lithuania
- United Arab Emirates
- Moldova, Republic of
- United Kingdom of Great Britain and Northern Ireland
- United States of America
- Russian Federation