Unidentified Remote Access Trojan Deploys NetSupport RAT Across Multiple Enterprises
What Happened — Security researchers observed an unknown Remote Access Trojan (RAT) that silently downloads and installs the NetSupport RAT payload on compromised hosts. The activity was first reported on June 1 2024 via the SANS Internet Storm Center.
Why It Matters for TPRM —
- Unauthenticated RAT deployment indicates a breach of endpoint security controls at third‑party vendors.
- NetSupport RAT can exfiltrate credentials, intellectual property, and operational data, creating downstream supply‑chain risk.
- The attacker’s use of a “dropper” RAT makes detection harder for traditional AV solutions, raising the bar for vendor risk assessments.
Who Is Affected — Technology service providers, MSPs, SaaS platforms, and any organization that permits remote administration tools on employee workstations.
Recommended Actions —
- Verify that all third‑party vendors enforce strict remote‑access policies and MFA for privileged tools.
- Conduct endpoint detection and response (EDR) health checks for signs of unknown RAT binaries.
- Update allow‑list rules to block execution of unsigned NetSupport RAT components.
Technical Notes — The unidentified RAT appears to be delivered via phishing emails with malicious Office macros, then uses PowerShell to fetch the NetSupport RAT from a hard‑coded C2. No CVE is directly referenced, but the payload leverages known Windows COM abuse techniques. Data types at risk include credentials, email archives, and proprietary documents. Source: SANS Internet Storm Center