HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Unidentified RAT Deploys NetSupport RAT, Raising Supply‑Chain Threat to Enterprise Endpoints

Researchers spotted an unknown Remote Access Trojan that silently installs NetSupport RAT on victim machines, exposing credentials and proprietary data across multiple industries. The dropper is delivered via phishing and leverages PowerShell, highlighting a new vector for third‑party risk.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 isc.sans.edu
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
isc.sans.edu

Unidentified Remote Access Trojan Deploys NetSupport RAT Across Multiple Enterprises

What Happened — Security researchers observed an unknown Remote Access Trojan (RAT) that silently downloads and installs the NetSupport RAT payload on compromised hosts. The activity was first reported on June 1 2024 via the SANS Internet Storm Center.

Why It Matters for TPRM

  • Unauthenticated RAT deployment indicates a breach of endpoint security controls at third‑party vendors.
  • NetSupport RAT can exfiltrate credentials, intellectual property, and operational data, creating downstream supply‑chain risk.
  • The attacker’s use of a “dropper” RAT makes detection harder for traditional AV solutions, raising the bar for vendor risk assessments.

Who Is Affected — Technology service providers, MSPs, SaaS platforms, and any organization that permits remote administration tools on employee workstations.

Recommended Actions

  • Verify that all third‑party vendors enforce strict remote‑access policies and MFA for privileged tools.
  • Conduct endpoint detection and response (EDR) health checks for signs of unknown RAT binaries.
  • Update allow‑list rules to block execution of unsigned NetSupport RAT components.

Technical Notes — The unidentified RAT appears to be delivered via phishing emails with malicious Office macros, then uses PowerShell to fetch the NetSupport RAT from a hard‑coded C2. No CVE is directly referenced, but the payload leverages known Windows COM abuse techniques. Data types at risk include credentials, email archives, and proprietary documents. Source: SANS Internet Storm Center

📰 Original Source
https://isc.sans.edu/diary/rss/33034

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →