NETSUPPORT RAT is the malicious abuse of the legitimate NetSupport Manager remote administration tool. Originally designed for IT support, threat actors exploit it to gain unauthorized system access, exfiltrate data, and deploy malware or info‑stealers, turning trusted functionality into a dangerous attack vector, according to Darktrace.
In November 2025, suspicious activity indicative of the abusive use of NetSupport Manager was observed on multiple Darktrace customers across Europe, the Middle East and Africa and the Americas. The blog notes that OSINT reported a campaign where a threat actor impersonated government entities to trick organisations in Central Asia, targeting Information Technology, Government and Financial Services sectors, with a notable mix of US-based and EMEA‑based affected customers.
Darktrace highlights how a tool’s legitimacy does not protect it from abuse, and that its anomaly-based detection can identify malicious activity even when there are no clear IoCs or signatures.