Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Figure 1: An interactive snapshot of Antigena Email’s user interface
Antigena Email recently detected a malicious email sent from a legitimate corporate email account – presumably that of a supplier – that had been subject to an account takeover. The email claimed to be a ShareFile notification, but contained links to malicious domains previously associated with phishing attacks. These webpages are commonly designed to trick users into downloading malware or leaking sensitive corporate information.
Figure 2: A subset of the breached models and associated actions
Why was this attack effective?
This attack combined an account takeover with a typical impersonation attack. At first glance, all of the email’s elements appear legitimate, from the ShareFile notification, to the genuine and trusted corporate email address, to the subject line.
The email contained an additional misleading link featuring an email address seemingly associated with the recipient, but that also redirected a user to a malicious webpage. Believing that the email contained genuine ShareFile content, given past legitimate business interactions with the supplier, a user may have easily clicked on one of the malicious links and entered sensitive information on the phishing page.
Sender information
The sender’s name was listed as “share_file®”, but the email address was associated with a compromised account from a Ukrainian electronic components company.
Why did this attack bypass other email security solutions?
As the email came from a genuine corporation and trusted supplier known to the organization, it would have passed the Sender Policy Framework (SPF) authentication technique and been considered legitimate. The fact that the account sending the email had not yet been reported as compromised meant that the email was not flagged as spam by traditional security solutions, and would have been able to distribute malicious content to employees.
AI email security that evolves with you
Antigena Email recognized that the suspicious link in the email fell outside of both the sender and recipient’s normal ‘patterns of life.’ The AI took the strongest possible action, preventing the targets from engaging with the email and malicious link contained within. Compromised accounts can be some of the most difficult attacks to detect, because of the trusted relationships that exist with other organizations. This attack demonstrates the power of AI email security that continuously evolves with a business.
Thanks to Darktrace analyst Lucas O’Donohue for his insights on the above threat find.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
NetSupport RAT: How Legitimate Tools Can Be as Damaging as Malware
What is NetSupport Manager?
NetSupport Manager is a legitimate IT tool used by system administrators for remote support, monitoring, and management. In use since 1989, NetSupport Manager enables users to remotely access and navigate systems across different platforms and operating systems [1].
What is NetSupport RAT?
Although NetSupport Manager is a legitimate tool that can be used by IT and security professionals, there has been a rising number of cases in which it is abused to gain unauthorized access to victim systems. This misuse has become so prevalent that, in recent years, security researchers have begun referring to NetSupport as a Remote Access Trojan (RAT), a term typically used for malware that enables a threat actor to remotely access or control an infected device [2][3][4].
NetSupport RAT activity summary
The initial stages of NetSupport RAT infection may vary depending on the source of the initial compromise. Using tactics such as the social engineering tactic ClickFix, threat actors attempt to trick users into inadvertently executing malicious PowerShell commands under the guise of resolving a non-existent issue or completing a fake CAPTCHA verification [5]. Other attack vectors such as phishing emails, fake browser updates, malicious websites, search engine optimization (SEO) poisoning, malvertising and drive-by downloads are also employed to direct users to fraudulent pages and fake reCAPTCHA verification checks, ultimately inducing them to execute malicious PowerShell commands [5][6][7]. This leads to the successful installation of NetSupport Manager on the compromised device, which is often placed in non-standard directories such as AppData, ProgramData, or Downloads [3][8].
Once installed, the adversary is able to gain remote access to the affected machine, monitor user activity, exfiltrate data, communicate with the command-and-control (C2) server, and maintain persistence [5]. External research has also highlighted that post-exploitation of NetSupport RAT has involved the additional download of malicious payloads [2][5].
Figure 1: Attack flow diagram highlighting key events across each phase of the attack phase [2][5].
Darktrace coverage
In November of 2025, suspicious behavior indicative of the malicious abuse of NetSupport Manager was observed on multiple customers across Europe, the Middle East, and Africa (EMEA) and the Americas (AMS).
While open-source intelligence (OSINT) has reported that, in a recent campaign, a threat actor impersonated government entities to trick users in organizations in the InformationTechnology, Government and FinancialServices sectors in CentralAsia into downloading NetSupport Manager [8], approximately a third of Darktrace’s affected customers in November were based in the US while the rest were based in EMEA. This contrast underscores how widely NetSupport Manager is leveraged by threat actors and highlights its accessibility as an initial access tool.
The Darktrace customers affected were in sectors including Information andCommunication, Manufacturing and Arts, entertainment and recreation.
The ClickFix social engineering tactic typically used to distribute the NetSupport RAT is known to target multiple industries, including Technology, Manufacturing and Energy sectors [9]. It also reflects activity observed in the campaign targeting Central Asia, where the Information Technology sector was among those affected [8].
The prevalence of affected Education customers highlights NetSupport’s marketing focus on the Education sector [10]. This suggests that threat actors are also aware of this marketing strategy and have exploited the trust it creates to deploy NetSupport Manager and gain access to their targets’ systems. While the execution of the PowerShell commands that led to the installation of NetSupport Manager falls outside of Darktrace's purview in cases identified, Darktrace was still able to identify a pattern of devices making connections to multiple rare external domains and IP addresses associated with the NetSupport RAT, using a wide range of ports over the HTTP protocol. A full list of associated domains and IP addresses is provided in the Appendices of this blog.
Although OSINT identifies multiple malicious domains and IP addresses as used as C2 servers, signature-based detections of NetSupport RAT indicators of compromise (IoCs) may miss broader activity, as new malicious websites linked to the RAT continue to appear.
Darktrace’s anomaly‑based approach allows it to establish a normal ‘pattern of life’ for each device on a network and identify when behavior deviates from this baseline, enabling the detection of unusual activity even when it does not match known IoCs or tactics, techniques and procedures (TTPs).
In one customer environment in late 2025, Darktrace / NETWORK detected a device initiating new connections to the rare external endpoint, thetavaluemetrics[.]com (74.91.125[.]57), along with the use of a previously unseen user agent, which it recognized as highly unusual for the network.
Figure 2: Darktrace’s detection of HTTP POST requests to a suspicious URI and new user agent usage.
Darktrace identified that user agent present in connections to this endpoint was the ‘NetSupport Manager/1.3’, initially suggesting legitimate NetSupport Manager activity. Subsequent investigation, however, revealed that the endpoint was in fact a malicious NetSupportRAT C2 endpoint [12]. Shortly after, Darktrace detected the same device performing HTTP POST requests to the URI fakeurl[.]htm. This pattern of activity is consistent with OSINT reporting that details communication between compromised devices and NetSupport Connectivity Gateways functioning as C2 servers [11].
Conclusion
As seen not only with NetSupport Manager but with any legitimate or open‑source software used by IT and security professionals, the legitimacy of a tool does not prevent it from being abused by threat actors. Open‑source software, especially tools with free or trial versions such as NetSupport Manager, remains readily accessible for malicious use, including network compromise. In an age where remote work is still prevalent, validating any anomalous use of software and remote management tools is essential to reducing opportunities for unauthorized access.
Darktrace’s anomaly‑based detection enables security teams to identify malicious use of legitimate tools, even when clear signatures or indicators of compromise are absent, helping to prevent further impact on a network.
Credit to George Kim (Analyst Consulting Lead – AMS), Anna Gilbertson (Senior Cyber Analyst)
Edited by Ryan Traill (Analyst Content Lead)
Appendices
Darktrace Model Alerts
· Compromise / Suspicious HTTP and Anomalous Activity
· Compromise / New User Agent and POST
· Device / New User Agent
· Anomalous Connection / New User Agent to IP Without Hostname
· Anomalous Connection / Posting HTTP to IP Without Hostname
· Anomalous Connection / Multiple Failed Connections to Rare Endpoint
· Anomalous Connection / Application Protocol on Uncommon Port
· Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
· Compromise / Beaconing Activity To External Rare
· Compromise / HTTP Beaconing to Rare Destination
· Compromise / Agent Beacon (Medium Period)
· Compromise / Agent Beacon (Long Period)
· Compromise / Quick and Regular Windows HTTP Beaconing
· Compromise / Sustained TCP Beaconing Activity To Rare Endpoint
Investigating Cloud Attacks with Forensic Acquisition & Investigation
Darktrace / Forensic Acquisition & Investigation™ is the industry’s first truly automated forensic solution purpose-built for the cloud. This blog will demonstrate how an investigation can be carried out against a compromised cloud server in minutes, rather than hours or days.
The compromised server investigated in this case originates from Darktrace’s Cloudypots system, a global honeypot network designed to observe adversary activity in real time across a wide range of cloud services. Whenever an attacker successfully compromises one of these honeypots, a forensic copy of the virtual server's disk is preserved for later analysis. Using Forensic Acquisition & Investigation, analysts can then investigate further and obtain detailed insights into the compromise including complete attacker timelines and root cause analysis.
Forensic Acquisition & Investigation supports importing artifacts from a variety of sources, including EC2 instances, ECS, S3 buckets, and more. The Cloudypots system produces a raw disk image whenever an attack is detected and stores it in an S3 bucket. This allows the image to be directly imported into Forensic Acquisition & Investigation using the S3 bucket import option.
As Forensic Acquisition & Investigation runs cloud-natively, no additional configuration is required to add a specific S3 bucket. Analysts can browse and acquire forensic assets from any bucket that the configured IAM role is permitted to access. Operators can also add additional IAM credentials, including those from other cloud providers, to extend access across multiple cloud accounts and environments.
Forensic Acquisition & Investigation then retrieves a copy of the file and automatically begins running the analysis pipeline on the artifact. This pipeline performs a full forensic analysis of the disk and builds a timeline of the activity that took place on the compromised asset. By leveraging Forensic Acquisition & Investigation’s cloud-native analysis system, this process condenses hour of manual work into just minutes.
Figure 2: Successful import of a forensic artifact and initiation of the analysis pipeline.
Once processing is complete, the preserved artifact is visible in the Evidence tab, along with a summary of key information obtained during analysis, such as the compromised asset’s hostname, operating system, cloud provider, and key event count.
Figure 3: The Evidence overview showing the acquired disk image.
Clicking on the “Key events” field in the listing opens the timeline view, automatically filtered to show system- generated alarms.
The timeline provides a chronological record of every event that occurred on the system, derived from multiple sources, including:
Parsed log files such as the systemd journal, audit logs, application specific logs, and others.
Parsed history files such as .bash_history, allowing executed commands to be shown on the timeline.
File-specific events, such as files being created, accessed, modified, or executables being run, etc.
This approach allows timestamped information and events from multiple sources to be aggregated and parsed into a single, concise view, greatly simplifying the data review process.
Alarms are created for specific timeline events that match either a built-in system rule, curated by Darktrace’s Threat Research team or an operator-defined created at the project level. These alarms help quickly filter out noise and highlight on events of interest, such as the creation of a file containing known malware, access to sensitive files like Amazon Web Service (AWS) credentials, suspicious arguments or commands, and more.
Figure 4: The timeline view filtered to alarm_severity: “1” OR alarm_severity: “3”, showing only events that matched an alarm rule.
In this case, several alarms were generated for suspicious Base64 arguments being passed to Selenium. Examining the event data, it appears the attacker spawned a Selenium Grid session with the following payload:
This is a common attack vector for Selenium Grid. The chromeOptions object is intended to specify arguments for how Google Chrome should be launched; however, in this case the attacker has abused the binary field to execute the Python3 binary instead of Chrome. Combined with the option to specify command-line arguments, the attacker can use Python3’s -c option to execute arbitrary Python code, in this instance, decoding and executing a Base64 payload.
Selenium’s logs truncate the Arguments field automatically, so an alternate method is required to retrieve the full payload. To do this, the search bar can be used to find all events that occurred around the same time as this flagged event.
Figure 5: Pivoting off the previous event by filtering the timeline to events within the same window using timestamp: [“2026-02-18T09:09:00Z” TO “2026-02-18T09:12:00Z”].
Scrolling through the search results, an entry from Java’s systemd journal can be identified. This log contains the full, unaltered payload. GCHQ’s CyberChef can then be used to decode the Base64 data into the attacker’s script, which will ultimately be executed.[NJ9]
![Pivoting off the previous event by filtering the timeline to events within the same window using timestamp: [“2026-02-18T09:09:00Z” TO “2026-02-18T09:12:00Z”].](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69a8a18526ca3e653316a596_Screenshot%202026-03-04%20at%201.17.50%E2%80%AFPM.png)
