netsupport-manager-abuse
NetSupport Manager is a legitimate commercial remote-access and classroom-management tool. Threat actors abuse its client installer by bundling it inside masqueraded installers (Inno Setup, IExpress, or custom droppers) and overriding the client32.ini or gateway configuration to point to attacker-controlled infrastructure. Because the binaries are signed by NetSupport Software Ltd. and flagged as legitimate by most AV engines, the abuse evades signature-based detection. Detection must focus on the anomalous installation vector (fake driver update, unexpected email attachment) and the modified gateway string, not the binary's own signature.
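One way to check the gateway string instead of the binary signature, as an added example that is not part of the original note: parse a collected client32.ini and report every gateway entry whose host is not on an organisation-approved list. The `[HTTP]` section, the `GatewayAddress` / `SecondaryGateway` key names and the leading checksum line are assumptions about the file layout, and all hostnames and values in the sample are constructed placeholders.

```python
import configparser

# Assumed key names (not from the note); adjust to the files you collect.
GATEWAY_KEYS = ("gatewayaddress", "secondarygateway")

# Constructed sample: hosts, checksum line and GSK value are placeholders.
SAMPLE_INI = """0x00000000
[Client]
_present=1

[HTTP]
GatewayAddress=unknown-host.example:443
SecondaryGateway=GW.CORP.EXAMPLE:443
GSK=PLACEHOLDER
"""

def extract_gateways(ini_text):
    """Return {"Section.key": (host, port)} for each gateway entry found."""
    lines = ini_text.lstrip("\ufeff").splitlines()
    # Skip anything before the first section header (e.g. a checksum line),
    # which configparser would otherwise reject.
    start = next((i for i, line in enumerate(lines)
                  if line.strip().startswith("[")), len(lines))
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string("\n".join(lines[start:]))
    found = {}
    for section in cp.sections():
        for key, value in cp.items(section):  # keys arrive lower-cased
            if key in GATEWAY_KEYS and value and value.strip():
                host, _, port = value.strip().rpartition(":")
                if not host:  # no ":port" suffix present
                    host, port = port, ""
                found[f"{section}.{key}"] = (host.lower().rstrip("."), port)
    return found

def audit_client32(ini_text, approved_hosts):
    """List gateway entries whose host is not an approved gateway."""
    approved = {h.lower().rstrip(".") for h in approved_hosts}
    return [{"setting": k, "host": h, "port": p}
            for k, (h, p) in sorted(extract_gateways(ini_text).items())
            if h not in approved]

if __name__ == "__main__":
    for finding in audit_client32(SAMPLE_INI, ["gw.corp.example"]):
        print("unapproved gateway:", finding)
```

An empty result for a file found outside a managed deployment still warrants review of how the client was installed, since the installation vector is the other signal named above.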
Related
- netsupport-inno-dropper — observed Inno Setup bundling technique
- version-info-masquerade — masquerade vector used to deliver NetSupport
- iexpress-sfx-dropper — alternative bundling technique for NetSupport