NetSupport Manager: Tracking Dual-Use Remote Administration Infrastructure


Executive Summary

Twenty-five Internet-exposed NetSupport Manager Gateway services are currently observable across global infrastructure. Detection is based on a distinctive HTTP server header returned by the Gateway heartbeat endpoint. These systems are reachable directly over the public Internet and accept command relay traffic over HTTP.

NetSupport Manager is a commercial remote administration product developed by NetSupport Ltd. It is widely deployed in enterprise environments for legitimate IT management. However, it has also been repeatedly leveraged by threat actors as a post-compromise persistence mechanism. Because operators frequently deploy unmodified, digitally signed binaries, host-based detection can be inconsistent.

Publicly exposed Gateway services represent one of two conditions: legitimate but misconfigured enterprise deployments, or adversary-operated C2 infrastructure. The exposure itself materially increases risk regardless of intent.


Background and Technical Overview

NetSupport Manager is a commercial remote control platform originally released in 1989. The product is composed of three primary components:

  • Client – Installed on managed endpoints  
  • Control – Operator console  
  • Gateway – HTTP relay service enabling NAT and firewall traversal  

The Gateway component allows Clients and Controls to communicate across network boundaries using an HTTP relay architecture. This design eliminates the need for direct inbound connectivity to managed endpoints and enables remote access across NAT devices, firewalls, and proxy environments.

Extracted client32.ini from a weaponized NetSupport Manager deployment. Silent operation flags, disabled user-facing features, and ShowUIOnConnect=0 ensure no visual indication is presented to the victim. This configuration exemplifies the minimal effort required to weaponize NetSupport Manager — a single INI file directing a legitimate binary to attacker-controlled infrastructure.

The same architecture that simplifies enterprise deployment also reduces operational friction for threat actors. Operators can deploy pre-configured Clients that beacon to a remote Gateway without developing custom relay infrastructure.

When deployed, NetSupport Manager provides extensive remote administration capabilities including:

  • Full remote desktop control  
  • Bidirectional file transfer  
  • Process and service management  
  • Hardware and software inventory collection  
  • Script execution and command shell access  
  • Audio monitoring and keystroke capture  
  • HTTP-based relay through Gateway infrastructure  

From an adversary perspective, these capabilities provide immediate persistence, remote control, and lateral movement functionality without custom malware development.

The software has appeared in campaigns attributed to TA569 (SocGholish), TA505, and multiple ransomware precursor intrusions. Distribution frequently occurs through malicious JavaScript loaders, malspam archives, or multi-stage infection chains. In many observed cases, the software itself is unmodified and retains valid digital signatures, complicating host-based detection.

Internet-exposed Gateway services can be reliably identified through their HTTP response behavior. The Gateway heartbeat endpoint returns the following response:

Gateway heartbeat endpoint response

Key network indicators include:

  • Server Header: NetSupport Gateway/1.1 (Windows NT)  
  • Response Body: CMD=HEARTBEAT  
  • Default Gateway Port: 3085  
  • Protocol: Plaintext HTTP  
  • Content-Type: application/x-www-form-urlencoded  

Multiple observed instances bind the Gateway service to port 443 while serving plaintext HTTP rather than TLS. This configuration lets the traffic blend with expected HTTPS port usage while avoiding certificate negotiation. A TLS-enforcing intermediary will see a protocol mismatch on this port (plaintext HTTP where a TLS handshake is expected), so filtering on port number alone is insufficient; detection must inspect the protocol actually carried.

Additional commands such as CMD=POLL are transmitted as URL-encoded form data as part of the relay protocol. Gateway traffic therefore appears as structured HTTP form submissions rather than traditional web application content.

Detection in this analysis is derived from HTTP response fingerprinting rather than endpoint telemetry.

Censys Observations

Query:

host.services.threats.name: "NetSupportManager RAT" or web.threats.name: "NetSupportManager RAT"

web.endpoints.http.headers: (key: "Server" and value: "NetSupport Gateway/1.1")
Censys identifies 25 unique hosts and 74 total associated assets exposing active Gateway services.

Port Distribution

Gateway exposure is concentrated on ports typically associated with web traffic.

  • Port 443 – 10 hosts (40%) – Plaintext HTTP on HTTPS port  
  • Port 3085 – 5 hosts (20%) – Default Gateway port  
  • Port 9990 – 3 hosts (12%) – Non-standard  
  • Port 80 – 2 hosts (8%) – Standard HTTP  
  • Other ports – 5 hosts (20%) – 447, 5555, 5603, 5609, 9090, 25661, 58573  

The fragmentation across non-standard ports suggests operator configuration variance rather than uniform default deployment.

Port 443 exposure is operationally significant. Gateways on this port may evade simplistic filtering policies that assume TLS encryption.

Geographic and Network Distribution

Exposed infrastructure spans 13 countries across 19 ASNs.

Top countries:

  • Netherlands – 5 hosts (20%)  
  • Brazil – 4 hosts (16%)  
  • Spain – 4 hosts (16%)  

ASN distribution is fragmented. Telefonica Brasil and UNI2-AS (Spain) each host three instances. KDDI and Telecom Argentina host two each. Fifteen additional ASNs host single instances.

This pattern differs from typical commodity RAT infrastructure, which often clusters on low-cost VPS providers. The presence of residential and enterprise ISP ranges alongside hosting providers suggests a mix of legitimate enterprise deployments and potential malicious use.

Exposure alone does not imply adversary ownership. Context is required.

NetSupport Manager’s legitimacy complicates conventional blocking strategies. Detection must focus on deployment/connection context and exposure posture rather than binary presence alone.

Host-Based Monitoring

  • Alert on unexpected execution of client32.exe, client32u.exe, or PCICTLUI.EXE  
  • Monitor for installations outside Program Files  
  • Inspect registry paths under HKLM\SOFTWARE\NetSupport and HKCU\SOFTWARE\NetSupport  
  • Flag configurations referencing external Gateway addresses  
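As an added example (not code from the article or from NetSupport Ltd), the following Python triages an extracted client32.ini against the host-based checks above: the ShowUIOnConnect=0 setting from the configuration shown earlier, a Gateway address outside the organisation, and an install location outside Program Files. The [HTTP] section and the GatewayAddress, silent and quiet key names are assumptions modelled on public sample write-ups rather than vendor documentation; the INI fragments, the gateway.corp.example suffix and the file paths are constructed.

```python
"""Triage a NetSupport client32.ini for the weaponization signs listed above."""
import configparser
import ipaddress
from pathlib import PureWindowsPath

# Constructed client32.ini fragments. ShowUIOnConnect comes from the article; the
# [HTTP] section, GatewayAddress, silent and quiet are ASSUMED key names modelled on
# public sample write-ups, not taken from vendor documentation.
SUSPICIOUS_INI = """\
[Client]
ShowUIOnConnect=0
silent=1
quiet=1

[HTTP]
GatewayAddress=203.0.113.10:443
"""

BENIGN_INI = """\
[Client]
ShowUIOnConnect=1

[HTTP]
GatewayAddress=gateway.corp.example:3085
"""

# RFC 1918 and loopback ranges; anything else is treated as external. Checked
# explicitly rather than via ip.is_private, which also matches documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PROGRAM_FILES = (PureWindowsPath(r"C:\Program Files"),
                 PureWindowsPath(r"C:\Program Files (x86)"))


def is_internal_gateway(address: str, internal_suffixes=()) -> bool:
    """True when a GatewayAddress points inside the organisation.
    IPv4 literals are checked against INTERNAL_NETS; host names must end with one of
    the caller-supplied internal DNS suffixes. An optional ':port' is stripped."""
    host = address.rsplit(":", 1)[0] if address.count(":") == 1 else address
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:  # not an IP literal, so treat it as a host name
        return host.lower().endswith(tuple(s.lower() for s in internal_suffixes))


def assess_client32_ini(ini_text: str, ini_path: str, internal_suffixes=()) -> dict:
    """Return the individual checks, a human-readable finding per hit, and a verdict."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.optionxform = str.lower  # option lookups are case-insensitive
    cfg.read_string(ini_text)
    findings = []

    ui_off = cfg.get("Client", "showuionconnect", fallback="") == "0"
    if ui_off:
        findings.append("ShowUIOnConnect=0: no visual indication on connect")
    for key in ("silent", "quiet"):  # assumed key names
        if cfg.get("Client", key, fallback="") == "1":
            findings.append(f"{key}=1: silent-operation flag set")

    gateway = cfg.get("HTTP", "gatewayaddress", fallback="")
    external = bool(gateway) and not is_internal_gateway(gateway, internal_suffixes)
    if external:
        findings.append(f"GatewayAddress={gateway}: Gateway outside the organisation")

    path = PureWindowsPath(ini_path)  # comparison is case-insensitive on Windows paths
    outside_pf = not any(pf in path.parents for pf in PROGRAM_FILES)
    if outside_pf:
        findings.append(f"{ini_path}: installed outside Program Files")

    if ui_off and external:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "benign"
    return {"silent_ui": ui_off, "external_gateway": external,
            "outside_program_files": outside_pf, "findings": findings,
            "verdict": verdict}


if __name__ == "__main__":
    # Constructed paths: a user-writable drop location versus a placeholder Program Files install.
    for text, path in ((SUSPICIOUS_INI, r"C:\Users\Public\client32.ini"),
                       (BENIGN_INI, r"C:\Program Files (x86)\placeholder-install-dir\client32.ini")):
        report = assess_client32_ini(text, path, internal_suffixes=("corp.example",))
        print(report["verdict"], report["findings"])
```

The same checks apply to a configuration recovered from the HKLM\SOFTWARE\NetSupport or HKCU\SOFTWARE\NetSupport registry paths listed above; the internal DNS suffixes and, if needed, additional internal ranges are the only site-specific inputs.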

Network-Based Detection

The HTTP server header remains the most reliable external network indicator.
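As an added example that is not part of the original article, the following Python applies the network indicators from the technical overview (Server header, CMD=HEARTBEAT body, form-urlencoded content type, plaintext HTTP on port 443, CMD=POLL relay requests) and the Server-header point made here to constructed raw service banners, with a genuine TLS record on port 443 as the negative case for the protocol-mismatch check. Every sample is constructed; the Host value gateway.invalid and the nginx banner are placeholders.

```python
"""Passive fingerprinting of NetSupport Gateway HTTP traffic over constructed samples."""
from urllib.parse import parse_qs

# Constructed raw responses as a scanner or a passive sensor would capture them.
# None is a capture from the hosts discussed in the article.
GATEWAY_HEARTBEAT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: NetSupport Gateway/1.1 (Windows NT)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"CMD=HEARTBEAT"
)
NGINX_INDEX = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.24.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Leading bytes of a TLS record (content type 0x16 = handshake, version 0x0303): what a
# real HTTPS listener answers with; the negative sample for the plaintext-on-443 check.
TLS_RECORD = bytes.fromhex("160303002a02000026")

SAMPLES = {
    "gateway-default-port": (3085, GATEWAY_HEARTBEAT),
    "gateway-on-443": (443, GATEWAY_HEARTBEAT),
    "web-server-on-80": (80, NGINX_INDEX),
    "real-tls-on-443": (443, TLS_RECORD),
}


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lowercase header dict, body).
    Returns None when the bytes are not an HTTP/1.x response at all."""
    if not raw.startswith(b"HTTP/1."):
        return None
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", "replace")


def fingerprint_response(port: int, raw: bytes) -> dict:
    """Score one service banner against the Gateway indicators from the article."""
    result = {"port": port, "is_http": False, "netsupport_gateway": False,
              "plaintext_on_443": False, "indicators": []}
    parsed = parse_http_response(raw)
    if parsed is None:
        if raw[:1] == b"\x16" and raw[1:2] == b"\x03":
            result["indicators"].append("tls-record")
        return result
    _, headers, body = parsed
    result["is_http"] = True
    if headers.get("server", "").startswith("NetSupport Gateway/"):
        result["indicators"].append("server-header")
    if body.strip().upper().startswith("CMD=HEARTBEAT"):
        result["indicators"].append("heartbeat-body")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        result["indicators"].append("form-urlencoded-response")
    # The Server header is the most reliable single indicator; the heartbeat body alone
    # still merits review because an intermediary may rewrite or strip the header.
    result["netsupport_gateway"] = ("server-header" in result["indicators"]
                                    or "heartbeat-body" in result["indicators"])
    # Reached only for HTTP responses, so this flags plaintext HTTP on the HTTPS port.
    result["plaintext_on_443"] = port == 443
    return result


# Constructed relay request; gateway.invalid is a placeholder host name.
POLL_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: gateway.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"CMD=POLL"
)


def relay_command(raw_request: bytes):
    """Extract the CMD value (e.g. POLL, HEARTBEAT) from a URL-encoded Gateway relay
    request body. Returns None when no CMD field is present."""
    _, _, body = raw_request.partition(b"\r\n\r\n")
    values = parse_qs(body.decode("latin-1", "replace")).get("CMD")
    return values[0].upper() if values else None


def scan(samples=SAMPLES):
    """Names of the samples that look like exposed NetSupport Gateways."""
    return [name for name, (port, raw) in samples.items()
            if fingerprint_response(port, raw)["netsupport_gateway"]]


if __name__ == "__main__":
    for name, (port, raw) in SAMPLES.items():
        print(name, fingerprint_response(port, raw))
    print("relay command:", relay_command(POLL_REQUEST))
```

The plaintext_on_443 flag is what a port-based policy misses: the same banner scores identically on 3085 and 443, and only the protocol check separates the Gateway from the TLS listener that belongs on that port.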

Conclusion

Twenty-five Internet-exposed NetSupport Manager Gateways are currently observable across globally distributed infrastructure. Some likely represent legitimate deployments. Others exhibit characteristics consistent with adversary-operated C2.

The risk lies not in the product itself, but in abuse and unauthorized deployment.

Defenders should validate ownership, restrict access, and monitor for unauthorized installation. Adversaries continue to leverage legitimate tools to reduce operational overhead and evade detection. NetSupport Manager remains a persistent example of that strategy.

AUTHOR
Andrew Northern
Principal Security Researcher

Andrew Northern is a Principal Security Researcher with Censys ARC focused on tracking the apex predators of the initial-access e-crime landscape. His work targets the most capable operators, uncovering novel attack chains and dynamic web-delivered malware while mapping the infrastructure that enables them. He has earned multiple MITRE ATT&CK citations, discovered and named several espionage-focused malware families, and published research that exposes previously unknown tradecraft.