Beneath the Surface: How Hackers Turn NetSupport Against Users

This McAfee Labs analysis describes multiple NetSupport RAT variants that spread via obfuscated JavaScript which launches wscript.exe and PowerShell (ExecutionPolicy Bypass) to download and execute client32.exe, persist in AppData (e.g., MsEdgeSandbox or D folders) and add registry autoruns; the report includes technical breakdowns, process trees, persistence details, sample hashes, malicious URLs, and C2 information (45.15.158.212:1412).