NetSupport Manager: Tracking Dual-Use Remote Administration Infrastructure
ID: 7e0f6e4d-1e87-53fb-83f9-16f4db189ac1
STIX ID: report--7e0f6e4d-1e87-53fb-83f9-16f4db189ac1
Feed Name: Censys Blog
Censys identified 25 Internet-exposed NetSupport Manager Gateway instances that respond with a distinctive HTTP Server header and heartbeat (CMD=HEARTBEAT), indicating plaintext HTTP-based relay infrastructure used for remote control; these Gateways may be legitimate but misconfigured or operated by adversaries (observed in campaigns tied to TA569 and TA505). The report details network and host detection methods, port and geographic distribution, risks of plaintext HTTP on port 443, and recommendations to validate ownership, restrict access, and monitor for unauthorized installations.
