To take control of Windows computers, hackers push fake Pokemon NFT games

To distribute NetSupport remotely access tools and to take control of victims’ devices, threat actors have created a Pokemon NFT website that allows them to play the card game.

Website “pokemon.go[. The website “pokemon-go[.]io,” still available at the time this article was written, claims that it hosts a brand new NFT card game based around Pokemon. It offers users both strategic entertainment and NFT investment profit.

Given the popularity of NFTs and Pokemon, the malign portal operators shouldn’t have any trouble drawing people to their site via social media, spamm, or other means.

Site promoting a fake Pokemon NFT game


Clicking on “Play on PC”, downloads an executable which looks legitimately like a game installation but actually installs NetSupport remote acces tool (RAT).

Analysts at discovered the operation and reported that there was another site, “beta–pokemoncards[. It was taken offline by ]io”

The campaign first symptoms of activity were detected in December 2022. However, earlier samples retrieved by VirusTotal revealed that these same operators had pushed a false Visual Studio file rather than the Pokemon game.

The NetSupport Rat can be dropped

Install the NetSupport RAT executable (client32.exe) and all its dependencies in a folder under the %APPDATA% directory. To help avoid detection by victims who perform manual file inspections, they are “hidden”.

Dropped files and contents of the configuration file


To ensure that the RAT executes upon system startup, the installer also creates an entry to the Windows Startup directory.

Threat actors often use NetSupport RAT, also known as NetSupport Manager, to try and evade security software.

NetSupport RAT interface


Threat actors are now able to remotely access a user’s phone to install malware or steal data.

Although NetSupport Manager can be used as a legal software product, threat actors often use it in their malicious campaigns.

in 2020 about phishing actors who used COVID-19-themed Excel spreadsheets that dropped NetSupport RAT on the computers of recipients.

A s using fake Cloudflare protection pages. NetSupport RAT installed on the victims. Raccoon Stealer also appeared.

NetSupport Manager allows remote screen control and screen recording. It also supports system monitoring. Remote system grouping is possible for better control. There are many connectivity options available, including encryption of network traffic.

However, such infections can have severe consequences, including unauthorised access to user data, and the possibility of further malware being downloaded.