NetSystemsResearch
Search Engine User-Agent:netsystemsresearch
⚠️ Overview
NetSystemsResearch is a malicious web vulnerability scanner that originated from a legitimate commercial product developed by the company Net Systems Research, but has since been repurposed by threat actors for unauthorized reconnaissance. The tool is widely documented in security incident reports from sources such as SANS ISC and Talos Intelligence as a persistent threat targeting enterprise web applications. It first gained notoriety in 2016 during large-scale scanning campaigns against Apache Struts and Oracle WebLogic deployments.
🔧 Technical Capabilities
The scanner performs automated probing for SQL injection, cross-site scripting (XSS), remote file inclusion (RFI), and directory traversal vulnerabilities, using a library of payloads optimized for rapid exploitation. It specifically targets known critical CVEs including CVE-2017-5638 (Apache Struts2 Jakarta Multipart parser RCE), CVE-2019-2725 (Oracle WebLogic Deserialization RCE), and CVE-2020-14882 (WebLogic Console RCE). Requests are crafted with distinct headers such as User-Agent: NetSystemsResearch/1.0 and Connection: close, and are sent to endpoints like /struts2-showcase/, /weblogic/console/, and /manager/html/. The bot also conducts credential brute-forcing against login panels with common default accounts, and uses multi-threaded scanning to probe entire IP ranges in minutes. Traffic patterns show bursts of sequential requests with no referrer or caching headers, making it distinguishable from legitimate crawlers.
📜 History & Notable Incidents
First observed in mid-2016, NetSystemsResearch saw a spike in usage following the disclosure of CVE-2017-5638, with many scans targeting organizations before patches were applied. A notable incident in 2017 involved waves of scanning against financial institutions and e‑commerce sites, later linked to pre‑exploitation activity for Struts2 attacks. The scanner has also been associated with CVE-2019-2725 campaigns against unpatched Oracle WebLogic servers, as reported by Talos and SANS ISC in their threat intelligence bulletins. Multiple CVEs such as CVE-2017-9791 (S2-048) and CVE-2020-14882 are frequently targeted in its payload sets.
🔍 Detection Indicators
The primary fingerprint is the User-Agent string "NetSystemsResearch/1.0" or simply "NetSystemsResearch". Additionally, the scanner omits typical browser headers like Accept-Encoding and Accept-Language, while always including Connection: close. Behavioral indicators include rapid, sequential requests to multiple high‑risk endpoints without any referrer or cookie data, often from IP addresses listed in AlienVault OTX and AbuseIPDB threat feeds. Traffic logs show identical request intervals and payload patterns across different targets.
☠️ Risk & Impact
If allowed, NetSystemsResearch can identify exploitable vulnerabilities within minutes, providing attackers a detailed map for remote code execution, data exfiltration, or full server compromise. The bot’s aggressive scanning may degrade web server performance and trigger false positives in Web Application Firewalls (WAFs), but its primary danger lies in enabling follow‑on attacks such as ransomware deployment or lateral movement. Unblocked scans have historically led to major breaches, including those involving Equifax‑related infrastructure post‑2017.
🛡️ Mitigation
This bot is blocked immediately upon detection because it has no legitimate business use; it is exclusively employed for malicious reconnaissance and pre‑attack probing. WAF rules and reverse proxy configurations should deny any request containing the User-Agent string "NetSystemsResearch" or "NetSystemsResearch/1.0", and rate‑limiting should be applied to scanning‑like behavioral patterns.
🛡️
Stop Bots. Save Bandwidth. Protect Revenue.
Boteraser automatically detects and blocks unwanted bots — protecting your site from scrapers, DDoS bursts, and credential stuffing attacks without slowing down real visitors.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.