MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access

Sept. 9, 2025, 12:08 p.m.

Description

A sophisticated phishing campaign targeting Japanese users delivers MostereRAT, a Remote Access Trojan that uses advanced evasion techniques. The attack chain has multiple stages, including an Easy Programming Language (EPL) payload, the disabling of security tools, and mTLS-secured C2 communications. The malware can deploy popular remote access tools such as AnyDesk and TightVNC, granting attackers full control of the system. It employs techniques such as running as TrustedInstaller, blocking AV traffic, and creating hidden administrator accounts. The campaign's complexity and its use of legitimate tools make detection and prevention challenging, highlighting the importance of user education and up-to-date security solutions.

Date

  • Created: Sept. 9, 2025, 4:48 a.m.
  • Published: Sept. 9, 2025, 4:48 a.m.
  • Modified: Sept. 9, 2025, 12:08 p.m.

Indicators

  • d281e41521ea88f923cf11389943a046557a2d73c20d30b64e02af1c04c64ed1
  • 926b2b9349dbd4704e117304c2f0edfd266e4c91fb9325ecb11ba83fe17bc383
  • 546a3418a26f2a83a2619d6c808985c149a0a1e22656553ce8172ca15622fd9b
  • 4e3cdeba19e5749aa88329bc3ac67acd777ea7925ba0825a421cada083706a4e
  • 3c621b0c91b758767f883cbd041c8ef701b9806a78f2ae1e08f932b43fb433bb
  • www.efu66.com
  • zzzzzzz0379098305467195353458278.com
  • xxxxxx25433693728080140850916444.com
  • mostere.com
  • osjfd923bk78735547771x3690026ddl.com
  • idkua93dkh9590764478t18822056bck.com
  • huanyu3333.com

Attack Patterns

Additional Information

  • Japan