Tag: rat
33 attack reports | 0 vulnerabilities
Attack reports
Python RAT with a Nice Screensharing Feature
A Python Remote Access Trojan (RAT) with advanced capabilities, including a notable screensharing feature, has been discovered. The RAT, based on a two-year-old script, has a low detection rate on VirusTotal. It offers numerous functions to control the victim's computer, such as shell access, webca…
Downloadable IOCs 1
Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT
APT36, also known as Transparent Tribe, is a Pakistan-based threat actor targeting Indian government and military entities. Their campaigns utilize ElizaRAT, a Windows Remote Access Tool that has evolved to enhance evasion techniques and C2 communication. Recent campaigns employ cloud services like…
Downloadable IOCs 23
Writing a BugSleep C2 server and detecting its traffic with Snort
This analysis focuses on the BugSleep implant, also known as MuddyRot, a remote access tool that provides reverse shell and file I/O capabilities. The article details the process of reverse engineering BugSleep's protocol, creating a functional C2 server, and developing Snort rules for traffic dete…
Downloadable IOCs 0
DarkComet RAT: Technical Analysis of Attack Chain
This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
Downloadable IOCs 1
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
The Open-Source Builder Behind Malicious Loaders
MisterioLNK is a newly discovered open-source loader builder that generates LNK, BAT, CMD, and VBS loader files designed to download and execute remote files. Available on GitHub, it poses a significant challenge to security defenses due to minimal detection rates. The tool supports multiple loader…
Downloadable IOCs 0
SambaSpy – a new RAT targeting Italian users
A campaign exclusively targeting Italian users was detected in May 2024, delivering a new Remote Access Trojan (RAT) dubbed SambaSpy. The infection chain involves phishing emails impersonating a legitimate Italian real estate company, redirecting victims to a malicious website. The campaign employs…
Downloadable IOCs 24
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors
Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining acce…
Downloadable IOCs 16
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script
In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establ…
Downloadable IOCs 33
EastWind campaign: new CloudSorcerer attacks on government organizations in Russia
Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, targeting Russian government organizations and IT companies. The attackers employed phishing emails with malicious shortcuts to deliver malware that communicated via Dropbox. They utilized tools associated with APT31 and …
Downloadable IOCs 5
PureHVNC Deployed via Python Multi-stage Loader
FortiGuard Labs uncovered a sophisticated attack campaign utilizing multiple obfuscation and evasion techniques to distribute and execute various malware, including VenomRAT, XWorm, AsyncRAT, and PureHVNC. The campaign starts with a phishing email containing a malicious attachment that initiates a …
Downloadable IOCs 18
BingoMod: The new Android RAT that steals money and wipes data
In late May 2024, a new Android Remote Access Trojan (RAT) named BingoMod emerged, aiming to initiate fraudulent money transfers from compromised devices using a technique called On-Device Fraud (ODF). After installation, BingoMod steals sensitive information, conducts overlay attacks, and provides…
Downloadable IOCs 3
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT
This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…
Downloadable IOCs 6
Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant
This report analyzes a recent phishing campaign distributing a new DarkGate Remote Access Trojan variant. The malware leverages various obfuscation and anti-analysis techniques, including process hollowing, anti-VM checks, and encoding. It supports numerous malicious functionalities like ransomware…
Downloadable IOCs 4
CVE-2024-4577 Exploits in the Wild One Day After Disclosure
One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
Downloadable IOCs 17
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
An Android RAT targets Telegram Users
This analysis discusses SpyMax, a Remote Access Trojan (RAT) that targets Android devices and specifically aims at obtaining data from Telegram users. It employs phishing techniques to trick victims into installing a malicious application disguised as the legitimate Telegram app. Once installed, Sp…
Downloadable IOCs 4
espionage group targets government agencies with and more infection techniques
A recently discovered threat actor, dubbed 'SneakyChef,' has been conducting an ongoing espionage campaign targeting government agencies across different regions, primarily utilizing the SugarGh0st malware. The group employs decoy documents impersonating government entities and infects victims thro…
Downloadable IOCs 148
Unveiling SpiceRAT: Latest tool targeting EMEA and Asia
Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, employed by the threat actor SneakyChef in a recent malicious campaign. The campaign targeted government agencies across multiple countries in Europe, the Middle East, Africa, and Asia. SpiceRAT was delivered alongside SugarGh…
Downloadable IOCs 6
RAT Distributed as UUEncoding (UUE) File
This intelligence report describes a malicious operation where the Remcos Remote Access Trojan (RAT) is being disseminated through phishing emails containing an attachment exploiting the Unix-to-Unix Encoding (UUE) technique. The encoded file loads an obfuscated VBScript that fetches additional mal…
Downloadable IOCs 3
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Malicious Campaign Analysis: JScript RAT and CobaltStrike
This report examines a recent malicious campaign involving a JScript-based Remote Access Trojan (RAT) and its connections to the CobaltStrike penetration testing tool. The attack commences with an obfuscated JScript loader distributed through suspected phishing campaigns. Upon execution, it contact…
Downloadable IOCs 4
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
SugarGh0st RAT Used to Target American Artificial Intelligence Experts
This intelligence report provides details about a SugarGh0st RAT campaign conducted by an unattributed threat actor, tracked as UNK_SweetSpecter, targeting organizations in the United States involved in artificial intelligence (AI) efforts across academia, private industry, and government. The camp…
Downloadable IOCs 9
The Overlapping Cyber Strategies Of Transparent Tribe And SideCopy Against India
CRIL's analysis revealed SideCopy APT group's sophisticated malware campaign, employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities, suggesting potenti…
Downloadable IOCs 21
GoTo Meeting loads RAT via Shellcode Loader
A malicious campaign has been discovered that exploits the legitimate GoTo Meeting online conferencing software to deploy the Remcos remote access trojan (RAT). The attack chain involves utilizing lures like porn downloads, software setup files, and tax forms with Russian and English file names. It…
Downloadable IOCs 17
Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack
The report details an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), pr…
Downloadable IOCs 12
Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four
This comprehensive analysis provides a thorough examination of the REMCOS Remote Access Trojan (RAT), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, persistence mechanisms, and …
Downloadable IOCs 34
HijackLoader Updates
HijackLoader, also known as IDAT Loader, is a modular malware loader capable of executing multiple payloads. It utilizes a variety of modules for code injection, execution, and evasion techniques. This report analyzes the updated version of HijackLoader, which includes new modules for bypassing Win…
Downloadable IOCs 11
Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
Downloadable IOCs 7