Tag: rat

50 Attack Reports | 0 Vulnerabilities

Attack reports

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically …
rat
social engineering
powershell
infostealer
lumma
netsupport rat
sectoprat
captcha
clipboard injection
2025-05-22
Published: May 22, 2025
Downloadable IOCs: 10

RAT Dropped By Two Layers of AutoIT Code

A malware attack involving multiple layers of AutoIT code has been discovered. The initial file, disguised as a project file, contains AutoIT script that generates and executes a PowerShell script. This script downloads an AutoIT interpreter and another layer of AutoIT code. Persistence is achieved…
rat
asyncrat
autoit
2025-05-19
Published: May 19, 2025
Downloadable IOCs: 4

Yet Another NodeJS Backdoor (YaNB): A Modern Challenge

A resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications has been observed, tricking users into executing NodeJS-based backdoors and deploying sophisticated Remote Access Trojans. The attack begins with a malicious NodeJS script connecting to attacker-controlled infrastructure…
backdoor
rat
persistence
captcha
anti-vm
xor encryption
system reconnaissance
2025-05-16
nodejs
socks5 proxy
nodejs rat
kongtuke
Published: May 16, 2025
Downloadable IOCs: 11

April 2025 Threat Trend Report on APT Attacks (South Korea)

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing emerged as the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage an…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
google drive
2025-05-14
dropbox api
Published: May 14, 2025
Downloadable IOCs: 3

Newly Registered Domains Distributing SpyNote Malware

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for sur…
rat
phishing
android
spynote
remote access
keylogging
data exfiltration
spymax
google play store
2025-04-10
apk dropper
androidos
2025-04-15
Published: April 15, 2025
Downloadable IOCs: 0

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customize…
apt
rat
phishing
dll side-loading
multi-platform
msi
spark rat
2025-04-08
xeno rat
curlback rat
Published: April 8, 2025
Downloadable IOCs: 28

Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams

The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency …
rat
phishing
social engineering
rhadamanthys
cryptocurrency theft
amos
2025-03-06
job recruitment
atomic macos stealer (amos)
grasscall
Published: March 6, 2025
Downloadable IOCs: 14

The Evolution of Dark Caracal Tools: Campaign Analysis Using the Poco RAT

Attacks using the Poco RAT are a continuation of the Dark Caracal group's campaign. This campaign was launched in 2022 and is aimed at Spanish-speaking countries in Latin America.
rat
phishing
windows
2025-03-05
vmware
bandook
poco rat
ultimate packer
executables
virtualbox
dark caracal
poco c++
Published: March 5, 2025
Downloadable IOCs: 41

Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered

This week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at enhancing its stealth by patching AMSI scanning and ETW logging to evade detection. This loader was seen distributing Async RAT in the past but now it has extended its functionality to Remco…
rat
phishing
powershell
remcos
2025-03-05
zip
vb script
Published: March 5, 2025
Downloadable IOCs: 7

The ticket that doesn't exist: a new threat discovered - FakeTicketer

A new threat actor named FakeTicketer has been identified by F.A.C.C.T. Threat Intelligence, operating since June 2024 with a focus on espionage. The actor targets government officials and sports functionaries using malicious software disguised as tickets for Russian Premier League football matches…
espionage
rat
phishing
stealer
dropper
government
2025-01-22
sports
zagrebator
zagrebator.stealer
zagrebator.dropper
zagrebator.rat
Published: January 22, 2025
Downloadable IOCs: 0

December 2024 Threat Trend Report on APT Attacks (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks targeting South Korea in December 2024. The primary method of attack was spear phishing, with a focus on distributing LNK files. Two main types of attacks were identified: Type A, which uses compressed CAB files containing m…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
2025-01-09
decoy documents
Published: January 9, 2025
Downloadable IOCs: 3

Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs

An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an Alternate Data Stream with PowerShell code. The infection process involved creating a scheduled task…
apt
espionage
rat
south asia
defense sector
scheduled tasks
2024-12-17
turkey
miyarat
wmrat
alternate data streams
Published: December 17, 2024
Downloadable IOCs: 0

Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia

An unknown threat actor has deployed a malicious Android sample targeting high-value assets in Southern Asia. The malware, generated using the Spynote Remote Administration Tool, was delivered via WhatsApp in multiple attempts. The payload, concealed and operating in the background, exhibits variou…
rat
android
whatsapp
2024-12-10
Published: December 10, 2024
Downloadable IOCs: 5

The RAT race: What happens when RATs go undetected

This analysis explores a sophisticated cyberattack attempt involving multiple Remote Access Tools (RATs) and a stealer. The attack chain begins with an email containing an exploit for CVE-2024-38213, bypassing Windows' Mark of the Web security feature. The malware uses WebDav directories and Cloudf…
xworm
rat
dcrat
CVE-2024-38213
2024-11-30
purelog stealer
Published: November 30, 2024
Downloadable IOCs: 0

Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chai…
rat
phishing
windows
russia
ukraine
zero-day
CVE-2024-43451
2024-11-14
ntlm
spark rat
pass-the-hash
hash stealing
Published: November 14, 2024
Downloadable IOCs: 24

New Campaign Uses Remcos RAT to Exploit Victims

A phishing campaign utilizing Remcos RAT has been detected. The attack begins with an email containing a malicious Excel document that exploits CVE-2017-0199. When opened, it downloads and executes an HTA file, which in turn downloads and runs a malicious EXE. This EXE uses PowerShell to load and e…
rat
phishing
powershell
remcos
CVE-2017-0199
process hollowing
2024-11-08
Published: November 8, 2024
Downloadable IOCs: 2

Unwrapping the emerging Interlock ransomware attack

A new ransomware group called Interlock has emerged, targeting various sectors with big-game hunting and double extortion attacks. The group uses a sophisticated delivery chain including a RAT disguised as a browser updater, PowerShell scripts, credential stealers, and keyloggers. They primarily mo…
rat
ransomware
azure
rdp
keylogger
double-extortion
rhysida
2024-11-07
credential-stealer
interlock
Published: November 7, 2024
Downloadable IOCs: 2

Python RAT with a Nice Screensharing Feature

A Python Remote Access Trojan (RAT) with advanced capabilities, including a notable screensharing feature, has been discovered. The RAT, based on a two-year-old script, has a low detection rate on VirusTotal. It offers numerous functions to control the victim's computer, such as shell access, webca…
rat
python
2024-11-05
low-detection
remote-control
python rat
vidstream
screensharing
Published: November 5, 2024
Downloadable IOCs: 1

Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT

APT36, also known as Transparent Tribe, is a Pakistan-based threat actor targeting Indian government and military entities. Their campaigns utilize ElizaRAT, a Windows Remote Access Tool that has evolved to enhance evasion techniques and C2 communication. Recent campaigns employ cloud services like…
espionage
rat
stealer
transparent tribe
apt36
cloud services
2024-11-04
apolostealer
Published: November 4, 2024
Downloadable IOCs: 23

Writing a BugSleep C2 server and detecting its traffic with Snort

This analysis focuses on the BugSleep implant, also known as MuddyRot, a remote access tool that provides reverse shell and file I/O capabilities. The article details the process of reverse engineering BugSleep's protocol, creating a functional C2 server, and developing Snort rules for traffic dete…
rat
bugsleep
2024-10-30
reverse engineering
muddyrot
python server
c2 protocol
snort detection
Published: October 30, 2024
Downloadable IOCs: 0

DarkComet RAT: Technical Analysis of Attack Chain

This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
rat
evasion
persistence
keylogging
privilege escalation
command and control
remote access trojan
2024-10-23
darkcomet
Published: October 23, 2024
Downloadable IOCs: 1

Malware by the (Bit)Bucket: Uncovering AsyncRAT

A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
obfuscation
rat
powershell
asyncrat
vbscript
.net
2024-10-10
bitbucket
Published: October 10, 2024
Downloadable IOCs: 0

The Open-Source Builder Behind Malicious Loaders

MisterioLNK is a newly discovered open-source loader builder that generates LNK, BAT, CMD, and VBS loader files designed to download and execute remote files. Available on GitHub, it poses a significant challenge to security defenses due to minimal detection rates. The tool supports multiple loader…
rat
remcos rat
2024-10-08
lnk files
blankstealer
misteriolnk
loader builder
dc rat
Published: October 8, 2024
Downloadable IOCs: 0

SambaSpy – a new RAT targeting Italian users

A campaign exclusively targeting Italian users was detected in May 2024, delivering a new Remote Access Trojan (RAT) dubbed SambaSpy. The infection chain involves phishing emails impersonating a legitimate Italian real estate company, redirecting victims to a malicious website. The campaign employs…
rat
phishing
java
2024-09-19
credential stealing
sambaspy
Published: September 19, 2024
Downloadable IOCs: 24

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining acce…
rat
cryptocurrency
macos
poolrat
pondrat
2024-09-19
applejeus
Published: September 19, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2024-3094
Downloadable IOCs: 16

New macOS malware gives attackers backdoor access to Macs

A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
backdoor
surveillance
rat
macos
malicious
hz rat
2024-09-16
Published: September 16, 2024
Downloadable IOCs: 25

Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script

In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establ…
obfuscation
rat
autoit
downloader
2024-08-23
lilith
konni
lilith rat
Published: August 23, 2024
Downloadable IOCs: 33

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, targeting Russian government organizations and IT companies. The attackers employed phishing emails with malicious shortcuts to deliver malware that communicated via Dropbox. They utilized tools associated with APT31 and …
rat
phishing
spyware
dll sideloading
cloudsorcerer
2024-08-14
plugy
grewapacha
Published: August 14, 2024
Downloadable IOCs: 5

PureHVNC Deployed via Python Multi-stage Loader

FortiGuard Labs uncovered a sophisticated attack campaign utilizing multiple obfuscation and evasion techniques to distribute and execute various malware, including VenomRAT, XWorm, AsyncRAT, and PureHVNC. The campaign starts with a phishing email containing a malicious attachment that initiates a …
xworm
rat
phishing
asyncrat
venomrat
2024-08-09
purehvnc
Published: August 9, 2024
Downloadable IOCs: 18

BingoMod: The new android RAT that steals money and wipes data

In late May 2024, a new Android Remote Access Trojan (RAT) named BingoMod emerged, aiming to initiate fraudulent money transfers from compromised devices using a technique called On-Device Fraud (ODF). After installation, BingoMod steals sensitive information, conducts overlay attacks, and provides…
rat
android
fraud
banking
2024-08-02
bingomod
Published: August 2, 2024
Downloadable IOCs: 3

Detecting evolving threats: NetSupport RAT campaign

This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
obfuscation
rat
malvertising
powershell
persistence
netsupport rat
2024-08-02
Published: August 2, 2024
Downloadable IOCs: 3

Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…
malware
rat
evasion
encryption
dropper
gh0st rat
moudoor
mydoor
2024-07-31
Published: July 31, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 6

Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant

This report analyzes a recent phishing campaign distributing a new DarkGate Remote Access Trojan variant. The malware leverages various obfuscation and anti-analysis techniques, including process hollowing, anti-VM checks, and encoding. It supports numerous malicious functionalities like ransomware…
rat
darkgate
2024-07-15
Published: July 15, 2024
Downloadable IOCs: 4

CVE-2024-4577 Exploits in the Wild One Day After Disclosure

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection
Published: July 11, 2024
Downloadable IOCs: 17

Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)

A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
backdoor
exploit
rat
xmrig
vulnerability
plugx
gh0strat
CVE-2024-23692
cobaltstrike
korplug
destroyrat
xenorat
2024-07-03
gothief
Published: July 3, 2024
Linked vulnerabilities : CVE-2024-23692 (CVSS 9.8)
Downloadable IOCs: 14

An Android RAT targets Telegram Users

This analysis discusses SpyMax, a Remote Access Trojan (RAT) that targets Android devices and specifically aims at obtaining data from Telegram users. It employs phishing techniques to trick victims into installing a malicious application disguised as the legitimate Telegram app. Once installed, Sp…
surveillance
rat
phishing
android
keylogger
2024-06-28
spymax
Published: June 28, 2024
Downloadable IOCs: 4

espionage group targets government agencies with and more infection techniques

A recently discovered threat actor, dubbed 'SneakyChef,' has been conducting an ongoing espionage campaign targeting government agencies across different regions, primarily utilizing the SugarGh0st malware. The group employs decoy documents impersonating government entities and infects victims thro…
apt
espionage
rat
phishing
government
sugargh0st
2024-06-24
spicerat
Published: June 24, 2024
Downloadable IOCs: 148

Unveiling SpiceRAT: Latest tool targeting EMEA and Asia

Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, employed by the threat actor SneakyChef in a recent malicious campaign. The campaign targeted government agencies across multiple countries in Europe, the Middle East, Africa, and Asia. SpiceRAT was delivered alongside SugarGh…
rat
phishing
sugargh0st
sideloading
2024-06-24
spicerat
Published: June 24, 2024
Downloadable IOCs: 6

RAT Distributed as UUEncoding (UUE) File

This intelligence report describes a malicious operation where the Remcos Remote Access Trojan (RAT) is being disseminated through phishing emails containing an attachment exploiting the Unix-to-Unix Encoding (UUE) technique. The encoded file loads an obfuscated VBScript that fetches additional mal…
obfuscation
rat
phishing
persistence
remcos
remote access
2024-06-11
Published: June 11, 2024
Downloadable IOCs: 3

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
backdoor
rat
ransomware
blackcat
alphv
cobalt strike
icedid
exfiltration
2024-06-10
noberus
csharp streamer
Published: June 10, 2024
Downloadable IOCs: 33

Malicious Campaign Analysis: JScript RAT and CobaltStrike

This report examines a recent malicious campaign involving a JScript-based Remote Access Trojan (RAT) and its connections to the CobaltStrike penetration testing tool. The attack commences with an obfuscated JScript loader distributed through suspected phishing campaigns. Upon execution, it contact…
obfuscation
rat
encryption
cobaltstrike
2024-06-07
jscript
jscript rat
Published: June 7, 2024
Downloadable IOCs: 4

DarkGate again but... Improved?

The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
obfuscation
pikabot
rat
phishing
autohotkey
darkgate
2024-06-06
Published: June 6, 2024
Downloadable IOCs: 313

DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine

This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
rat
ukraine
cyber
2024-06-06
darkcrystal rat
darkcrystal
targeted
Published: June 6, 2024
Downloadable IOCs: 14

SugarGh0st RAT Used to Target American Artificial Intelligence Experts

This intelligence report provides details about a SugarGh0st RAT campaign conducted by an unattributed threat actor, tracked as UNK_SweetSpecter, targeting organizations in the United States involved in artificial intelligence (AI) efforts across academia, private industry, and government. The camp…
rat
phishing
2024-05-16
2024-05-11
sugargh0st
ai
gh0strat
sugargh0st rat
Published: May 16, 2024
Downloadable IOCs: 9

The Overlapping Cyber Strategies Of Transparent Tribe And SideCopy Against India

CRIL's analysis revealed SideCopy APT group's sophisticated malware campaign, employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities, suggesting potenti…
malware
apt
rat
action rat
india
infection chain
2024-05-15
2024-05-10
reverserat
Published: May 15, 2024
Downloadable IOCs: 21

GoTo Meeting loads RAT via Shellcode Loader

A malicious campaign has been discovered that exploits the legitimate GoTo Meeting online conferencing software to deploy the Remcos remote access trojan (RAT). The attack chain involves utilizing lures like porn downloads, software setup files, and tax forms with Russian and English file names. It…
rat
remcos
2024-05-08
dll sideloading
shellcode
rust
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 17

Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack

The report details an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), pr…
obfuscation
rat
xmrig
persistence
2024-05-05
2024-05-06
2024-05-07
2024-05-08
purecrypter
cryptominer
3proxy
antiav
orcusrat
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 12

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

This comprehensive analysis provides a thorough examination of the REMCOS Remote Access Trojan (RAT), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, persistence mechanisms, and …
rat
evasion
persistence
remcos
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
remote access
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 34

HijackLoader Updates

HijackLoader, also known as IDAT Loader, is a modular malware loader capable of executing multiple payloads. It utilizes a variety of modules for code injection, execution, and evasion techniques. This report analyzes the updated version of HijackLoader, which includes new modules for bypassing Win…
rat
evasion
rhadamanthys
stealer
remcos
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
amadey
lumma stealer
injection
modular
racoon stealer v2
malware loader
meta stealer
Published: May 7, 2024
Downloadable IOCs: 11

Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
rat
social engineering
python
developers
python-based rat
dev#popper
Published: April 29, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports