Tag: rat

81 Attack Reports | 0 Vulnerabilities

Attack reports

Indian Income Tax-Themed Phishing Campaign Targets Local Businesses

A sophisticated phishing campaign impersonating the Indian Income Tax Department has been targeting local businesses. The attack begins with a spear-phishing email containing a PDF attachment that directs victims to a fake compliance portal. This triggers the download of a malicious ZIP file, which…
rat
phishing
india
nsis installer
remote access trojan
data harvesting
china-linked
2025-12-22
income tax
Published: December 22, 2025
Downloadable IOCs: 3

Kimsuky Distributing Malicious Mobile App via QR Code

A new campaign by Kimsuky involves distributing malicious mobile apps through QR codes and phishing websites. The apps, masquerading as delivery services, VPNs, and cryptocurrency tools, decrypt an embedded APK to deploy a RAT with extensive capabilities. The malware uses a native decryption functi…
rat
phishing
keylogging
apk
dprk
mobile malware
decryption
qr code
docswap
2025-12-16
Published: December 16, 2025
Downloadable IOCs: 12

Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets

Albiriox is a newly identified Android malware offered as Malware-as-a-Service, likely managed by Russian-speaking threat actors. It employs a two-stage deployment chain using dropper applications and packing techniques to evade detection. The malware exhibits advanced On-Device Fraud capabilities,…
rat
android
cryptocurrency
banking trojan
maas
evasion techniques
overlay attacks
on-device fraud
2025-12-03
vnc
albiriox
Published: December 3, 2025
Downloadable IOCs: 4

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use socia…
rat
social engineering
north korea
infostealer
cryptocurrency
beavertail
web3
invisibleferret
ottercookie
trojanized code
2025-11-14
json storage
tsunami payload
Published: November 14, 2025
Downloadable IOCs: 84

DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

A malware analysis reveals the reemergence of DarkComet RAT disguised as a Bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder an…
rat
cryptocurrency
persistence
bitcoin
keylogging
c2 communication
darkcomet
upx packing
2025-11-14
darkcomet rat
Published: November 14, 2025
Downloadable IOCs: 5

Fantasy Hub: Another Russian Based RAT as Malware-as-a-Service

A new Android Remote Access Trojan called Fantasy Hub has been identified, sold on Russian-language channels as a Malware-as-a-Service (MaaS) subscription. The malware offers extensive device control and espionage capabilities, including SMS exfiltration, contact theft, call log access, and bulk im…
rat
android
spyware
banking
russian
maas
financial
sms
2025-11-10
fantasy hub
Published: November 10, 2025
Downloadable IOCs: 169

State-Sponsored Remote Wipe Tactics Targeting Android Devices

A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They co…
apt
rat
social engineering
android
remcosrat
quasarrat
spear-phishing
2025-11-10
rftrat
find hub
remote wipe
lilithrat
kakaotalk
endrat
google account
Published: November 10, 2025
Downloadable IOCs: 10

New Python RAT Targets Gamers via Minecraft

A new multi-function Python RAT has been discovered targeting gamers through Minecraft. The malware, posing as a legitimate Minecraft client called 'Nursultan Client', uses the Telegram Bot API for command and control. It has capabilities including screenshot capture, webcam access, Discord token t…
surveillance
rat
python
minecraft
discord
telegram
gaming
2025-10-22
token theft
nursultan client
Published: October 22, 2025
Downloadable IOCs: 1

New Stealit Campaign Abuses Node.js Single Executable Application

A new Stealit malware campaign has been discovered that utilizes Node.js' Single Executable Application feature to distribute payloads. The campaign bundles malicious scripts into standalone binaries, allowing execution without requiring a pre-installed Node.js runtime. The malware is distributed a…
obfuscation
rat
cryptocurrency
anti-analysis
node.js
information theft
2025-10-11
single executable application
stealit
Published: October 11, 2025
Downloadable IOCs: 12

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It …
rat
phishing
infostealer
macos
remote access
clickfix
deerstealer
captcha
odyssey
2025-10-10
clipboard
iuam
clickfix generator
Published: October 10, 2025
Downloadable IOCs: 59

XWorm V6: Exploring Pivotal Plugins

Since the release of XWorm V6.0 on June 4, 2025, we have noted a surge in samples identified as XWorm V6.0 on VirusTotal, reflecting its rapid adoption by threat actors. One prominent campaign illustrates its delivery: a malicious JavaScript (JS) file initiates a PowerShell (PS1) script, which depl…
xworm
rat
phishing
powershell
javascript
remote desktop
amsi bypass
2025-10-06
file manager
Published: October 6, 2025
Downloadable IOCs: 22

Werewolf raids Russia's public sector with trusted relationship attacks

Cavalry Werewolf, a malicious actor group, targeted Russian state agencies and enterprises in the energy, mining, and manufacturing sectors from May to August 2025. The attackers used targeted phishing emails, posing as Kyrgyz government officials, to gain initial access. They employed custom malwa…
rat
phishing
russia
government
asyncrat
mining
telegram
reverse shell
manufacturing
kyrgyzstan
2025-10-02
energy
foalshell
stallionrat
Published: October 2, 2025
Downloadable IOCs: 0

XWorm RAT Delivered via Shellcode: Multi-Stage Attack Analysis

This analysis details a sophisticated multi-stage attack delivering the XWorm RAT. The campaign begins with a phishing email containing a malicious .xlam file. The file harbors embedded shellcode that, when executed, retrieves a secondary payload. This payload is a .NET binary that reflectively loa…
obfuscation
xworm
rat
phishing
steganography
shellcode
.net
multi-stage attack
reflective dll injection
2025-09-29
Published: September 29, 2025
Downloadable IOCs: 8

Malicious PyPI Packages Deliver SilentSync RAT

Two malicious Python packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages, created by the same author, deliver a Remote Access Trojan (RAT) called SilentSync. The RAT is capable of remote command execution, file exfiltration, screen capturin…
rat
python
typosquatting
supply chain
data theft
remote access
pypi
data-exfiltration
supply-chain-attack
browser-data-theft
2025-09-18
silentsync
2025-09-19
python packages
Published: September 19, 2025
Downloadable IOCs: 0

Under the Pure Curtain: From RAT to Builder to Coder

Check Point Research conducted a forensic analysis of a ClickFix campaign that deployed multiple tools, including a Rust Loader, PureHVNC RAT, and the Sliver command-and-control framework. The analysis provided comprehensive insights into PureHVNC RAT, including its commands and plugins. The invest…
rat
cybercrime
purecrypter
github
purelogs
clickfix
purehvnc
purerat
2025-09-16
rust loader
pureminer
purehvnc rat
blue loader
Published: September 16, 2025
Downloadable IOCs: 0

August 2025 APT Attack Trends Report

In August 2025, APT attacks in South Korea primarily utilized spear phishing techniques, with LNK files being the most prevalent method. Two main types of attacks were observed: Type A, which used compressed CAB files containing malicious scripts for information exfiltration and additional malware …
apt
rat
powershell
rokrat
south korea
xenorat
lnk files
spear phishing
cab files
2025-09-16
Published: September 16, 2025
Downloadable IOCs: 5

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute …
obfuscation
xworm
rat
phishing
powershell
remcos
evasion techniques
bat scripts
svg
fileless execution
2025-09-11
Published: September 11, 2025
Downloadable IOCs: 2

The Rise of RatOn: From NFC heists to remote control and ATS

A new Android banking trojan named RatOn has emerged, combining NFC relay attacks with remote access and automated transfer capabilities. Discovered by analysts monitoring the NFSkate threat group, RatOn targets cryptocurrency wallets and banking applications, particularly in the Czech Republic and…
rat
android
cryptocurrency
banking trojan
overlay attacks
nfc relay
2025-09-09
ats
nfskate
raton
Published: September 9, 2025
Downloadable IOCs: 23

Three Lazarus RATs coming for your cheese

This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations: PondRAT, ThemeForestRAT, and RemotePE. It details an incident response case from 2024 involving social engineering and possible zero-day exploitation. PondRAT is …
rat
social engineering
cryptocurrency
zero-day
poolrat
pondrat
financial
2025-09-02
remotepe
themeforestrat
2025-09-03
Published: September 3, 2025
Downloadable IOCs: 0

AI Waifu RAT: A Ring3 malware-like RAT based on LLM manipulation is circulating in the wild

A niche LLM role-playing community is being targeted by a sophisticated social engineering attack disguised as an AI character enhancement tool. The 'AI Waifu RAT' is a Remote Access Trojan marketed as a feature allowing AI characters to interact with users' computers. The RAT, distributed under th…
backdoor
rat
social engineering
ai
llm
code execution
threat actor
ctf
2025-09-01
ai waifu rat
Published: September 1, 2025
Downloadable IOCs: 7

July 2025 APT Attack Trends Report (South Korea)

The report analyzes Advanced Persistent Threat (APT) attacks in South Korea during July 2025. Spear phishing was the primary attack method, with LNK files being the most common vector. Two types of LNK-based attacks were identified: Type A, which uses compressed CAB files containing malicious scrip…
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
google drive
dropbox api
2025-08-19
Published: August 19, 2025
Downloadable IOCs: 0

Threat Bulletin: Fire in the Woods – A New Variant of FireWood

A new, low-detected variant of the FireWood Linux backdoor has been discovered, showing changes in implementation and configuration while maintaining core functionality. This backdoor, linked to the 'Project Wood' malware lineage, operates as a remote access trojan on Linux systems, using kernel-le…
linux
backdoor
rat
kernel rootkit
project wood
firewood
2025-08-15
tea encryption
Published: August 15, 2025
Downloadable IOCs: 0

From ClickFix to Command: A Full PowerShell Attack Chain

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key …
obfuscation
rat
phishing
social engineering
powershell
lateral movement
c2 communication
2025-08-11
israeli targets
powershell rat
Published: August 11, 2025
Downloadable IOCs: 0

PlayPraetor's evolving threat: How Chinese-speaking actors globally scale an Android RAT

A large-scale Malware-as-a-Service operation, orchestrated by Chinese-speaking threat actors, has infected over 11,000 Android devices globally with the PlayPraetor Remote Access Trojan. The campaign primarily targets Europe, with significant presence in Portugal, Spain, and France, but also affect…
rat
android
cryptocurrency
botnet
banking
maas
accessibility services
2025-08-07
playpraetor
Published: August 7, 2025
Downloadable IOCs: 0

RedHook: A New Android Banking Trojan Targeting Users In Vietnam

A sophisticated Android banking trojan named RedHook has been discovered targeting Vietnamese users through spoofed government and financial websites. The malware uses WebSocket to communicate with its command-and-control server and supports over 30 remote commands, enabling complete control over c…
rat
phishing
android
banking trojan
keylogging
vietnam
aws s3
websocket
2025-07-31
chinese-language
redhook
Published: July 31, 2025
Downloadable IOCs: 13

June 2025 APT Attack Trends Report (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks targeting South Korea in June 2025. Spear phishing emerged as the primary attack vector, with LNK files being the most prevalent method, followed by an increase in HWP file-based attacks. The report details two types of spear phishing …
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
2025-07-16
hwp files
Published: July 16, 2025
Downloadable IOCs: 0

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetS…
rat
social engineering
typosquatting
powershell
infostealer
lumma stealer
latrodectus
autoit
clickfix
netsupport rat
clipboard hijacking
2025-07-10
Published: July 10, 2025
Downloadable IOCs: 65

Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware

The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The …
obfuscation
rat
phishing
asyncrat
webdav
stealth techniques
memory injection
cloudflare tunnels
shellcode loader
2025-06-20
revengerat
python-based malware
donut packer
Published: June 20, 2025
Downloadable IOCs: 147

Famous Chollima deploying Python version of GolangGhost RAT

In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) called 'PylangGhost', used by a North Korean-aligned threat actor. PylangGhost shares similarities with the previously documented GolangGhost RAT. The threat actor, Famous Chollima, has been targeting employees with exper…
rat
cryptocurrency
browser data theft
blockchain
golangghost
2025-06-18
pylangghost
Published: June 18, 2025
Downloadable IOCs: 67

Understanding CyberEYE RAT Builder: Capabilities and Implications

CyberEye is a modular, .NET-based Remote Access Trojan that utilizes Telegram for Command and Control, eliminating the need for attackers to maintain their own infrastructure. It offers a wide array of surveillance and data theft capabilities, including keylogging, file grabbing, and clipboard hija…
rat
persistence
anti-analysis
credential theft
data exfiltration
telegram
2025-06-13
cybereye
windows defender evasion
telegramrat
Published: June 13, 2025
Downloadable IOCs: 0

The strange tale of ischhfd83: When cybercriminals eat their own

This investigation uncovered a large-scale campaign involving backdoored GitHub repositories targeting game cheaters and inexperienced cybercriminals. The threat actor, possibly linked to a Distribution-as-a-Service operation, uses multiple types of backdoors and a convoluted infection chain leadin…
backdoor
obfuscation
rat
infostealer
remcos
lumma stealer
asyncrat
github
telegram
2025-06-04
Published: June 4, 2025
Downloadable IOCs: 52

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically …
rat
social engineering
powershell
infostealer
lumma
netsupport rat
sectoprat
captcha
clipboard injection
2025-05-22
Published: May 22, 2025
Downloadable IOCs: 10

RAT Dropped By Two Layers of AutoIT Code

A malware attack involving multiple layers of AutoIT code has been discovered. The initial file, disguised as a project file, contains AutoIT script that generates and executes a PowerShell script. This script downloads an AutoIT interpreter and another layer of AutoIT code. Persistence is achieved…
rat
asyncrat
autoit
2025-05-19
Published: May 19, 2025
Downloadable IOCs: 4

Yet Another NodeJS Backdoor (YaNB): A Modern Challenge

A resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications has been observed, tricking users into executing NodeJS-based backdoors and deploying sophisticated Remote Access Trojans. The attack begins with a malicious NodeJS script connecting to attacker-controlled infrastructure…
backdoor
rat
persistence
captcha
anti-vm
xor encryption
system reconnaissance
2025-05-16
nodejs
socks5 proxy
nodejs rat
kongtuke
Published: May 16, 2025
Downloadable IOCs: 11

April 2025 Threat Trend Report on APT Attacks (South Korea)

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing emerged as the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage an…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
google drive
2025-05-14
dropbox api
Published: May 14, 2025
Downloadable IOCs: 3

Newly Registered Domains Distributing SpyNote Malware

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for sur…
rat
phishing
android
spynote
remote access
keylogging
data exfiltration
spymax
google play store
2025-04-10
apk dropper
androidos
2025-04-15
Published: April 15, 2025
Downloadable IOCs: 0

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customize…
apt
rat
phishing
dll side-loading
multi-platform
msi
spark rat
2025-04-08
xeno rat
curlback rat
Published: April 8, 2025
Downloadable IOCs: 28

Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams

The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency …
rat
phishing
social engineering
rhadamanthys
cryptocurrency theft
amos
2025-03-06
job recruitment
atomic macos stealer (amos)
grasscall
Published: March 6, 2025
Downloadable IOCs: 14

The Evolution of Dark Caracal Tools: Campaign Analysis Using the Poco RAT

Attacks using the Poco RAT are a continuation of the Dark Caracal group's campaign. This campaign was launched in 2022 and is aimed at Spanish-speaking countries in Latin America.
rat
phishing
windows
2025-03-05
vmware
bandook
poco rat
ultimate packer
executables
virtualbox
dark caracal
poco c++
Published: March 5, 2025
Downloadable IOCs: 41

Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered

This week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at enhancing its stealth by patching AMSI scanning and ETW logging to evade detection. This loader was seen distributing Async RAT in the past but now it has extended its functionality to Remco…
rat
phishing
powershell
remcos
2025-03-05
zip
vb script
Published: March 5, 2025
Downloadable IOCs: 7

The ticket that doesn't exist: a new threat discovered - FakeTicketer

A new threat actor named FakeTicketer has been identified by F.A.C.C.T. Threat Intelligence, operating since June 2024 with a focus on espionage. The actor targets government officials and sports functionaries using malicious software disguised as tickets for Russian Premier League football matches…
espionage
rat
phishing
stealer
dropper
government
2025-01-22
sports
zagrebator
zagrebator.stealer
zagrebator.dropper
zagrebator.rat
Published: January 22, 2025
Downloadable IOCs: 0

December 2024 Threat Trend Report on APT Attacks (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks targeting South Korea in December 2024. The primary method of attack was spear phishing, with a focus on distributing LNK files. Two main types of attacks were identified: Type A, which uses compressed CAB files containing m…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
2025-01-09
decoy documents
Published: January 9, 2025
Downloadable IOCs: 3

Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs

An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an Alternate Data Stream with PowerShell code. The infection process involved creating a scheduled task…
apt
espionage
rat
south asia
defense sector
scheduled tasks
2024-12-17
turkey
miyarat
wmrat
alternate data streams
Published: December 17, 2024
Downloadable IOCs: 0

Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia

An unknown threat actor has deployed a malicious Android sample targeting high-value assets in Southern Asia. The malware, generated using the Spynote Remote Administration Tool, was delivered via WhatsApp in multiple attempts. The payload, concealed and operating in the background, exhibits variou…
rat
android
whatsapp
2024-12-10
Published: December 10, 2024
Downloadable IOCs: 5

The RAT race: What happens when RATs go undetected

This analysis explores a sophisticated cyberattack attempt involving multiple Remote Access Tools (RATs) and a stealer. The attack chain begins with an email containing an exploit for CVE-2024-38213, bypassing Windows' Mark of the Web security feature. The malware uses WebDav directories and Cloudf…
xworm
rat
dcrat
CVE-2024-38213
2024-11-30
purelog stealer
Published: November 30, 2024
Downloadable IOCs: 0

Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chai…
rat
phishing
windows
russia
ukraine
zero-day
CVE-2024-43451
2024-11-14
ntlm
spark rat
pass-the-hash
hash stealing
Published: November 14, 2024
Downloadable IOCs: 24

New Campaign Uses Remcos RAT to Exploit Victims

A phishing campaign utilizing Remcos RAT has been detected. The attack begins with an email containing a malicious Excel document that exploits CVE-2017-0199. When opened, it downloads and executes an HTA file, which in turn downloads and runs a malicious EXE. This EXE uses PowerShell to load and e…
rat
phishing
powershell
remcos
CVE-2017-0199
process hollowing
2024-11-08
Published: November 8, 2024
Downloadable IOCs: 2

Unwrapping the emerging Interlock ransomware attack

A new ransomware group called Interlock has emerged, targeting various sectors with big-game hunting and double extortion attacks. The group uses a sophisticated delivery chain including a RAT disguised as a browser updater, PowerShell scripts, credential stealers, and keyloggers. They primarily mo…
rat
ransomware
azure
rdp
keylogger
double-extortion
rhysida
2024-11-07
credential-stealer
interlock
Published: November 7, 2024
Downloadable IOCs: 2

Python RAT with a Nice Screensharing Feature

A Python Remote Access Trojan (RAT) with advanced capabilities, including a notable screensharing feature, has been discovered. The RAT, based on a two-year-old script, has a low detection rate on VirusTotal. It offers numerous functions to control the victim's computer, such as shell access, webca…
rat
python
2024-11-05
low-detection
remote-control
python rat
vidstream
screensharing
Published: November 5, 2024
Downloadable IOCs: 1

Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT

APT36, also known as Transparent Tribe, is a Pakistan-based threat actor targeting Indian government and military entities. Their campaigns utilize ElizaRAT, a Windows Remote Access Tool that has evolved to enhance evasion techniques and C2 communication. Recent campaigns employ cloud services like…
espionage
rat
stealer
transparent tribe
apt36
cloud services
2024-11-04
apolostealer
Published: November 4, 2024
Downloadable IOCs: 23

Writing a BugSleep C2 server and detecting its traffic with Snort

This analysis focuses on the BugSleep implant, also known as MuddyRot, a remote access tool that provides reverse shell and file I/O capabilities. The article details the process of reverse engineering BugSleep's protocol, creating a functional C2 server, and developing Snort rules for traffic dete…
rat
bugsleep
2024-10-30
reverse engineering
muddyrot
python server
c2 protocol
snort detection
Published: October 30, 2024
Downloadable IOCs: 0

DarkComet RAT: Technical Analysis of Attack Chain

This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
rat
evasion
persistence
keylogging
privilege escalation
command and control
remote access trojan
2024-10-23
darkcomet
Published: October 23, 2024
Downloadable IOCs: 1

Malware by the (Bit)Bucket: Uncovering AsyncRAT

A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
obfuscation
rat
powershell
asyncrat
vbscript
.net
2024-10-10
bitbucket
Published: October 10, 2024
Downloadable IOCs: 0

The Open-Source Builder Behind Malicious Loaders

MisterioLNK is a newly discovered open-source loader builder that generates LNK, BAT, CMD, and VBS loader files designed to download and execute remote files. Available on GitHub, it poses a significant challenge to security defenses due to minimal detection rates. The tool supports multiple loader…
rat
remcos rat
2024-10-08
lnk files
blankstealer
misteriolnk
loader builder
dc rat
Published: October 8, 2024
Downloadable IOCs: 0

SambaSpy – a new RAT targeting Italian users

A campaign exclusively targeting Italian users was detected in May 2024, delivering a new Remote Access Trojan (RAT) dubbed SambaSpy. The infection chain involves phishing emails impersonating a legitimate Italian real estate company, redirecting victims to a malicious website. The campaign employs…
rat
phishing
java
2024-09-19
credential stealing
sambaspy
Published: September 19, 2024
Downloadable IOCs: 24

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining acce…
rat
cryptocurrency
macos
poolrat
pondrat
2024-09-19
applejeus
Published: September 19, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2024-3094
Downloadable IOCs: 16

New macOS malware gives attackers backdoor access to Macs

A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
backdoor
surveillance
rat
macos
malicious
hz rat
2024-09-16
Published: September 16, 2024
Downloadable IOCs: 25

Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script

In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establ…
obfuscation
rat
autoit
downloader
2024-08-23
lilith
konni
lilith rat
Published: August 23, 2024
Downloadable IOCs: 33

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, targeting Russian government organizations and IT companies. The attackers employed phishing emails with malicious shortcuts to deliver malware that communicated via Dropbox. They utilized tools associated with APT31 and …
rat
phishing
spyware
dll sideloading
cloudsorcerer
2024-08-14
plugy
grewapacha
Published: August 14, 2024
Downloadable IOCs: 5

PureHVNC Deployed via Python Multi-stage Loader

FortiGuard Labs uncovered a sophisticated attack campaign utilizing multiple obfuscation and evasion techniques to distribute and execute various malware, including VenomRAT, XWorm, AsyncRAT, and PureHVNC. The campaign starts with a phishing email containing a malicious attachment that initiates a …
xworm
rat
phishing
asyncrat
venomrat
2024-08-09
purehvnc
Published: August 9, 2024
Downloadable IOCs: 18

BingoMod: The new android RAT that steals money and wipes data

In late May 2024, a new Android Remote Access Trojan (RAT) named BingoMod emerged, aiming to initiate fraudulent money transfers from compromised devices using a technique called On-Device Fraud (ODF). After installation, BingoMod steals sensitive information, conducts overlay attacks, and provides…
rat
android
fraud
banking
2024-08-02
bingomod
Published: August 2, 2024
Downloadable IOCs: 3

Detecting evolving threats: NetSupport RAT campaign

This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
obfuscation
rat
malvertising
powershell
persistence
netsupport rat
2024-08-02
Published: August 2, 2024
Downloadable IOCs: 3

Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…
malware
rat
evasion
encryption
dropper
gh0st rat
moudoor
mydoor
2024-07-31
Published: July 31, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 6

Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant

This report analyzes a recent phishing campaign distributing a new DarkGate Remote Access Trojan variant. The malware leverages various obfuscation and anti-analysis techniques, including process hollowing, anti-VM checks, and encoding. It supports numerous malicious functionalities like ransomware…
rat
darkgate
2024-07-15
Published: July 15, 2024
Downloadable IOCs: 4

CVE-2024-4577 Exploits in the Wild One Day After Disclosure

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection
Published: July 11, 2024
Downloadable IOCs: 17

Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)

A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
backdoor
exploit
rat
xmrig
vulnerability
plugx
gh0strat
CVE-2024-23692
cobaltstrike
korplug
destroyrat
xenorat
2024-07-03
gothief
Published: July 3, 2024
Linked vulnerabilities : CVE-2024-23692 (CVSS 9.8)
Downloadable IOCs: 14

An Android RAT targets Telegram Users

This analysis discusses SpyMax, a Remote Access Trojan (RAT) that targets Android devices and specifically aims at obtaining data from Telegram users. It employs phishing techniques to trick victims into installing a malicious application disguised as the legitimate Telegram app. Once installed, Sp…
surveillance
rat
phishing
android
keylogger
2024-06-28
spymax
Published: June 28, 2024
Downloadable IOCs: 4

espionage group targets government agencies with and more infection techniques

A recently discovered threat actor, dubbed 'SneakyChef,' has been conducting an ongoing espionage campaign targeting government agencies across different regions, primarily utilizing the SugarGh0st malware. The group employs decoy documents impersonating government entities and infects victims thro…
apt
espionage
rat
phishing
government
sugargh0st
2024-06-24
spicerat
Published: June 24, 2024
Downloadable IOCs: 148

Unveiling SpiceRAT: Latest tool targeting EMEA and Asia

Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, employed by the threat actor SneakyChef in a recent malicious campaign. The campaign targeted government agencies across multiple countries in Europe, the Middle East, Africa, and Asia. SpiceRAT was delivered alongside SugarGh…
rat
phishing
sugargh0st
sideloading
2024-06-24
spicerat
Published: June 24, 2024
Downloadable IOCs: 6

RAT Distributed as UUEncoding (UUE) File

This intelligence report describes a malicious operation where the Remcos Remote Access Trojan (RAT) is being disseminated through phishing emails containing an attachment exploiting the Unix-to-Unix Encoding (UUE) technique. The encoded file loads an obfuscated VBScript that fetches additional mal…
obfuscation
rat
phishing
persistence
remcos
remote access
2024-06-11
Published: June 11, 2024
Downloadable IOCs: 3

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
backdoor
rat
ransomware
blackcat
alphv
cobalt strike
icedid
exfiltration
2024-06-10
noberus
csharp streamer
Published: June 10, 2024
Downloadable IOCs: 33

Malicious Campaign Analysis: JScript RAT and CobaltStrike

This report examines a recent malicious campaign involving a JScript-based Remote Access Trojan (RAT) and its connections to the CobaltStrike penetration testing tool. The attack commences with an obfuscated JScript loader distributed through suspected phishing campaigns. Upon execution, it contact…
obfuscation
rat
encryption
cobaltstrike
2024-06-07
jscript
jscript rat
Published: June 7, 2024
Downloadable IOCs: 4

DarkGate again but... Improved?

The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
obfuscation
pikabot
rat
phishing
autohotkey
darkgate
2024-06-06
Published: June 6, 2024
Downloadable IOCs: 313

DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine

This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
rat
ukraine
cyber
2024-06-06
darkcrystal rat
darkcrystal
targeted
Published: June 6, 2024
Downloadable IOCs: 14

SugarGh0st RAT Used to Target American Artificial Intelligence Experts

This intelligence report provides details about a SugarGh0st RAT campaign conducted by an unattributed threat actor, tracked as UNK_SweetSpecter, targeting organizations in the United States involved in artificial intelligence (AI) efforts across academia, private industry, and government. The camp…
rat
phishing
2024-05-16
2024-05-11
sugargh0st
ai
gh0strat
sugargh0st rat
Published: May 16, 2024
Downloadable IOCs: 9

The Overlapping Cyber Strategies Of Transparent Tribe And SideCopy Against India

CRIL's analysis revealed SideCopy APT group's sophisticated malware campaign, employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities, suggesting potenti…
malware
apt
rat
action rat
india
infection chain
2024-05-15
2024-05-10
reverserat
Published: May 15, 2024
Downloadable IOCs: 21

GoTo Meeting loads RAT via Shellcode Loader

A malicious campaign has been discovered that exploits the legitimate GoTo Meeting online conferencing software to deploy the Remcos remote access trojan (RAT). The attack chain involves utilizing lures like porn downloads, software setup files, and tax forms with Russian and English file names. It…
rat
remcos
2024-05-08
dll sideloading
shellcode
rust
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 17

Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack

The report details an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), pr…
obfuscation
rat
xmrig
persistence
2024-05-05
2024-05-06
2024-05-07
2024-05-08
purecrypter
cryptominer
3proxy
antiav
orcusrat
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 12

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

This comprehensive analysis provides a thorough examination of the REMCOS Remote Access Trojan (RAT), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, persistence mechanisms, and …
rat
evasion
persistence
remcos
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
remote access
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 34

HijackLoader Updates

HijackLoader, also known as IDAT Loader, is a modular malware loader capable of executing multiple payloads. It utilizes a variety of modules for code injection, execution, and evasion techniques. This report analyzes the updated version of HijackLoader, which includes new modules for bypassing Win…
rat
evasion
rhadamanthys
stealer
remcos
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
amadey
lumma stealer
injection
modular
racoon stealer v2
malware loader
meta stealer
Published: May 7, 2024
Downloadable IOCs: 11

Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
rat
social engineering
python
developers
python-based rat
dev#popper
Published: April 29, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports