Tag: remote access trojan

54 Attack Reports | 0 Vulnerabilities

Attack reports

That AI Extension Helping You Write Emails? It's Reading Them First

Researchers discovered 18 malicious AI browser extensions masquerading as productivity tools that deliver remote access trojans, meddler-in-the-middle attacks, and infostealers. These extensions exploit the rise of generative AI to target prompts, user behavior, and browser sessions through API int…
genai
remote access trojan
browser extension
2026-04-30
huiyi
search hijacker
Published: April 30, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 10

Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT

A sophisticated malware campaign is distributing both Gh0st Remote Access Trojan and CloverPlus adware simultaneously through obfuscated loaders. The loader drops encrypted payloads from its resource section, with one being adware and another a Gh0st RAT DLL module executed via rundll32.exe. The RA…
gh0st rat
keylogging
remote access trojan
dns hijacking
2026-04-17
adware bundle
cloverplus
dead drop resolver
registry persistence
Published: April 17, 2026
Linked vulnerabilities : CVE-2023-27350
Downloadable IOCs: 2

From Inbox to Intrusion: Multi‑Stage Remcos RAT and C2‑Delivered Payloads in Network

This multi-stage fileless Remcos RAT attack leverages a phishing-delivered JavaScript dropper to trigger a reflective PowerShell loader that executes payloads entirely in memory. The infection chain utilizes obfuscation techniques like rotational XOR and Base64 encoding to reconstruct .NET payloads…
rat
phishing
remcos
remote access trojan
2026-04-01
js dropper
Published: April 1, 2026
Downloadable IOCs: 2

Supply-Chain Compromise of axios npm Package

A coordinated supply chain attack targeted the axios npm package, compromising two versions (1.14.1 and 0.30.4) by injecting a malicious dependency. The attack delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems. The compromise occurred through the lead maintainer's…
supply-chain
credential-theft
npm
cross-platform
remote access trojan
axios
remote-access-trojan
2026-03-31
Published: March 31, 2026
Downloadable IOCs: 4

Supply-Chain Compromise of axios npm Package

A coordinated supply chain attack targeted the axios npm package, compromising two versions (1.14.1 and 0.30.4) by injecting a malicious dependency. The attack delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems. The compromise occurred through the lead maintainer's…
supply-chain
credential-theft
npm
cross-platform
remote access trojan
axios
remote-access-trojan
2026-03-31
Published: March 31, 2026
Downloadable IOCs: 4

Axios NPM Distribution Compromised in Supply Chain Attack

An unknown threat actor compromised the npm account of an axios maintainer, publishing two malicious versions of the package. These versions introduced a dependency on plain-crypto-js, a newly created malicious package. Despite quick removal, axios's widespread usage led to rapid exposure. The mali…
npm
remote access trojan
supply chain attack
axios
2026-03-31
credential compromise
plain-crypto-js
Published: March 31, 2026
Downloadable IOCs: 6

A cunning predator: How Silver Fox preys on Japanese firms this tax season

Silver Fox, a threat actor, is exploiting Japan's tax filing and organizational change season with a targeted spearphishing campaign against Japanese businesses. The group sends convincing phishing emails related to tax compliance, salary adjustments, and HR matters, tricking recipients into openin…
spearphishing
valleyrat
targeted attacks
remote access trojan
japan
financial lures
tax season
2026-03-28
hr lures
Published: March 28, 2026
Downloadable IOCs: 14

GlassWorm attack installs fake browser extension for surveillance

GlassWorm is a sophisticated malware targeting developers through compromised code repositories and package managers. It executes in stages, starting with a stealthy infection that fingerprints the machine and fetches further payloads via the Solana blockchain. The malware steals sensitive data, in…
infostealer
cryptocurrency
developers
remote access trojan
supply chain attack
blockchain
browser extension
2026-03-26
glassworm
Published: March 26, 2026
Downloadable IOCs: 1

COVERT RAT: Phishing Campaign

A sophisticated multi-stage infection chain targets Argentina's judicial ecosystem using spear-phishing tactics and authentic-looking judicial content. The campaign employs a carefully crafted ZIP archive containing a weaponized LNK shortcut, BAT-based loader script, and judicial-themed PDF decoy. …
phishing
anti-analysis
spear-phishing
remote access trojan
multi-stage infection
argentina
rust-based malware
2026-03-16
covert rat
judicial sector
Published: March 16, 2026
Downloadable IOCs: 6

Abusing Windows File Explorer and WebDAV for Malware Delivery

This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns oft…
phishing
dcrat
webdav
lnk file
async rat
remote access trojan
malware delivery
xworm rat
cloudflare tunnel
abuse
2026-03-01
url shortcut
Published: March 1, 2026
Downloadable IOCs: 4

Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences

A new Go-based remote access trojan named Moonrise has been discovered, operating without early static detection and establishing active C2 communication before vendor alerts. The RAT supports credential theft, remote command execution, persistence, and user monitoring, enabling full remote control…
rat
credential theft
c2 communication
remote access trojan
low-detection
go-based
2026-02-24
moonrise
moonrise rat
Published: February 24, 2026
Downloadable IOCs: 7

Fake Huorong security site infects users with ValleyRAT

A sophisticated campaign by the Silver Fox APT group has been discovered using a fake version of the popular Chinese antivirus Huorong Security to distribute ValleyRAT, a Remote Access Trojan. The attackers created a convincing lookalike website with a typosquatted domain to trick users into downlo…
apt
typosquatting
china
dll sideloading
valleyrat
remote access trojan
2026-02-23
antivirus impersonation
huorong security
winos4.0
Published: February 23, 2026
Downloadable IOCs: 7

(Don't) TrustConnect: It's a RAT in an RMM hat

A new malware-as-a-service (MaaS) called TrustConnect has been discovered masquerading as a legitimate remote monitoring and management (RMM) tool. The malware, classified as a remote access trojan (RAT), uses a fake business website as its command and control center and MaaS portal. Priced at $300…
cybercrime
malware-as-a-service
email campaigns
remote access trojan
c2 infrastructure
digital signatures
rmm abuse
2026-02-19
docconnect
trustconnect
trustconnect rat
Published: February 19, 2026
Downloadable IOCs: 10

Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques

This analysis examines the evolution of Remcos, a Remote Access Trojan that has become a significant global threat. Originally a commercial tool, Remcos now provides attackers with capabilities such as credential theft, keylogging, screen capture, and webcam control. The latest variant exhibits rea…
rat
persistence
remcos
credential theft
keylogging
data exfiltration
evasion techniques
remote access trojan
command-and-control
2026-02-18
Published: February 18, 2026
Downloadable IOCs: 1

ScreenConnect Attack: SmartScreen Bypass and RMM Abuse

An attack campaign targeting organizations in the US, Canada, UK, and Northern Ireland exploits ConnectWise ScreenConnect vulnerabilities. The attack chain begins with a spoofed email containing a malicious .cmd attachment, which executes silently, escalates privileges, disables Windows SmartScreen…
screenconnect
phishing
social engineering
privilege escalation
remote access trojan
uac bypass
rmm abuse
2026-02-12
smartscreen bypass
Published: February 12, 2026
Downloadable IOCs: 1

Quick, You Need Assistance!

A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script to download a command and control pay…
powershell
cybercrime
microsoft teams
remote access trojan
amsi bypass
quick assist
2026-02-02
netsupport manager
powershell web-socket remote access trojan
voice-phishing
Published: February 2, 2026
Downloadable IOCs: 13

PurpleBravo’s Targeting of the IT Software Supply Chain

PurpleBravo, a North Korean state-sponsored threat group, targets software developers through fake recruitment efforts, particularly in cryptocurrency and software development sectors. Their toolkit includes BeaverTail, PyLangGhost, and GolangGhost, designed for stealing browser credentials and cry…
social engineering
north korea
cryptocurrency
github
beavertail
remote access trojan
invisibleferret
software supply chain
astrill vpn
golangghost
pylangghost
2026-01-21
browser credential theft
it services
Published: January 21, 2026
Downloadable IOCs: 187

Operation Covert Access: Weaponized LNK-Based Spear-Phishing Targeting Argentina's Judicial Sector to Deploy a Covert RAT

A sophisticated spear-phishing campaign targeting Argentina's judicial sector has been uncovered. The operation uses a multi-stage infection chain to deploy a stealthy Remote Access Trojan (RAT). Attackers exploit trust in court communications by using authentic-looking judicial decoy documents. Th…
rat
anti-analysis
lnk
rust
spear-phishing
remote access trojan
multi-stage
2026-01-20
argentina
judicial-sector
Published: January 20, 2026
Downloadable IOCs: 6

Indian Income Tax-Themed Phishing Campaign Targets Local Businesses

A sophisticated phishing campaign impersonating the Indian Income Tax Department has been targeting local businesses. The attack begins with a spear-phishing email containing a PDF attachment that directs victims to a fake compliance portal. This triggers the download of a malicious ZIP file, which…
rat
phishing
india
nsis installer
remote access trojan
data harvesting
china-linked
2025-12-22
income tax
Published: December 22, 2025
Downloadable IOCs: 3

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

A ValleyRAT campaign is targeting job seekers through email, disguising itself as a Foxit PDF reader and using DLL side-loading for initial system access. The campaign exploits job seekers' eagerness by using recruitment-related lures in archive files. The attack employs sophisticated techniques, i…
social engineering
data theft
valleyrat
dll side-loading
remote access trojan
job seekers
2025-12-03
foxit pdf reader
Published: December 3, 2025
Downloadable IOCs: 25

New Kimsuky Malware "EndClient RAT": Technical Report and IOCs

A novel Remote Access Trojan (RAT) called 'EndClient RAT' has been discovered targeting North Korean Human Rights Defenders. The malware, attributed to the Kimsuky group, is delivered via a signed Microsoft Installer package disguised as 'StressClear.msi'. It uses AutoIT scripts for execution and e…
north korea
persistence
autoit
remote access trojan
c2 protocol
2025-11-07
code signing
human rights defenders
endclient rat
Published: November 7, 2025
Downloadable IOCs: 3

A Vietnamese threat actor's shift from PXA Stealer to PureRAT

A Vietnamese threat actor has transitioned from using the PXA Stealer to deploying PureRAT, a commercial remote access trojan. The attack chain involves multiple stages, including phishing emails, Python-based infostealers, and .NET loaders. The campaign demonstrates a progression in complexity, ut…
purecrypter
remote access trojan
purerat
pxa stealer
pureminer
2025-10-10
pureclipper
vietnamese threat actor
Published: October 10, 2025
Downloadable IOCs: 4

The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors

A sophisticated cyber intrusion campaign utilizing log poisoning and a new tool called Nezha has been uncovered. The attackers exploited a vulnerable phpMyAdmin interface to deploy a web shell, followed by the installation of Nezha, an open-source server monitoring tool repurposed for malicious act…
china chopper
web shell
remote access trojan
antsword
ghost rat
log poisoning
nezha
2025-10-09
server monitoring
Published: October 9, 2025
Downloadable IOCs: 11

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

This intelligence report details a sophisticated attack campaign leveraging trojanized ConnectWise ScreenConnect installers to deliver AsyncRAT payloads. Attackers use open directories as staging points, blending legitimate remote management software abuse with custom loaders and scripts. The campa…
obfuscation
screenconnect
phishing
persistence
asyncrat
remote access trojan
c2 infrastructure
open directories
CVE-2025-3935
powershell rat
2025-09-19
payload staging
Published: September 19, 2025
Downloadable IOCs: 0

Technical Analysis of kkRAT

A malware campaign targeting Chinese-speaking users has been identified, delivering three types of malware: ValleyRAT, FatalRAT, and kkRAT. The campaign uses fake installer pages to distribute the malware. kkRAT, a new Remote Access Trojan, shares similarities with Ghost RAT and Big Bad Wolf. It em…
valleyrat
byovd
remote access trojan
chinese-speaking
fatalrat
ghost rat
2025-09-10
kkrat
big bad wolf
Published: September 10, 2025
Downloadable IOCs: 0

ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT

ZynorRAT is a newly discovered Go-based Remote Access Trojan that provides a full suite of command and control capabilities for Linux and Windows systems. It was first identified in July 2025 and is believed to be of Turkish origin. The malware uses Telegram as its C2 infrastructure and offers feat…
linux
windows
c2
telegram
remote access trojan
go-based
2025-09-10
zynorrat
turkish
Published: September 10, 2025
Downloadable IOCs: 48

Threat Actor Profile: Interlock Ransomware

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortio…
social engineering
ransomware
powershell
cobalt strike
clickfix
systembc
double extortion
trycloudflare
remote access trojan
compromised websites
interlock rat
2025-08-15
nodesnake rat
Published: August 15, 2025
Downloadable IOCs: 24

Unmasking AsyncRAT: Navigating the labyrinth of forks

AsyncRAT, an open-source remote access trojan, has evolved into a sprawling network of forks and variants since its 2019 release. The article explores its origins, tracing influence from Quasar RAT, and maps out the relationships among various forks. DcRat and VenomRAT emerge as the most widely dep…
asyncrat
dcrat
venomrat
quasar rat
evasion techniques
remote access trojan
2025-07-16
2025-08-12
santarat
boratrat
xiebrorat
noneuclid rat
jasonrat
malware forks
Published: August 12, 2025
Downloadable IOCs: 22

Ghost Crypt Powers PureRAT with Hypnosis

In May 2025, eSentire's Threat Response Unit (TRU) uncovered a targeted attack on a U.S. accounting firm. The attackers used a newly advertised crypter service, Ghost Crypt, to sideload and obfuscate a DLL into a legitimate Windows component (csc.exe), deploying PureRAT, a Remote Access Trojan that…
remote access trojan
2025-07-21
purerat
ghostcrypt
Published: July 21, 2025
Linked vulnerabilities : CVE-2019-18935, CVE-2025-4632 (CVSS 9.8)
Downloadable IOCs: 18

DCRAT Impersonating the Colombian Government

A new email attack distributing DCRAT, a Remote Access Trojan, has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in Colombia. The attack employs multiple evasion techniques, including password-protected archives, obfuscation, steganography, base…
obfuscation
phishing
persistence
steganography
dcrat
credential harvesting
remote access trojan
colombia
2025-07-02
Published: July 2, 2025
Downloadable IOCs: 8

DRAT V2: Updated DRAT Emerges in Arsenal

TAG-140, a threat actor group overlapping with SideCopy, has deployed an updated version of their DRAT remote access trojan, dubbed DRAT V2. This new variant, developed in Delphi, introduces enhanced command and control capabilities, including arbitrary shell command execution and improved C2 obfus…
india
remote access trojan
2025-06-23
delphi
drat
drat v2
c2 obfuscation
broaderaspect
Published: June 23, 2025
Downloadable IOCs: 8

From ClickFix deception to information stealer deployment

The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access troj…
social engineering
infostealer
lumma
clickfix
multi-stage attack
remote access trojan
ghostpulse
arechclient2
eddiestealer
2025-06-18
Published: June 18, 2025
Downloadable IOCs: 47

AsyncRAT Campaign Continues to Evade Endpoint Detection

A wide-ranging phishing campaign has been identified that enables threat actors to bypass traditional security controls and delay detection. The campaign, tracked since 2024, has facilitated remote surveillance, credential theft, lateral movement, data exfiltration, and ransomware across numerous o…
obfuscation
xworm
phishing
remcos
asyncrat
venomrat
purehvnc
cloud services
cybercriminal
trycloudflare
remote access trojan
2025-06-17
python scripts
endpoint evasion
Published: June 17, 2025
Downloadable IOCs: 0

Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure

A sophisticated malware campaign has been discovered utilizing paste.ee to distribute XWorm and AsyncRAT. The attackers employ obfuscated JavaScript with Unicode characters to download and execute malicious code from paste.ee URLs. The infrastructure includes multiple C2 servers across Europe and t…
obfuscation
xworm
remcosrat
asyncrat
remote access trojan
c2 infrastructure
2025-06-06
paste.ee
ssl certificates
Published: June 6, 2025
Downloadable IOCs: 12

From Gamer to Malware Developer: Exploring SilverRat and Its Syrian Roots

This analysis delves into the development and capabilities of Silver RAT, a Remote Access Trojan created by a Syrian developer known as 'noradlb1'. The malware, initially observed in November 2023, offers features such as keylogging, UAC bypass, and data encryption. The developer, active on various…
ransomware
keylogger
remote access trojan
antivirus bypass
telegram channels
2025-06-04
syrian developer
hacking forums
silver rat
Published: June 4, 2025
Downloadable IOCs: 0

Malware Analysis Reveals Sophisticated RAT With Corrupted Headers

A sophisticated remote access Trojan (RAT) has been discovered operating within a legitimate Windows process, using advanced evasion techniques. The malware's PE and DOS headers were deliberately corrupted, making traditional analysis difficult. Fortinet's FortiGuard Incident Response Team analyzed…
remote access trojan
2025-05-29
corrupted headers
tls transmission
api mapping
Published: May 29, 2025
Downloadable IOCs: 0

Inside a VenomRAT Malware Campaign

A malicious campaign utilizing VenomRAT, a Remote Access Trojan, is analyzed. The attackers use a fake Bitdefender download website to spread malware, including VenomRAT, StormKitty, and SilentTrinity. These tools work together to provide initial access, steal credentials, and maintain long-term hi…
phishing
credential theft
venomrat
open-source malware
command and control
remote access trojan
stormkitty
silenttrinity
2025-05-29
Published: May 29, 2025
Downloadable IOCs: 35

Reborn in Rust: Attempt to thwart malware analysis

AsyncRAT, a remote access trojan known since 2019, has been rewritten in Rust, marking a shift from its original C# implementation. This change aims to complicate reverse engineering efforts due to limited analysis tool support for Rust. The malware retains its core functionality, including plugin …
plugins
asyncrat
rust
command and control
remote access trojan
reverse engineering
system information
2025-05-26
tls
hardware id
rustyasyncrat
Published: May 26, 2025
Downloadable IOCs: 4

Interlock ransomware evolving under the radar

The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdo…
ransomware
lumma
clickfix
double extortion
remote access trojan
2025-04-16
credential stealer
berserkstealer
interlock rat
interlock ransomware
fake updaters
powershell backdoor
Published: April 16, 2025
Downloadable IOCs: 0

NEPTUNE RAT: An advanced Windows RAT with System Destruction Capabilities and Password Exfiltration from 270+ Applications

Neptune RAT, a sophisticated Windows-based remote access trojan, has emerged with advanced capabilities including system destruction and password exfiltration from over 270 applications. It employs PowerShell commands for deployment, leveraging catbox.moe for hosting malicious scripts. The malware …
anti-analysis
remote access trojan
2025-04-09
neptune rat
Published: April 9, 2025
Downloadable IOCs: 24

Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activit…
windows
persistence
anti-analysis
data exfiltration
multi-stage attack
stealth techniques
remote access trojan
2025-04-01
konni rat
Published: April 1, 2025
Downloadable IOCs: 0

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

Microsoft Incident Response researchers discovered a novel remote access trojan named StilachiRAT, demonstrating sophisticated evasion, persistence, and data exfiltration techniques. The malware collects extensive system information, targets cryptocurrency wallet extensions, steals browser credenti…
persistence
credential theft
cryptocurrency theft
command and control
remote access trojan
2025-03-17
stilachirat
system reconnaissance
anti-forensics
rdp monitoring
Published: March 17, 2025
Linked vulnerabilities : CVE-2023-36884
Downloadable IOCs: 2

New Steganographic Campaign Distributing Multiple Malware Variants

A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HT…
obfuscation
phishing
remcos
steganography
asyncrat
dcrat
CVE-2017-0199
process hollowing
remote access trojan
agenttesla
vipkeylogger
2025-03-17
Published: March 17, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 13

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferenci…
social engineering
rhadamanthys
cryptocurrency
atomic macos stealer
remote access trojan
web3
grasscall
2025-03-13
job recruitment scam
russian-speaking cybercriminals
Published: March 13, 2025
Downloadable IOCs: 0

APT37 - RokRat

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing email…
phishing
north korea
powershell
rokrat
cloud services
lnk files
remote access trojan
2025-03-12
Published: March 12, 2025
Downloadable IOCs: 9

Trump Cryptocurrency Delivers ConnectWise RAT

An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once…
phishing
social engineering
remote access trojan
2025-03-11
cryptocurrency scam
password theft
binance impersonation
connectwise rat
Published: March 11, 2025
Downloadable IOCs: 1

From Credit Card Skimming to Exploiting Zero-Days

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sec…
powershell
zero-day
meterpreter
aspxspy
webshell
supply-chain-attack
2025-02-03
CVE-2024-57968
CVE-2025-25181
information-theft
remote-access-trojan
sql-injection
persistent-access
Published: February 3, 2025
Linked vulnerabilities : CVE-2024-57968 (CVSS 9.9), CVE-2025-25181 (CVSS 5.8), CVE-2019-18935, CVE-2017-9248
Downloadable IOCs: 17

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again

A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of dow…
xworm
phishing
python
dropbox
asyncrat
venomrat
process injection
evasion techniques
trycloudflare
remote access trojan
2025-02-01
Published: February 1, 2025
Downloadable IOCs: 0

Analysis of AsyncRAT's Infection Tactics via Open Directories

This analysis explores two distinct methods used to infect systems with AsyncRAT through open directories. The first technique involves a multi-stage process using various obfuscated scripts (VBS, BAT, PowerShell) and disguised files to download and execute the AsyncRAT payload. The second method e…
obfuscation
powershell
asyncrat
remote access trojan
multi-stage infection
2024-11-07
vbs
scheduled tasks
bat
open directories
Published: November 7, 2024
Downloadable IOCs: 15

RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit

RunningRAT, a remote access trojan initially observed in 2018 targeting the Pyeongchang Winter Olympics, has evolved its capabilities to include cryptocurrency mining. This shift indicates an expansion of the malware's operational focus. The analysis reveals the discovery of RunningRAT samples in o…
xmrig
cryptocurrency mining
remote access trojan
2024-11-06
runningrat
Published: November 6, 2024
Downloadable IOCs: 11

ValleyRAT Insights: Tactics, Techniques, and Detection Methods

ValleyRAT is a remote access Trojan targeting Chinese-speaking users through phishing campaigns. It employs multi-stage, multi-component tactics to evade detection and maintain persistence. The malware uses various techniques including process injection, registry manipulation, and UAC bypass. It at…
phishing
evasion
persistence
valleyrat
remote access trojan
2024-10-25
uac bypass
chinese-speaking targets
Published: October 25, 2024
Downloadable IOCs: 3

DarkComet RAT: Technical Analysis of Attack Chain

This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
rat
evasion
persistence
keylogging
privilege escalation
command and control
remote access trojan
2024-10-23
darkcomet
Published: October 23, 2024
Downloadable IOCs: 1

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

A new phishing campaign targeting Russian-speaking users employs the open-source Gophish framework to deliver DarkCrystal RAT and a novel remote access trojan called PowerRAT. The attack utilizes modular infection chains, either through malicious Microsoft Word documents or HTML files with embedded…
phishing
dcrat
html smuggling
darkcrystal rat
russian-speaking
remote access trojan
2024-10-22
powerrat
gophish
Published: October 22, 2024
Downloadable IOCs: 2

DarkVision RAT

DarkVision RAT is a customizable remote access trojan that first appeared in 2020, offered on Hack Forums for $60. Written in C/C++ and assembly, it offers features like keylogging, screenshots, file manipulation, process injection, remote code execution, and password theft. The analysis reveals a …
purecrypter
c2 communication
multi-stage attack
2024-10-10
remote access trojan
darkvision rat
Published: October 10, 2024
Downloadable IOCs: 0
Click here to see more Attack Reports