Tag: remote access trojan

35 Attack Reports | 0 Vulnerabilities

Attack reports

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

A ValleyRAT campaign is targeting job seekers through email, disguising itself as a Foxit PDF reader and using DLL side-loading for initial system access. The campaign exploits job seekers' eagerness by using recruitment-related lures in archive files. The attack employs sophisticated techniques, i…
social engineering
data theft
valleyrat
dll side-loading
remote access trojan
job seekers
2025-12-03
foxit pdf reader
Published: December 3, 2025
Downloadable IOCs: 25

New Kimsuky Malware "EndClient RAT": Technical Report and IOCs

A novel Remote Access Trojan (RAT) called 'EndClient RAT' has been discovered targeting North Korean Human Rights Defenders. The malware, attributed to the Kimsuky group, is delivered via a signed Microsoft Installer package disguised as 'StressClear.msi'. It uses AutoIT scripts for execution and e…
north korea
persistence
autoit
remote access trojan
c2 protocol
2025-11-07
code signing
human rights defenders
endclient rat
Published: November 7, 2025
Downloadable IOCs: 3

A Vietnamese threat actor's shift from PXA Stealer to PureRAT

A Vietnamese threat actor has transitioned from using the PXA Stealer to deploying PureRAT, a commercial remote access trojan. The attack chain involves multiple stages, including phishing emails, Python-based infostealers, and .NET loaders. The campaign demonstrates a progression in complexity, ut…
purecrypter
remote access trojan
purerat
pxa stealer
pureminer
2025-10-10
pureclipper
vietnamese threat actor
Published: October 10, 2025
Downloadable IOCs: 4

The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors

A sophisticated cyber intrusion campaign utilizing log poisoning and a new tool called Nezha has been uncovered. The attackers exploited a vulnerable phpMyAdmin interface to deploy a web shell, followed by the installation of Nezha, an open-source server monitoring tool repurposed for malicious act…
china chopper
web shell
remote access trojan
antsword
ghost rat
log poisoning
nezha
2025-10-09
server monitoring
Published: October 9, 2025
Downloadable IOCs: 11

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

This intelligence report details a sophisticated attack campaign leveraging trojanized ConnectWise ScreenConnect installers to deliver AsyncRAT payloads. Attackers use open directories as staging points, blending legitimate remote management software abuse with custom loaders and scripts. The campa…
obfuscation
screenconnect
phishing
persistence
asyncrat
remote access trojan
c2 infrastructure
open directories
CVE-2025-3935
powershell rat
2025-09-19
payload staging
Published: September 19, 2025
Downloadable IOCs: 0

Technical Analysis of kkRAT

A malware campaign targeting Chinese-speaking users has been identified, delivering three types of malware: ValleyRAT, FatalRAT, and kkRAT. The campaign uses fake installer pages to distribute the malware. kkRAT, a new Remote Access Trojan, shares similarities with Ghost RAT and Big Bad Wolf. It em…
valleyrat
byovd
remote access trojan
chinese-speaking
fatalrat
ghost rat
2025-09-10
kkrat
big bad wolf
Published: September 10, 2025
Downloadable IOCs: 0

ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT

ZynorRAT is a newly discovered Go-based Remote Access Trojan that provides a full suite of command and control capabilities for Linux and Windows systems. It was first identified in July 2025 and is believed to be of Turkish origin. The malware uses Telegram as its C2 infrastructure and offers feat…
linux
windows
c2
telegram
remote access trojan
go-based
2025-09-10
zynorrat
turkish
Published: September 10, 2025
Downloadable IOCs: 48

Threat Actor Profile: Interlock Ransomware

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortio…
social engineering
ransomware
powershell
cobalt strike
clickfix
systembc
double extortion
trycloudflare
remote access trojan
compromised websites
interlock rat
2025-08-15
nodesnake rat
Published: August 15, 2025
Downloadable IOCs: 24

Unmasking AsyncRAT: Navigating the labyrinth of forks

AsyncRAT, an open-source remote access trojan, has evolved into a sprawling network of forks and variants since its 2019 release. The article explores its origins, tracing influence from Quasar RAT, and maps out the relationships among various forks. DcRat and VenomRAT emerge as the most widely dep…
asyncrat
dcrat
venomrat
quasar rat
evasion techniques
remote access trojan
2025-07-16
2025-08-12
santarat
boratrat
xiebrorat
noneuclid rat
jasonrat
malware forks
Published: August 12, 2025
Downloadable IOCs: 22

Ghost Crypt Powers PureRAT with Hypnosis

In May 2025, eSentire's Threat Response Unit (TRU) uncovered a targeted attack on a U.S. accounting firm. The attackers used a newly advertised crypter service, Ghost Crypt, to sideload and obfuscate a DLL into a legitimate Windows component (csc.exe), deploying PureRAT, a Remote Access Trojan that…
remote access trojan
2025-07-21
purerat
ghostcrypt
Published: July 21, 2025
Linked vulnerabilities : CVE-2019-18935, CVE-2025-4632 (CVSS 9.8)
Downloadable IOCs: 18

DCRAT Impersonating the Colombian Government

A new email attack distributing DCRAT, a Remote Access Trojan, has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in Colombia. The attack employs multiple evasion techniques, including password-protected archives, obfuscation, steganography, base…
obfuscation
phishing
persistence
steganography
dcrat
credential harvesting
remote access trojan
colombia
2025-07-02
Published: July 2, 2025
Downloadable IOCs: 8

DRAT V2: Updated DRAT Emerges in Arsenal

TAG-140, a threat actor group overlapping with SideCopy, has deployed an updated version of their DRAT remote access trojan, dubbed DRAT V2. This new variant, developed in Delphi, introduces enhanced command and control capabilities, including arbitrary shell command execution and improved C2 obfus…
india
remote access trojan
2025-06-23
delphi
drat
drat v2
c2 obfuscation
broaderaspect
Published: June 23, 2025
Downloadable IOCs: 8

From ClickFix deception to information stealer deployment

The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access troj…
social engineering
infostealer
lumma
clickfix
multi-stage attack
remote access trojan
ghostpulse
arechclient2
eddiestealer
2025-06-18
Published: June 18, 2025
Downloadable IOCs: 47

AsyncRAT Campaign Continues to Evade Endpoint Detection

A wide-ranging phishing campaign has been identified that enables threat actors to bypass traditional security controls and delay detection. The campaign, tracked since 2024, has facilitated remote surveillance, credential theft, lateral movement, data exfiltration, and ransomware across numerous o…
obfuscation
xworm
phishing
remcos
asyncrat
venomrat
purehvnc
cloud services
cybercriminal
trycloudflare
remote access trojan
2025-06-17
python scripts
endpoint evasion
Published: June 17, 2025
Downloadable IOCs: 0

Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure

A sophisticated malware campaign has been discovered utilizing paste.ee to distribute XWorm and AsyncRAT. The attackers employ obfuscated JavaScript with Unicode characters to download and execute malicious code from paste.ee URLs. The infrastructure includes multiple C2 servers across Europe and t…
obfuscation
xworm
remcosrat
asyncrat
remote access trojan
c2 infrastructure
2025-06-06
paste.ee
ssl certificates
Published: June 6, 2025
Downloadable IOCs: 12

From Gamer to Malware Developer: Exploring SilverRat and Its Syrian Roots

This analysis delves into the development and capabilities of Silver RAT, a Remote Access Trojan created by a Syrian developer known as 'noradlb1'. The malware, initially observed in November 2023, offers features such as keylogging, UAC bypass, and data encryption. The developer, active on various…
ransomware
keylogger
remote access trojan
antivirus bypass
telegram channels
2025-06-04
syrian developer
hacking forums
silver rat
Published: June 4, 2025
Downloadable IOCs: 0

Malware Analysis Reveals Sophisticated RAT With Corrupted Headers

A sophisticated remote access Trojan (RAT) has been discovered operating within a legitimate Windows process, using advanced evasion techniques. The malware's PE and DOS headers were deliberately corrupted, making traditional analysis difficult. Fortinet's FortiGuard Incident Response Team analyzed…
remote access trojan
2025-05-29
corrupted headers
tls transmission
api mapping
Published: May 29, 2025
Downloadable IOCs: 0

Inside a VenomRAT Malware Campaign

A malicious campaign utilizing VenomRAT, a Remote Access Trojan, is analyzed. The attackers use a fake Bitdefender download website to spread malware, including VenomRAT, StormKitty, and SilentTrinity. These tools work together to provide initial access, steal credentials, and maintain long-term hi…
phishing
credential theft
venomrat
open-source malware
command and control
remote access trojan
stormkitty
silenttrinity
2025-05-29
Published: May 29, 2025
Downloadable IOCs: 35

Reborn in Rust: Attempt to thwart malware analysis

AsyncRAT, a remote access trojan known since 2019, has been rewritten in Rust, marking a shift from its original C# implementation. This change aims to complicate reverse engineering efforts due to limited analysis tool support for Rust. The malware retains its core functionality, including plugin …
plugins
asyncrat
rust
command and control
remote access trojan
reverse engineering
system information
2025-05-26
tls
hardware id
rustyasyncrat
Published: May 26, 2025
Downloadable IOCs: 4

Interlock ransomware evolving under the radar

The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdo…
ransomware
lumma
clickfix
double extortion
remote access trojan
2025-04-16
credential stealer
berserkstealer
interlock rat
interlock ransomware
fake updaters
powershell backdoor
Published: April 16, 2025
Downloadable IOCs: 0

NEPTUNE RAT: An advanced Windows RAT with System Destruction Capabilities and Password Exfiltration from 270+ Applications

Neptune RAT, a sophisticated Windows-based remote access trojan, has emerged with advanced capabilities including system destruction and password exfiltration from over 270 applications. It employs PowerShell commands for deployment, leveraging catbox.moe for hosting malicious scripts. The malware …
anti-analysis
remote access trojan
2025-04-09
neptune rat
Published: April 9, 2025
Downloadable IOCs: 24

Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activit…
windows
persistence
anti-analysis
data exfiltration
multi-stage attack
stealth techniques
remote access trojan
2025-04-01
konni rat
Published: April 1, 2025
Downloadable IOCs: 0

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

Microsoft Incident Response researchers discovered a novel remote access trojan named StilachiRAT, demonstrating sophisticated evasion, persistence, and data exfiltration techniques. The malware collects extensive system information, targets cryptocurrency wallet extensions, steals browser credenti…
persistence
credential theft
cryptocurrency theft
command and control
remote access trojan
2025-03-17
stilachirat
system reconnaissance
anti-forensics
rdp monitoring
Published: March 17, 2025
Linked vulnerabilities : CVE-2023-36884
Downloadable IOCs: 2

New Steganographic Campaign Distributing Multiple Malware Variants

A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HT…
obfuscation
phishing
remcos
steganography
asyncrat
dcrat
CVE-2017-0199
process hollowing
remote access trojan
agenttesla
vipkeylogger
2025-03-17
Published: March 17, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 13

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferenci…
social engineering
rhadamanthys
cryptocurrency
atomic macos stealer
remote access trojan
web3
grasscall
2025-03-13
job recruitment scam
russian-speaking cybercriminals
Published: March 13, 2025
Downloadable IOCs: 0

APT37 - RokRat

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing email…
phishing
north korea
powershell
rokrat
cloud services
lnk files
remote access trojan
2025-03-12
Published: March 12, 2025
Downloadable IOCs: 9

Trump Cryptocurrency Delivers ConnectWise RAT

An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once…
phishing
social engineering
remote access trojan
2025-03-11
cryptocurrency scam
password theft
binance impersonation
connectwise rat
Published: March 11, 2025
Downloadable IOCs: 1

From Credit Card Skimming to Exploiting Zero-Days

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sec…
powershell
zero-day
meterpreter
aspxspy
webshell
supply-chain-attack
2025-02-03
CVE-2024-57968
CVE-2025-25181
information-theft
remote-access-trojan
sql-injection
persistent-access
Published: February 3, 2025
Linked vulnerabilities : CVE-2024-57968 (CVSS 9.9), CVE-2025-25181 (CVSS 5.8), CVE-2019-18935, CVE-2017-9248
Downloadable IOCs: 17

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again

A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of dow…
xworm
phishing
python
dropbox
asyncrat
venomrat
process injection
evasion techniques
trycloudflare
remote access trojan
2025-02-01
Published: February 1, 2025
Downloadable IOCs: 0

Analysis of AsyncRAT's Infection Tactics via Open Directories

This analysis explores two distinct methods used to infect systems with AsyncRAT through open directories. The first technique involves a multi-stage process using various obfuscated scripts (VBS, BAT, PowerShell) and disguised files to download and execute the AsyncRAT payload. The second method e…
obfuscation
powershell
asyncrat
remote access trojan
multi-stage infection
2024-11-07
vbs
scheduled tasks
bat
open directories
Published: November 7, 2024
Downloadable IOCs: 15

RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit

RunningRAT, a remote access trojan initially observed in 2018 targeting the Pyeongchang Winter Olympics, has evolved its capabilities to include cryptocurrency mining. This shift indicates an expansion of the malware's operational focus. The analysis reveals the discovery of RunningRAT samples in o…
xmrig
cryptocurrency mining
remote access trojan
2024-11-06
runningrat
Published: November 6, 2024
Downloadable IOCs: 11

ValleyRAT Insights: Tactics, Techniques, and Detection Methods

ValleyRAT is a remote access Trojan targeting Chinese-speaking users through phishing campaigns. It employs multi-stage, multi-component tactics to evade detection and maintain persistence. The malware uses various techniques including process injection, registry manipulation, and UAC bypass. It at…
phishing
evasion
persistence
valleyrat
remote access trojan
2024-10-25
uac bypass
chinese-speaking targets
Published: October 25, 2024
Downloadable IOCs: 3

DarkComet RAT: Technical Analysis of Attack Chain

This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
rat
evasion
persistence
keylogging
privilege escalation
command and control
remote access trojan
2024-10-23
darkcomet
Published: October 23, 2024
Downloadable IOCs: 1

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

A new phishing campaign targeting Russian-speaking users employs the open-source Gophish framework to deliver DarkCrystal RAT and a novel remote access trojan called PowerRAT. The attack utilizes modular infection chains, either through malicious Microsoft Word documents or HTML files with embedded…
phishing
dcrat
html smuggling
darkcrystal rat
russian-speaking
remote access trojan
2024-10-22
powerrat
gophish
Published: October 22, 2024
Downloadable IOCs: 2

DarkVision RAT

DarkVision RAT is a customizable remote access trojan that first appeared in 2020, offered on Hack Forums for $60. Written in C/C++ and assembly, it offers features like keylogging, screenshots, file manipulation, process injection, remote code execution, and password theft. The analysis reveals a …
purecrypter
c2 communication
multi-stage attack
2024-10-10
remote access trojan
darkvision rat
Published: October 10, 2024
Downloadable IOCs: 0
Click here to see more Attack Reports