Tag: remote access trojan

21 Attack Reports | 0 Vulnerabilities

Attack reports

Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure

A sophisticated malware campaign has been discovered utilizing paste.ee to distribute XWorm and AsyncRAT. The attackers employ obfuscated JavaScript with Unicode characters to download and execute malicious code from paste.ee URLs. The infrastructure includes multiple C2 servers across Europe and t…
obfuscation
xworm
remcosrat
asyncrat
remote access trojan
c2 infrastructure
2025-06-06
paste.ee
ssl certificates
Published: June 6, 2025
Downloadable IOCs: 12

From Gamer to Malware Developer: Exploring SilverRat and Its Syrian Roots

This analysis delves into the development and capabilities of Silver RAT, a Remote Access Trojan created by a Syrian developer known as 'noradlb1'. The malware, initially observed in November 2023, offers features such as keylogging, UAC bypass, and data encryption. The developer, active on various…
ransomware
keylogger
remote access trojan
antivirus bypass
telegram channels
2025-06-04
syrian developer
hacking forums
silver rat
Published: June 4, 2025
Downloadable IOCs: 0

Malware Analysis Reveals Sophisticated RAT With Corrupted Headers

A sophisticated remote access Trojan (RAT) has been discovered operating within a legitimate Windows process, using advanced evasion techniques. The malware's PE and DOS headers were deliberately corrupted, making traditional analysis difficult. Fortinet's FortiGuard Incident Response Team analyzed…
remote access trojan
2025-05-29
corrupted headers
tls transmission
api mapping
Published: May 29, 2025
Downloadable IOCs: 0

Inside a VenomRAT Malware Campaign

A malicious campaign utilizing VenomRAT, a Remote Access Trojan, is analyzed. The attackers use a fake Bitdefender download website to spread malware, including VenomRAT, StormKitty, and SilentTrinity. These tools work together to provide initial access, steal credentials, and maintain long-term hi…
phishing
credential theft
venomrat
open-source malware
command and control
remote access trojan
stormkitty
silenttrinity
2025-05-29
Published: May 29, 2025
Downloadable IOCs: 35

Reborn in Rust: Attempt to thwart malware analysis

AsyncRAT, a remote access trojan known since 2019, has been rewritten in Rust, marking a shift from its original C# implementation. This change aims to complicate reverse engineering efforts due to limited analysis tool support for Rust. The malware retains its core functionality, including plugin …
plugins
asyncrat
rust
command and control
remote access trojan
reverse engineering
system information
2025-05-26
tls
hardware id
rustyasyncrat
Published: May 26, 2025
Downloadable IOCs: 4

Interlock ransomware evolving under the radar

The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdo…
ransomware
lumma
clickfix
double extortion
remote access trojan
2025-04-16
credential stealer
berserkstealer
interlock rat
interlock ransomware
fake updaters
powershell backdoor
Published: April 16, 2025
Downloadable IOCs: 0

NEPTUNE RAT: An advanced Windows RAT with System Destruction Capabilities and Password Exfiltration from 270+ Applications

Neptune RAT, a sophisticated Windows-based remote access trojan, has emerged with advanced capabilities including system destruction and password exfiltration from over 270 applications. It employs PowerShell commands for deployment, leveraging catbox.moe for hosting malicious scripts. The malware …
anti-analysis
remote access trojan
2025-04-09
neptune rat
Published: April 9, 2025
Downloadable IOCs: 24

Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activit…
windows
persistence
anti-analysis
data exfiltration
multi-stage attack
stealth techniques
remote access trojan
2025-04-01
konni rat
Published: April 1, 2025
Downloadable IOCs: 0

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

Microsoft Incident Response researchers discovered a novel remote access trojan named StilachiRAT, demonstrating sophisticated evasion, persistence, and data exfiltration techniques. The malware collects extensive system information, targets cryptocurrency wallet extensions, steals browser credenti…
persistence
credential theft
cryptocurrency theft
command and control
remote access trojan
2025-03-17
stilachirat
system reconnaissance
anti-forensics
rdp monitoring
Published: March 17, 2025
Linked vulnerabilities : CVE-2023-36884
Downloadable IOCs: 2

New Steganographic Campaign Distributing Multiple Malware Variants

A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HT…
obfuscation
phishing
remcos
steganography
asyncrat
dcrat
CVE-2017-0199
process hollowing
remote access trojan
agenttesla
vipkeylogger
2025-03-17
Published: March 17, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 13

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferenci…
social engineering
rhadamanthys
cryptocurrency
atomic macos stealer
remote access trojan
web3
grasscall
2025-03-13
job recruitment scam
russian-speaking cybercriminals
Published: March 13, 2025
Downloadable IOCs: 0

APT37 - RokRat

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing email…
phishing
north korea
powershell
rokrat
cloud services
lnk files
remote access trojan
2025-03-12
Published: March 12, 2025
Downloadable IOCs: 9

Trump Cryptocurrency Delivers ConnectWise RAT

An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once…
phishing
social engineering
remote access trojan
2025-03-11
cryptocurrency scam
password theft
binance impersonation
connectwise rat
Published: March 11, 2025
Downloadable IOCs: 1

From Credit Card Skimming to Exploiting Zero-Days

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sec…
powershell
zero-day
meterpreter
aspxspy
webshell
supply-chain-attack
2025-02-03
CVE-2024-57968
CVE-2025-25181
information-theft
remote-access-trojan
sql-injection
persistent-access
Published: February 3, 2025
Linked vulnerabilities : CVE-2024-57968 (CVSS 9.9), CVE-2025-25181 (CVSS 5.8), CVE-2019-18935, CVE-2017-9248
Downloadable IOCs: 17

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again

A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of dow…
xworm
phishing
python
dropbox
asyncrat
venomrat
process injection
evasion techniques
trycloudflare
remote access trojan
2025-02-01
Published: February 1, 2025
Downloadable IOCs: 0

Analysis of AsyncRAT's Infection Tactics via Open Directories

This analysis explores two distinct methods used to infect systems with AsyncRAT through open directories. The first technique involves a multi-stage process using various obfuscated scripts (VBS, BAT, PowerShell) and disguised files to download and execute the AsyncRAT payload. The second method e…
obfuscation
powershell
asyncrat
remote access trojan
multi-stage infection
2024-11-07
vbs
scheduled tasks
bat
open directories
Published: November 7, 2024
Downloadable IOCs: 15

RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit

RunningRAT, a remote access trojan initially observed in 2018 targeting the Pyeongchang Winter Olympics, has evolved its capabilities to include cryptocurrency mining. This shift indicates an expansion of the malware's operational focus. The analysis reveals the discovery of RunningRAT samples in o…
xmrig
cryptocurrency mining
remote access trojan
2024-11-06
runningrat
Published: November 6, 2024
Downloadable IOCs: 11

ValleyRAT Insights: Tactics, Techniques, and Detection Methods

ValleyRAT is a remote access Trojan targeting Chinese-speaking users through phishing campaigns. It employs multi-stage, multi-component tactics to evade detection and maintain persistence. The malware uses various techniques including process injection, registry manipulation, and UAC bypass. It at…
phishing
evasion
persistence
valleyrat
remote access trojan
2024-10-25
uac bypass
chinese-speaking targets
Published: October 25, 2024
Downloadable IOCs: 3

DarkComet RAT: Technical Analysis of Attack Chain

This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
rat
evasion
persistence
keylogging
privilege escalation
command and control
remote access trojan
2024-10-23
darkcomet
Published: October 23, 2024
Downloadable IOCs: 1

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

A new phishing campaign targeting Russian-speaking users employs the open-source Gophish framework to deliver DarkCrystal RAT and a novel remote access trojan called PowerRAT. The attack utilizes modular infection chains, either through malicious Microsoft Word documents or HTML files with embedded…
phishing
dcrat
html smuggling
darkcrystal rat
russian-speaking
remote access trojan
2024-10-22
powerrat
gophish
Published: October 22, 2024
Downloadable IOCs: 2

DarkVision RAT

DarkVision RAT is a customizable remote access trojan that first appeared in 2020, offered on Hack Forums for $60. Written in C/C++ and assembly, it offers features like keylogging, screenshots, file manipulation, process injection, remote code execution, and password theft. The analysis reveals a …
purecrypter
c2 communication
multi-stage attack
2024-10-10
remote access trojan
darkvision rat
Published: October 10, 2024
Downloadable IOCs: 0
Click here to see more Attack Reports