MostereRAT Expands Post-Exploitation with Remote Access Software

Threat Group – Unknown
Threat Type – Remote Access Trojan with remote administration tool deployment
Exploited Vulnerabilities – Phishing vectors, TightVNC privilege escalation CVE-2023-27830
Malware Used – MostereRAT
Threat Score – 7.8 🔴 High
Last Threat Observation – 9 September 2025


Overview

A phishing campaign uncovered by Fortinet on 9 September 2025 is distributing MostereRAT, a new Windows-focused remote access trojan. The operation uses business-themed email lures in Japanese to deliver Word documents containing ZIP archives. These payloads deploy the RAT, which then suppresses endpoint defences, disables telemetry, and communicates via mutual TLS (mTLS) to conceal command-and-control traffic.

Once established, MostereRAT runs with TrustedInstaller privileges, giving operators broad control over Windows internals. It then deploys legitimate remote access software including AnyDesk, TigerVNC, and TightVNC to persist and operate covertly. These tools are increasingly being abused for post-exploitation, with recent campaigns also showing social engineering attempts to trick victims into accepting AnyDesk connections under the guise of CERT or IT support.

The inclusion of a known TightVNC vulnerability (CVE-2023-27830) highlights the risks posed by unmanaged or outdated remote administration utilities.


Key Details

Delivery Method

  • Phishing emails with business inquiry themes
  • Attachments delivered as Word documents embedding ZIP files with executables

Target

  • Japanese-language business users
  • Enterprises where remote support tooling is common

Functions

  • Disables antivirus and firewall controls
  • Blocks outbound telemetry channels
  • Escalates privileges to TrustedInstaller
  • Collects host information and enumerates users
  • Executes files and injects shellcode
  • Captures screenshots and logs keystrokes
  • Creates hidden administrator accounts
  • Facilitates RDP sessions
  • Sends heartbeat communications to C2 servers

Obfuscation

  • Payload modules built in Easy Programming Language (EPL)
  • Command and control hidden using mutual TLS
  • Blends with legitimate remote access activity by deploying AnyDesk and VNC tools

Attack Vectors

  1. Email lure → Word document + ZIP archive
  2. Execution of embedded file → MostereRAT loader
  3. Evasion of endpoint protections and escalation to TrustedInstaller
  4. Deployment of AnyDesk/TigerVNC/TightVNC for persistence
  5. Continued monitoring, data theft, and lateral movement

Known Indicators of Compromise (IoCs)

FileHash-MD5

  • a9b52f654370a25d25af4554c25c2cc9

FileHash-SHA1

  • 7065ec1c8d8cccf6be22d21f781e278f307720ad


Hostnames (Defanged)

  • www[.]efu66[.]com

Mitigation and Prevention

User Awareness

  • Train staff on phishing lures using business inquiries
  • Warn against unsolicited AnyDesk or remote session requests

Email Filtering

  • Block and sandbox attachments containing embedded archives
  • Enforce policy checks on external business inquiries with attachments

Antivirus Protection

  • Detect and block Early Bird injection into svchost.exe
  • Monitor for processes escalating to TrustedInstaller
  • Control installation of AnyDesk and VNC tools
  • Patch TightVNC to a version above 2.8.75 to address CVE-2023-27830

Two-Factor Authentication

  • Enforce 2FA on privileged accounts and remote access tools

Log Monitoring

  • Alert on hidden account creation
  • Monitor AnyDesk/TigerVNC/TightVNC session logs for unusual usage
  • Detect anomalous outbound mTLS connections

Regular Updates

  • Remove or update legacy remote administration tools
  • Ensure Windows endpoints receive timely security patches
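The following endpoint audit is an added example, not part of the advisory or of Fortinet's report. It checks three of the mitigation items above on a single host: which of AnyDesk, TigerVNC and TightVNC are installed and whether the TightVNC build is older than the 2.8.75 threshold cited for CVE-2023-27830, which local accounts are hidden from the logon screen (and whether they are administrators), and which account-creation and group-membership events the Security log recorded in the past week. It assumes an elevated PowerShell 5.1+ session; the registry paths and event IDs are standard Windows locations.

```powershell
# Added endpoint audit (not from the advisory or Fortinet's report). Assumes it runs
# as Administrator in PowerShell 5.1+; tool names and the 2.8.75 threshold come from
# the advisory, registry paths and event IDs are standard Windows locations.
$RemoteTools   = @('AnyDesk', 'TigerVNC', 'TightVNC')
$TightVncFixed = [version]'2.8.75'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Inventory remote administration tools; flag TightVNC builds older than the
#    threshold the advisory says to patch past (CVE-2023-27830).
$installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }
foreach ($app in $installed) {
    foreach ($tool in $RemoteTools) {
        if ($app.DisplayName -notlike "*$tool*") { continue }
        $status = 'present - confirm it is approved for this host'
        if ($tool -eq 'TightVNC' -and $app.DisplayVersion) {
            try {
                if ([version]$app.DisplayVersion -lt $TightVncFixed) {
                    $status = "VULNERABLE: older than $TightVncFixed (CVE-2023-27830)"
                }
            } catch { $status = 'version string not parseable - verify manually' }
        }
        "[REMOTE TOOL] $($app.DisplayName) $($app.DisplayVersion) : $status"
    }
}

# 2. Accounts hidden from the logon screen via the Winlogon UserList key
#    (a DWORD value of 0 hides the named account): the hidden-administrator pattern.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
    foreach ($p in (Get-ItemProperty $userList).PSObject.Properties) {
        if ($p.Name -like 'PS*' -or $p.Value -ne 0) { continue }
        $role = if ($admins -match "\\$([regex]::Escape($p.Name))$") { 'ADMIN' } else { 'user' }
        "[HIDDEN ACCOUNT] $($p.Name) is hidden from the logon screen ($role)"
    }
}

# 3. Recent account creation (4720) and additions to local groups (4732):
#    the Security log events to alert on for hidden-account creation.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { "[ACCOUNT EVENT] $($_.TimeCreated) ID $($_.Id): $(($_.Message -split "`n")[0])" }
```

Any [REMOTE TOOL] line without a change-management record, any [HIDDEN ACCOUNT] line marked ADMIN, and any 4720/4732 event outside a known provisioning window should be escalated for investigation.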

Risk Assessment

The campaign is assessed as High (7.8) due to its advanced evasion, TrustedInstaller escalation, and covert use of legitimate tools. While no zero-days have been confirmed, the abuse of remote access software provides persistence and complicates detection. Organisations that permit unsupervised installation of remote tools are at significant risk.


Conclusion

MostereRAT represents the modern blending of malware loaders with legitimate IT software for stealth. The phishing delivery, TrustedInstaller execution, and remote tool abuse show adversaries moving closer to living-off-the-land tactics.

Immediate priority actions:

  1. Harden email and attachment filtering
  2. Remove unapproved remote administration tools
  3. Patch TightVNC and validate AnyDesk usage
  4. Monitor for TrustedInstaller misuse and outbound mTLS anomalies

These measures can significantly reduce exposure and mitigate the high risk this campaign poses.


Sources