RAT

A collection of 24 posts
Axios npm Backdoored: UNC1069 Deploys Cross-Platform RAT via Supply Chain Attack
Supply Chain Attack

Group: UNC1069 (North Korea-nexus, BlueNoroff-linked, financially motivated threat actor) Type: npm Supply Chain Compromise / Cross-Platform Remote Access Trojan Malware: SILKBELL: postinstall dropper embedded in plain-crypto-js@4.2.1. WAVESHAPER.V2: updated cross-platform RAT linked to prior BlueNoroff RustBucket campaigns Score: 🔴 9.5 Critical. Nation-state supply chain attack on one of npm's most downloaded
10 min read
MIMICRAT Campaign Uses Fake Verification Lure
Malware

Threat Group – Unknown financially motivated operators Threat Type – Remote Access Trojan and social engineering campaign Exploited Vulnerabilities – User driven execution abuse of Windows Run dialog and PowerShell Malware Used – MIMICRAT Threat Score – 8.2 🔴 High Last Threat Observation – February 2026, reported by multiple security research teams including Securonix and independent
3 min read
How SHADOW#REACTOR uses harmless looking text files to deliver Remcos RAT
Malware

Threat Group – Unattributed, activity consistent with an initial access broker model Threat Type – Multi stage loader chain delivering remote access capability Exploited Vulnerabilities – None publicly confirmed, primary access relies on user execution and script based lures Malware Used – Remcos RAT delivered via SHADOW#REACTOR staging and loader framework Threat Score
13 min read
ScarCruft and RokRAT Pose High Threat to Government and Academia
APT

Threat Group: ScarCruft / APT37 / Reaper / Red Eyes Threat Type: Advanced Persistent Threat (APT), Remote‑Access Trojan (RAT), Espionage and Ransomware Exploited Vulnerabilities: CVE‑2017‑8291 (Encapsulated PostScript vulnerability in Hangul Word Processor), CVE‑2024‑38178 (Internet Explorer mode of Microsoft Edge), vulnerabilities in Hancom Office; exploitation of Windows LNK files,
16 min read
Skype Delivered SCR and PIF Files Deploy GodRAT Malware in Financial Campaigns
Malware

Threat Group: Winnti (APT41) – suspected attribution based on code lineage and targeting Threat Type: Remote Access Trojan (RAT) Exploited Vulnerabilities: Social engineering via Skype delivering malicious .SCR and .PIF files containing steganographic shellcode in JPEGs and DLL sideloading Malware Used: GodRAT – evolution of Gh0st RAT and AwesomePuppet, featuring plugin-based architecture
4 min read
Credential Theft and MBR Wipe Drive Severe Impact Rating for Neptune RAT
Malware

Threat Group – Individuals using the aliases ABOLHB and Rino, operating as the Mason Team / FreeMasonry group and distributing the malware through a freemium Malware‑as‑a‑Service model. Threat Type – Remote Access Trojan with credential theft, ransomware, destructive wipe, and clipboard hijacking plug‑ins. Exploited Vulnerabilities – Social‑engineering of users
3 min read