What Is Moonrise RAT and Why It Poses a Serious Risk

Threat Group – Unattributed
Threat Type – Remote Access Trojan
Exploited Vulnerabilities – No confirmed CVEs. Delivery aligned with user execution and social engineering techniques
Malware Used – Moonrise RAT
Threat Score – 7.8 🔴 High. Enables interactive remote control, credential theft, surveillance, and persistence with low early static detection, which increases dwell time and escalation risk
Last Threat Observation – 24 February 2026


Overview

Moonrise is a recently reported Remote Access Trojan written in Go. It has been observed establishing active command and control sessions while generating minimal early static detection signals. This creates operational risk for organisations that prioritise signature verdicts over behavioural telemetry.

The malware provides full interactive control of compromised systems. Its command set supports remote command execution, file manipulation, process control, credential access functions, clipboard and keystroke monitoring, and multimedia device interaction. In practical terms, this enables operators to move from initial access to reconnaissance, data theft, environment preparation, and potential follow-on payload deployment such as infostealers or ransomware.

Public reporting also indicates Moonrise has been seen masquerading as legitimate Windows processes such as svchost.exe when executed from non standard user writable directories. Persistence mechanisms include Startup folder artefacts and script based execution.

Moonrise should be treated as an enterprise relevant threat due to its capability breadth and evasion characteristics.


Key Details

Delivery Method

Current reporting aligns Moonrise with user driven execution paths. These include phishing attachments, malicious installers, malvertising, and software crack themed lures. No single fixed delivery chain has been confirmed, which suggests flexibility in initial access.

Defenders should assume Moonrise can be delivered through any vector that results in user execution of a malicious binary or staged dropper.

Target

No specific industry vertical has been publicly attributed. The capability set is broadly applicable across sectors.

Higher risk endpoints include:

  • Systems used for administrative access
  • Finance and payroll workstations
  • Endpoints used to access privileged portals
  • Devices with camera or microphone capabilities in sensitive environments

Because Moonrise supports surveillance functions, privacy and compliance exposure is also a key consideration.

Functions

  • Establishes persistent command and control sessions with interactive command handling
  • Executes remote shell commands and manipulates processes
  • Performs file upload, execution, deletion, and directory creation
  • Captures keystrokes and clipboard content
  • Supports screenshot capture, webcam interaction, and microphone recording
  • Restarts or terminates processes and can initiate system restart or shutdown

These capabilities collectively allow full endpoint takeover.

Obfuscation

Moonrise’s most notable defensive challenge is low early static detection. Initial sandbox observations showed limited signature alignment despite active C2 communication.

Masquerading behaviour has also been observed, including binaries named svchost.exe executed from user profile directories rather than standard system paths.

This combination increases the likelihood of delayed detection in environments that rely heavily on static scanning.

Attack Vectors and Operational Flow

Stage 1 Initial execution

A user executes a malicious binary. Observed artefacts include svchost.exe located in user writable directories such as AppData or Temp rather than the Windows system directory.

Detection opportunity:

  • Process creation of svchost.exe from non-system paths
  • Unusual parent-child relationships inconsistent with Windows service hosting

Stage 2 C2 establishment

Moonrise initiates outbound communication and registers with its command and control server. The session remains active to allow interactive operator control.

Detection opportunity:

  • New outbound connections from suspicious processes
  • Beaconing behaviour originating from user profile directories

Stage 3 Environment discovery

The operator enumerates processes, files, displays, and multimedia devices. This stage prepares for targeted actions.

Detection opportunity:

  • Enumeration commands executed from non administrative processes
  • Abnormal API usage tied to screen or device access

Stage 4 Remote control and execution

Operators execute shell commands, manipulate processes, and stage additional tools.

Detection opportunity:

  • cmd.exe spawned by suspicious svchost instances
  • Security tooling termination attempts
  • New binaries dropped shortly after C2 establishment
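The detection opportunities under Stages 1, 2 and 4 can be expressed as one correlation over process-creation and network-connection telemetry. The script below is an added example, not code from the advisory or its sources: the event shapes are a simplified Sysmon-style format, and the rule names, PIDs and sample events are constructed assumptions. It taints an svchost.exe that runs from a non-system path or lacks the services.exe parent, then attributes later shells, staged binaries and outbound connections back to that process, escalating when the destination matches the C2 address quoted in this advisory.

```python
"""Correlate process-creation and network-connection telemetry to surface the
Moonrise behaviours listed under Stages 1, 2 and 4. Added example: the event
shapes are a simplified Sysmon-style format, and the rule names, sample
events and PIDs are constructed assumptions."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories where a genuine svchost.exe lives (compared case-insensitively).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Path fragments that mark a user-writable location.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# C2 address quoted in the advisory, refanged so it compares with telemetry.
KNOWN_C2 = {"193[.]23[.]199[.]88".replace("[.]", ".")}


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def is_user_writable(path: str) -> bool:
    """True when the path sits under a profile, AppData, Temp or ProgramData tree."""
    lowered = path.lower() + "\\"
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def analyse(events: list[dict]) -> list[Finding]:
    """Walk events in order and keep a PID -> image map of processes already
    judged suspicious, so later child-process and network events are attributed
    back to them (the taint follows the process tree)."""
    findings: list[Finding] = []
    suspicious: dict[int, str] = {}

    for ev in events:
        if ev["type"] == "ProcessCreate":
            pid, image, parent = ev["pid"], ev["image"], ev["parent_image"]
            name = ntpath.basename(image).lower()
            if name == "svchost.exe":
                # Stage 1: svchost.exe outside the Windows system directories.
                if ntpath.dirname(image).lower() not in SYSTEM_DIRS:
                    findings.append(Finding("svchost_non_system_path", pid, image))
                    suspicious[pid] = image
                # Stage 1: real service hosts are started by services.exe.
                if ntpath.basename(parent).lower() != "services.exe":
                    findings.append(Finding("svchost_unexpected_parent", pid, f"parent={parent}"))
                    suspicious[pid] = image
            elif ev["parent_pid"] in suspicious:
                parent_image = suspicious[ev["parent_pid"]]
                if name in SHELLS:
                    # Stage 4: interactive shell spawned by a tainted svchost.
                    findings.append(Finding("shell_from_suspicious_svchost", pid, f"parent={parent_image}"))
                elif is_user_writable(image):
                    # Stage 4: follow-on binary staged and run from a writable path.
                    findings.append(Finding("new_binary_from_suspicious_process", pid, image))
                else:
                    continue
                suspicious[pid] = image
        elif ev["type"] == "NetworkConnect" and ev["pid"] in suspicious:
            # Stage 2: outbound session from a tainted process; escalate on a known C2.
            rule = "known_c2_contact" if ev["dest_ip"] in KNOWN_C2 else "outbound_from_suspicious_process"
            findings.append(Finding(rule, ev["pid"], f"{ev['dest_ip']}:{ev['dest_port']}"))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"type": "ProcessCreate", "pid": 900, "parent_pid": 600,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "ProcessCreate", "pid": 4120, "parent_pid": 3310,
     "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "NetworkConnect", "pid": 4120, "dest_ip": "193.23.199.88", "dest_port": 443},
    {"type": "ProcessCreate", "pid": 4188, "parent_pid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"type": "NetworkConnect", "pid": 900, "dest_ip": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:36} pid={f.pid:<6} {f.detail}")
```

The legitimate svchost.exe (PID 900) produces no findings even though it makes an outbound connection, because its path and parent are both as expected; the one in Temp is flagged twice on creation and then drags its C2 session and the cmd.exe it spawns into the same case.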

Stage 5 Credential and data capture

Moonrise leverages keylogging and clipboard monitoring functions. This increases the risk of credential theft and lateral movement.

Detection opportunity:

  • Suspicious access to browser credential stores
  • Keylogging indicators or abnormal low-level input hooks
  • Authentication anomalies following compromise

Stage 6 Persistence

Startup folder scripts and similar mechanisms are used to maintain access across logon events.

Detection opportunity:

  • Creation of VBS files in Startup directories
  • New Run key entries referencing user writable paths
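A hunt for the Stage 6 artefacts has two parts: script files sitting in Startup folders, and Run key values whose executable lives in a user writable path, or whose executable is a script host handed a user writable argument. The script below is an added example, not from the advisory or its sources: the Startup listing and registry values are constructed stand-ins for a directory listing and a registry export, the environment variable table assumes a profile for a user named alice, and the rule names are assumptions.

```python
"""Hunt the Stage 6 persistence artefacts: script files in Startup folders and
Run-key values that launch, or pass to a script host, something in a
user-writable path. Added example: the Startup listing and registry values are
constructed stand-ins, the environment-variable table assumes a profile for
user 'alice', and the rule names are assumptions."""
from __future__ import annotations

import ntpath
import re

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}
# Interpreters that make a value dangerous even when the EXE itself is a system file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")
# Constructed expansion table; on a live host read these from the user's environment.
ENV_VARS = {
    "%appdata%": r"C:\Users\alice\AppData\Roaming",
    "%localappdata%": r"C:\Users\alice\AppData\Local",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
    "%userprofile%": r"C:\Users\alice",
    "%systemroot%": r"C:\Windows",
    "%programfiles%": r"C:\Program Files",
}


def expand(path: str) -> str:
    """Expand %VAR% references using ENV_VARS; unknown variables are left as-is."""
    return re.sub(r"%[^%]+%", lambda m: ENV_VARS.get(m.group(0).lower(), m.group(0)), path)


def executable_from_command(cmd: str) -> str:
    """Return the image path from a Run-key command line: the quoted path if the
    value starts with a quote, otherwise everything up to the first executable
    or script extension, so an unquoted path with spaces and arguments still resolves."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|vbs|js|wsf|ps1|hta))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def is_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE_MARKERS)


def check_startup_entries(entries: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """entries are (startup folder, file name); flag anything with a script extension."""
    return [("startup_script", ntpath.join(folder, name))
            for folder, name in entries
            if ntpath.splitext(name)[1].lower() in SCRIPT_EXTENSIONS]


def check_run_values(values: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """values are (key path, value name, command); flag user-writable images and
    script hosts handed a user-writable argument."""
    findings = []
    for key, name, cmd in values:
        expanded = expand(cmd)
        exe = executable_from_command(expanded)
        if is_user_writable(exe):
            findings.append(("run_key_image_in_user_writable_path", f"{key}\\{name} -> {exe}"))
        elif ntpath.basename(exe).lower() in SCRIPT_HOSTS and is_user_writable(expanded):
            findings.append(("run_key_script_host_user_writable_arg", f"{key}\\{name} -> {expanded}"))
    return findings


STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
STARTUP_ENTRIES = [  # constructed directory listing
    (STARTUP_DIR, "desktop.ini"),
    (STARTUP_DIR, "update.vbs"),
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp", "Notes.lnk"),
]
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = [  # constructed registry export: (key, value name, data)
    (RUN_KEY, "Sync", r'"C:\Program Files\Vendor\Sync.exe" /background'),
    (RUN_KEY, "svchost", r"%LOCALAPPDATA%\Temp\svchost.exe"),
    (RUN_KEY, "Updater", r'wscript.exe "%APPDATA%\Microsoft\update.vbs"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Tray", r"%SystemRoot%\system32\tray.exe"),
]

if __name__ == "__main__":
    for rule, detail in check_startup_entries(STARTUP_ENTRIES) + check_run_values(RUN_VALUES):
        print(f"{rule:40} {detail}")
```

Expanding environment variables before matching matters: a value written as %LOCALAPPDATA%\Temp\svchost.exe contains none of the literal markers, and the Updater entry would pass an image-only check because wscript.exe is a legitimate system binary; the script is flagged only because the argument is inspected once the host is recognised.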

Known Indicators of Compromise (IoCs)

The following IoCs are based on recent public reporting. Treat them as tactical indicators and supplement with behavioural hunting.

  • SHA256
      082fdd964976afa6f9c5d8239f74990b24df3dfa0c95329c6e9f75d33681b9f4
      7609c7ab10f9ecc08824db6e3c3fa5cbdd0dff2555276e216abe9eebfb80f59b
      8a422b8c4c6f9a183848f8d3d95ace69abb870549b593c080946eaed9e5457ad
      8d7c1bbdb6a8bf074db7fc1185ffd59af0faffb08e0eb46a373c948147787268
      c7fd265b23b2255729eed688a211f8c3bd2192834c00e4959d1f17a0b697cd5e
      ed5471d42bef6b32253e9c1aba49b01b8282fd096ad0957abcf1a1e27e8f7551
  • IPv4
      193[.]23[.]199[.]88
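To act on the IoCs above, a responder needs the hashes as individual 64 character values, the address refanged, and a way to sweep a host for matching files. The script below is an added example, not code from the advisory or its sources: the six SHA256 values and the IPv4 address are the ones quoted in this advisory, while the parser, the sweep and the self-check file are constructed here. The parser deliberately recovers hashes that were pasted together without separators (a run whose length is a multiple of 64) but rejects a run that has a label glued to it, so it never silently mis-splits.

```python
"""Turn the advisory's IoCs into a local file-hash sweep. Added example: the
SHA256 values and the IPv4 address are the ones quoted in the advisory; the
parsing, the sweep and the self-check file are constructed here."""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from pathlib import Path

# Hashes from the advisory, one per line.
ADVISORY_SHA256 = """
082fdd964976afa6f9c5d8239f74990b24df3dfa0c95329c6e9f75d33681b9f4
7609c7ab10f9ecc08824db6e3c3fa5cbdd0dff2555276e216abe9eebfb80f59b
8a422b8c4c6f9a183848f8d3d95ace69abb870549b593c080946eaed9e5457ad
8d7c1bbdb6a8bf074db7fc1185ffd59af0faffb08e0eb46a373c948147787268
c7fd265b23b2255729eed688a211f8c3bd2192834c00e4959d1f17a0b697cd5e
ed5471d42bef6b32253e9c1aba49b01b8282fd096ad0957abcf1a1e27e8f7551
"""
ADVISORY_IPV4 = ["193[.]23[.]199[.]88"]


def parse_sha256_list(text: str) -> tuple[set[str], list[str]]:
    """Split text into runs of hex characters. A run whose length is a multiple of
    64 is cut into SHA256 values (this also recovers hashes that were pasted
    together without separators); any other run is returned as rejected so a
    label glued onto a hash is not silently mis-split."""
    hashes: set[str] = set()
    rejected: list[str] = []
    for run in re.split(r"[^0-9a-fA-F]+", text):
        if not run:
            continue
        if len(run) % 64:
            rejected.append(run)
            continue
        hashes.update(run[i:i + 64].lower() for i in range(0, len(run), 64))
    return hashes, rejected


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in reports so the value matches raw telemetry."""
    return indicator.replace("[.]", ".")


ADVISORY_HASHES, _ = parse_sha256_list(ADVISORY_SHA256)
C2_ADDRESSES = {refang(ip) for ip in ADVISORY_IPV4}


def sha256_of(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep_directory(root, hashes: set[str]) -> list[tuple[str, str]]:
    """Hash every file under root and return (path, digest) for IoC matches."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:  # unreadable or vanished file
                continue
            if digest in hashes:
                matches.append((path, digest))
    return matches


def self_check() -> bool:
    """Write a harmless constructed file into a temporary directory and confirm
    the sweep reports it once its digest is added to the IoC set."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample content, not malware")
        digest = sha256_of(sample)
        found = sweep_directory(tmp, ADVISORY_HASHES | {digest})
        return found == [(str(sample), digest)]


if __name__ == "__main__":
    print(f"{len(ADVISORY_HASHES)} hashes, C2 addresses: {sorted(C2_ADDRESSES)}")
    print("self-check passed" if self_check() else "self-check FAILED")
```

Point sweep_directory at the user profile directories named in this advisory (AppData, Temp and the Startup folders) first, since that is where the reported artefacts were found; a hash miss there does not clear the host, which is why the advisory pairs the IoCs with behavioural hunting.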

Mitigation and Prevention

Mitigation Checklist (suitable for gap analysis)

User Awareness

  • Train users to treat unexpected attachments and installers as suspicious
  • Reinforce reporting of unusual pop ups or unexpected script execution
  • Discourage use of unofficial download portals and software cracks

Email Filtering

  • Block high risk attachment types where business appropriate
  • Implement attachment detonation or content disarm and reconstruction
  • Apply link scanning and disable automatic external content loading where feasible

Antivirus Protection

  • Enable behavioural detection capabilities in endpoint protection tools
  • Alert on execution of common Windows process names from user writable directories
  • Monitor and restrict script execution in Startup folders

Two Factor Authentication (2FA)

  • Enforce MFA for privileged accounts and remote access
  • Implement conditional access policies to reduce impact of stolen credentials
  • Separate privileged and standard user accounts

Log Monitoring

  • Alert on svchost.exe running from AppData or Temp
  • Monitor creation of new Startup folder scripts
  • Correlate suspicious process execution with outbound network activity
  • Investigate unusual process termination events involving security tools

Regular Updates

  • Maintain current OS and application patching
  • Keep endpoint detection agents and detection content up to date
  • Review configuration baselines to reduce execution from user writable paths

Incident Response Guidance

If Moonrise is suspected:

  1. Isolate the affected system from the network.
  2. Preserve volatile data and collect forensic artefacts.
  3. Identify and remove persistence mechanisms.
  4. Reset credentials for accounts used on the compromised host.
  5. Conduct environment wide hunting using both IoCs and behavioural patterns.

Risk Assessment

Moonrise is assessed as High due to its full remote control capability, credential theft functions, surveillance features, and persistence mechanisms.

Key organisational risks include:

  • Credential compromise leading to lateral movement
  • Data exposure via clipboard and keylogging functions
  • Privacy breaches through screen, webcam, or microphone capture
  • Operational disruption via process manipulation or forced restart

The low early static detection profile increases the probability of delayed containment. Organisations that rely primarily on signature based detection are at greater risk of extended attacker dwell time.


Conclusion

Moonrise RAT represents a capable and stealthy remote access threat. Its combination of interactive command handling, surveillance functionality, credential access, and persistence makes it suitable for follow-on exploitation and secondary payload deployment.

Defenders should prioritise behavioural detection focused on suspicious process placement, Startup folder persistence, and anomalous outbound connections. Immediate hunting using the IoCs provided in this advisory is recommended, alongside validation of endpoint monitoring maturity.


Sources

ANY.RUN – Moonrise RAT A New Low Detection Threat with High Cost Consequences – https://any.run/cybersecurity-blog/moonrise-rat-detected/
Red Piranha – Threat Intelligence Report February 17 to February 23 2026 – https://redpiranha.net/news/threat-intelligence-report-february-17-february-23-2026
Dataprise – Dataprise Defense Digest Moonrise Remote Access Trojan – https://www.dataprise.com/resources/defense-digest/defense-digest-moonrise-rat/