Engage Report: TA397 RATs War

TA397 utilizes a malicious shortcut (LNK) file embedded within a RAR archive. When the victim opens this LNK file, it executes PowerShell code that creates a scheduled task on the victim’s machine. This scheduled task enables the download and execution of additional payloads, establishing persistence on the compromised system.
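The chain described above (user-opened LNK, PowerShell, schtasks /Create) leaves a recognisable parent/child pattern in process-creation telemetry. The following detection logic is an added example written for this page, not code from the report or from any vendor; it runs over constructed records shaped like Sysmon Event ID 1, and the set of "launcher" processes (explorer.exe, WinRAR, 7-Zip) from which an opened LNK would spawn its child is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation record (shape of Sysmon Event ID 1); every field here is constructed."""
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


# Assumption: interactive programs from which a user-opened LNK spawns its child process.
LAUNCHERS = {"explorer.exe", "winrar.exe", "7zfm.exe"}

# PowerShell switches that keep the console out of sight or hide the script body.
HIDDEN_RE = re.compile(
    r"(?i)-(?:w|win|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\b|-(?:ep|executionpolicy)\s+bypass")
CREATE_RE = re.compile(r"(?i)/create\b")
# /TR is the action the task runs on schedule; that is where a script host or downloader shows up.
TASK_ACTION_RE = re.compile(r'(?i)/tr\s+"([^"]+)"|/tr\s+(\S+)')
SUSPICIOUS_ACTION_RE = re.compile(r"(?i)powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|https?://")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_scheduled_task_persistence(events: List[ProcEvent]) -> List[Dict]:
    """Alert on schtasks /Create spawned by PowerShell when at least two of these hold:
    PowerShell came from a user launcher, PowerShell ran hidden/encoded, the task action is a script host."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) != "schtasks.exe" or not CREATE_RE.search(ev.cmdline):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or basename(parent.image) not in {"powershell.exe", "pwsh.exe"}:
            continue
        grandparent = by_pid.get(parent.ppid)
        launcher = basename(grandparent.image) if grandparent else None
        m = TASK_ACTION_RE.search(ev.cmdline)
        action = (m.group(1) or m.group(2)) if m else ""
        indicators = []
        if launcher in LAUNCHERS:
            indicators.append("powershell_spawned_from_user_launcher")
        if HIDDEN_RE.search(parent.cmdline):
            indicators.append("powershell_hidden_or_encoded")
        if SUSPICIOUS_ACTION_RE.search(action):
            indicators.append("task_action_runs_script_host_or_url")
        if len(indicators) >= 2:
            alerts.append({"task_pid": ev.pid, "powershell_pid": parent.pid, "launcher": launcher,
                           "task_action": action, "indicators": indicators})
    return alerts


# Constructed sample telemetry: one chain matching the report, two benign administrative chains.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2001, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -WindowStyle Hidden -NoProfile -File C:\Users\victim\AppData\Local\Temp\setup.ps1"),
    ProcEvent(2002, 2001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC MINUTE /MO 15 /TN "WindowsUpdateCheck" /TR "powershell.exe -w hidden -File C:\Users\Public\u.ps1" /F'),
    ProcEvent(3001, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    ProcEvent(3002, 3001, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /Query /TN "Backup"'),
    ProcEvent(4001, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Deploy\install.ps1"),
    ProcEvent(4002, 4001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC DAILY /TN "VendorUpdate" /TR "C:\Program Files\Vendor\update.exe"'),
]

if __name__ == "__main__":
    for alert in find_scheduled_task_persistence(SAMPLE_EVENTS):
        print(alert)
```

The lookup by PID assumes the events come from one boot session without PID reuse; in production, key the parent lookup on the process GUID Sysmon provides rather than the bare PID, and pair this with Security Event ID 4698 (task created) so that tasks registered through the Task Scheduler API rather than schtasks.exe are covered as well.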

Hunting all around for TA397 RATs

Attackers are using phishing emails to deliver malicious attachments that gather system information and exfiltrate it to a remote server.

DarkComet RAT – Proxy

The DarkComet RAT routes its traffic through a connection proxy, specifically SOCKS5, to obscure the true command and control (C2) server infrastructure. Because the infected host only ever talks to the proxy, the real C2 address is harder to identify and block, allowing the attacker to maintain persistent control over the infected system.
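A proxied C2 channel still has to speak SOCKS5 on the wire, and the RFC 1928 handshake is distinctive: a version byte of 0x05, a method list, then a request carrying the real destination. The following parser and flow check are an added example for this page, not code from the report or from DarkComet analyses; the flow records, the internal network ranges and the idea of flagging workstations that open SOCKS5 sessions to addresses outside those ranges are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_socks5_client_stream(data: bytes) -> Optional[Dict]:
    """Parse the client-to-server bytes of a SOCKS5 session (RFC 1928): the method greeting
    followed directly by the request (no-authentication case). Returns None if malformed."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    methods = list(data[2:2 + nmethods])
    req = data[2 + nmethods:]
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:   # RSV must be zero
        return None
    cmd, atyp, body = req[1], req[3], req[4:]
    if atyp == 0x01 and len(body) >= 6:                     # IPv4
        dst, rest = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == 0x03 and len(body) >= 1 and len(body) >= 1 + body[0] + 2:   # domain name
        n = body[0]
        dst, rest = body[1:1 + n].decode("ascii", "replace"), body[1 + n:]
    elif atyp == 0x04 and len(body) >= 18:                  # IPv6
        dst, rest = str(ipaddress.IPv6Address(body[:16])), body[16:]
    else:
        return None
    port = int.from_bytes(rest[:2], "big")
    return {"methods": methods, "cmd": CMD_NAMES.get(cmd, f"UNKNOWN_{cmd}"),
            "atyp": atyp, "dst": dst, "port": port}


@dataclass
class Flow:
    """A TCP flow summary with the first client-to-server bytes; all values are constructed."""
    src: str
    dst: str
    dport: int
    client_payload: bytes


# Assumption: the organisation's internal address space (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flag_socks5_flows(flows: List[Flow]) -> List[Dict]:
    """Flag internal hosts that open SOCKS5 sessions to proxies outside the internal ranges;
    a workstation speaking SOCKS5 straight to the Internet is how a proxied C2 channel looks."""
    hits = []
    for f in flows:
        parsed = parse_socks5_client_stream(f.client_payload)
        if parsed is None or is_internal(f.dst):
            continue
        hits.append({"src": f.src, "proxy": f"{f.dst}:{f.dport}", **parsed})
    return hits


# Constructed flows: SOCKS5 to an external proxy, SOCKS5 to a corporate proxy, plain HTTP.
SAMPLE_FLOWS = [
    Flow("10.20.30.40", "203.0.113.77", 1080,
         b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + (443).to_bytes(2, "big")),
    Flow("10.20.30.41", "10.0.0.5", 1080,
         b"\x05\x02\x00\x02" + b"\x05\x01\x00\x01" + bytes([10, 0, 0, 9]) + (22).to_bytes(2, "big")),
    Flow("10.20.30.42", "203.0.113.88", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in flag_socks5_flows(SAMPLE_FLOWS):
        print(hit)
```

The parser covers the no-authentication path; when the proxy selects username/password (method 0x02), the RFC 1929 sub-negotiation sits between the greeting and the request and must be skipped first. The destination recovered from the request is the address to pivot on, since the proxy itself is the disposable layer.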

DarkComet RAT – Phishing

The attacker sent a spearphishing email containing a malicious Microsoft Word document (.doc) as an attachment. This document exploits a vulnerability (CVE-2012-0158) to execute embedded malicious code, ultimately leading to the download and execution of the DarkComet RAT payload.
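Both the information-gathering attachments described under "Hunting all around for TA397 RATs" and the .doc lure above arrive as mail attachments, and the first defensive question is what each attachment really is, regardless of its name. The triage routine below is an added example for this page, not code from the report: it parses a constructed message with Python's standard email library, identifies attachments by their file signatures (the OLE2 container used by legacy .doc files, RAR archives, and Windows shortcut files, all formats the report names) and flags extension mismatches. The risk labels and the expected-extension table are assumptions made here.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# File signatures (magic bytes) of the formats named in the report, plus the zip container of .docx.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary Office container (.doc/.xls/.ppt)
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
ZIP_MAGIC = b"PK\x03\x04"


def identify(blob: bytes) -> str:
    """Classify an attachment by its leading bytes rather than by the name the sender chose."""
    if blob.startswith(OLE2_MAGIC):
        return "ole2"
    if blob.startswith(RAR4_MAGIC) or blob.startswith(RAR5_MAGIC):
        return "rar"
    if blob.startswith(LNK_MAGIC):
        return "lnk"
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


# Assumption: extensions that legitimately carry each container, and how a defender rates each type.
EXPECTED_EXT = {"ole2": {"doc", "xls", "ppt", "msi"}, "rar": {"rar"}, "lnk": {"lnk"},
                "zip": {"docx", "xlsx", "pptx", "zip"}}
RISK = {"ole2": "legacy binary Office document (the container behind the CVE-2012-0158 lure)",
        "rar": "RAR archive (can carry an LNK dropper past attachment filters)",
        "lnk": "Windows shortcut (runs a command line when opened)"}


def triage_attachments(raw_eml: bytes) -> List[Dict]:
    """Return one finding per attachment: declared type, detected type, mismatch flag, risk note."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        blob = part.get_payload(decode=True) or b""
        kind = identify(blob)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append({
            "filename": name,
            "declared_type": part.get_content_type(),
            "detected": kind,
            "extension_mismatch": kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind],
            "risk": RISK.get(kind),
        })
    return findings


def build_sample_eml() -> bytes:
    """Constructed message: an OLE2 'invoice.doc', a RAR archive, and an LNK disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Updated invoice"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 56, maintype="application", subtype="msword",
                       filename="invoice.doc")
    msg.add_attachment(RAR4_MAGIC + b"\x00" * 32, maintype="application", subtype="octet-stream",
                       filename="scan.rar")
    msg.add_attachment(LNK_MAGIC + b"\x00" * 8, maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_eml()):
        print(finding)
```

Signature checks answer only "what container is this"; a flagged OLE2 document still needs a content scan (for example, enumerating its streams and embedded ActiveX objects with an OLE parser) before it can be called malicious, and archives should be expanded in isolation so that the shortcut inside a RAR is seen before a user ever opens it.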