BreachRAT

Malware

⚠️ Overview

BreachRAT is a remote access trojan (RAT) first documented by Cisco Talos in September 2020, attributed to a financially motivated threat actor tracked as TA551 (aka Shathak). It is distributed primarily via phishing campaigns targeting logistics and manufacturing sectors in North America and Europe.

🔧 Technical Capabilities

BreachRAT is a .NET-based malware that uses HTTP-based command-and-control (C2) communication over ports 443 and 8080, with payloads obfuscated using XOR and Base64. Initial access relies on spear-phishing emails carrying weaponized Microsoft Office documents (CVE-2017-11882 was exploited in early campaigns). Persistence is achieved either through a scheduled task named "WindowsUpdateTask" or a registry Run value named "svchost" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API unhooking, process hollowing (injecting into explorer.exe), and sandbox checks that look for low free disk space or a small CPU-core count. C2 traffic mimics legitimate Windows Update requests by using lookalike domains such as "update-msft[.]com".

📜 History & Notable Incidents

First observed in July 2020, BreachRAT was linked to a campaign that compromised a major German logistics firm in October 2020, exfiltrating shipping manifests. MITRE ATT&CK maps its behaviour to T1071.001 (Application Layer Protocol: Web Protocols) and T1055.012 (Process Injection: Process Hollowing). No CVEs are tied to the RAT itself; initial access frequently exploits CVE-2017-11882 (the Equation Editor vulnerability) and CVE-2018-0802 (a second Equation Editor flaw). No law enforcement action against the group has been made public as of 2025.

🔍 Detection Indicators

Known file hashes include SHA256: 3a4c5e6f... (MS Office dropper variant, per the Talos report). Behavioral indicators include outbound connections to IPs in the 185.130.5.x range on port 8080, creation of the mutex "Global\BreachRAT_Mutex", and User-Agent strings similar to "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" (a stock browser User-Agent, so it is only useful in combination with the other indicators). The registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost points to a Base64-encoded payload under the user's AppData folder.

☠️ Risk & Impact

BreachRAT enables full remote control of the host, including keystroke logging, screen capture, file exfiltration, and deployment of secondary payloads such as ransomware. Financial losses are estimated at over $2.3 million across 12 confirmed incidents (2020–2023), primarily in the transportation and logistics industries. Unpatched Microsoft Office installations remain the primary initial-access vector.

🛡️ Mitigation

Apply the Microsoft security updates for CVE-2017-11882 and CVE-2018-0802, block Office macros via Group Policy, and deploy endpoint detection rules that alert on creation of a scheduled task named "WindowsUpdateTask" or a Run value named "svchost" that points into AppData. Network defenders should block outbound traffic to the known C2 IP range and monitor for Base64-encoded POST bodies sent to lookalike update domains. Cisco Talos provides Snort rules (SIDs 51234–51236) specific to BreachRAT traffic patterns.
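The host and network indicators from the Technical Capabilities, Detection Indicators and Mitigation sections above can be turned into a simple hunting check. The script below is an added example written for this page; it is not Cisco Talos or Boteraser code. The event dictionaries, their field names and the sample telemetry are constructed for the example and do not follow any real EDR schema. The Run-key and scheduled-task technique IDs are the standard ATT&CK mappings (T1547.001 and T1053.005), which the page itself does not list. The lookalike-domain regex generalises beyond the single "update-msft[.]com" domain quoted on the page to any host mixing "update", "msft" or "microsoft" outside Microsoft-owned zones; treat that as an assumption to tune for your environment.

```python
"""Hunting helper for the BreachRAT indicators listed on this page.
Added example, not vendor code. Event shapes and sample events are constructed."""
import base64
import binascii
import re

# Host indicators quoted on the page.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "svchost"
TASK_NAME = "WindowsUpdateTask"
MUTEX_NAME = r"Global\BreachRAT_Mutex"

# Network indicators quoted on the page.
C2_NET_PREFIX = "185.130.5."   # 185.130.5.x
C2_PORTS = {443, 8080}
# Assumption: generalises the quoted "update-msft[.]com" to any update/msft lookalike.
LOOKALIKE_RE = re.compile(r"(update|msft|microsoft)", re.I)
LEGIT_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")


def looks_base64(body: str) -> bool:
    """True if body is non-trivial, uses only the Base64 alphabet and decodes cleanly."""
    if len(body) < 16 or len(body) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def is_lookalike_host(host: str) -> bool:
    """Flag update/msft-themed hosts that are not under a Microsoft-owned zone."""
    h = host.lower().rstrip(".")
    if any(h == s or h.endswith("." + s) for s in LEGIT_SUFFIXES):
        return False
    return bool(LOOKALIKE_RE.search(h))


def check_event(ev: dict) -> list:
    """Return (indicator, attack_technique) hits for one constructed telemetry event."""
    hits = []
    t = ev.get("type")
    if t == "registry_set":
        # Page: Run value "svchost" pointing at a Base64 payload under AppData.
        if ev.get("key", "").lower() == RUN_KEY.lower() and ev.get("value") == RUN_VALUE:
            if "appdata" in ev.get("data", "").lower():
                hits.append(("Run value svchost -> AppData payload", "T1547.001"))
    elif t == "scheduled_task":
        if ev.get("name") == TASK_NAME:
            hits.append(("scheduled task WindowsUpdateTask", "T1053.005"))
    elif t == "mutex":
        if ev.get("name") == MUTEX_NAME:
            hits.append(("mutex Global\\BreachRAT_Mutex", "host indicator"))
    elif t == "network":
        dst, port = ev.get("dst_ip", ""), ev.get("dst_port")
        if dst.startswith(C2_NET_PREFIX) and port in C2_PORTS:
            hits.append((f"known C2 range {dst}:{port}", "T1071.001"))
        host = ev.get("host", "")
        if (ev.get("method") == "POST" and is_lookalike_host(host)
                and looks_base64(ev.get("body", ""))):
            hits.append((f"Base64 POST to lookalike host {host}", "T1071.001"))
    return hits


def hunt(events: list) -> list:
    """Run check_event over a batch; returns (event_id, hit) pairs."""
    return [(ev["id"], hit) for ev in events for hit in check_event(ev)]


# Constructed sample telemetry; IPs 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set", "key": RUN_KEY, "value": "svchost",
     "data": r"C:\Users\a\AppData\Roaming\upd\svchost.b64"},
    {"id": 2, "type": "registry_set", "key": RUN_KEY, "value": "OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"id": 3, "type": "scheduled_task", "name": "WindowsUpdateTask"},
    {"id": 4, "type": "mutex", "name": r"Global\BreachRAT_Mutex"},
    {"id": 5, "type": "network", "dst_ip": "185.130.5.77", "dst_port": 8080,
     "method": "POST", "host": "update-msft.com",
     "body": base64.b64encode(b"host=WS01&user=a&ver=1.2").decode()},
    {"id": 6, "type": "network", "dst_ip": "198.51.100.5", "dst_port": 443,
     "method": "POST", "host": "update.microsoft.com",
     "body": base64.b64encode(b"telemetry-blob").decode()},
    {"id": 7, "type": "network", "dst_ip": "203.0.113.9", "dst_port": 443,
     "method": "POST", "host": "cdn.example.net", "body": "form=1&x=2"},
]

if __name__ == "__main__":
    for event_id, (indicator, technique) in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {indicator} [{technique}]")
```

Event 5 produces two hits (known C2 range and Base64 POST to a lookalike host), while the legitimate `update.microsoft.com` POST in event 6 and the ordinary form POST in event 7 produce none; the Base64 check alone is deliberately weak, which is why it is only combined with the lookalike-host test rather than used as a standalone alert.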


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.