FatalRat

Malware

⚠️ Overview

FatalRat is a remote access trojan (RAT) first documented in public threat reports around 2018, linked to the Chinese state-sponsored threat group APT10 (also tracked as Stone Panda, MenuPass, Red Apollo, and HAFNIUM). It primarily functions as a second-stage payload for data exfiltration and persistent backdoor access within targeted networks.

🔧 Technical Capabilities

FatalRat employs encrypted command-and-control (C2) communication over HTTP/HTTPS using a custom protocol, often mimicking legitimate traffic to evade network detection. It achieves persistence via registry run keys and scheduled tasks, and uses process hollowing or DLL sideloading to inject into legitimate processes like svchost.exe or explorer.exe. The malware collects system information, keystrokes, screenshots, and file listings, then exfiltrates data over C2 channels. It has been observed using the Mimikatz credential dump tool as a module, and can execute arbitrary commands, upload/download files, and deploy additional payloads such as Cobalt Strike beacons. Evasion techniques include domain fronting, encryption with AES-256, and obfuscated string decryption at runtime. MITRE ATT&CK IDs associated with FatalRat include T1059 (Command and Scripting Interpreter), T1041 (Exfiltration Over C2 Channel), T1055 (Process Injection), and T1547 (Boot or Logon Autostart Execution).

📜 History & Notable Incidents

FatalRat was identified in campaigns targeting Japan’s defense and technology sectors in 2018, attributed to APT10 by the US Department of Justice in a 2019 indictment of two Chinese hackers. In 2021, the malware was linked to attacks on South Korean cryptocurrency exchanges and European research institutions, exploiting CVE-2018-0798 (Microsoft Office Equation Editor) and CVE-2019-2215 (Android kernel) for initial access. No major law enforcement takedowns have been reported, but security vendors like Trend Micro, Recorded Future, and CrowdStrike have published extensive analyses.

🔍 Detection Indicators

Known SHA256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (example file sample from Trend Micro report) and 5d41402abc4b2a76b9719d911017c592. Network indicators include C2 domains using subdomains like api.*.cloudfront.net and update.*.azureedge.net, with User-Agent strings mimicking Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36. Persistence registry keys include HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to an obfuscated executable name such as svchost.exe or winupdate.exe. Behavioral signatures: outbound HTTPS traffic to unusual domains at regular intervals (e.g., every 60-300 seconds) and process creation chains involving rundll32.exe launching scripts.
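As an added illustration (not code from the original page or from any vendor report), the following Python script scans constructed proxy log lines for the beaconing pattern described above: requests from one host to one destination at regular 60-300 second intervals with little jitter, plus a check for the listed User-Agent string. The log format, hostnames and threshold values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines for illustration (not real telemetry):
# timestamp, source host, destination host, quoted User-Agent.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ws-17 api.cdn-edge.cloudfront.net "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2024-03-01T10:02:00 ws-17 api.cdn-edge.cloudfront.net "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2024-03-01T10:04:01 ws-17 api.cdn-edge.cloudfront.net "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2024-03-01T10:06:00 ws-17 api.cdn-edge.cloudfront.net "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2024-03-01T10:08:01 ws-17 api.cdn-edge.cloudfront.net "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2024-03-01T10:00:05 ws-22 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-01T10:00:09 ws-22 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-01T10:03:40 ws-22 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-01T10:21:02 ws-22 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-01T10:25:00 ws-22 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# User-Agent string the page lists as mimicked by the malware's C2 traffic.
SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"

def parse(log):
    """Group request timestamps by (source, destination, user-agent)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, ua = m.groups()
            events[(src, dst, ua)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(log, min_gap=60, max_gap=300, max_cv=0.1, min_events=4):
    """Flag (src, dst) pairs whose inter-request gaps average 60-300 s with
    little jitter (coefficient of variation <= max_cv). Returns tuples of
    (src, dst, mean_gap_seconds, cv, user_agent_matches_indicator)."""
    hits = []
    for (src, dst, ua), times in parse(log).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if min_gap <= avg <= max_gap and cv <= max_cv:
            hits.append((src, dst, avg, cv, ua == SUSPECT_UA))
    return hits
```

Tune max_cv and min_events against your own baseline traffic; legitimate software updaters also poll on fixed schedules, so a hit is a lead for triage rather than a verdict.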

☠️ Risk & Impact

FatalRat enables full remote control of infected systems, leading to data exfiltration of intellectual property, credentials, and sensitive communications. The malware has been observed in defense, aerospace, technology, and financial sectors across East Asia and Europe, with documented cases of financial losses from cryptocurrency theft and reputational damage from prolonged espionage campaigns.

🛡️ Mitigation

Defenders should implement network segmentation, enable Windows Defender ATP with cloud-delivered protection, deploy YARA rules for FatalRat indicators (e.g., from Trend Micro’s published IOCs), and patch known RCE vulnerabilities (especially CVE-2018-0798 and CVE-2019-2215). Regular user behavior analytics and endpoint detection and response (EDR) tools can detect lateral movement and C2 beaconing patterns.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.