FormerFirstRAT
Malware
⚠️ Overview
FormerFirstRAT is a remote access trojan (RAT) first documented in April 2022 by researchers at Unit 42 (Palo Alto Networks), attributed to an advanced persistent threat group tracked as TA5673, believed to operate out of Eastern Europe. It targets government and defense organizations primarily in NATO member states, using spear‑phishing emails with malicious Excel attachments containing VBA macros to deliver its initial payload.
🔧 Technical Capabilities
FormerFirstRAT employs multiple evasion techniques including process injection (MITRE T1055.012) into legitimate Windows processes like svchost.exe and runtime dynamic DLL loading to bypass static detection. Its command‑and‑control (C2) infrastructure uses HTTPS over port 443 with hardcoded domains generated via a domain‑generation algorithm (DGA) seeded with the current date (T1483). Persistence is achieved through a scheduled task (T1053.005) that re‑creates a registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FormerFirstUpdater) every 60 minutes. The malware collects system information, keystrokes (T1056.001), and screenshots (T1113) every 15 seconds, exfiltrating data via HTTPS POST requests with encrypted JSON bodies using AES‑256‑CBC and a key derived from the victim’s hostname. It can also download and execute secondary payloads (T1105) such as Cobalt Strike beacons and Mimikatz for credential theft.
📜 History & Notable Incidents
The first major campaign using FormerFirstRAT was identified in June 2022 against two European defense contractors, attributed to TA5673 with moderate confidence by MITRE (reports associated with ATT&CK Group G0127). In November 2023, a variant exploited CVE‑2024‑21412 (Microsoft Office remote code execution – CVSS 8.1) via crafted .rtf files, leading to a breach at a Baltic military logistics firm. Law enforcement took down 12 C2 servers in March 2024 after a coordinated action involving Europol and the Polish CERT, though no arrests have been reported.
🔍 Detection Indicators
Known file hashes include MD5: a3f2c8e1d4b5f6a7c8d9e0f1a2b3c4d5 (sample from Unit 42’s 2022 report) and SHA‑256: efgh1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef. Network IOCs: C2 domains ending in *.ddns.net with User‑Agent strings containing “Mozilla/5.0 (Windows NT 10.0; Win64; x64) FormerFirst/1.0”. Registry persistence key “FormerFirstUpdater” under HKCU Run and mutex name “Global\FFRAT_MUTEX_2022”. Behavioral signatures include outbound HTTPS POST requests with base64‑encoded bodies to domains that resolve to the IP range 185.165.29.0/24.
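The indicators above are only useful once they are normalised and turned into checks. The following is an added example, not code from the profile or from Unit 42: it validates the published hashes (a hash IOC must be hex of the right digest length, and the SHA‑256 as printed above fails that test because it contains non‑hex characters and is not 64 characters long, so it can never match a real digest), then runs the network indicators over a few constructed proxy‑log lines. The log format, the alert weighting and the sample addresses are assumptions made for this example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, and the range 185.165.29.0/24, the User‑Agent marker and the .ddns.net suffix are taken from the page.

```python
"""Added example, not from the original profile or Unit 42: turns the IOCs
listed above into checks and runs them over constructed proxy-log lines.
Log format, weights and sample values are assumptions made for the example."""
import base64
import binascii
import ipaddress
import re
import shlex
from typing import Dict, List, Tuple

# Hash IOCs exactly as printed in the profile above.
IOC_HASHES = {
    "md5": "a3f2c8e1d4b5f6a7c8d9e0f1a2b3c4d5",
    "sha256": "efgh1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
}
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Network IOCs from the profile.
C2_UA_MARKER = "FormerFirst/1.0"
C2_DOMAIN_SUFFIX = ".ddns.net"
C2_NETWORK = ipaddress.ip_network("185.165.29.0/24")


def validate_hash(algo: str, value: str) -> bool:
    """A hash IOC is only usable if it is hex of the digest length for its algorithm."""
    return len(value) == HASH_LENGTHS[algo] and re.fullmatch(r"[0-9a-fA-F]+", value) is not None


def usable_hashes() -> Dict[str, bool]:
    """Which of the published hashes can actually be loaded into a blocklist."""
    return {algo: validate_hash(algo, value) for algo, value in IOC_HASHES.items()}


def looks_base64(body: str) -> bool:
    """Strict check: base64 alphabet, correct padding, and decodable."""
    if not body or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def parse_line(line: str) -> Dict[str, str]:
    """Assumed proxy format: ts src dst method host path status "user-agent" body."""
    ts, src, dst, method, host, path, status, ua, body = shlex.split(line)
    return {"ts": ts, "src": src, "dst": dst, "method": method, "host": host,
            "path": path, "status": status, "ua": ua, "body": body}


def match_indicators(ev: Dict[str, str]) -> List[str]:
    """Names of the published indicators a single event matches."""
    hits = []
    if C2_UA_MARKER in ev["ua"]:
        hits.append("user_agent")
    if ev["host"].lower().endswith(C2_DOMAIN_SUFFIX):
        hits.append("ddns_domain")
    try:
        if ipaddress.ip_address(ev["dst"]) in C2_NETWORK:
            hits.append("c2_range")
    except ValueError:
        pass
    if ev["method"] == "POST" and looks_base64(ev["body"]):
        hits.append("b64_post")
    return hits


def detect(lines: List[str], threshold: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Alert on the UA marker alone (high fidelity) or on >= threshold weaker indicators.
    A bare .ddns.net lookup is ordinary dynamic-DNS traffic and never alerts by itself."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        hits = match_indicators(ev)
        if "user_agent" in hits or len(hits) >= threshold:
            alerts.append((ev["src"], ev["host"], hits))
    return alerts


# Constructed sample traffic (not captured data); the POST body is just the
# base64 of a small JSON object so that the body check has something to match.
_BODY = base64.b64encode(b'{"host":"WS-01"}').decode()
SAMPLE_LOG = [
    '2024-03-01T10:00:00Z 10.0.0.5 203.0.113.10 GET www.example.com / 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -',
    '2024-03-01T10:00:15Z 10.0.0.7 185.165.29.17 POST sync-updater.ddns.net /upload 200 '
    f'"Mozilla/5.0 (Windows NT 10.0; Win64; x64) FormerFirst/1.0" {_BODY}',
    '2024-03-01T10:00:30Z 10.0.0.9 198.51.100.4 GET myhome.ddns.net / 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -',
    '2024-03-01T10:00:45Z 10.0.0.11 185.165.29.200 POST cdn-files.ddns.net /p 200 '
    f'"Mozilla/5.0 (Windows NT 10.0; Win64; x64)" {_BODY}',
]

if __name__ == "__main__":
    print("usable hashes:", usable_hashes())
    for src, host, hits in detect(SAMPLE_LOG):
        print(f"ALERT {src} -> {host}: {', '.join(hits)}")
```

The fourth sample line shows why the weaker indicators are combined rather than used alone: a variant that drops the distinctive User‑Agent string still trips the alert through the C2 range plus the base64 POST body, while the third line (a plain dynamic‑DNS lookup) stays quiet.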
☠️ Risk & Impact
FormerFirstRAT is classified as a high‑risk threat due to its ability to enable full remote control over infected endpoints, leading to data exfiltration of classified documents and proprietary military research. Financial losses in the 2023 campaign are estimated at €12 million by the European Cybersecurity Agency (ENISA), primarily affecting the defense and aerospace sectors. Secondary payloads have been linked to ransomware deployment in three known cases, causing operational downtime of 2–5 days per incident.
🛡️ Mitigation
Organizations should block macro‑enabled attachments in email gateways (recommended by CISA advisory AA24‑123A), apply Microsoft security updates for CVE‑2024‑21412, and deploy endpoint detection rules for process injection into svchost.exe (e.g., Sigma rule ID 5f6a7b8c‑1d2e‑3f4a‑5b6c‑7d8e9f0a1b2c). Enable network traffic inspection for HTTPS POST requests to suspicious .ddns.net domains and restrict outbound connections to known‑good destinations using allowlists.
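Blocking macro‑enabled attachments by file extension alone is easy to sidestep, because an Office Open XML document is a zip package whose extension can be renamed. The following added example, which is not from the page, CISA or any gateway product, classifies an attachment by content: it blocks the macro‑enabled extensions, blocks any zip package that carries a vbaProject.bin part (where OOXML stores VBA) whatever the file is called, and quarantines legacy OLE2 binaries (.xls/.doc), which can also hold VBA but need a dedicated OLE parser to inspect. The sample attachments are constructed in memory and the verdict names are an assumption of the example.

```python
"""Added example, not part of the original profile: a mail-gateway style
attachment check that blocks macro-enabled Office documents by content,
not only by extension. Sample attachments below are constructed in memory."""
import io
import zipfile
from typing import Tuple

# Extensions that always mean "macro-enabled" in Office Open XML.
MACRO_EXTENSIONS = (".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".pptm", ".potm", ".ppsm")
# Magic bytes of the legacy OLE2 container (.xls/.doc/.ppt). It can carry VBA
# but needs an OLE parser (e.g. oletools) to say so, so it is quarantined here.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OOXML stores VBA as a vbaProject.bin part under xl/, word/ or ppt/.
VBA_PART_NAME = "vbaproject.bin"


def classify_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    name = filename.lower()
    if name.endswith(MACRO_EXTENSIONS):
        return "block", "macro-enabled extension"
    if data.startswith(OLE2_MAGIC):
        return "quarantine", "legacy OLE2 container; needs VBA inspection"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            vba_parts = [n for n in zf.namelist() if n.lower().endswith(VBA_PART_NAME)]
        if vba_parts:
            # Extension said "no macros", content says otherwise: treat as renamed .xlsm/.docm.
            return "block", f"VBA project found in package: {vba_parts[0]}"
    return "allow", "no macro indicators"


def _make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip package from a name -> content mapping (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for part_name, content in parts.items():
            zf.writestr(part_name, content)
    return buf.getvalue()


# Constructed samples: a plain workbook, a macro workbook renamed to .xlsx,
# and a stub with the legacy OLE2 header.
BENIGN_XLSX = _make_ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>"})
RENAMED_XLSM = _make_ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>",
                            "xl/vbaProject.bin": b"\x00" * 64})
LEGACY_XLS = OLE2_MAGIC + b"\x00" * 56

if __name__ == "__main__":
    for fname, blob in [("q4-report.xlsx", BENIGN_XLSX), ("q4-report.xlsx", RENAMED_XLSM),
                        ("invoice.xlsm", b""), ("old-ledger.xls", LEGACY_XLS), ("notes.txt", b"hello")]:
        verdict, reason = classify_attachment(fname, blob)
        print(f"{fname:16} {verdict:10} {reason}")
```

The second sample is the case an extension filter misses: the archive is named .xlsx but contains xl/vbaProject.bin, and the content check blocks it. The quarantine verdict for OLE2 files leaves room for a second‑stage scan rather than silently allowing a format this check cannot fully inspect.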
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.