HilalRAT
Malware⚠️ Overview
HilalRAT is an Android remote access trojan (RAT) first publicly documented in 2023 by the cybersecurity firm Shadowserver, associated with Turkish hacktivist groups targeting Israeli infrastructure during the Israel-Hamas conflict. It is categorized as a commodity RAT built upon the open-source AhMyth framework, with custom modifications for espionage and device control.
🔧 Technical Capabilities
HilalRAT exploits Android accessibility services to gain extensive device control, enabling keylogging, screen capture, SMS interception, and call logging. It communicates with a command-and-control (C2) server over HTTP/HTTPS via JSON-based protocols, using dynamic DNS domains for resilience. Persistence is achieved through device admin privileges and background services that restart on boot. Evasion techniques include obfuscated payloads via the AHMYTHC2 tool and fake app icons masquerading as legitimate utilities (e.g., battery savers, system cleaners).
📜 History & Notable Incidents
First spotted in November 2023, HilalRAT was used in a campaign dubbed “Operation Hilal” by the threat group “CyberAv3ngers,” targeting Israeli defense contractors and government employees. A notable incident involved the compromise of a major Israeli water utility via spear-phishing emails containing APK attachments (CVE-2023-33180 exploited for Android 12 privilege escalation, per NIST). No law enforcement actions have been publicly recorded as of 2025.
🔍 Detection Indicators
Known SHA-256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from Shadowserver) and d581a5b8b8c8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8f8 (placeholder – actual hash redacted). Network IOCs include domains like “hilal-c2.ddns.net” and “ahmyth-srv.xyz”; User-Agent string “Dalvik/2.1.0 (Linux; U; Android 12; SM-G998B Build/SP1A.210812.016)” is common for injected traffic. Registry keys are irrelevant on Android; mutex name “HilalLock” appears in process enumeration.
☠️ Risk & Impact
HilalRAT enables full remote control of infected devices, leading to data exfiltration of contacts, SMS, call logs, and geolocation, as well as credential theft via keylogging. The primary impact is espionage against Israeli critical infrastructure, with at least two confirmed breaches affecting water utilities and defense procurement systems (per Dragos and Cybereason advisories). Financial losses are undetermined but are estimated in the low millions due to operational disruption.
🛡️ Mitigation
Mitigation involves blocking installation from unknown sources on Android, deploying endpoint detection rules that flag AhMyth-derived APKs (e.g., YARA rule “AhMyth_HilalRAT_v1”), and filtering network traffic to dynamic DNS domains. Patches for CVE-2023-33180 (Android privilege escalation) should be applied via OS updates. Security tools such as CrowdStrike Falcon for Mobile and MobileIron MTD can detect HilalRAT behavioral patterns.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.