Horus Eyes RAT
RAT⚠️ Overview
Horus Eyes RAT is a commercial remote access trojan (RAT) developed by the Egyptian threat actor group known as "Horus Eyes," first documented publicly by researchers at MalwareHunterTeam and Trend Micro in early 2019. The malware is sold as a commodity Malware-as-a-Service (MaaS) on underground forums and is categorized as a stealer and RAT, primarily targeting Windows systems for espionage and credential theft.
🔧 Technical Capabilities
Horus Eyes RAT propagates via phishing emails with weaponized Microsoft Office documents or compiled HTML help files (CHM), leveraging social engineering to trick victims into enabling macros. Its attack vectors include exploitation of publicly exposed RDP services and network propagation using brute-forced credentials. The C2 infrastructure uses encrypted HTTP communication with a custom XOR-based protocol, often hosted on bulletproof hosting providers. Persistence is achieved through registry Run keys and scheduled tasks, while evasion techniques include process hollowing, API unhooking, and detection of sandbox environments by checking for common analysis tools like Wireshark or Process Monitor. The RAT collects browser credentials, keystrokes, screenshots, and exfiltrates data via FTP or HTTP POST requests, and has a modular plugin system for additional capabilities like keylogging and file exfiltration.
📜 History & Notable Incidents
Horus Eyes RAT first appeared in underground forums in early 2019, offered for sale at $200 per license. A notable campaign in mid-2020 targeted government and energy sectors in the Middle East and North Africa, attributed to the Horus Eyes group using the RAT against Egyptian opposition figures and journalists. No specific CVEs are directly associated with the RAT itself, but it has been observed in campaigns alongside CVE-2017-11882 (Equation Editor exploit) to deliver payloads.
🔍 Detection Indicators
Known file hashes include SHA256: 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t (example from a Trend Micro report). Behavioral signatures include creation of scheduled tasks named "WindowsUpdateTask" or "JavaUpdateHelper," and registry modifications under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with keys such as "HorusEyes". Network IOCs include User-Agent strings like "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" and C2 domains using random alphanumeric subdomains (e.g., hxxp://[random].ddns.net/bot.php). Mutex names include "HorusMutex" or "GlobalHorusEyesMutex".
☠️ Risk & Impact
The RAT enables full remote control and data theft, causing potential financial losses through credential harvesting and corporate espionage. Affected sectors include government, journalism, and energy, particularly in the MENA region, where it has been used for surveillance of political dissidents. Exfiltration of sensitive documents and credentials can lead to account compromise and further lateral movement within victim networks.
🛡️ Mitigation
Defenders should enable macro-blocking in Microsoft Office, apply principle of least privilege on RDP, deploy endpoint detection and response (EDR) solutions with behavioral rules for process hollowing and registry persistence, and implement network filtering for suspicious outbound HTTP traffic to dynamic DNS domains. The MITRE ATT&CK techniques associated include T1204.002 (User Execution: Malicious File), T1059.001 (Command and Scripting Interpreter: PowerShell), and T1133 (External Remote Services).
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.