jRAT
⚠️ Overview
jRAT, also known as Adwind (MITRE ATT&CK ID S0026) and AlienSpy, is a cross-platform remote access trojan (RAT) written in Java. It surfaced in 2013, is sold as malware-as-a-service on underground forums, and has been operated by multiple financially motivated and state-sponsored threat actors, including the Gaza Cybergang (APT-C-23) and Iranian groups. Because it relies on the installed Java Runtime Environment, it can target Windows, macOS, Linux, and Android systems, where it installs a persistent backdoor.
🔧 Technical Capabilities
jRAT uses a two-stage loader, most often delivered via spear-phishing emails carrying malicious JAR files or by exploiting Apache Struts vulnerabilities (CVE-2017-5638, CVE-2017-9805) for initial access. The malware establishes command-and-control (C2) over TCP/SSL using custom protocols and dynamic DNS domains, falling back to HTTP/S or DNS tunneling. Persistence is achieved through registry Run keys on Windows, cron jobs on Linux, and launch agents on macOS, while evasion techniques include variable obfuscation, anti-sandbox checks (detecting virtual machines via MAC addresses), and encrypted configuration files. Once active, jRAT can capture keystrokes, record audio/video, extract browser credentials, upload/download files, and execute arbitrary commands.
📜 History & Notable Incidents
jRAT was first documented by Trend Micro in 2013 as a Java-based RAT sold on exploit forums; its source code leaked in 2016, leading to widespread adoption of variants. In 2017, a campaign dubbed “Operation Parliament” targeted aerospace and defense organizations in the Middle East using CVE-2017-9805 for delivery. The same year, Symantec reported a campaign against financial institutions in Asia-Pacific in which jRAT exfiltrated banking credentials. In 2020, Palo Alto Networks identified an updated variant (Frutas) used in attacks on oil and gas companies, leveraging cloud-based C2 servers to avoid detection.
🔍 Detection Indicators
Known SHA-256 hashes include e4a9a8b2c1d3f5e6... (see VirusTotal for up-to-date samples). Behavioral signatures include creating the mutex “Global\jRAT-Inst” or writing files named “javaw.exe” to %TEMP%. Network indicators include outbound connections to port 443 with a distinctive User-Agent string, “Java/1.8.0_201” or “Apache-HttpClient/4.5.3”, and registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values containing “javaw -jar” references.
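As an added example (not code from the original page or from any vendor), the indicators above expressed as a small Python triage script run over constructed telemetry. The proxy-log format, the event dictionary shape and all sample values are assumptions; “javaw -jar” is matched as javaw (optionally with .exe and a closing quote) followed by -jar.

```python
import re

# Indicators exactly as listed on this page; no additional IoCs are assumed.
SUSPICIOUS_USER_AGENTS = {"Java/1.8.0_201", "Apache-HttpClient/4.5.3"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
JRAT_MUTEX = r"Global\jRAT-Inst"
# Assumed (constructed) proxy-log shape: '<ts> <src> -> <dst>:<port> UA="..."'
PROXY_RE = re.compile(r'->\s+\S+:(\d+)\s+UA="([^"]*)"')
# "javaw -jar" with or without .exe / a closing quote between the two tokens
JAVAW_JAR_RE = re.compile(r'javaw(?:\.exe)?"?\s+-jar', re.IGNORECASE)

def check_event(ev: dict) -> list[str]:
    """Return human-readable findings for one telemetry event, or [] if clean."""
    kind = ev.get("type")
    if kind == "proxy":
        m = PROXY_RE.search(ev["line"])
        if m and m.group(1) == "443" and m.group(2) in SUSPICIOUS_USER_AGENTS:
            return [f"outbound 443 with jRAT-associated User-Agent {m.group(2)!r}"]
    elif kind == "registry":
        # Run-key persistence that launches a JAR through javaw
        if ev["key"].startswith(RUN_KEY) and JAVAW_JAR_RE.search(ev["data"]):
            return [f"Run value {ev['name']!r} launches a JAR: {ev['data']}"]
    elif kind == "file":
        p = ev["path"].lower()
        if p.endswith("\\javaw.exe") and "\\temp\\" in p:
            return [f"javaw.exe written under %TEMP%: {ev['path']}"]
    elif kind == "mutex" and ev["name"] == JRAT_MUTEX:
        return [f"jRAT installer mutex created: {ev['name']}"]
    return []

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every check over a batch; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

# Constructed sample telemetry (not real captures); events 0, 3, 4 and 6 should fire.
SAMPLE_EVENTS = [
    {"type": "proxy", "line": '2024-01-01T10:00:00Z 10.0.0.5 -> 203.0.113.7:443 UA="Java/1.8.0_201"'},
    {"type": "proxy", "line": '2024-01-01T10:00:01Z 10.0.0.5 -> 198.51.100.2:443 UA="Mozilla/5.0"'},
    {"type": "proxy", "line": '2024-01-01T10:00:02Z 10.0.0.6 -> 203.0.113.9:8080 UA="Apache-HttpClient/4.5.3"'},
    {"type": "registry", "key": RUN_KEY, "name": "JavaUpdate",
     "data": r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar C:\Users\u\AppData\Roaming\update.jar'},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Temp\javaw.exe"},
    {"type": "file", "path": r"C:\Program Files\Java\jre8\bin\javaw.exe"},
    {"type": "mutex", "name": r"Global\jRAT-Inst"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```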
☠️ Risk & Impact
jRAT enables full remote control, leading to data exfiltration of sensitive documents, credentials, and intellectual property, with financial losses estimated in the millions across affected banking, defense, and energy sectors. The malware has been linked to state-sponsored espionage activities, particularly in the Middle East and Asia, affecting both private enterprises and government agencies.
🛡️ Mitigation
Defenders should block Java applets and untrusted JAR files at the email gateway, apply patches for CVE-2017-5638 and CVE-2017-9805, deploy endpoint detection rules (e.g., a Sigma rule for suspicious JAR execution), and monitor for anomalous HTTP User-Agent strings and outbound connections to known malicious domains listed in threat intelligence feeds such as AlienVault OTX.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.