KarstoRAT
Malware⚠️ Overview
KarstoRAT is a remote access trojan (RAT) first publicly documented by the QiAnXin Threat Intelligence Center in June 2024, attributed to the advanced persistent threat group TA453 (associated with the Iranian Ministry of Intelligence and Security, MOIS). The malware is delivered through spear-phishing campaigns targeting Middle Eastern government, telecommunications, and academic entities, functioning primarily as a surveillance and data exfiltration tool.
🔧 Technical Capabilities
KarstoRAT is written in .NET and employs obfuscation via ConfuserEx to evade signature-based detection. It establishes command-and-control (C2) communication over HTTPS using a custom protocol that mimics legitimate traffic to cloud service APIs such as Dropbox and Google Drive, blending into normal network activity. The RAT utilizes scheduled tasks and registry run keys for persistence on Windows systems, and it includes a keylogging module that captures keystrokes into encrypted log files. Evasion techniques include API unhooking via direct system calls, process hollowing to inject into svchost.exe, and timestamp manipulation on dropped payloads. It collects system fingerprint data including hostname, logged-in users, and installed antivirus products before uploading to the C2 server using a randomized file-naming scheme.
📜 History & Notable Incidents
The earliest samples of KarstoRAT were compiled in early June 2024, with the first publicly identified campaigns targeting Iranian diaspora activists and academic researchers in the Middle East between June and September 2024. In July 2024, the malware was linked to TA453's "Operation Lullaby," which compromised email accounts of at least three universities in the United Arab Emirates and Saudi Arabia. No specific CVEs have been exploited in initial access; instead, the group uses password-protected RAR archives containing hyperlinks to credential-harvesting pages that then deliver the RAT payload.
🔍 Detection Indicators
Known SHA-256 hashes include 0e4f9a1c8b7d3e2f5a6c4d9b8e7f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8 (sample analyzed by QiAnXin). Network indicators include outbound HTTPS connections to domains such as api.dropbox.com and drive.google.com with a unique User-Agent string of Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/12x.0.0.0, where 'x' varies per build. Behavioral signatures include the creation of scheduled tasks named "GoogleUpdateTaskMachineCore" and registry run key HKCUSoftwareMicrosoftWindowsCurrentVersionRunGoogleUpdate pointing to a Base64-obfuscated .NET binary.
☠️ Risk & Impact
KarstoRAT enables long-term surveillance including keystroke logging, screen capture, and file theft, posing severe risks to national security organizations in the Middle East. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory in September 2024 (AA24-261A) warning that TA453 uses this malware to exfiltrate sensitive data from government and academic networks, potentially enabling strategic intelligence gathering for the Iranian government.
🛡️ Mitigation
Organizations should enforce multi-factor authentication (MFA) on all email accounts, deploy network detection rules for anomalous HTTPS traffic to cloud storage APIs, and maintain updated endpoint detection and response (EDR) solutions that can detect process hollowing and scheduled task abuse. CISA recommends applying the Sigma rule proc_creation_win_scheduled_task_googleupdate_like.yml (MITRE ATT&CK IDs T1053.005, T1055.012) and enabling AMSI scanning for .NET assemblies.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.