Luminosity RAT

RAT

⚠️ Overview

Luminosity RAT, sold as LuminosityLink, is a commercial .NET-based Remote Access Trojan first seen in 2015 and sold openly on hacking forums for around US$40 by its developer, Colton Grubbs (alias "KFC Watermelon"). It belongs to the commodity RAT category: cheap, builder-based and operator-configurable, and it was deployed by many unrelated buyers in credential theft and intrusion campaigns until a law enforcement action took its infrastructure down in 2018.

🔧 Technical Capabilities

Luminosity RAT is delivered mainly through phishing emails carrying macro-enabled or otherwise weaponized document attachments, and it persists by creating a scheduled task or adding a run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Command-and-control (C2) traffic is a custom TCP protocol reported on ports 2333, 4443 or 4666; the port is set by the operator in the builder, so treat these as defaults rather than fixed values. The stream is reported to be AES-256 encrypted with additional XOR obfuscation. To evade static detection the RAT uses process hollowing and DLL side-loading, and it can disable Windows Defender by editing registry values. Capabilities include a keylogger, screen capture, webcam access, file upload and download, remote shell execution, and a spreader module that copies the binary to removable drives together with an autorun.inf. Note that Windows 7 and later do not auto-execute autorun.inf from USB media (Microsoft disabled AutoRun for non-optical removable drives in 2011), so this spreader relies on the victim opening the dropped file.

📜 History & Notable Incidents

First observed on underground markets in 2015, Luminosity RAT was reportedly used in a campaign targeting players of the game "Minecraft" through fake cheat tools, and the FBI is cited as issuing a public alert in 2017 on its use in business email compromise (BEC) attacks against small businesses. A 2018 incident reportedly involved a compromised US energy sector contractor and the exfiltration of over 10,000 records. No CVEs are tied to the RAT itself: it relies on social engineering for initial access rather than exploiting software vulnerabilities. The RAT was shut down by a Europol-coordinated law enforcement action in February 2018; its developer, Colton Grubbs of Kentucky, pleaded guilty in July 2018 to federal charges for building and selling it and was sentenced to 30 months in prison. A 2019 arrest of a Florida man for selling cracked copies of the RAT has also been reported.

🔍 Detection Indicators

The page's sources list the SHA256 3a7c8f1e2b9d4c6a5e0f3d8b2c1a4e7f6d9c0b3a8f5e2d1c7b4a6e9f0d3c2b1 (from MalwareBazaar sample sets); as printed it is 63 hex characters, one short of a valid SHA-256 digest, so confirm it against MalwareBazaar before adding it to a blocklist. Behavioral indicators include creation of the mutex "LuminosityRAT_Mutex" and the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LuminosityRAT. Network IOCs include connections to domains such as luminoslink[.]net and the user-agent string "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"; that string is the stock Internet Explorer 8 on Windows XP user-agent and appears in plenty of benign traffic, so treat it as a weak corroborating indicator rather than an alert trigger, and expect individual operator builds to vary all of these values.
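To turn the indicators above, and the run-key persistence and C2 ports described under Technical Capabilities, into something that can be run over telemetry, here is an added Python example. It is not code from this page or from any vendor. The event schema and the sample events are constructed for the example, the indicators are transcribed from the page as-is, the "Run value pointing into AppData" check is my own heuristic rather than anything the page states, and the hash validator shows why the printed digest should not be loaded blindly.

```python
"""Match the Luminosity RAT indicators quoted on this page against constructed
endpoint/network events. Added example; not the page's or any vendor's code."""
from __future__ import annotations
import re

# Indicators transcribed from the page text above (low confidence until checked).
MUTEX = "LuminosityRAT_Mutex"
UNINSTALL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LuminosityRAT"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C2_PORTS = {2333, 4443, 4666}
C2_DOMAINS = {"luminoslink.net"}
WEAK_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
PAGE_HASH = "3a7c8f1e2b9d4c6a5e0f3d8b2c1a4e7f6d9c0b3a8f5e2d1c7b4a6e9f0d3c2b1"

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def load_sha256_iocs(candidates):
    """Keep only well-formed SHA-256 digests. Returns (accepted, rejected)."""
    accepted, rejected = set(), []
    for h in candidates:
        h = h.strip()
        if SHA256_RE.fullmatch(h):
            accepted.add(h.lower())
        else:
            rejected.append(h)
    return accepted, rejected


# The digest printed on the page is 63 hex characters, so it lands in REJECTED.
KNOWN_HASHES, REJECTED_HASHES = load_sha256_iocs([PAGE_HASH])


def match_event(ev):
    """Return the indicator names one event hits (event schema is hypothetical)."""
    hits = []
    kind = ev.get("type")
    if kind == "mutex" and ev.get("name") == MUTEX:
        hits.append("mutex")
    elif kind == "registry":
        key = ev.get("key", "").lower()
        if key == UNINSTALL_KEY.lower():
            hits.append("uninstall_key")
        # Persistence per the page is a HKCU Run entry; flag values that point
        # into a user-writable path (heuristic added for this example).
        if key.startswith(RUN_KEY.lower()) and "\\appdata\\" in ev.get("data", "").lower():
            hits.append("hkcu_run_appdata")
    elif kind == "network":
        if ev.get("dst_port") in C2_PORTS:
            hits.append("c2_port")
        if ev.get("dst_host", "").lower() in C2_DOMAINS:
            hits.append("c2_domain")
        # The IE8/XP user-agent is stock; count it only next to a stronger hit.
        if ev.get("user_agent") == WEAK_USER_AGENT and hits:
            hits.append("weak_user_agent")
    elif kind == "file" and ev.get("sha256", "").lower() in KNOWN_HASHES:
        hits.append("sha256")
    return hits


def scan_events(events):
    """Map event id -> indicator hits, omitting events with no hits."""
    return {ev["id"]: h for ev in events if (h := match_event(ev))}


# Constructed telemetry for the example (not real captures).
SAMPLE_EVENTS = [
    {"id": 1, "type": "mutex", "name": "LuminosityRAT_Mutex"},
    {"id": 2, "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "data": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"id": 3, "type": "network", "dst_host": "luminoslink.net", "dst_port": 4443,
     "user_agent": WEAK_USER_AGENT},
    {"id": 4, "type": "network", "dst_host": "update.microsoft.com", "dst_port": 443,
     "user_agent": WEAK_USER_AGENT},          # user-agent alone: no alert
    {"id": 5, "type": "registry", "key": UNINSTALL_KEY, "data": ""},
    {"id": 6, "type": "file", "sha256": PAGE_HASH},  # malformed digest never matches
]

if __name__ == "__main__":
    print("rejected hashes:", REJECTED_HASHES)
    for event_id, hits in scan_events(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

Running it reports events 1, 2, 3 and 5; event 4 is silent because the user-agent is only counted alongside a port or domain hit, and event 6 is silent because the 63-character digest was rejected at load time rather than being compared as if it were a real hash.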

☠️ Risk & Impact

Luminosity RAT gives the operator full remote control of the victim's machine, enabling theft of credentials, banking information and sensitive documents. Financial losses have been reported by small and medium businesses, particularly in the healthcare and education sectors, with average incident costs exceeding $50,000 per breach attributed to FBI 2017 IC3 reporting. A 2020 campaign against UK NHS trusts is also reported, exfiltrating patient data and disrupting operations. Because the RAT was sold to many unrelated buyers, finding it on a host identifies the tool, not the actor; attribution needs infrastructure and campaign context beyond the malware family.

🛡️ Mitigation

Mitigation starts with blocking macros from untrusted sources (Office's policy to block macros in files from the Internet), deploying endpoint detection content for the mutex and registry keys above, and using application allowlisting. A filename rule for LuminosityRAT.exe (a commonly dropped binary) is defeated by renaming the file, so allowlist by publisher or hash and deny execution from user-writable paths such as %APPDATA% and %TEMP% instead. The MITRE ATT&CK techniques that map to the behavior described above are T1566.001 (Spearphishing Attachment) and T1204.002 (Malicious File) for delivery, T1547.001 (Registry Run Keys / Startup Folder) and T1053.005 (Scheduled Task) for persistence, T1055.012 (Process Hollowing), T1574.002 (DLL Side-Loading) and T1562.001 (Disable or Modify Tools) for evasion, T1056.001 (Keylogging), T1113 (Screen Capture) and T1125 (Video Capture) for collection, and T1091 (Replication Through Removable Media) for the spreader; T1059.001 (PowerShell) applies only where a campaign's macro stage spawns PowerShell. Organizations should also keep network signatures current in tools like Snort (SID 45678 is cited for this family) and maintain YARA rules keyed to the RAT's XOR key pattern.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.