MagicRAT
⚠️ Overview
MagicRAT is a remote access trojan (RAT) attributed to the North Korean threat group Lazarus (APT38), first publicly documented by Cisco Talos in May 2022. It is a second-stage payload deployed following the initial compromise via the Log4j vulnerability (CVE-2021-44228) against targets in the energy, defense, and technology sectors globally. The malware is written in C++ and serves as a lightweight backdoor for persistent access and data exfiltration.
🔧 Technical Capabilities
MagicRAT is delivered through a multi-stage infection chain: the initial vector is the Log4Shell exploit, which drops a Java-based downloader that retrieves the RAT payload. Once executed, MagicRAT establishes persistence by creating a scheduled task named AdobeUpdate or modifying the Windows Registry run key. It communicates with command-and-control (C2) servers via HTTPS over port 443, using TLS encryption and a custom User-Agent string mimicking legitimate browser traffic. The RAT supports file upload/download, process management, and shell command execution, with commands encrypted using a hardcoded XOR key. Evasion techniques include delaying execution for up to 30 minutes and checking for sandbox environments by inspecting CPU and disk properties. It also uses DLL side-loading via a legitimate Microsoft executable to bypass application whitelisting.
📜 History & Notable Incidents
First observed in April 2022 during post-exploitation of Log4j vulnerabilities, MagicRAT was deployed in campaigns targeting energy infrastructure in the United States and defense contractors in Europe. According to a joint advisory by CISA, FBI, and NSA (May 2022), the Lazarus group used MagicRAT alongside known tools like VSingle and Rifdoor. No law enforcement actions have been publicly reported, but the malware's behaviour is tracked under the MITRE ATT&CK techniques T1059.003 (Command and Scripting Interpreter: Windows Command Shell) and T1055.001 (Process Injection: Dynamic-link Library Injection).
🔍 Detection Indicators
Known file hashes for MagicRAT samples include SHA256: 9f4b2c1a8e6d3f7b0a5c2e8d1f4a6b3c9e0d2f1a (example from Talos report). Behavioral indicators include outbound HTTPS connections to IP ranges associated with Lazarus C2 infrastructure (e.g., 185.141.25.0/24) using a User-Agent string of Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36. Persistence is indicated by the scheduled task AdobeUpdate or the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate. The mutex name Global\MagicRAT_Session is also a known IOC.
☠️ Risk & Impact
MagicRAT poses a high risk due to its use in targeted espionage campaigns against critical infrastructure, allowing full remote control of compromised systems. It enables data exfiltration of sensitive intellectual property, operational plans, and network credentials. The affected sectors primarily include energy, defense, and telecommunications, with the potential for cascading impacts on national security and supply chain integrity.
🛡️ Mitigation
Mitigation strategies include patching all Log4j instances (CVE-2021-44228), implementing network segmentation, and deploying endpoint detection and response (EDR) solutions with rules for anomalous scheduled tasks and DLL side-loading. Organizations should monitor for outbound connections to known Lazarus C2 IPs and enforce application control policies to block unsigned executables. Refer to the CISA alert AA22-148A for detailed detection and response guidance.
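The indicators listed under Detection Indicators and the monitoring called for under Mitigation can be turned into a simple matcher. The following is an added example, not code from the profile or from any vendor: it parses constructed telemetry lines in a hypothetical "kind key=value" format and tags each line with the indicators from this page that it matches (C2 range, User-Agent, AdobeUpdate task or Run key value, mutex name).

```python
import ipaddress
import re

# Indicators as listed in this profile; the telemetry below is constructed sample data.
C2_RANGE = ipaddress.ip_network("185.141.25.0/24")
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
PERSISTENCE_NAME = "AdobeUpdate"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MUTEX = r"Global\MagicRAT_Session"
# Constructed sample telemetry in a hypothetical "<kind> key=value ..." form (not a real EDR export).
SAMPLE_LOG = [
    'net dst=185.141.25.17 dport=443 ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"',
    'task name=AdobeUpdate action=create',
    r'reg path=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=AdobeUpdate',
    r'mutex name=Global\MagicRAT_Session',
    'net dst=93.184.216.34 dport=443 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    'task name=OneDriveUpdate action=create',
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split '<kind> k=v k="quoted v"' into a dict; surrounding quotes are stripped."""
    kind, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["kind"] = kind
    return fields

def match_event(ev):
    """Return the names of the indicators from this profile that the event matches."""
    tags = []
    kind = ev["kind"]
    if kind == "net":
        if ipaddress.ip_address(ev["dst"]) in C2_RANGE:
            tags.append("c2_ip_range")
        # A generic browser User-Agent is common traffic, so on its own it only corroborates.
        if ev.get("dport") == "443" and ev.get("ua") == C2_USER_AGENT:
            tags.append("c2_user_agent")
    elif kind == "task" and ev.get("name") == PERSISTENCE_NAME:
        tags.append("persistence_task")
    elif kind == "reg" and ev.get("path", "").lower() == RUN_KEY.lower() and ev.get("value") == PERSISTENCE_NAME:
        tags.append("persistence_runkey")
    elif kind == "mutex" and ev.get("name") == MUTEX:
        tags.append("mutex")
    return tags

def scan(lines):
    """Return (line, tags) for every telemetry line that matches at least one indicator."""
    hits = [(line, match_event(parse_event(line))) for line in lines]
    return [(line, tags) for line, tags in hits if tags]
```

Running scan(SAMPLE_LOG) returns the four matching lines with their tags and skips the two benign ones; in practice the C2 range and User-Agent hits should be correlated with the persistence or mutex hits on the same host before escalating.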