NonEuclid RAT

RAT

⚠️ Overview

NonEuclid RAT is a .NET-based remote access trojan first documented by Trend Micro in December 2024 (research report "NonEuclid RAT: New .NET-Based Malware Targets Remote Access"). It is operated by an unknown threat actor, distributed primarily as a commodity malware-as-a-service on Russian-speaking underground forums. The malware is categorized strictly as a RAT, with secondary data-stealing and keylogging capabilities, but no ransomware or worm modules have been observed.

🔧 Technical Capabilities

NonEuclid uses a custom C2 protocol over WebSocket connections on TCP port 8765 by default, with JSON-encoded commands for remote shell, file transfer, screen capture, and process management. It achieves persistence by creating a scheduled task named "WindowsUpdateTask" and writing a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include AMSI bypass via .NET reflection (MITRE ATT&CK T1564.001), dynamic DNS resolution for C2 domains, and process hollowing into legitimate svchost.exe processes. The malware also disables Windows Defender by modifying registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and terminates security tool processes via WMI queries. Data exfiltration is performed via HTTP POST requests encrypted with AES-128-CBC, with the decryption key embedded in the binary as a hex string.

📜 History & Notable Incidents

NonEuclid was first spotted in the wild in October 2024, with a major campaign in December 2024 targeting educational institutions in India and Pakistan (CISA advisory AA24-356A). No high-profile victims or CVEs have been directly associated with NonEuclid; it primarily exploits weak RDP credentials and phishing emails with malicious Excel add-ins (XLL files). No law enforcement actions have been reported against the malware operators as of early 2025.

🔍 Detection Indicators

Known SHA-256 hashes include 5a8c6d7e1f2b3c4a9e0d1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (sample from VirusTotal, January 2025). Network IOCs include C2 domains like non-euclid[.]xyz and updates-non[.]com, with User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0". Registry artifacts include the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NonEuclidUpdater. Behavioral detection rules focus on WebSocket initialization to uncommon ports and anomalous scheduled task creation.
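The persistence, defense-evasion and network indicators described in the Technical Capabilities and Detection Indicators sections can be turned into a small triage routine. The script below is an added example, not code from the original page or from Trend Micro: it applies the page's indicators (C2 domains, default WebSocket port 8765, the "WindowsUpdateTask" scheduled task, the NonEuclidUpdater Run key, Defender policy tampering, and the exfiltration User-Agent) to host and network telemetry. The telemetry format (flat dicts with a "type" field) and all field names are assumptions for this example, and the sample events at the bottom are constructed; map the fields onto whatever your EDR or SIEM actually exports.

```python
"""
Added example (not from the original page): per-host triage against the
NonEuclid RAT indicators listed above. The record schema ("type", "host",
"dest_host", ...) is an assumption made for this example.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Indicators quoted from the page text.
C2_DOMAINS = {"non-euclid.xyz", "updates-non.com"}
C2_DEFAULT_PORT = 8765
TASK_NAME = "WindowsUpdateTask"
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NonEuclidUpdater$", re.I)
DEFENDER_POLICY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender(\\.*)?$", re.I)
EXFIL_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) "
            "Gecko/20100101 Firefox/130.0")

Finding = Tuple[str, str]  # (severity, reason)


def check_event(ev: dict) -> List[Finding]:
    """Return the findings for one telemetry record (empty list if clean)."""
    hits: List[Finding] = []
    kind = ev.get("type")
    if kind == "net_connect":
        dest = str(ev.get("dest_host", "")).lower().rstrip(".")
        if dest in C2_DOMAINS:
            hits.append(("high", f"connection to known C2 domain {dest}"))
        if ev.get("dest_port") == C2_DEFAULT_PORT and \
                str(ev.get("upgrade", "")).lower() == "websocket":
            hits.append(("medium",
                         f"WebSocket upgrade to default C2 port {C2_DEFAULT_PORT}"))
        # The User-Agent is a stock Firefox string, so by itself it is only a
        # weak signal: it is recorded as "low" and used for correlation only.
        if ev.get("method") == "POST" and ev.get("user_agent") == EXFIL_UA:
            hits.append(("low", "HTTP POST with the User-Agent seen in exfiltration"))
    elif kind == "registry_set":
        path = str(ev.get("path", ""))
        if RUN_KEY_RE.match(path):
            hits.append(("high", "Run key NonEuclidUpdater written"))
        elif DEFENDER_POLICY_RE.match(path):
            hits.append(("medium", f"Defender policy value modified: {path}"))
    elif kind == "task_create":
        if ev.get("task_name") == TASK_NAME:
            hits.append(("medium", f"scheduled task {TASK_NAME!r} created"))
    return hits


def triage(events: Iterable[dict]) -> Dict[str, List[Finding]]:
    """Group findings per host; drop hosts whose only evidence is 'low'."""
    per_host: Dict[str, List[Finding]] = defaultdict(list)
    for ev in events:
        for finding in check_event(ev):
            per_host[ev.get("host", "unknown")].append(finding)
    return {h: fs for h, fs in per_host.items()
            if any(sev != "low" for sev, _ in fs)}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "task_create", "task_name": "WindowsUpdateTask"},
    {"host": "ws01", "type": "registry_set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NonEuclidUpdater"},
    {"host": "ws01", "type": "net_connect", "dest_host": "updates-non.com",
     "dest_port": 8765, "upgrade": "websocket"},
    {"host": "ws01", "type": "net_connect", "dest_host": "updates-non.com",
     "dest_port": 443, "method": "POST", "user_agent": EXFIL_UA},
    # Ordinary browser traffic: same User-Agent, no other indicator.
    {"host": "ws02", "type": "net_connect", "dest_host": "example.org",
     "dest_port": 443, "method": "POST", "user_agent": EXFIL_UA},
    {"host": "ws03", "type": "registry_set",
     "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host)
        for sev, reason in findings:
            print(f"  [{sev}] {reason}")
```

On the constructed sample, ws01 is reported with six findings (three of them high), ws03 with the single Defender policy change, and ws02 is suppressed because the stock Firefox User-Agent on its own is not evidence of the RAT. The severity split matters in practice: the domain and Run-key indicators are specific to this family, while the port, task name and User-Agent can all collide with legitimate activity and should only raise an alert in combination.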

☠️ Risk & Impact

The primary damage of NonEuclid RAT is credential theft and sensitive data exfiltration, including browser cookies and saved passwords. Financial losses have been estimated at under $500,000 total across known campaigns, with the most affected sectors being education and small-to-medium enterprises in South Asia. No critical infrastructure or healthcare targets have been confirmed in open reports.

🛡️ Mitigation

Recommended defenses include exposing RDP only through a VPN, implementing multi-factor authentication, and deploying EDR rules that alert on WebSocket connections to non-standard ports (ID: C0005 from Trend Micro). Use YARA rule "NonEuclid_RAT_2024_12" to detect binary patterns: XOR-encoded .NET strings and the presence of the "non-euclid" namespace in managed assemblies.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.