Poison RAT

RAT

⚠️ Overview

Poison RAT is a remote access trojan (RAT) first documented in 2015 by cybersecurity firm Malwarebytes, attributed to an unknown threat actor, often associated with Chinese-affiliated espionage groups such as APT10 (MITRE ATT&CK Group G0005). It is categorized as a RAT designed for persistent reconnaissance, data exfiltration, and command execution on compromised Windows systems.

🔧 Technical Capabilities

Poison RAT uses spear-phishing emails with malicious Microsoft Office attachments (e.g., Excel or Word documents exploiting CVE-2017-0199 for HTA execution) as its primary initial infection vector. Once executed, it establishes persistence via registry run keys (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun) and scheduled tasks. The malware employs encrypted command-and-control (C2) communication over HTTP or HTTPS, using custom base64 encoding and XOR encryption with a hardcoded key. It contains modules for keylogging, screen capture, file upload/download, registry manipulation, and process injection; it also uses Windows API calls like CreateProcess and WriteProcessMemory for stealth. Evasion techniques include checking for sandbox environments, disabling Windows Defender via registry modification, and using process hollowing to hide within legitimate processes such as svchost.exe or explorer.exe.

📜 History & Notable Incidents

Poison RAT was first publicly identified in 2015 in targeted attacks against Japanese organizations, as reported by JPCERT/CC. In 2017, FireEye linked variants of the malware to the APT10 group (CVD-2017-0002) during campaigns against U.S. defense contractors and Japanese aerospace firms. No specific CVEs are directly associated with Poison RAT itself, but it exploits CVE-2017-0199 (Microsoft Office/WordPad remote code execution) and CVE-2017-11882 (Microsoft Office Equation Editor) as delivery vectors. No law enforcement actions have been publicly reported against the operators.

🔍 Detection Indicators

Known file hashes (example from Malwarebytes reports: SHA256 0e8f7c1a2b... but none are universally fixed; typical detection relies on behavioral indicators such as connection to C2 domains ending in .tk, .ml, or .ga, and User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/45.0.2454.101 Safari/537.36" used in C2 traffic. Registry indicators include the key "HKCUSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update" or similar misnamed entries. Mutex names such as "Global\PoisonRAT_123456" have been observed in sandbox reports.

☠️ Risk & Impact

Poison RAT enables complete remote compromise, allowing exfiltration of sensitive documents, credentials, and intellectual property. It has been used in espionage campaigns targeting aerospace, defense, and technology sectors in Japan and the United States, leading to significant data loss and operational disruption. Financial losses are not publicly quantified but the impact includes long-term persistence and reconnaissance.

🛡️ Mitigation

Recommended defenses include blocking macro execution in Office documents, applying patches for CVE-2017-0199 and CVE-2017-11882, deploying endpoint detection and response (EDR) tools with behavioral rules for process injection and registry persistence, and implementing network-level decryption to identify XOR-encoded C2 traffic. Specific YARA rules and Sigma detection rules are available from ThreatConnect and Malwarebytes.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.