Proton RAT
⚠️ Overview
Proton RAT is a remote access trojan (RAT) first documented publicly in 2019 by security researchers at Fortinet's FortiGuard Labs. It is attributed to a threat actor known as "Void Balaur," a cyber mercenary group that sells access to compromised systems; Proton RAT is often used as a payload in targeted phishing campaigns against individuals in Eastern Europe and the Middle East.
🔧 Technical Capabilities
Proton RAT provides full remote control of an infected Windows system, including keylogging, screen capture, file exfiltration, microphone and webcam activation, and credential theft from browsers. It communicates with its command-and-control (C2) server over HTTP or HTTPS using a custom protocol that encodes data in Base64; the C2 infrastructure often leverages dynamic DNS domains and compromised WordPress sites as redirectors. Persistence is achieved by creating a scheduled task or a registry run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. The malware employs process hollowing and anti-debugging checks using IsDebuggerPresent to evade analysis. It can also disable Windows Defender via registry modifications.
📜 History & Notable Incidents
Proton RAT gained notoriety in 2020 when it was linked to a series of attacks against human rights activists and journalists in Azerbaijan and Ukraine, as reported by Citizen Lab in a March 2021 report. No CVEs are specifically associated with Proton RAT — it relies on phishing with malicious Office documents or LNK files to gain initial access. In 2022, Trend Micro observed Proton RAT being distributed via cracked software download sites targeting gamers. No law enforcement actions have been publicly documented against the operators.
🔍 Detection Indicators
Indicators of compromise include network traffic to domains such as proton-update[.]com and cloud-sync[.]net, and a user-agent string of `Mozilla/5.0 (Windows NT 10.0; Win64; x64) ProtonRAT/1.0`. Known file hashes include MD5 `3e7f5c8b1a2d4e6f9c0b8a7d5e3f1c2d` (sample from VirusTotal, 2021). Behavioral signatures include creation of the mutex `ProtonMutex_1984` and registry keys under `HKCU\...\CurrentVersion\Run\ProtonSvc`.
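As an added example, not taken from this page or from any vendor tooling, the following Python scanner applies the network indicators quoted above (the two C2 domains and the ProtonRAT user-agent) to web proxy log lines. The log layout and the sample lines are constructed for the illustration; the C2 domain match also covers subdomains, which the indicator list does not state explicitly.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the Proton RAT profile above, kept in their defanged form
DEFANGED_C2_DOMAINS = ["proton-update[.]com", "cloud-sync[.]net"]
PROTON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ProtonRAT/1.0"

def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp) back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def matches_c2_domain(host: str) -> bool:
    """True when host is a listed C2 domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def scan_proxy_log(log_text: str) -> list[dict]:
    """Return one hit per line that shows a Proton RAT network indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines in another format are skipped, not flagged
        ts, client, method, url, ua = m.groups()
        host = urlsplit(url).hostname or ""
        reasons = []
        if matches_c2_domain(host):
            reasons.append(f"c2-domain:{host}")
        if ua == PROTON_UA or "ProtonRAT/" in ua:
            reasons.append("user-agent:ProtonRAT")
        if reasons:
            hits.append({"ts": ts, "client": client, "method": method,
                         "host": host, "reasons": reasons})
    return hits

# Constructed sample lines, not real traffic: lines 1 and 3 should be flagged.
SAMPLE_PROXY_LOG = """\
2024-01-05T10:01:02Z 10.0.0.12 GET http://proton-update.com/api/beacon "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ProtonRAT/1.0"
2024-01-05T10:01:09Z 10.0.0.15 GET https://example.org/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-01-05T10:02:44Z 10.0.0.12 POST https://cdn.cloud-sync.net/upload "curl/8.4.0"
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Domain and user-agent matches are only as good as the indicator list; a beacon that rotates its dynamic DNS host or user-agent will not be caught by this check alone.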
☠️ Risk & Impact
Proton RAT poses a high risk for data exfiltration, enabling adversaries to steal credentials, financial information, and sensitive documents. The impact is particularly severe for targeted individuals in journalism, activism, and dissident communities, where compromise can lead to physical harm or surveillance. Financial losses are generally indirect (e.g., account takeover), but the malware's remote control capabilities allow for ransomware deployment as a secondary payload.
🛡️ Mitigation
Mitigation includes blocking execution of LNK and macro-laden Office documents from untrusted sources, enabling Windows Defender real-time protection, and using endpoint detection and response (EDR) tools with rules for the specific IOCs. Organizations should enforce application whitelisting and deploy network monitoring to detect anomalous HTTP traffic to dynamic DNS domains. Regular phishing awareness training is also critical.