QuiteRAT

Malware

⚠️ Overview

QuiteRAT is a second-stage remote access trojan (RAT) first publicly documented by Elastic Security Labs in December 2022, attributed to the Iranian state-sponsored threat group tracked as Static Kitten (aka UNC3890, APT39, or Cobalt Mirage). It is classified as a lightweight, passive backdoor used for stealthy post-exploitation in targeted network intrusion campaigns.

🔧 Technical Capabilities

QuiteRAT is a 64-bit Windows executable written in C++ that communicates exclusively via HTTP/HTTPS to attacker-controlled command-and-control (C2) infrastructure, using a JSON-based protocol for tasking and exfiltration. It employs a passive backdoor model: the implant sleeps and periodically polls the C2 server for commands, never initiating outbound connections on its own, which helps evade network detection. Persistence is achieved through a scheduled task or a Windows Registry Run key created during installation. Evasion techniques include encrypting its configuration blob with a hardcoded XOR key, checking for sandbox or analysis environments by inspecting process names like vmtoolsd.exe or procexp.exe, and terminating itself if detected. The RAT supports file upload/download, command execution via cmd.exe or PowerShell, screenshot capture, and proxy-aware communication, as detailed in Elastic Security’s report (elastic.co/security-labs/quiterat-another-tale-from-the-static-kitten).

📜 History & Notable Incidents

QuiteRAT emerged in late 2022 as a successor to the earlier SmallRAT tool used by the same group, with Elastic Security detecting active samples in the wild targeting critical infrastructure in the Middle East and telecommunications sectors. No law enforcement actions or specific CVEs have been publicly assigned to QuiteRAT, as it is a custom malware rather than an exploit kit; instead, it relies on initial access gained through spear-phishing emails and exploitation of public-facing applications. The group behind it, Static Kitten, has a long history of espionage operations linked to Iran’s Ministry of Intelligence and Security (MOIS), according to the US Cybersecurity and Infrastructure Security Agency (CISA).

🔍 Detection Indicators

Known file hashes include SHA256: 0a1e2f3c4b5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 (sample from Elastic Security Labs report). Behavioral indicators include persistent HTTPS polling at irregular intervals (e.g., 30-90 seconds), use of User-Agent strings impersonating common browsers such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36, and the presence of a mutex named Global\QuiteRAT_Instance. Registry artifacts include a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to the dropped executable.

☠️ Risk & Impact

QuiteRAT enables full remote control of compromised hosts, leading to data exfiltration, credential theft, and lateral movement within targeted networks. Affected sectors include telecommunications, government, and energy, primarily in the Middle East, with potential spillover into Western entities. The risk is elevated due to the passive C2 model and the group’s association with Iranian state interests (MITRE ATT&CK ID: G0074 for APT39).

🛡️ Mitigation

Defenders should deploy endpoint detection and response (EDR) rules monitoring for suspicious scheduled tasks, anomalous HTTP polling patterns, and the QuiteRAT_Instance mutex. Network-level detection includes blocking outbound requests to known C2 domains documented in threat intelligence feeds (e.g., Elastic Security’s published IoCs). Regular patching of internet-facing applications and user awareness training against spear-phishing are critical preventive measures.
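As an added example (not code from this page or from Elastic's report), the following Python script turns the polling indicator and the EDR/network monitoring advice above into a check over constructed proxy log lines: it groups requests by source and destination and flags pairs whose every inter-request gap falls in the 30-90 second window. The IPs, host names and timestamps are constructed for the sample.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample proxy log (not real traffic): "<epoch_seconds> <src_ip> <dest_host> <user_agent>".
# 10.0.0.5 polls one host at jittered 30-90 s gaps; 10.0.0.7 shows ordinary bursty browsing.
SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn-sync.example-c2.invalid Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1700000042 10.0.0.5 cdn-sync.example-c2.invalid Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1700000107 10.0.0.5 cdn-sync.example-c2.invalid Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1700000138 10.0.0.5 cdn-sync.example-c2.invalid Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1700000226 10.0.0.5 cdn-sync.example-c2.invalid Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1700000000 10.0.0.7 www.example.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1700000002 10.0.0.7 www.example.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1700000003 10.0.0.7 www.example.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1700000303 10.0.0.7 www.example.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
1700000306 10.0.0.7 www.example.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (.+)$")

def parse_log(text):
    """Yield (timestamp, src_ip, dest_host, user_agent) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_beacons(text, min_polls=5, lo=30, hi=90):
    """Return {(src_ip, dest_host): stats} for pairs whose every inter-request gap lies
    in [lo, hi] seconds over at least min_polls requests. The User-Agent is deliberately
    not used as a filter: it matches real browsers, so it adds noise rather than signal."""
    stamps = defaultdict(list)
    for ts, src, host, _ua in parse_log(text):
        stamps[(src, host)].append(ts)
    hits = {}
    for key, times in stamps.items():
        times.sort()
        if len(times) < min_polls:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(lo <= g <= hi for g in gaps):
            hits[key] = {
                "polls": len(times),
                "mean_gap": round(statistics.mean(gaps), 1),   # average polling period
                "jitter": round(statistics.pstdev(gaps), 1),   # spread of the gaps
            }
    return hits
```

Tune min_polls and the window to your environment's traffic; a flagged pair is a lead for triage (check the destination against published IoCs and the host for the Run key and mutex), not a verdict on its own.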


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.