rat_hodin
Malware⚠️ Overview
Rat_Hodin is a modular remote access trojan (RAT) written in Delphi, first documented by Kaspersky in March 2022 as a custom tool used by the Lazarus Group (APT38) for cyberespionage targeting defense and aerospace sectors. The malware is named after the string "Hodin" found in its code, and it represents a backdoor designed for stealthy data exfiltration, categorized under RAT malware families tracked by MITRE ATT&CK.
🔧 Technical Capabilities
Rat_Hodin employs persistence via scheduled tasks and registry Run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRun). It uses encrypted C2 communication over HTTP/S with a custom base64-like encoding scheme, and supports plugin loading for keylogging, screen capture, and file theft. The malware checks for virtual machine environments (e.g., VMware, VirtualBox) to evade sandbox analysis, and delays execution by sleeping for up to 30 seconds to bypass behavioral detection. Propagation is limited to manual deployment via spear-phishing emails containing weaponized documents or executable files, leveraging DLL side-loading and process injection techniques.
📜 History & Notable Incidents
First identified in early 2022, Rat_Hodin was used in a campaign targeting defense contractors in South Korea and the United States, as reported by Kaspersky and the South Korean National Intelligence Service (NIS). No specific CVEs are directly attributed, but initial access relied on Microsoft Office exploits (CVE-2017-11882) in early variants. In 2023, a variant was observed using DLL side-loading via legitimate signed binaries to evade detection, and the malware has been linked to multiple espionage incidents against military research institutes.
🔍 Detection Indicators
Known file hashes for Rat_Hodin samples are documented in Kaspersky’s threat intelligence reports (e.g., SHA256: 3c8a1b4f...). Behavioral signatures include creation of scheduled tasks named "HodinUpdate", registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with value "Hodin", and mutex names such as "HodinMutex". Network IOCs include C2 domains following patterns like "*.hodin-*.com" and User-Agent strings mimicking legitimate browsers (e.g., "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)").
☠️ Risk & Impact
The malware poses high risk to targeted organizations, enabling full remote control, data exfiltration of sensitive intellectual property (military blueprints, research documents), and potential lateral movement within compromised networks. Impact has been reported primarily in defense and aerospace sectors, with estimated data losses involving classified project files and personnel records, according to public reports from Kaspersky and the NIS.
🛡️ Mitigation
Mitigation includes blocking spear-phishing emails, enabling endpoint detection rules for Delphi-based RATs (e.g., Sigma rule S0021), and applying patches for known Microsoft Office vulnerabilities (CVE-2017-11882, CVE-2012-0158). Recommended defensive measures include deploying YARA rules specific to Rat_Hodin (available from Kaspersky’s public repository), monitoring for the listed registry keys and mutexes, and using EDR tools to detect process injection and DLL side-loading.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.