RDAT
⚠️ Overview
RDAT is a remote access trojan (RAT) first documented in public reports by Unit 42 (Palo Alto Networks) in early 2023 and attributed to a Chinese-nexus threat group, tracked by Mandiant as UNC5174 or described as APT41-associated actors. It is delivered primarily through spear-phishing emails carrying ISO images or malicious LNK shortcut files, and it targets the defense, telecommunications, and government sectors in Southeast Asia and the Middle East.
🔧 Technical Capabilities
RDAT uses a modular plugin architecture; the reported plugins cover file exfiltration, keylogging, and remote shell execution. Its C2 traffic runs over HTTPS on port 443 and uses domain fronting through Akamai or Cloudflare CDNs so that it blends with legitimate traffic to those CDNs. Persistence is achieved through scheduled tasks or WMI event subscriptions. Evasion techniques include delayed execution, sandbox detection based on CPU and memory checks, and configuration strings obfuscated with a hardcoded XOR key (obfuscation rather than real encryption: the key ships inside the binary and can be recovered from a few bytes of known plaintext). Next-stage payloads are downloaded from the C2 as DLLs and loaded reflectively into memory rather than written to disk. The malware can move laterally over SMB using stolen credentials, but it does not self-propagate in a worm-like fashion.
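The following is an added example, not code from the page or from any RDAT sample, showing why a hardcoded repeating XOR key offers no real protection for configuration strings. The key, the string layout (NUL-separated strings with the C2 URL first) and the blob are all constructed here; the point is that the leading `https://` of a URL gives enough known plaintext to recover the whole key and decode the rest.

```python
"""Added example: recovering a hardcoded repeating XOR key from a config blob.

Everything below is constructed for illustration: the 8-byte key, the
NUL-separated string layout and the blob derived from them. Nothing here
is taken from a real RDAT sample.
"""
from itertools import cycle
from typing import List, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call obfuscates and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Derive a repeating key of key_len bytes from known plaintext at offset 0.

    Because the key repeats, blob[i] ^ plaintext[i] for i < key_len yields
    every key byte exactly once.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known plaintext shorter than the key length")
    return bytes(c ^ p for c, p in zip(blob[:key_len], known_prefix[:key_len]))


def looks_like_config(plain: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: a correctly decoded config is almost entirely printable ASCII plus NUL separators."""
    ok = sum(1 for b in plain if b == 0 or 0x20 <= b < 0x7F)
    return bool(plain) and ok / len(plain) >= threshold


def guess_key(blob: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Try every key length the known plaintext can cover, shortest first.

    A wrong length leaves most bytes XORed with a wrong key byte, which
    produces non-printable garbage and fails the printability check.
    """
    for key_len in range(1, len(known_prefix) + 1):
        key = recover_key(blob, known_prefix, key_len)
        if looks_like_config(xor_bytes(blob, key)):
            return key
    return None


def decode_config(blob: bytes, key: bytes) -> List[str]:
    """Decode a blob of NUL-separated XOR-obfuscated strings into a list of strings."""
    plain = xor_bytes(blob, key)
    return [s.decode("ascii", "replace") for s in plain.split(b"\x00") if s]


# Constructed sample: a hypothetical key and config, obfuscated here so the example runs offline.
SAMPLE_KEY = bytes.fromhex("5a13772ec409813b")  # assumption: 8-byte key, not a real RDAT key
SAMPLE_STRINGS = [
    "https://update.example.net/api/v2",  # assumption: the C2 URL is the first config string
    "MicrosoftEdgeUpdateTask",             # scheduled task name listed on this page
    "Global\\RDAT_Mutex_2022",             # mutex name listed on this page
]
SAMPLE_BLOB = xor_bytes(b"\x00".join(s.encode() for s in SAMPLE_STRINGS) + b"\x00", SAMPLE_KEY)

if __name__ == "__main__":
    # An analyst rarely knows the key up front, but a config that starts with
    # a URL hands over "https://" as eight bytes of known plaintext.
    key = guess_key(SAMPLE_BLOB, b"https://")
    print("recovered key:", key.hex() if key else None)
    for s in decode_config(SAMPLE_BLOB, key or b""):
        print("  ", s)
```

The same idea generalises to any repeating-key XOR: known plaintext at least as long as the key recovers it outright, and for longer keys the usual frequency-analysis attacks on the key-length-spaced columns still apply.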
📜 History & Notable Incidents
The first samples were identified by Palo Alto Networks in July 2022, with active campaigns peaking in Q1 2023. A notable incident involved the compromise of a Southeast Asian telecommunications provider's IT help-desk system, which led to lateral movement across more than 200 endpoints. No CVEs are associated with RDAT itself; for privilege escalation it relies on public exploits such as CVE-2021-34527 (PrintNightmare). As of 2024, law enforcement has not publicly announced any action against its operators.
🔍 Detection Indicators
Known file hashes include SHA256 4a5b...c23d (VirusTotal sample, 2023-05-01). Behavioral signatures: creation of scheduled tasks named "MicrosoftEdgeUpdateTask" or "JavaUpdateChecker"; network IOCs include C2 domains such as update.azureedge[.]net (used for domain fronting). The registry key HKCU\Software\Microsoft\RDATConfig stores the encrypted configuration, and the mutex Global\RDAT_Mutex_2022 is used for single-instance control.
☠️ Risk & Impact
RDAT provides persistent remote access that has been used to exfiltrate intellectual property and classified documents from defense and telecommunications targets. Affected sectors include national defense, telecommunications, and critical energy infrastructure, primarily in Vietnam, the Philippines, Saudi Arabia, and Israel. Financial losses have not been publicly quantified, but the operational disruption caused by credential theft and lateral movement can be severe.
🛡️ Mitigation
Recommended defenses: block ISO and LNK attachments at the email gateway, enforce application allowlisting, deploy EDR rules that alert on anomalous scheduled-task creation (for example, the task name MicrosoftEdgeUpdateTask), and patch the vulnerabilities it exploits, such as CVE-2021-34527. Detection rules are available from the Palo Alto Unit 42 threat advisory (2023-03-15) and from the Sigma rule repository under the TA571 campaign context.
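As an added example covering both the Detection Indicators and the scheduled-task rule recommended above (it is not from the page, from Unit 42, or from any vendor), the script below hunts the listed indicators in event logs: Security event 4698 for the two task names, Sysmon event 13 for writes under the RDATConfig key, and a TLS-inspecting proxy log for the fronting domain or an SNI/Host mismatch. The log lines and their field names are constructed for this example in a Sysmon-like JSON shape; they are not a vendor schema. One caveat it handles: Sysmon records HKCU paths as HKU\<SID>\..., so matching on the literal HKCU alone would miss the write.

```python
"""Added example: hunting this page's RDAT indicators in JSON event logs.

Field names and sample events are constructed for illustration and do not
follow any specific vendor schema.
"""
import json
import re
from typing import Iterable, List, Tuple

TASK_NAMES = {"MicrosoftEdgeUpdateTask", "JavaUpdateChecker"}
IOC_DOMAINS = {"update.azureedge.net"}
# Sysmon writes HKCU as HKU\<user SID>, so accept both spellings of the key.
CONFIG_KEY_RE = re.compile(
    r"^HK(?:CU|U\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\RDATConfig(?:\\|$)", re.I
)


def check_event(ev: dict) -> List[str]:
    """Return human-readable hits for one parsed event (empty list if clean)."""
    hits: List[str] = []
    # Security 4698: scheduled task created. TaskName carries a leading backslash.
    if ev.get("EventID") == 4698:
        name = str(ev.get("TaskName", "")).lstrip("\\")
        if name in TASK_NAMES:
            hits.append(f"scheduled task {name} created by {ev.get('SubjectUserName', '?')}")
    # Sysmon 13: registry value set under the config key named on this page.
    if ev.get("EventID") == 13 and CONFIG_KEY_RE.match(str(ev.get("TargetObject", ""))):
        hits.append(f"RDATConfig registry write by {ev.get('Image', '?')}")
    # TLS-inspecting proxy: with domain fronting the SNI names the CDN host
    # while the HTTP Host header names the real backend behind it.
    if ev.get("EventType") == "proxy":
        sni = str(ev.get("sni", "")).lower()
        host = str(ev.get("host", "")).lower()
        if sni in IOC_DOMAINS or host in IOC_DOMAINS:
            hits.append(f"known C2 domain: sni={sni} host={host}")
        elif sni and host and sni != host:
            hits.append(f"possible domain fronting: sni={sni} host={host}")
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Parse JSON lines, skip malformed ones, and return (line_no, hit) pairs."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend((n, h) for h in check_event(ev))
    return findings


# Constructed sample log: two task creations (one matching), one Sysmon registry
# write under HKU\<SID>, two proxy records (one fronting), one malformed line.
SAMPLE_LOG = [
    '{"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\\\MicrosoftEdgeUpdateTask"}',
    '{"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag"}',
    '{"EventID": 13, "Image": "C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\svc.exe", '
    '"TargetObject": "HKU\\\\S-1-5-21-1-2-3-1001\\\\Software\\\\Microsoft\\\\RDATConfig\\\\Data"}',
    '{"EventType": "proxy", "sni": "update.azureedge.net", "host": "cdn-backend.example", "dst_port": 443}',
    '{"EventType": "proxy", "sni": "www.example.com", "host": "www.example.com", "dst_port": 443}',
    'not json at all',
]

if __name__ == "__main__":
    for line_no, hit in scan(SAMPLE_LOG):
        print(f"line {line_no}: {hit}")
```

The SNI/Host mismatch check is deliberately reported as "possible" rather than as a confirmed hit: some legitimate CDN configurations produce the same pattern, so in production it belongs in a hunting query or a low-severity rule tuned with an allowlist, while the two task names and the registry key are specific enough to alert on directly.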
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.