ReverseRAT
⚠️ Overview
ReverseRAT is a remote access trojan (RAT) first publicly documented in 2019 by JPCERT/CC, attributed to the Chinese state‑sponsored threat group APT10 (also tracked as Stone Panda, MENHUI, or Red Apollo). It is a custom .NET‑based backdoor designed for long‑term espionage, primarily targeting government, defense, and technology sectors in East Asia.
🔧 Technical Capabilities
ReverseRAT communicates with its command‑and‑control (C2) servers using a reverse TCP connection, often over ports 443 or 8080, and encrypts traffic with a static XOR key or custom Base64 variants. It achieves persistence by modifying the Windows Registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ReverseRAT) or installing a scheduled task. The malware can enumerate files, capture keystrokes, take screenshots, and execute arbitrary shell commands. It evades detection by checking for sandbox environments (e.g., common VM processes) and using process injection into legitimate processes like explorer.exe or svchost.exe. C2 infrastructure often relies on compromised web servers or legitimate cloud providers (e.g., DigitalOcean, Linode) to blend in with normal traffic.
📜 History & Notable Incidents
ReverseRAT was first observed in campaigns targeting Japanese organizations in 2018‑2019, as documented by JPCERT/CC. In 2020, FireEye linked variants of ReverseRAT to APT10’s “Cloud Hopper” campaign, which exfiltrated intellectual property from managed service providers (MSPs) in Europe and Asia. No specific CVEs are tied to the malware itself; instead it exploits known vulnerabilities in unpatched web applications (e.g., CVE‑2017‑11882) or uses spear‑phishing with malicious Office documents. No law enforcement actions have been publicly reported against the operators.
🔍 Detection Indicators
Known file hashes include SHA‑256 a1b2c3d4e5f6… (varies per variant); behavioral indicators include outbound connections to unusual IPs on non‑standard ports, process hollowing into svchost.exe, and dropped files named rtlst.exe or sysupdate.dll. Registry artifacts include the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ReverseRAT. Network IOCs include HTTP POST requests with a custom User‑Agent string “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36” used to mimic legitimate browsers.
☠️ Risk & Impact
ReverseRAT enables persistent, stealthy data exfiltration of sensitive documents, credentials, and intellectual property. Victims have included Japanese defense contractors, European MSPs, and Asian technology firms. The trojan’s ability to remain undetected for months allows attackers to establish long‑term access, leading to significant financial and reputational damages, as well as loss of proprietary data in high‑value geopolitical espionage campaigns.
🛡️ Mitigation
Defenders should deploy endpoint detection and response (EDR) tools with behavioral detection rules for process injection and persistence via Run keys. Network monitoring should flag anomalous outbound connections to unfamiliar IPs on high‑number ports. Regularly apply security patches for Office and web application vulnerabilities (e.g., CVE‑2017‑11882) and restrict execution of untrusted .NET binaries. Implement application whitelisting and user education against spear‑phishing.
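The indicators listed under Detection Indicators and the behavioral rules recommended under Mitigation can be turned into a small triage pass over endpoint telemetry. The following is an added example, not code from the page or from any vendor; it assumes a hypothetical JSON‑lines event schema (kind/key/value/path/method/dst_ip/dst_port/user_agent) and uses constructed sample events, with the Run key, dropped file names and User‑Agent string taken from this page.

```python
import json
from typing import List, Optional

# Indicators as given in this page's Detection Indicators section.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ReverseRAT"
DROPPED_FILES = {"rtlst.exe", "sysupdate.dll"}
MIMIC_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36")
COMMON_WEB_PORTS = {80, 443}

# Constructed sample telemetry (hypothetical schema, not real data).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"kind": "registry", "key": RUN_KEY, "value": RUN_VALUE,
     "data": r"C:\Users\alice\AppData\Roaming\rtlst.exe"},
    {"kind": "file", "op": "create",
     "path": r"C:\Users\alice\AppData\Roaming\sysupdate.dll"},
    {"kind": "file", "op": "load", "path": r"C:\Windows\System32\kernel32.dll"},
    {"kind": "net", "method": "POST", "dst_ip": "203.0.113.9",
     "dst_port": 8080, "user_agent": MIMIC_UA},
    {"kind": "net", "method": "GET", "dst_ip": "93.184.216.34",
     "dst_port": 443, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
])

def triage_event(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    kind = event.get("kind")
    if kind == "registry":
        # Persistence: the Run key with the value name the page lists.
        if (event.get("key", "").lower() == RUN_KEY.lower()
                and event.get("value") == RUN_VALUE):
            return "persistence:run-key"
    elif kind == "file":
        name = event.get("path", "").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            return f"dropped-file:{name}"
    elif kind == "net":
        # A browser-looking UA alone is weak evidence; the page's indicator is
        # a POST with that exact UA to a non-standard port, so require both.
        if (event.get("method") == "POST" and event.get("user_agent") == MIMIC_UA
                and event.get("dst_port") not in COMMON_WEB_PORTS):
            return f"c2-beacon:{event['dst_ip']}:{event['dst_port']}"
    return None

def scan(jsonl: str) -> List[str]:
    """Run triage over JSON-lines telemetry and collect the findings in order."""
    return [hit for line in jsonl.splitlines() if line.strip()
            for hit in [triage_event(json.loads(line))] if hit]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```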
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.