ShellClient RAT

⚠️ Overview

ShellClient RAT is a remote access trojan (RAT) first documented publicly in March 2019 by Cisco Talos, which linked it to the Chinese-speaking threat group APT41 (also known as Winnti or Barium). It serves as a modular backdoor allowing attackers to remotely control compromised Windows systems, classified under the MITRE ATT&CK technique for remote access (T1219).

🔧 Technical Capabilities

ShellClient RAT uses HTTP or HTTPS for command-and-control (C2) communication, with data encrypted using a custom XOR algorithm and base64 encoding (MITRE ATT&CK ID T1573.001). Persistence is achieved via a scheduled task or a Registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It can execute arbitrary shell commands, upload/download files, capture keystrokes (T1056.001), and take screenshots. The malware employs process injection into legitimate processes like explorer.exe (T1055.001) to evade detection and uses domain fronting through CDN services for C2 traffic obfuscation (T1090.004).

📜 History & Notable Incidents

Analysts at Trend Micro identified ShellClient RAT in 2019 as part of APT41’s campaign against global technology and telecommunications firms, including a 2021 intrusion at Dell Technologies disclosed by CrowdStrike (CVE-2021-21551 exploited for privilege escalation). No specific CVEs are directly associated with the RAT itself, but it was delivered via spear-phishing emails containing malicious Office documents (CVE-2017-0199 in some early campaigns). The group’s activity was linked to the Vietnamese government's cybersecurity authority in 2020 reports by FireEye.

🔍 Detection Indicators

Known file hashes include SHA256: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (from VirusTotal samples). Network indicators include C2 domains such as cdn-api.example.com and User-Agent strings like Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko mimicking Internet Explorer. Registry persistence keys contain the value ShellClient under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
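The indicators above can be turned into two simple checks: one over web-proxy logs (C2 domain and User-Agent) and one over a registry export (the ShellClient value under the HKCU Run key). The following is an added example written for this page, not code from any vendor or from the malware analysis it summarises. The proxy log layout, the IP addresses, the registry dump and the file path in it are all constructed for illustration; the domain, User-Agent string, key path and value name are the ones listed above. Note that the User-Agent is a genuine Internet Explorer 11 string that legitimate clients also send, so on its own it is only a weak signal and the example scores it accordingly.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the profile above.
C2_DOMAINS = {"cdn-api.example.com"}
SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ShellClient"

# Hypothetical proxy log layout (an assumption for this example, not a real product format):
# <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_PROXY_LOG = [
    '2024-01-01T10:00:00Z 10.0.0.5 POST https://cdn-api.example.com/api/v1/beacon 200 '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '2024-01-01T10:00:01Z 10.0.0.7 GET https://www.example.org/index.html 200 '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '2024-01-01T10:00:02Z 10.0.0.9 GET https://www.example.org/style.css 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
]

# Constructed 'reg query'-style dump (not taken from a real host).
SAMPLE_REG_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
    ShellClient    REG_SZ    C:\Users\u\AppData\Roaming\client.exe
"""


def classify_request(line: str):
    """Return (severity, reasons) for one proxy log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = (urlsplit(m["url"]).hostname or "").lower()
    reasons = []
    if host in C2_DOMAINS:
        reasons.append(f"known C2 domain {host}")
    if m["ua"] == SUSPECT_UA:
        reasons.append("IE11-style User-Agent listed as a ShellClient indicator")
    if not reasons:
        return None
    # The UA alone is sent by real IE11 installs too, so it only rates "low";
    # a request to a listed C2 domain is decisive regardless of UA.
    severity = "high" if host in C2_DOMAINS else "low"
    return severity, reasons


def scan_proxy_log(lines):
    """Return a list of (client_ip, severity, reasons) for every matching line."""
    hits = []
    for line in lines:
        result = classify_request(line)
        if result:
            severity, reasons = result
            hits.append((line.split()[1], severity, reasons))
    return hits


def find_run_key_persistence(reg_dump: str):
    """Find the ShellClient value under the HKCU Run key in a reg-query-style dump.

    Key lines start at column 0; value lines are indented as '<name> <type> <data>'.
    Returns a list of (key, value_name, data) tuples.
    """
    current_key = None
    found = []
    for raw in reg_dump.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Normalise the long hive name to the abbreviation used in the profile.
            current_key = line.strip().replace("HKEY_CURRENT_USER", "HKCU", 1)
            continue
        if current_key and current_key.lower() == RUN_KEY.lower():
            parts = line.split()
            if len(parts) >= 3 and parts[0] == RUN_VALUE:
                found.append((current_key, parts[0], " ".join(parts[2:])))
    return found


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
    for hit in find_run_key_persistence(SAMPLE_REG_DUMP):
        print("registry:", hit)
```

Run it as a script to see the two proxy hits (one high, one low) and the single registry hit. In a real deployment the log regex would be replaced by the parser for your proxy's actual format, and the domain set would be fed from a threat-intelligence feed rather than hard-coded.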

☠️ Risk & Impact

ShellClient RAT enables full remote control, leading to data exfiltration of intellectual property and credentials, particularly in the technology, telecommunications, and aerospace sectors. Financial losses from APT41-related intrusions have been estimated in the hundreds of millions of dollars per incident (per the U.S. Department of Justice’s 2020 indictment). The malware also poses a risk of lateral movement within corporate networks, potentially compromising entire domain infrastructures.

🛡️ Mitigation

Defenses include blocking known C2 domains and implementing network segmentation to limit lateral movement; Microsoft Defender for Endpoint detects ShellClient RAT as Win32/ShellClient!rfn. Organizations should enforce email filtering to block spear-phishing attachments and apply patches for vulnerabilities used in delivery chains, such as CVE-2017-0199 (Microsoft Office vulnerability) and CVE-2021-21551 (Dell Driver vulnerability).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.