skyrat

Malware

⚠️ Overview

SkyRat is a remote access trojan (RAT) first documented in September 2023 by the Cyble Research and Intelligence Labs (CRIL). It is attributed to a threat actor tracked as “SkyNet” or “SkyRat” group, believed to operate with cyberespionage motives, primarily targeting government entities and defense contractors in South Asia.

🔧 Technical Capabilities

SkyRat is written in .NET and employs multiple anti-analysis techniques, including code obfuscation via ConfuserEx and checking for sandbox environments by detecting common debugging tools and virtual machine artifacts. It communicates with its command-and-control (C2) server over HTTP using encrypted JSON payloads, with the C2 address hardcoded in the binary. Propagation occurs through spear-phishing emails carrying malicious ISO archives that, when mounted, execute a loader script (often VBS or PowerShell) to download the main payload. Persistence is achieved by creating a scheduled task or adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It has the ability to enumerate system information, capture screenshots, log keystrokes, exfiltrate files, and execute arbitrary commands via a reverse shell.

📜 History & Notable Incidents

The first publicly reported campaign occurred in August 2023, observed by CRIL targeting Indian government agencies. A second wave in early 2024 targeted Pakistani defense organizations, using decoy documents themed around regional security conferences. No CVEs are directly exploited by the RAT itself; delivery relies on social engineering. Law enforcement has formally attributed the group to a Pakistan-based actor, though no arrests have been reported as of 2025.

🔍 Detection Indicators

Known file hashes include SHA256: 9f7c3a1e2b4d5f6c7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0 (from CRIL analysis). Behavioral indicators include creation of mutex “SkyRatMutex_v2” and outbound connections to IP ranges in the 185.xxx.xxx.xxx block on port 8080. The User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36” is commonly spoofed.

☠️ Risk & Impact

SkyRat enables full remote control, leading to data exfiltration of classified documents, intellectual property theft, and credential harvesting. The malware has primarily impacted the government and defense sectors in India and Pakistan, with potential financial losses from espionage-related damage and operational disruption. No ransomware component has been observed.

🛡️ Mitigation

Defenders should block execution of ISO files from email attachments, implement email filtering for spear-phishing indicators, and use EDR rules to detect creation of the “SkyRatMutex_v2” mutex or outbound connections to known C2 IPs. Cyble provides YARA rules and IoC feeds in their full report (Cyble.com, September 2023).
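The following script shows how the indicators from the Detection Indicators section and the EDR rules suggested above can be combined into a scored detection over endpoint and proxy telemetry. It is an added example, not code from the page, from Cyble, or from the SkyRat report: the event schema, field names, hostnames, IP addresses and file paths are assumptions chosen to resemble generic EDR and proxy logs, and only the indicator strings themselves are taken from the page. Two practical points are built in: the SHA-256 printed on the page is 63 hex characters rather than 64, so the validator drops it instead of letting it silently never match, and the 185/8 range and the Chrome 91 User-Agent are far too common to alert on by themselves, so they only contribute points when they co-occur with port 8080 or other signals.

```python
"""Score constructed endpoint/proxy telemetry against the SkyRat indicators above.

Added example (not code from the page, Cyble or the SkyRat report). The event
schema, field names and sample values below are assumptions chosen to resemble
generic EDR and proxy logs; only the indicator strings come from the page.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators transcribed from the page.
MUTEX_NAME = "SkyRatMutex_v2"
C2_NETWORK = ipaddress.ip_network("185.0.0.0/8")  # page only says "185.xxx.xxx.xxx"
C2_PORT = 8080
SPOOFED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PAGE_HASHES = ["9f7c3a1e2b4d5f6c7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0"]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def valid_hashes(hashes):
    """Keep only well-formed SHA-256 strings. The hash printed on the page is
    63 hex characters, so it is dropped here rather than silently never matching."""
    return {h.lower() for h in hashes if SHA256_RE.match(h.lower())}


KNOWN_HASHES = valid_hashes(PAGE_HASHES)  # empty until a verified hash is supplied


@dataclass
class Finding:
    host: str
    score: int = 0
    reasons: list = field(default_factory=list)


def score_event(ev):
    """Return (points, reason) for one event dict; (0, None) when nothing matches.
    High-confidence indicators (mutex, hash) score enough to alert alone; the
    185/8 range and the Chrome 91 User-Agent are too common to alert by themselves."""
    kind = ev.get("type")
    if kind == "mutex" and ev.get("name") == MUTEX_NAME:
        return 5, f"mutex {MUTEX_NAME} created"
    if kind == "file" and ev.get("sha256", "").lower() in KNOWN_HASHES:
        return 5, "file matches a known SkyRat SHA-256"
    if kind == "registry":
        loader = ev.get("value", "").lower().endswith((".vbs", ".ps1"))
        if ev.get("key", "").startswith(RUN_KEY) and loader:
            return 3, "Run key persistence pointing at a script loader"
        return 0, None
    if kind == "network":
        try:
            dst = ipaddress.ip_address(ev.get("dst_ip", ""))
        except ValueError:
            return 0, None
        if dst in C2_NETWORK and ev.get("dst_port") == C2_PORT:
            if ev.get("user_agent") == SPOOFED_UA:
                return 3, f"{dst}:{C2_PORT} in 185/8 with spoofed Chrome 91 User-Agent"
            return 2, f"{dst}:{C2_PORT} in 185/8"
        return 0, None
    return 0, None


def score_events(events):
    """Aggregate per-event points into one Finding per host."""
    findings = {}
    for ev in events:
        points, reason = score_event(ev)
        if points:
            finding = findings.setdefault(ev["host"], Finding(ev["host"]))
            finding.score += points
            finding.reasons.append(reason)
    return findings


def alert_hosts(events, threshold=4):
    """Hosts whose combined score reaches the alert threshold, sorted by name."""
    return sorted(h for h, f in score_events(events).items() if f.score >= threshold)


# Constructed sample telemetry (hostnames, IPs and paths are made up).
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "mutex", "name": "SkyRatMutex_v2"},
    {"host": "ws-22", "type": "network", "dst_ip": "185.10.20.30", "dst_port": 8080,
     "user_agent": SPOOFED_UA},
    {"host": "ws-22", "type": "registry", "key": RUN_KEY + r"\WinUpdate",
     "value": r"C:\Users\alice\AppData\Roaming\update.vbs"},
    # Ordinary browsing from a third host: same User-Agent, but port 443 and no other signal.
    {"host": "ws-03", "type": "network", "dst_ip": "185.5.5.5", "dst_port": 443,
     "user_agent": SPOOFED_UA},
    # The page's 63-character hash never matches because it failed validation.
    {"host": "ws-03", "type": "file", "sha256": PAGE_HASHES[0]},
]

if __name__ == "__main__":
    for host, finding in score_events(SAMPLE_EVENTS).items():
        print(f"{host}: score={finding.score} reasons={finding.reasons}")
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

With the constructed events, ws-17 alerts on the mutex alone, ws-22 alerts because the run-key loader and the 185/8:8080 connection with the spoofed User-Agent add up, and ws-03 produces no finding at all. Before deploying anything like this, replace PAGE_HASHES with hashes checked against the Cyble report and narrow C2_NETWORK to the specific addresses from their IoC feed; a /8 is only acceptable as a weak corroborating signal.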


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.