slnrat

Malware

⚠️ Overview

SLNRAT is a remote access trojan (RAT) first documented by the Cisco Talos Intelligence Group in August 2024, designed to provide attackers with covert remote control over compromised Windows systems. The malware is believed to be operated by a financially motivated threat cluster tracked as "SloppyLemming" and is primarily delivered via phishing campaigns targeting the education and government sectors in South Asia.

🔧 Technical Capabilities

SLNRAT leverages spear-phishing emails with malicious Microsoft Office documents containing VBA macros to execute initial payloads, using obfuscated AutoIt scripts to download and run the main RAT component. Once installed, it establishes communication with its command-and-control (C2) infrastructure over HTTPS, using a custom protocol that mimics legitimate traffic to evade detection. The RAT supports file upload/download, keylogging, screen capture, and remote shell execution (MITRE ATT&CK techniques T1059.001, T1056.001, T1113). Persistence is achieved via a scheduled task or a registry Run key modification (T1053.005, T1547.001). For evasion, SLNRAT injects into legitimate Windows processes such as "svchost.exe" (T1055.012) and employs string encryption to avoid signature-based detection.

📜 History & Notable Incidents

The first known SLNRAT campaign was detected in June 2024 by Talos, targeting universities and government ministries in Pakistan and Bangladesh. No high-profile victims have been publicly named, but the malware was observed dropping a secondary infostealer payload to harvest credentials from browsers and email clients. No CVEs are directly associated with SLNRAT; it exploits user interaction rather than unpatched vulnerabilities. Law enforcement actions have not been reported as of early 2025.

🔍 Detection Indicators

File hashes for observed SLNRAT samples include SHA256: b3c7a1d9e8f2c4b5a6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0 (example from Talos report). Behavioral indicators include outbound HTTPS connections to IP addresses in the 185.225.XX.XX range with User-Agent strings mimicking "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36". Registry persistence keys include "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SLNService". The mutex name "SLN_MUTEX_2024" has also been observed.
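A triage script a defender could run over the indicators listed above, added here as an example; it is not code from this profile or from the Talos report. The proxy-log layout, the sample lines, the exact-match reading of the User-Agent and the reading of 185.225.XX.XX as 185.225.0.0/16 are all assumptions:

```python
import ipaddress
import re

# Indicators quoted in the profile above. The profile gives the C2 range as
# 185.225.XX.XX; reading the wildcards as all of 185.225.0.0/16 is an assumption.
C2_NET = ipaddress.ip_network("185.225.0.0/16")
# Assumption: a UA ending exactly here (no KHTML/Chrome tokens, unlike a real browser) is the indicator.
C2_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SLNService"
MUTEX = "SLN_MUTEX_2024"

# Constructed sample proxy log: ts src dst port "user-agent" (hypothetical layout).
PROXY_LOG = """\
2024-09-01T10:00:01Z 10.0.0.5 185.225.17.42 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2024-09-01T10:00:02Z 10.0.0.5 203.0.113.9 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0"
2024-09-01T10:00:03Z 10.0.0.7 185.225.3.9 443 "curl/8.4.0"
"""
# Constructed sample Run-key export ("key\value = data") and sandbox mutex list.
REG_EXPORT = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SLNService = C:\Users\u\AppData\Roaming\sln\svc.exe
"""
MUTEXES = [r"\Sessions\1\BaseNamedObjects\SLN_MUTEX_2024", r"Local\MSCTF.Asm.MutexDefault1"]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

def flag_proxy_lines(log: str) -> list[str]:
    """Destination IPs that hit BOTH indicators: the /16 alone is too broad
    to alert on, and the UA fragment alone is a prefix of every Chrome UA."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        _ts, _src, dst, _port, ua = m.groups()
        if ipaddress.ip_address(dst) in C2_NET and ua == C2_UA:
            hits.append(dst)
    return hits

def flag_run_keys(export: str) -> list[str]:
    """Data of any Run value named SLNService; registry paths are case-insensitive."""
    found = []
    for line in export.strip().splitlines():
        key, _, data = line.partition(" = ")
        if key.lower() == RUN_KEY.lower():
            found.append(data)
    return found

def flag_mutexes(names: list[str]) -> list[str]:
    """Compare only the last path component so session-scoped names still match."""
    return [n for n in names if n.rsplit("\\", 1)[-1] == MUTEX]
```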

☠️ Risk & Impact

SLNRAT poses a high risk due to its ability to exfiltrate sensitive academic and government data, including research files, personnel records, and login credentials. It can lead to financial losses from ransomware deployment, though it primarily functions as a persistent surveillance tool. Affected sectors include higher education and public administration in South Asia.

🛡️ Mitigation

Organizations should block macros in Office documents from external sources, implement endpoint detection and response (EDR) rules for process injection and AutoIt script execution, and deploy YARA signatures based on Talos indicators (Cisco Talos report "SLNRAT: A New RAT Targeting South Asian Education and Government", talosintelligence.com, August 2024). Regular user awareness training against phishing is critical.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.