Terminator RAT
⚠️ Overview
Terminator RAT is a .NET-based remote access trojan first documented by Zscaler in February 2022 and attributed to the Blind Eagle threat group (also tracked as APT-C-36). It is a full-featured RAT used primarily for espionage and data theft against government and financial institutions across Latin America, especially Colombia. It is also reported to be sold as a commodity tool on underground forums, so a Terminator RAT sample alone does not attribute an intrusion to Blind Eagle; the delivery chain and C2 infrastructure have to match as well.
🔧 Technical Capabilities
Initial infection occurs via spear-phishing emails carrying malicious RTF documents that exploit CVE-2017-0199 (OLE2Link objects that fetch and run a remote HTA) and CVE-2018-0802 (the Equation Editor memory-corruption bug) to download and execute the RAT payload. Once installed, Terminator RAT establishes persistence through a scheduled task set to run hourly and through a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; both live in the user hive, so no elevation is needed. Its C2 traffic is HTTPS, often relayed through Telegram bots, with a custom AES scheme applied to the command and control messages in addition to TLS. Capabilities include keylogging, screen capture, upload and download of arbitrary files, a remote shell, process injection via process hollowing, and self-updating; it also enumerates installed antivirus products. Evasion techniques include anti-debugging checks (for example IsDebuggerPresent), sandbox detection based on CPU core count and RAM size, and obfuscation with .NET protectors such as ConfuserEx, which means signatures written against the unpacked code will not match the delivered binary on disk.
📜 History & Notable Incidents
Terminator RAT was first observed in active campaigns during late 2021, with a notable spike in early 2022 targeting Colombian government agencies and the energy sector. In March 2022, Zscaler released a detailed technical report linking the malware to Blind Eagle, a group that has been active since at least 2019. No major law enforcement actions or takedowns targeting Terminator RAT infrastructure have been publicly reported as of early 2025.
🔍 Detection Indicators
The SHA256 hash shown here, 5a5b9d6e1c8f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6, is marked as an example and is in fact only a placeholder: it has 61 hex characters, not the 64 of a real SHA256 digest, so it must not be loaded into a blocklist; take file hashes from the Zscaler report itself. Network indicators are weak on their own: outbound HTTPS to domains registered through anonymizing services, and servers in 185.0.0.0/8, which is a large RIPE allocation carrying plenty of legitimate traffic, so neither is a safe block criterion. The User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 is an ordinary Chrome 99 on Windows 10 string and matches legitimate browser traffic too; use it only to corroborate a host finding. The host artifacts are the specific indicators: a mutex named Global\TerminatorMutex, a registry value named TerminatorService under the HKCU Run key, the RAT's own copy at %AppData%\Terminator\update.exe, and a scheduled task named TerminatorUpdateTask.
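As an added example (not code from Zscaler or from the page's sources), the following Python scores constructed Sysmon/EDR-style records against the persistence artifacts from the Technical Capabilities section and the indicators listed above, and shows why the generic network hints should only raise a host that already has a specific hit. The record field names, the weights and the alert threshold are assumptions made for illustration. It also goes slightly beyond the page: any hourly scheduled task whose action runs from a user's AppData folder is treated as a lead, not only the task name the page gives, because the name is the easiest thing for the operator to change.

```python
"""Score constructed host and proxy telemetry against the Terminator RAT
indicators on this page.

Added example, not code from Zscaler or from the page's sources. Records are
constructed dicts in a Sysmon/EDR-like shape; the field names, the weights and
the alert threshold are assumptions made for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators from the page, with the backslashes restored in the paths.
TASK_NAME = "TerminatorUpdateTask"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "TerminatorService"
MUTEX = r"Global\TerminatorMutex"
DROPPER_RE = re.compile(r"\\AppData\\Roaming\\Terminator\\update\.exe$", re.IGNORECASE)
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36")
GENERIC_NET = ipaddress.ip_network("185.0.0.0/8")  # far too broad to block on
PAGE_HASH = "5a5b9d6e1c8f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6"

# Assumed weights: a specific host artefact alerts on its own (3), a renamed
# task with the same behaviour is a lead (2), a generic network hint only
# corroborates (1). Threshold 3 means UA + 185/8 alone (2) never alerts.
ALERT_THRESHOLD = 3


def is_valid_sha256(digest: str) -> bool:
    """A SHA256 hex digest is exactly 64 hex characters; the page's sample is 61."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None


def score_event(ev: dict) -> list[tuple[str, int]]:
    """Return (reason, weight) pairs for one telemetry record."""
    hits = []
    kind = ev.get("type")
    if kind == "FileCreate" and DROPPER_RE.search(ev.get("path", "")):
        hits.append(("dropper at %AppData%\\Terminator\\update.exe", 3))
    if (kind == "RegistrySet" and ev.get("key", "").lower() == RUN_KEY.lower()
            and ev.get("value") == RUN_VALUE):
        hits.append(("Run key value " + RUN_VALUE, 3))
    if kind == "TaskCreate":
        if ev.get("task_name") == TASK_NAME:
            hits.append(("scheduled task " + TASK_NAME, 3))
        # Generalisation beyond the page: an hourly task whose action lives in
        # a user's AppData folder is suspicious whatever it is called.
        elif (ev.get("interval_minutes") == 60
              and "\\appdata\\" in ev.get("action", "").lower()):
            hits.append(("hourly task run from AppData: " + ev.get("task_name", "?"), 2))
    if kind == "MutexCreate" and ev.get("name") == MUTEX:
        hits.append(("mutex " + MUTEX, 3))
    if kind == "NetConnect":
        if ev.get("user_agent") == USER_AGENT:
            hits.append(("Chrome 99 User-Agent (generic)", 1))
        try:
            if ipaddress.ip_address(ev.get("dst_ip", "")) in GENERIC_NET:
                hits.append(("destination in 185.0.0.0/8 (generic)", 1))
        except ValueError:
            pass
    return hits


def hunt(events: list[dict]) -> dict[str, tuple[int, list[str]]]:
    """Aggregate scores and reasons per host."""
    per_host: dict[str, list] = defaultdict(lambda: [0, []])
    for ev in events:
        for reason, weight in score_event(ev):
            per_host[ev["host"]][0] += weight
            per_host[ev["host"]][1].append(reason)
    return {h: (score, reasons) for h, (score, reasons) in per_host.items()}


def alerts(events: list[dict]) -> list[str]:
    """Hosts whose combined score reaches the threshold."""
    return sorted(h for h, (score, _) in hunt(events).items() if score >= ALERT_THRESHOLD)


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"type": "FileCreate", "host": "ws01",
     "path": r"C:\Users\ana\AppData\Roaming\Terminator\update.exe"},
    {"type": "RegistrySet", "host": "ws01", "key": RUN_KEY, "value": RUN_VALUE},
    {"type": "TaskCreate", "host": "ws01", "task_name": TASK_NAME, "interval_minutes": 60,
     "action": r"C:\Users\ana\AppData\Roaming\Terminator\update.exe"},
    {"type": "NetConnect", "host": "ws01", "dst_ip": "185.10.20.30", "user_agent": USER_AGENT},
    # ws02: ordinary Chrome 99 browsing to an unrelated 185/8 address -> no alert
    {"type": "NetConnect", "host": "ws02", "dst_ip": "185.40.50.60", "user_agent": USER_AGENT},
    # ws03: task renamed, same hourly-from-AppData behaviour, plus the same network hints
    {"type": "TaskCreate", "host": "ws03", "task_name": "OneDriveSync2", "interval_minutes": 60,
     "action": r"C:\Users\bob\AppData\Roaming\svc\update.exe"},
    {"type": "NetConnect", "host": "ws03", "dst_ip": "185.70.80.90", "user_agent": USER_AGENT},
]

if __name__ == "__main__":
    for host, (score, reasons) in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {score} [{'; '.join(reasons)}]")
    print("alerts:", alerts(SAMPLE_EVENTS))
    print("page hash is a valid SHA256:", is_valid_sha256(PAGE_HASH))
```

Run against the constructed records, ws01 alerts on its host artifacts, ws02 (browser traffic only) stays under the threshold, and ws03 alerts because the renamed hourly task from AppData plus the network hints add up; the hash check reports the page's sample as invalid.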
☠️ Risk & Impact
The RAT enables full remote control, granting attackers the ability to exfiltrate sensitive data, steal credentials, and potentially move laterally within compromised networks. The primary impact is long-term espionage against government and financial entities, with observed data theft targeting internal communications and financial transaction logs. Financial losses arise from theft of intellectual property and sensitive financial data, though exact monetary damage figures are not publicly quantified.
🛡️ Mitigation
Deploy email filtering that blocks or detonates RTF attachments containing OLE objects, apply the patches for CVE-2017-0199 and CVE-2018-0802 (the January 2018 Office updates also removed the Equation Editor component outright, so a fully patched Office has no EQNEDT32.EXE left to exploit), and use endpoint detection and response (EDR) with behavioral analytics tuned to process hollowing and scheduled-task abuse. Enable AMSI, which from .NET Framework 4.8 also scans assemblies loaded from memory, so an obfuscated second stage is inspected when it is unpacked. Do not rely on PowerShell execution policy as a control: it is a convenience setting, bypassed with the -ExecutionPolicy Bypass switch, so use Constrained Language Mode or application control (WDAC or AppLocker) instead. Write YARA rules for the RAT (the page's example is a rule named TerminatorRAT) that key on strings in the unpacked assembly or in memory dumps rather than on the ConfuserEx-packed file, since the obfuscated on-disk bytes vary between builds.
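As an added example of the first mitigation (not code from the page, from Zscaler, or from any mail-gateway product), the following Python implements the RTF pre-filter: it flags any RTF whose OLE control words or \objdata payload show an embedded object, and reports the object class so that the two delivery shapes behind the CVEs named above (OLE2Link with \objupdate for CVE-2017-0199, Equation.3 for CVE-2018-0802) are visible in the reason. The sample documents are constructed stand-ins built inline from an OLE1 header; they carry no exploit payload. It generalises the page's advice slightly: any OLE object blocks, not only the two classes.

```python
"""Mail-gateway pre-filter that flags RTF attachments carrying OLE objects.

Added example, not code from the page, from Zscaler, or from any gateway
product. The sample documents are constructed stand-ins built below; they
carry no exploit payload, only the structural shape a malicious RTF uses.
"""
import re

RTF_MAGIC = b"{\\rtf"
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header
# RTF control words that introduce or drive an embedded/linked object.
OLE_CONTROL_WORDS = re.compile(
    rb"\\(object|objemb|objlink|objautlink|objupdate|objdata|objclass)(?![A-Za-z])", re.I)
# Object classes behind the two CVEs the page names; reported, not required.
KNOWN_CLASSES = (b"Equation.3", b"OLE2Link")


def objdata_payloads(rtf: bytes):
    """Yield the hex-decoded content of every \\objdata group.

    Braces are tracked so nested groups do not end the scan early; control
    words and any non-hex byte (line breaks, junk) inside the group are
    skipped, which is how obfuscated samples keep Word parsing them.
    """
    for m in re.finditer(rb"\\objdata(?![A-Za-z])", rtf):
        depth, i, hexchars = 0, m.end(), bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"\\":                      # skip a control word
                i += 1
                while i < len(rtf) and rtf[i:i + 1].isalpha():
                    i += 1
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            elif c in b"0123456789abcdefABCDEF":
                hexchars += c
            i += 1
        if len(hexchars) % 2:                    # tolerate a dangling nibble
            hexchars.pop()
        yield bytes.fromhex(hexchars.decode("ascii"))


def inspect_rtf(data: bytes) -> dict:
    """Return {'verdict': allow|block|not-rtf, 'reasons': [...]}; any OLE object blocks."""
    reasons = []
    if not data.lstrip().startswith(RTF_MAGIC):
        return {"verdict": "not-rtf", "reasons": reasons}
    words = sorted({w.lower().decode() for w in OLE_CONTROL_WORDS.findall(data)})
    if words:
        reasons.append("OLE control words: " + ", ".join(words))
    for payload in objdata_payloads(data):
        for cls in KNOWN_CLASSES:
            if cls in payload:
                reasons.append("objdata names class " + cls.decode())
        if CFB_MAGIC in payload:
            reasons.append("objdata embeds a compound file")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


# --- constructed samples (no exploit content) --------------------------------

def ole1_header(class_name: bytes, native: bytes) -> bytes:
    """OLE1 ObjectHeader as carried in \\objdata: version, FormatID 2 (embedded),
    length-prefixed NUL-terminated class name, empty topic/item names, then the
    length-prefixed native data."""
    name = class_name + b"\0"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name
            + b"\0\0\0\0" + b"\0\0\0\0"
            + len(native).to_bytes(4, "little") + native)


def build_rtf(class_name: bytes, native: bytes, update: bool) -> bytes:
    """Wrap an OLE1 header in the {\\object ... {\\*\\objdata hex}} shape, with
    the hex broken over CRLF lines the way real samples are."""
    hexdata = ole1_header(class_name, native).hex().encode()
    hexdata = b"\r\n".join(hexdata[i:i + 40] for i in range(0, len(hexdata), 40))
    upd = b"\\objupdate" if update else b""
    return (b"{\\rtf1\\ansi{\\object\\objemb" + upd + b"{\\*\\objclass " + class_name + b"}"
            + b"{\\*\\objdata \r\n" + hexdata + b"}}\\par}")


BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0\\fs22 Quarterly report.\\par}"
EQNEDT_RTF = build_rtf(b"Equation.3", b"\x00" * 16, update=False)            # CVE-2018-0802 shape
OLE2LINK_RTF = build_rtf(b"OLE2Link", CFB_MAGIC + b"\x00" * 8, update=True)  # CVE-2017-0199 shape

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("equation", EQNEDT_RTF), ("ole2link", OLE2LINK_RTF)):
        print(name, inspect_rtf(doc))
```

The filter blocks on structure rather than on a signature, so it also catches objects of classes it has never seen; the class name and the compound-file check are there to make the verdict explainable to whoever reviews the quarantine, and to show that the \objupdate control word (the auto-update trigger CVE-2017-0199 relies on) is surfaced as its own reason.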
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.