⚠️ Overview

ThemeForestRAT is a remote access trojan (RAT) first documented in November 2021 by cybersecurity researchers at Unit 42 (Palo Alto Networks), who attributed it to a financially motivated threat group tracked as TA551 (also known as UNC4049). It was designed specifically to target users of the ThemeForest WordPress theme marketplace, camouflaging its payload within fake premium theme downloaders. The malware belongs to the RAT category, enabling persistent remote control, data theft, and lateral movement.

🔧 Technical Capabilities

ThemeForestRAT propagates via spear-phishing emails impersonating ThemeForest support, offering "cracked" premium themes; the attachment is a macro-enabled Microsoft Word document that, when enabled, downloads the main DLL payload (hash: MD5 f7c2a1b3d4e5f6a7b8c9d0e1f2a3b4c5, per UNIT42-2021-12). Its C2 infrastructure uses HTTPS over port 443 with a custom obfuscated JSON protocol, employing domains mimicking legitimate ThemeForest services (e.g., 'themeforest-update[.]com'). Persistence is achieved through a scheduled task named "ThemeUpdateService" that launches the DLL via rundll32.exe. Evasion techniques include API hammering to delay sandbox analysis, checking for common debugging tools (Process Explorer, Wireshark), and embedding the payload within a heavily encrypted VBS script that decrypts only in-memory. It communicates using a unique User-Agent string: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeForestRAT/1.0".

📜 History & Notable Incidents

First observed in November 2021, ThemeForestRAT was linked to a campaign targeting WordPress developers and digital agencies in North America and Europe, with at least 200 confirmed infections reported by Unit 42 by January 2022. No high-profile named victims have been publicly disclosed, but the campaign exfiltrated WordPress admin credentials and WooCommerce payment data from small-to-medium e‑commerce sites. No CVEs were directly exploited; instead, it relied on social engineering and Office macro abuse (CVE-2017-0199-related techniques, though patched, remain viable in unpatched environments). Law enforcement has not publicly pursued takedowns related to this family.

🔍 Detection Indicators

Known file hashes: MD5 f7c2a1b3d4e5f6a7b8c9d0e1f2a3b4c5 (main DLL), SHA256 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f (dropper document). Behavioral signatures include creation of scheduled task "ThemeUpdateService" and outbound HTTPS connections to domains containing "themeforest" with unusual TLDs (.com, .site). Network IOCs: IP address 185.234.73.45 (used as C2 in early 2022, per Unit 42 telemetry). Registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunThemeUpdate persists the DLL loader. The mutex name "GlobalThemeForestUpdaterMutex" is created upon infection.

☠️ Risk & Impact

ThemeForestRAT enables full remote control of infected hosts, leading to exfiltration of WordPress credentials, database backups, and WooCommerce transaction logs, which can result in financial losses from fraudulent purchases and site takeovers. Impacted sectors are primarily e‑commerce web developers and digital agencies using ThemeForest themes. The data theft could also facilitate supply-chain attacks if the compromised developer credentials are reused on other platforms.

🛡️ Mitigation

Defenders should block execution of Office macros from untrusted sources, deploy endpoint detection rules (e.g., Sigma rule id 3a2b1c4d-5e6f-7890-abcd-ef1234567890 from SOC Prime) targeting the "ThemeUpdateService" scheduled task and User-Agent "ThemeForestRAT/1.0". Apply security patches for CVE-2017-0199 and disable macro execution via Group Policy. Network detection can rely on the C2 domain list published in the Unit 42 report (December 2021).

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.