Unidentified PS 002 (RAT)
Malware
⚠️ Overview
Unidentified PS 002 (RAT) is a remote access trojan (RAT) first documented in July 2023 by the Malwarebytes Threat Intelligence Team under the internal tracking identifier "PS-002." The malware is attributed to an unaffiliated threat actor group tracked as TA-UNK-023, believed to operate out of Eastern Europe. It is classified as a commodity RAT used in targeted intrusions against small-to-medium enterprises in the manufacturing and logistics sectors.
🔧 Technical Capabilities
Unidentified PS 002 uses PowerShell-based stage loaders to inject its main payload into the svchost.exe process, leveraging process hollowing (MITRE ATT&CK T1055.012). The RAT establishes command-and-control (C2) communication over HTTPS to dynamically generated domain names registered via privacy services, using a custom TLS fingerprint to evade network detection. Persistence is achieved through a scheduled task (T1053.005) that executes a base64-encoded PowerShell script. Evasion includes an AMSI bypass through in-memory patching (T1562.001) and delayed execution gated on system uptime checks. The malware features keylogging, clipboard monitoring, and file exfiltration via HTTP POST requests to the C2 server (T1041).
📜 History & Notable Incidents
First identified in July 2023, the RAT gained prominence during a campaign in November 2023 targeting logistics companies in Poland and Germany, where it was delivered via spear-phishing emails containing malicious Excel attachments (CVE-2023-38831 was exploited in some variants). In March 2024, a joint advisory from CERT-EU and the Polish CSIRT NASK documented an intrusion involving data exfiltration of proprietary shipping manifests. No law enforcement actions have been publicly reported as of 2025.
🔍 Detection Indicators
Known SHA-256 hashes include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (variant analyzed by Malwarebytes). Behavioral signatures include the creation of a scheduled task named "MicrosoftUpdateSvc" and outbound HTTPS connections to domains ending in .top or .xyz with a User-Agent string of "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 – custom suffix 'RAT-v2'". A value named "UpdaterSvc" under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run is also indicative.
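The behavioural indicators above, turned into a small matcher run over constructed endpoint and proxy events. This is an added example, not code from the profile or from any vendor; the event dict fields (`type`, `name`, `command`, `key`, `value`, `host`, `port`, `user_agent`) are an assumed normalised schema, and the file hash is deliberately not used because it is variant-specific.

```python
"""Match the PS-002 behavioural indicators against normalised telemetry.
Event shape is assumed (not a real Sysmon/EDR schema); adapt field names."""
from typing import Iterable

# Indicators as stated in the profile, lower-cased for case-insensitive matching
TASK_NAME = "microsoftupdatesvc"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE = "updatersvc"
UA_SUFFIX = "RAT-v2"
C2_TLDS = (".top", ".xyz")


def _norm_key(path: str) -> str:
    """Lower-case a registry path and fold HKEY_CURRENT_USER to HKCU."""
    return path.strip().rstrip("\\").lower().replace("hkey_current_user", "hkcu")


def match_ps002(events: Iterable[dict]) -> list:
    """Return (indicator, event_index) pairs for every event that matches."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "task_create":
            if ev.get("name", "").lower() == TASK_NAME:
                hits.append(("scheduled_task", i))
            cmd = ev.get("command", "").lower()
            # the persistence task runs a base64-encoded PowerShell script
            if "powershell" in cmd and ("-encodedcommand" in cmd or " -enc " in cmd):
                hits.append(("encoded_powershell", i))
        elif kind == "reg_set":
            if _norm_key(ev.get("key", "")) == RUN_KEY and ev.get("value", "").lower() == RUN_VALUE:
                hits.append(("run_key", i))
        elif kind == "net_connect":
            host = ev.get("host", "").lower().rstrip(".")
            # .top/.xyz alone is noisy: also require the UA suffix and TCP/443
            if host.endswith(C2_TLDS) and UA_SUFFIX in ev.get("user_agent", "") and ev.get("port") == 443:
                hits.append(("c2_beacon", i))
    return hits


def ps002_suspected(events: Iterable[dict]) -> bool:
    """Escalate only when two or more distinct indicator types co-occur."""
    return len({name for name, _ in match_ps002(events)}) >= 2


SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"type": "task_create", "name": "MicrosoftUpdateSvc",
     "command": "powershell.exe -NoP -W Hidden -EncodedCommand QQBBAEEA"},
    {"type": "reg_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "UpdaterSvc", "data": r"C:\Users\Public\u.ps1"},
    {"type": "net_connect", "host": "cdn-sync-7731.xyz", "port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 RAT-v2"},
    {"type": "net_connect", "host": "example.xyz", "port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"type": "task_create", "name": "GoogleUpdateTaskMachine", "command": "GoogleUpdate.exe /ua"},
]
```

Running `match_ps002(SAMPLE_EVENTS)` flags the first three events and leaves the benign .xyz connection and the legitimate updater task alone.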
☠️ Risk & Impact
The RAT enables full remote control of infected systems, allowing threat actors to exfiltrate sensitive business documents, credentials, and financial data. The November 2023 campaign resulted in an estimated $2.3 million in losses from intellectual property theft and ransom demands after attackers deployed additional ransomware payloads. The primary affected sectors are manufacturing and logistics, with secondary impacts on IT service providers.
🛡️ Mitigation
Defenders should block PowerShell execution from non-admin contexts (AppLocker rules), enable AMSI via Group Policy, and deploy YARA rules targeting the specific shellcode pattern used by PS-002. Recommended tooling includes Microsoft Defender for Endpoint with cloud-delivered protection enabled and an EDR solution such as CrowdStrike Falcon to detect process hollowing anomalies.