Venom RAT

Venom RAT is a remote access trojan and multi-function malware tool, described as a successor to Quasar RAT and in one report as an AsyncRAT variant. It is commercially sold and has been observed in cybercrime ecosystems and malware-as-a-service style offerings, including premium hidden VNC (hVNC) functionality with customer support. Reported capabilities include keylogging, surveillance, file management, remote command execution, covert remote desktop access via hVNC, data theft, reverse proxying, anti-kill protections, persistence via Windows Registry changes, removable-media/USB propagation, and remote execution through APC injection. Additional reported behaviors include modifying process DACLs, terminating security-related processes, tampering with Task Scheduler and the Registry to disable security tools, terminating Microsoft Defender Antivirus, preventing system sleep, keeping the display on, and, when elevated, enabling SeDebugPrivilege and marking itself as a critical process.

Observed delivery vectors include phishing emails with invoice themes, JavaScript loaders, PowerShell downloaders, Windows Internet Shortcut files delivered via phishing, WebDAV-hosted shortcut chains, and loader malware such as Kiss Loader. In one documented chain, Kiss Loader decrypted and executed Venom RAT via APC injection. TA558/RevengeHotels used phishing emails in Portuguese and Spanish targeting hotels in Brazil and Spanish-speaking markets to deliver Venom RAT, with the objective of stealing credit card data from hotel systems and online travel agencies. CERT-UA also reported Venom RAT among malware families used by UAC-0050 in campaigns affecting Ukrainian organizations. Venom RAT infrastructure was also included in Europol/Eurojust Operation Endgame in November 2025, which dismantled more than 1,025 servers and seized domains linked to Venom RAT, Rhadamanthys, and the Elysium botnet; one report states the main Venom RAT suspect was arrested in Greece.

Targeting and victimology directly mentioned in the content include hospitality, hotel, and travel organizations in Latin America, especially Brazil and Spanish-speaking regions, as well as Ukrainian government, energy, finance, healthcare, and IT organizations in broader campaign reporting. Infrastructure associated with Venom RAT was identified in the 45.154.98.0/24 subnet alongside other malware families. High-confidence indicators and artifacts mentioned in relation to Venom RAT activity include use of hVNC; JavaScript and PowerShell-based loaders; APC injection; and campaign artifacts such as the downloaded file name "cargajecerrr.txt" in TA558 activity.