
Remote Access Trojan

A Remote Access Trojan (RAT) is a category of malware that gives an attacker remote control of an infected system. In the provided reporting, RATs are described as being used in multiple intrusion and fraud scenarios. Italian authorities warned that the operating system of the Italian passenger ferry Fantastic may have been infected by a RAT while docked in Sète, France; investigators assessed that such malware could have provided remote access to onboard systems, possibly including navigation-related components, and the case is being examined as suspected foreign interference with possible state involvement. The content also states that remote access software on poorly isolated systems can enable lateral movement into sensitive networks.

RATs are also referenced in social-engineering campaigns. ReliaQuest reported that the Scattered Lapsus$ Hunters group targeted organizations using Zendesk by submitting fraudulent support tickets and using typosquatted or impersonating Zendesk-related domains, fake SSO portals, and crafted pretexts to infect support and help-desk personnel with RATs and other malware, with the goal of stealing credentials, compromising endpoints, stealing data, and extorting victims. Separate reporting cited Google warnings that scammers embed RATs and info-stealers in fake interview software, application materials, malicious job application downloads, and broader online job scam workflows. These campaigns use fake recruiter profiles, cloned career pages, and fraudulent application forms; resulting infections can provide persistent backdoor access, facilitate credential harvesting, financial theft, identity fraud, system compromise, and corporate network infiltration when infected personal devices later connect to enterprise environments. Additional content notes that malicious VPN apps and browser extensions distributed via social engineering can also deliver RATs alongside information stealers and banking malware.

No single RAT family, specific malware sample, or unique IOC set is identified in the provided content; the term is used generically to describe malware that provides unauthorized remote access and persistence across maritime, enterprise help-desk, and job-scam infection scenarios.


MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1598 Phishing for Information (evidence: 1)

The attacker gained access to the lead maintainer's PC through a targeted social engineering campaign and RAT malware.

Resource Development

1 technique
T1585 Establish Accounts (evidence: 1)

The attacker would then share links online, like social media or forums... to lure users to the malicious GitHub repos.

Initial Access

3 techniques
T1195 Supply Chain Compromise (evidence: 6)

When the axios HTTP client library was compromised, attackers pushed two poisoned releases that dropped a remote-access Trojan on every machine that ran a fresh install during a roughly three-hour window.

T1566 Phishing (evidence: 2)

The attacker gained access to the lead maintainer's PC through a targeted social engineering campaign and RAT malware.

T1566.002 Spearphishing Link (evidence: 1)

Similarly, he tricked a Robinhood employee into installing a remote access trojan which he used to steal customer information.

Execution

4 techniques
T1059 Command and Scripting Interpreter (evidence: 2)

A separate supply-chain attack on the widely used Axios npm package occurred within hours of the leak, injecting a remote-access trojan into versions 1.14.1 and 0.30.4.

T1127 Trusted Developer Utilities Proxy Execution (evidence: 1)

VentureBeat reported that anyone who installed or updated Claude Code via npm on March 31 between 00:21 and 03:29 UTC may have pulled in the compromised dependency.

T1204.002 Malicious File (evidence: 1)

attackers pushed two poisoned releases that dropped a remote-access Trojan on every machine that ran a fresh install during a roughly three-hour window.

T1574.006 Dynamic Linker Hijacking (evidence: 1)

Step 2 — Poison it. Add something malicious. Usually this hides in a postinstall script — a feature that lets packages run code automatically the moment you install them, with no confirmation prompt.

Stealth

3 techniques
T1036 Masquerading (evidence: 1)

The package impersonated an installer for OpenClaw... The campaign combined brand impersonation with malicious package delivery, using a familiar project name to increase the odds of installation by developers or users seeking OpenClaw tooling.

T1127 Trusted Developer Utilities Proxy Execution (evidence: 1)

VentureBeat reported that anyone who installed or updated Claude Code via npm on March 31 between 00:21 and 03:29 UTC may have pulled in the compromised dependency.

T1574.006 Dynamic Linker Hijacking (evidence: 1)

Step 2 — Poison it. Add something malicious. Usually this hides in a postinstall script — a feature that lets packages run code automatically the moment you install them, with no confirmation prompt.

Credential Access

1 technique
T1555 Credentials from Password Stores (evidence: 1)

According to the report, the package targeted macOS systems and was designed to steal credentials in addition to deploying a RAT... it stole macOS credentials from compromised devices.

Collection

1 technique
T1005 Data from Local System (evidence: 1)

The researchers said the malicious package deployed a remote access trojan after installation and collected sensitive information from infected hosts.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 1)

Check your network logs for connections to sfrclak[.]com or 142.11.206.73 on port 8000

T1105 Ingress Tool Transfer (evidence: 1)

the postinstall script (node setup.js) that runs automatically on npm install downloaded an obfuscated dropper that retrieves a platform-specific RAT payload for macOS, Windows, or Linux.

T1219 Remote Access Tools (evidence: 7)

The researchers said the malicious package deployed a remote access trojan after installation and collected sensitive information from infected hosts.

Exfiltration

1 technique
T1048 Exfiltration Over Alternative Protocol (evidence: 1)

he tricked a Robinhood employee into installing a remote access trojan which he used to steal customer information.

Other

1 technique
T1656 Impersonation (evidence: 1)

Lazarus APT group... used a social engineering campaign, sending fake job offers with a remote access trojan... Iranian hackers pose as recruiters on LinkedIn and distribute malware through fake lucrative job offers.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 3 tracked (IPs, domains, and DNS infrastructure linked to this family).

Other: 1 tracked (other indicator types observed in public reporting).

Type     Value                        Latest sighting
ip.v4    (masked; full value in app)  1 month ago
domain   (masked; full value in app)  1 month ago
domain   (masked; full value in app)  3 months ago
uri      (masked; full value in app)  3 months ago

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
