LodaRAT
LodaRAT is a remote access trojan/tool active since at least 2016 and written in AutoIt. It has been observed in multiple in-the-wild versions and used in both cyber-espionage and crimeware-style campaigns. Reported operators include the espionage-focused threat actor YoroTrooper, although Cisco Talos assessed LodaRAT is used by multiple distinct operators and not solely by the actor associated with its Android counterpart.
Observed delivery methods include earlier multi-stage phishing chains using malicious Microsoft Word documents that exploited CVE-2017-11882 and downloaded an MSI containing the compiled AutoIt script, as well as newer phishing emails carrying renamed RAR archives with a .rev extension that contain the compiled AutoIt binary and rely on user execution. Rapid7 also reported distribution via phishing, vulnerability exploitation, DonutLoader, and CobaltStrike.
Capabilities directly described in the source material include remote access functionality, screenshot capture, credential and cookie theft, and active C2-driven tasking. Cisco Talos reported a PowerShell keylogger in version 1.1.1 that is written to tmpwstz21.ps1 and executed on receipt of the C2 command MgPlugUp, with logs written to the temp directory using the current date as the filename. Talos also observed the C2 command Screen sending screenshots at regular intervals, and MpS8x generating a VBScript to display a custom message box. Version 1.1.7 was reported to focus on stealing passwords and cookies from browsers and to check Windows versions via the AutoIt macro @OSVERSION before copying itself to Temp or Startup locations and executing the copy. Rapid7 additionally reported theft of credentials and cookies from Microsoft Edge and Brave, persistence via registry modification or scheduled tasks, screen capture with hidden storage, microphone and webcam recording with exfiltration to C2, creation of new user accounts, disabling of Windows Firewall, and SMB-based lateral movement including attempts to connect to internal IPs over port 445.
Operationally, Talos observed direct threat-actor interaction with infected hosts, suggesting active monitoring and possible manual sandbox recognition from returned screenshots. Talos also reported use of legitimate tunneling or port-forwarding services such as ngrok.io and portmap.io for C2 anonymization. Mentioned infrastructure and indicators include the C2 URL http://roodan888tools[.]atwebpages[.]com/ng.txt, IPs 193[.]161[.]193[.]99 and 174[.]126[.]51[.]178, the dead stream reference live.mp3quran[.]net:9976 used by the QURAN command, the filename BYDVRI.vbs used by a single-instance VBScript in version 1.1.1, and tmpwstz21.ps1.
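The indicators and behaviours described above (the listed C2 IPs and host names, the tmpwstz21.ps1 keylogger and BYDVRI.vbs single-instance script, PowerShell launched with the keylogger, and attempts to reach internal hosts over port 445) can be turned into simple matching logic that runs over endpoint and network telemetry. The following is an added example written for this page, not code from Cisco Talos, Rapid7, or Mallory. The indicator values are the defanged ones quoted in the write-up; the event format (a minimal Sysmon-style dictionary), the sample events, and the SMB fan-out threshold are constructed assumptions for the example.

```python
"""Match the LodaRAT indicators and behaviours quoted above against sample telemetry.

Added example, not code from Cisco Talos, Rapid7 or Mallory. Indicator values are
the defanged ones in the write-up; the event schema, sample events and the
fan-out threshold are assumptions made for this example.
"""
import ipaddress
from collections import defaultdict
from typing import Optional

# Defanged indicators exactly as quoted in the write-up.
DEFANGED_IPS = ["193[.]161[.]193[.]99", "174[.]126[.]51[.]178"]
DEFANGED_HOSTS = ["roodan888tools[.]atwebpages[.]com", "live.mp3quran[.]net"]
# Auxiliary script names reported for version 1.1.1 (compared case-insensitively).
SCRIPT_NAMES = {"tmpwstz21.ps1", "bydvri.vbs"}
# Assumed threshold: distinct internal hosts one source reaches on TCP/445
# before it is reported as SMB fan-out. Tune to the environment.
SMB_FANOUT_THRESHOLD = 5


def refang(indicator: str) -> str:
    """Turn the bracket-defanged form used in reports back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(i) for i in DEFANGED_IPS}
IOC_HOSTS = {refang(h).lower() for h in DEFANGED_HOSTS}


def match_network(event: dict) -> Optional[str]:
    """Flag a connection to one of the listed C2 IPs or host names."""
    dst = event.get("dst_ip", "")
    host = event.get("dst_host", "").lower()
    if dst in IOC_IPS:
        return f"C2 IP {dst}"
    if host in IOC_HOSTS:
        return f"C2 host {host}"
    return None


def match_file(event: dict) -> Optional[str]:
    """Flag creation of the reported keylogger or single-instance script."""
    path = event.get("target_file", "")
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in SCRIPT_NAMES:
        return f"LodaRAT auxiliary script {name}"
    return None


def match_process(event: dict) -> Optional[str]:
    """Flag PowerShell started with the keylogger script on its command line."""
    image = event.get("image", "").lower()
    cmd = event.get("command_line", "").lower()
    if image.endswith("powershell.exe") and "tmpwstz21.ps1" in cmd:
        return "PowerShell executing tmpwstz21.ps1"
    return None


def smb_fanout(events: list) -> dict:
    """Count distinct private-range hosts each source contacts on TCP/445.

    Only sources at or above SMB_FANOUT_THRESHOLD are returned.
    """
    targets = defaultdict(set)
    for e in events:
        if e.get("type") != "network" or e.get("dst_port") != 445:
            continue
        dst = e.get("dst_ip", "")
        try:
            if ipaddress.ip_address(dst).is_private:
                targets[e.get("src_ip", "")].add(dst)
        except ValueError:
            continue  # malformed address, skip the event
    return {src: len(t) for src, t in targets.items() if len(t) >= SMB_FANOUT_THRESHOLD}


def scan(events: list) -> list:
    """Run every matcher over a batch of events and return the findings as strings."""
    matchers = {"network": match_network, "file": match_file, "process": match_process}
    findings = []
    for e in events:
        matcher = matchers.get(e.get("type"))
        hit = matcher(e) if matcher else None
        if hit:
            findings.append(f"{e.get('src_ip') or e.get('host', '?')}: {hit}")
    for src, n in smb_fanout(events).items():
        findings.append(f"{src}: SMB fan-out to {n} internal hosts on 445")
    return findings


# Constructed sample events for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "network", "src_ip": "10.0.0.5", "dst_ip": "193.161.193.99", "dst_port": 80},
    {"type": "network", "src_ip": "10.0.0.5", "dst_host": "roodan888tools.atwebpages.com",
     "dst_ip": "203.0.113.10", "dst_port": 80},
    {"type": "file", "host": "WS05", "target_file": r"C:\Users\u\AppData\Local\Temp\tmpwstz21.ps1"},
    {"type": "process", "host": "WS05",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ep bypass -f C:\Users\u\AppData\Local\Temp\tmpwstz21.ps1"},
    {"type": "network", "src_ip": "10.0.0.5", "dst_ip": "8.8.8.8", "dst_port": 53},
] + [{"type": "network", "src_ip": "10.0.0.5", "dst_ip": f"10.0.0.{i}", "dst_port": 445}
     for i in range(10, 16)]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The exact-match rules cover only the indicators quoted in the write-up, which age quickly once operators rotate infrastructure; the fan-out count and the PowerShell-plus-script-name rule are the more durable part, since they describe behaviour rather than values.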
Targeting has varied by campaign. Talos linked LodaRAT use to YoroTrooper operations targeting government and energy-sector organizations in Azerbaijan, Tajikistan, Kyrgyzstan, other CIS countries, and some European entities. Rapid7 described a newer campaign as global and indiscriminate rather than regionally focused, with roughly 30% of VirusTotal samples reportedly uploaded from the United States.
Groups observed using it
2 distinct threat actors attributed by public researchers.
YoroTrooper has relied heavily on the use of primarily two commodity malware families, AveMaria/Warzone RAT and LodaRAT, especially in October and November 2022.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
LodaRAT is a remote access trojan active since 2016, used for information gathering, cyber-espionage, and data theft. The latest variant targets browser credentials, captures screens, records audio/video, creates user accounts, disables firewalls, and spreads laterally via SMB. It is distributed via phishing, vulnerability exploitation, and loaders like DonutLoader and CobaltStrike.
RAT family used by YoroTrooper; Talos notes LodaRAT is attributed to (and likely developed by) the Kasablanka actor but appears used by multiple distinct operators/campaigns. YoroTrooper’s LodaRAT variants deviate from versions previously associated with Kasablanka and resemble versions seen in crimeware campaigns alongside RedLine and VenomRAT.
Remote access trojan (AutoIt) observed in multiple in-the-wild versions. Recent variants dropped prior obfuscation, added/removed auxiliary scripts (hex-encoded PowerShell keylogger; VBScript single-instance enforcement), and include capabilities such as screenshot capture, interactive command execution from C2, persistence via copying to Temp/Startup depending on Windows version, and credential theft (passwords/cookies from browsers). C2 traffic observed via legitimate tunneling/port-forwarding services (ngrok.io, portmap.io), enabling anonymization and access to infected hosts.