MalwareUsed by 2 actors

888 RAT

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Kasablanka

This campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors known as 888 RAT and SpyNote, disguised as legitimate apps.

via eset welivesecurity blogwelivesecurity.com

BladeHawk

This campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors known as 888 RAT and SpyNote, disguised as legitimate apps.

via eset welivesecurity blogwelivesecurity.com

INDICATORS OF COMPROMISE

IOCs tracked for this family

44 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

10 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

17 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

17 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app5 years ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the hacker newsNews

Sep 17, 2025

TA558 Uses AI-Generated Scripts to Deploy Venom RAT in Brazil Hotel Attacks

888 RAT is a remote access trojan used by the RevengeHotels group to compromise hotel and travel industry systems.

eset welivesecurity blogNews

Sep 7, 2021

BladeHawk group: Android espionage against Kurdish ethnic group

Commercial multiplatform remote access trojan extended to Android in 2018. In this campaign it was used for mobile espionage against Kurdish targets, with capabilities including file theft and deletion, screenshots, location tracking, Facebook credential phishing, app enumeration, photo theft, camera capture, audio and call recording, SMS theft, contact theft, sending SMS, making calls, and shell command execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching44

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.