BIOPASS RAT
BIOPASS RAT is a remote access trojan referenced in reporting on China-aligned intrusion activity. The sources collected here identify it as a tool used by Wicked Panda (also tracked as Axiom, Winnti, APT41, and Bronze Atlas), alongside other malware such as ShadowPad, PlugX, Derusbi, Gh0st RAT, HighNoon, RedXOR, and China Chopper. The same sources link BIOPASS RAT to Earth Lusca and state that a 2021 BIOPASS RAT campaign targeted online gambling companies in China via a watering-hole attack. Code-signing certificates used to sign malware in other campaigns had previously been observed in BIOPASS RAT operations, including a certificate stolen from a South Korean gaming company that was also used in a BIOPASS RAT campaign.

One specific behavioral overlap is called out: like MKDOOR, BIOPASS RAT opens an HTTP server that listens on a high-numbered port bound to localhost. The watering-hole scripts probe that loopback port to determine whether the visiting machine is already infected with the backdoor, which makes the listener itself a usable host-side indicator. High-confidence detail on BIOPASS RAT's full infection chain, persistence, command set, or platform support is not provided by the sources on this page.
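The loopback-listener check described above, as an added Python illustration that is not code from this page or from any of the reporting it cites. The listener is a benign stand-in for the implant's localhost HTTP server (the real response format, port, and path are not documented here and are not reproduced); `probe_http` is the infection check a watering-hole page performs in spirit, and `scan_loopback` is the defender-side hunt that turns the same behavior into a host indicator. All names are assumptions for this example.

```python
import http.server
import socket
import threading

# Constructed stand-in for the implant's loopback listener: a benign HTTP
# server bound to 127.0.0.1 on an OS-chosen ephemeral (high) port. It answers
# any GET with a fixed body; the real implant's reply is not documented on the
# page and is not modeled here.
class _MarkerHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the example quiet
        pass


def start_marker_listener(port=0):
    """Start the stand-in listener on 127.0.0.1; port 0 lets the OS pick a high port.
    Returns (server, bound_port). Stop it with server.shutdown(); server.server_close()."""
    srv = http.server.HTTPServer(("127.0.0.1", port), _MarkerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_http(port, host="127.0.0.1", timeout=0.5):
    """Return True if something on host:port accepts a TCP connection and answers
    a minimal GET with an HTTP status line. The check only needs to learn whether
    a listener exists, not what it says. Connection refused, timeout, an empty
    reply, or a non-HTTP reply all count as 'not listening'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            data = s.recv(64)
    except OSError:
        return False
    return data.startswith(b"HTTP/")


def scan_loopback(ports, host="127.0.0.1"):
    """Defender-side hunt: return the subset of `ports` on which a loopback HTTP
    listener answers. Run it over a high-port range and reconcile every hit
    against the processes you expect to serve HTTP on localhost."""
    return [p for p in ports if probe_http(p, host=host)]


if __name__ == "__main__":
    srv, port = start_marker_listener()
    print("stand-in listener on 127.0.0.1:%d" % port)
    print("loopback HTTP hits:", scan_loopback([port]))
    srv.shutdown()
    srv.server_close()
```

In a browser, the watering-hole script does not need to read the response at all: a cross-origin load of `http://127.0.0.1:<port>/` (an `<img>` or `<script>` element, or a `fetch` in `no-cors` mode) succeeds or errors depending on whether anything is listening, which is the only bit the script wants. Because the port and path are campaign-specific and not documented on this page, run the scanner over the full high-port range rather than a single guessed port, and treat a hit as an indicator only after ruling out legitimate local services such as development servers and endpoint-agent listeners.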
Groups observed using it
2 distinct threat actors attributed by public researchers.
The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RAT, PlugX, HighNoon, Derusbi, BIOPASS RAT, RedXOR, and ShadowPad.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: "In watering-hole scenarios, malicious scripts injected into websites trigger downloads of the main PeckBirdy script upon victim visitation, often leading to fake software update pages that prompt execution of malicious files."
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Remote access trojan referenced as having used the same stolen code-signing certificates in prior campaigns attributed to Earth Lusca.
Remote access trojan used in a 2021 watering-hole campaign targeting online gambling companies in China; noted similarities with MKDOOR (both open a local high-port HTTP server listener).
RAT campaign referenced due to shared stolen-code-signing certificate usage; noted to share a technique with MKDOOR (opening a high local port HTTP listener to enable watering-hole scripts to detect infection).