Shadow RAT
Shadow RAT is a Windows remote access trojan offered through a live Malware-as-a-Service ecosystem. Breakglass Intelligence reported an operational Shadow RAT Panel v2.0 at 87.120.107[.]117 hosted on Shinomiya Hosting (AS215428), described as Ukrainian-operated bulletproof hosting. The panel used a Vite/React frontend with an Express.js backend and supported user registration, licensing, payload building, client management, and administration. Newly registered users required administrator approval, the user model included subscription-style license fields, and the service was linked to Telegram channels @spyingsystem and @CrackBaseProxy. The operator was identified in the reporting as Aleksei Ezhov.
The malware builder produced Windows RAT payloads with persistence, surveillance, credential theft, remote shell, and rootkit-related functionality. Reported persistence options included scheduled tasks, registry Run keys, and startup folder shortcuts. Additional capabilities included adding C:\ to Microsoft Defender exclusions, enabling a rootkit mode using the $77 file prefix, browser credential and cookie theft, Telegram session extraction, cryptocurrency wallet theft, remote control, and destructive actions including shutdown, reboot, BSOD, and self-delete.
Shadow RAT has also been associated with espionage activity. Malpedia and Seqrite Labs linked the malware family to UNG0002, a South Asian espionage actor. Seqrite documented Shadow RAT-related activity in Operation Cobalt Whisper and Operation AmberMist targeting defense, aviation, government, academia, and other strategic sectors in China, Hong Kong, and Pakistan during 2024–2025. In AmberMist, INET RAT was assessed as a customized variant of Shadow RAT. Reported infection chains used phishing emails, malicious ZIP archives, LNK shortcut files, and VBScript.
Known infrastructure and indicators mentioned in the content include the active panel at 87.120.107[.]117, a likely PostgreSQL server at 87.120.107[.]123:5432, and a previously known inactive Shadow RAT C2 at 5.9.228[.]188. An exposed phpinfo() page at http://87.120.107[.]117:8081/dashboard/phpinfo.php leaked host details including hostname DESKTOP-GKGI28A. A known Shadow RAT sample, mustang.dll, had SHA256 90c9e0ee1d74b596a0acf1e04b41c2c5f15d16b2acd39d3dc8f90b071888ac99 and reportedly used DLL sideloading via rasphone.exe with persistence through scheduled tasks named SysUpdater and UtilityUpdater.
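A defender-side example, added here and not taken from the reporting or from any vendor tooling: a small Python scanner that turns the persistence and evasion behaviours described above (the SysUpdater/UtilityUpdater task names, a whole-drive Defender exclusion, the $77 rootkit prefix, rasphone.exe loading a DLL from outside System32, Run-key writes) into rules run over constructed Sysmon-style and Security-log JSON events. The field names and sample records are assumptions modelled on Sysmon (EventID 1/7/13) and Windows Security (4698) fields.

```python
import json

# Constructed JSON-lines telemetry modelled on Sysmon/Security events; not real captures.
SAMPLE_LOG = r"""
{"EventID": 4698, "TaskName": "\\SysUpdater", "SubjectUserName": "alice"}
{"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "SubjectUserName": "SYSTEM"}
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\$77svc.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\rasphone.exe", "ImageLoaded": "C:\\Windows\\System32\\rasdlg.dll"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\rasphone.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\mustang.dll"}
"""
SUSPECT_TASKS = {"sysupdater", "utilityupdater"}  # task names reported for the mustang.dll chain
SYSTEM32 = "c:\\windows\\system32\\"


def detect(event):
    """Return the names of the rules that fire on one parsed event."""
    hits = []
    eid = event.get("EventID")
    if eid == 4698:
        task = event.get("TaskName", "").rsplit("\\", 1)[-1].lower()  # leaf name only
        if task in SUSPECT_TASKS:
            hits.append("task_name_sysupdater")
    elif eid == 13:
        target = event.get("TargetObject", "").lower()
        # Whole-drive Defender exclusion: the excluded path is the registry value name.
        if "\\windows defender\\exclusions\\paths\\" in target and target.endswith("\\c:\\"):
            hits.append("defender_exclusion_root_drive")
        if "\\currentversion\\run\\" in target:  # noisy on its own; triage, do not block
            hits.append("run_key_persistence")
    elif eid == 1:
        leaf = event.get("Image", "").rsplit("\\", 1)[-1]
        if leaf.startswith("$77"):  # file prefix used by the builder's rootkit mode
            hits.append("rootkit_prefix_77")
    elif eid == 7:
        image = event.get("Image", "").lower()
        loaded = event.get("ImageLoaded", "").lower()
        if image.endswith("\\rasphone.exe") and not loaded.startswith(SYSTEM32):  # sideload
            hits.append("rasphone_sideload")
    return hits


def scan(log_text):
    """Parse JSON lines and return (line_number, rule_hits) for matching events."""
    findings = []
    for number, line in enumerate(log_text.strip().splitlines(), 1):
        if line.strip():
            hits = detect(json.loads(line))
            if hits:
                findings.append((number, hits))
    return findings
```

The benign records (the built-in defrag task and rasphone.exe loading rasdlg.dll from System32) are included so the rules can be checked for false positives before they are ported to a SIEM.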
Groups observed using it
1 distinct threat actor attributed by public researchers.
Breakglass Intelligence discovered a fully operational Shadow RAT command-and-control panel running at 87.120.107[.]117 on Ukrainian-operated bulletproof hosting infrastructure... The panel ... provides a complete Malware-as-a-Service platform with user registration, licensing, and a malware builder capable of producing Windows RAT payloads with rootkit, surveillance, credential theft, and remote shell capabilities.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
UNG0002 is characterized as a South Asian espionage actor with TTPs including spearphishing with weaponized documents... MITRE ATT&CK mapping: Initial Access, Spearphishing Attachment (T1566.001)
UNG0002 is characterized as a South Asian espionage actor with TTPs including ... fake government pages. MITRE ATT&CK mapping: Initial Access, Spearphishing Link (T1566.002)
Execution (4 techniques)
Persistence mechanisms include scheduled tasks via Windows Task Scheduler... Persistence is maintained through two scheduled tasks: SysUpdater and UtilityUpdater.
MITRE ATT&CK mapping: Execution, PowerShell (T1059.001)
Remote Control: Interactive command shell (cmd.exe)... MITRE ATT&CK mapping: Execution, Windows Command Shell (T1059.003)
The generated payload is then distributed to victims through the operator's chosen delivery method. MITRE ATT&CK mapping: Execution, User Execution: Malicious File (T1204.002)
Persistence (2 techniques)
Persistence mechanisms include scheduled tasks via Windows Task Scheduler... Persistence is maintained through two scheduled tasks: SysUpdater and UtilityUpdater.
Privilege Escalation (2 techniques)
Persistence mechanisms include scheduled tasks via Windows Task Scheduler... Persistence is maintained through two scheduled tasks: SysUpdater and UtilityUpdater.
Stealth (3 techniques)
The builder can also add the entire C:\ drive to Windows Defender exclusions and enable a rootkit mode using the $77 file prefix, which requires administrator privileges or UAC bypass.
Payload options include ... assembly copy (cloning PE metadata from a donor executable for masquerading), icon injection for custom executable icons... MITRE ATT&CK mapping: Defense Evasion, Masquerading (T1036.005)
Payload options include melt-build (self-delete of the original executable after installation)... MITRE ATT&CK mapping: Defense Evasion, File Deletion (T1070.004)
Credential Access (4 techniques)
The monitor feature also captures mouse and keyboard input... MITRE ATT&CK mapping: Collection, Keylogging (T1056.001)
Data Theft: Telegram session extraction... MITRE ATT&CK mapping: Credential Access, Steal Application Access Token (T1528)
Data Theft: ... browser cookie theft... MITRE ATT&CK mapping: Credential Access, Steal Web Session Cookie (T1539)
Data Theft: ... browser credential theft... MITRE ATT&CK mapping: Credential Access, Credentials from Web Browsers (T1555.003)
Discovery (2 techniques)
Collection (4 techniques)
The monitor feature also captures mouse and keyboard input... MITRE ATT&CK mapping: Collection, Keylogging (T1056.001)
Surveillance: Real-time screen streaming with configurable quality and FPS, single-frame screenshot capture... MITRE ATT&CK mapping: Collection, Screen Capture (T1113)
Surveillance: ... microphone recording. MITRE ATT&CK mapping: Collection, Audio Capture (T1123)
Surveillance: ... webcam access... MITRE ATT&CK mapping: Collection, Video Capture (T1125)
Command and Control (2 techniques)
C2 traffic patterns: HTTP traffic to 87.120.107[.]117 with Express.js headers... MITRE ATT&CK mapping: Command and Control, Web Protocols (T1071.001)
Remote Control: ... URL-based download-and-execute... MITRE ATT&CK mapping: Command and Control, Ingress Tool Transfer (T1105)
Exfiltration (1 technique)
MITRE ATT&CK mapping: Exfiltration, Exfiltration Over C2 Channel (T1041)
Impact (1 technique)
Destructive: System restart, shutdown, BSOD trigger, and self-delete. MITRE ATT&CK mapping: Impact, System Shutdown/Reboot (T1529)
Other (1 technique)
IOCs tracked for this family
18 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Shadow RAT is a commercially sold Malware-as-a-Service remote access trojan with a builder and management panel. It can generate Windows payloads supporting persistence, rootkit mode, surveillance, credential and cookie theft, Telegram session extraction, crypto wallet theft, remote shell, file management, and destructive actions. It has also been used in espionage campaigns via DLL sideloading.
Spyware/RAT family referenced as the likely base family for INET RAT (customized variant).