Ares RAT
Ares RAT is a Python-based remote access trojan historically associated with Transparent Tribe (APT36) and referenced in campaigns linked to the aligned SideCopy ecosystem. Public reporting describes its use in cross-platform espionage operations against Indian defense-sector, government, and government-aligned organizations, most notably in Linux-focused intrusion chains.

In the observed Linux campaign, a Go-based downloader and a shell script fetched from an external server together installed Ares RAT. Once deployed, the RAT performed automated system profiling, recursive file enumeration, command execution, harvesting of sensitive data, execution of operator-supplied Python scripts or commands, and structured data exfiltration to a hard-coded command-and-control server. Persistence on Linux was achieved through systemd user services, which let the malware survive reboots while blending into normal user activity. The broader campaigns relied on phishing emails, malicious attachments or embedded download links, and multi-stage delivery chains.

Earlier campaigns by the SloppyLemming cluster also leveraged Ares RAT, but the detailed operational reporting summarized here ties the family most strongly to Transparent Tribe/APT36 and SideCopy. High-confidence behavioral indicators include execution on Linux hosts, deployment via a Go-based downloader and shell script, automated host profiling, recursive file enumeration, structured exfiltration, and persistence through systemd user services.
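The persistence indicator above (a Python payload kept alive by a systemd user unit) is cheap to hunt for on a Linux host. The script below is an added example written for this page, not code from the page or from any of the cited reports. It parses unit files under the per-user systemd directories, scores each `ExecStart` for an interpreter-launched payload, arguments in hidden or volatile directories, and a restart loop with no `Description=`, and reports units that cross a threshold. The directory list, the weights, the threshold, and the two sample units are illustrative assumptions; the sample units are constructed and are not real indicators.

```python
"""Triage systemd user units for the persistence pattern described above:
an interpreter-launched payload kept alive by a unit in the user's own
systemd instance. Added example; directories, weights and samples are assumed."""
from __future__ import annotations

import os
import re
import shlex
from dataclasses import dataclass, field
from pathlib import Path

# Assumed locations a per-user systemd instance reads units from.
USER_UNIT_DIRS = ("~/.config/systemd/user", "~/.local/share/systemd/user", "/etc/systemd/user")
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "dash", "perl"}
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_DIR = re.compile(r"/\.[^/]+/")  # a dot-directory component anywhere in a path
REPORT_THRESHOLD = 2  # assumed: report a unit once its score reaches this


@dataclass
class Finding:
    unit: str
    exec_start: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, weight: int, reason: str) -> None:
        self.score += weight
        self.reasons.append(reason)


def parse_unit(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for the INI-like unit format: [sections], key=value,
    backslash line continuations, '#'/';' comments. Later keys override earlier ones."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1].rstrip() + " "
            continue
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def triage_unit(name: str, text: str) -> Finding | None:
    """Score one unit file; return a Finding only if it reaches REPORT_THRESHOLD."""
    sections = parse_unit(text)
    service = sections.get("Service", {})
    exec_start = service.get("ExecStart", "")
    # ExecStart may carry prefix characters ('-', '@', ':', '+', '!') before the binary.
    argv = shlex.split(exec_start.lstrip("-@:+!")) if exec_start else []
    if not argv:
        return None
    f = Finding(unit=name, exec_start=exec_start)
    prog = os.path.basename(argv[0])
    if prog in INTERPRETERS or re.fullmatch(r"python\d[\d.]*", prog):
        f.add(1, f"payload launched via interpreter: {prog}")
    for arg in argv:
        if arg.startswith(VOLATILE_DIRS):
            f.add(2, f"path in volatile directory: {arg}")
        elif HIDDEN_DIR.search(arg) and not arg.startswith("/usr/"):
            f.add(1, f"path in hidden directory: {arg}")
    if service.get("Restart", "no") != "no" and not sections.get("Unit", {}).get("Description"):
        f.add(1, "Restart= set but unit has no Description=")
    if "default.target" in sections.get("Install", {}).get("WantedBy", ""):
        f.add(0, "WantedBy=default.target: starts at user login (context only)")
    return f if f.score >= REPORT_THRESHOLD else None


def scan_user_units(dirs=USER_UNIT_DIRS) -> list[Finding]:
    """Triage every *.service in the unit directories that exist on this host."""
    findings = []
    for d in dirs:
        p = Path(d).expanduser()
        if p.is_dir():
            for unit in sorted(p.glob("*.service")):
                f = triage_unit(unit.name, unit.read_text(errors="replace"))
                if f:
                    findings.append(f)
    return findings


# Constructed sample units for offline demonstration (not real indicators).
SUSPECT_UNIT = """\
[Unit]
Description=

[Service]
ExecStart=/usr/bin/python3 /home/alice/.config/.sysupdate/agent.py
Restart=always
RestartSec=30

[Install]
WantedBy=default.target
"""
BENIGN_UNIT = """\
[Unit]
Description=Sync mail

[Service]
ExecStart=/usr/bin/mbsync -a

[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    for name, text in (("sysupdate.service", SUSPECT_UNIT), ("mbsync.service", BENIGN_UNIT)):
        f = triage_unit(name, text)
        print(name, "->", f"score {f.score}: {'; '.join(f.reasons)}" if f else "clean")
    for f in scan_user_units():  # live hunt on the host running the script
        print(f"[HOST] {f.unit} (score {f.score}): {f.exec_start}")
        for r in f.reasons:
            print("   -", r)
```

One caveat worth checking alongside the unit files: a user's systemd instance normally runs only while that user has an active session, so a user unit outlives reboots on its own only if lingering has been enabled for the account (`loginctl enable-linger`, which leaves a marker file under `/var/lib/systemd/linger/`). An unexpected linger marker on a server account is itself a useful signal to pair with the unit triage.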
Groups observed using it
3 distinct threat actors attributed by public researchers.
This operation used a Go-based downloader to install ARES RAT, a Python-based remote access tool historically associated with APT36 activity. Once deployed, ARES RAT performed automated system profiling, recursive file enumeration, and structured data exfiltration.
"Running parallel to this Windows-focused campaign is a Linux variant... to drop a Python-based Ares RAT..."
"Prior campaigns ... have leveraged malware families like Ares RAT..."
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
"These actors rely on proven tactics like spear-phishing and weaponized documents... One campaign targeted Windows systems using phishing emails ... that delivered malicious files"
Execution (2 techniques)
Persistence (1 technique)
Privilege Escalation (1 technique)
Discovery (2 techniques)
Once deployed, ARES RAT performed automated system profiling, recursive file enumeration, and structured data exfiltration.
Command and Control (2 techniques)
"...connects to a hard-coded command-and-control (C2) server..."
"...shell script downloaded from an external server."
Exfiltration (1 technique)
Once deployed, ARES RAT performed automated system profiling, recursive file enumeration, and structured data exfiltration.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Remote access trojan leveraged in prior campaigns (no additional capabilities described in this source).
Remote access trojan used in campaigns targeting Indian defense sector and government-aligned organizations; used to steal sensitive data and maintain access.
Python-based RAT deployed on Linux via a Go dropper and shell script. Supports a wide range of commands to harvest sensitive data and execute Python scripts/commands issued by the operator.
Python-based remote access trojan used on Linux; performs host profiling and structured data exfiltration, and persists via systemd user services to survive reboots while blending into normal operations.