AstarionRAT
AstarionRAT is a custom remote access trojan first publicly documented by Huntress in February 2026 after being deployed in ClickFix intrusion chains that used the Matanbuchus 3.0 malware-as-a-service loader. In the observed campaigns, victims were socially engineered to execute malicious Run dialog or msiexec commands, leading to silent MSI installation, DLL sideloading, an embedded Lua interpreter, and reflective in-memory loading of the final payload, identified internally as Beacon.exe. Huntress reported that Matanbuchus delivered AstarionRAT via reflective PE loading from Lua.

AstarionRAT supports 24 commands and is described as a fully featured custom implant with capabilities including credential theft, shell execution with output capture, SOCKS5 proxying, port scanning, file operations, process management, credential logon and impersonation, and reflective or in-memory loading of arbitrary operator-supplied code.

Its command-and-control configuration is stored in the .data section as RC4-encrypted, hex-encoded data decrypted with a hardcoded 110-byte key. Reported C2 infrastructure includes www.ndibstersoft[.]com.

The malware's HTTP profile impersonates Edge/18.19045, uses GET requests to /intake/organizations/events?channel=app, includes Accept-Language: zh-CN,zh;q=0.9 and a Google referer, and embeds beacon data in a cookie header between static values including AFUAK=1C5DEC09609A6B41 and HFK=423b5828bc98f5c7c57e6c321. Huntress reported that AstarionRAT's initial metadata beacon begins with a 0xBEEF marker, derives a session key from 16 random bytes hashed with SHA-256, and RSA-encrypts metadata using a hardcoded 1024-bit public key before transmission. The malware polls every 10 seconds and parses responses as network-byte-order [command_id][size][data] tuples.
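Once the hardcoded 110-byte RC4 key has been pulled from a sample (the key itself is not reproduced on this page), recovering the C2 configuration from the .data section is mechanical: find the ASCII-hex run, hex-decode it, RC4-decrypt it, and pull the hostname out of the result. The Python below is an added example, not Huntress's or Mallory's tooling. Only the RC4-then-hex encoding, the 110-byte key length and the reported domain come from the page; the key bytes, the section contents, the pipe-delimited config layout and the decoy hash are constructed placeholders for the demonstration.

```python
"""Recover an RC4-encrypted, hex-encoded C2 configuration from a .data dump.

Added example, not tooling from Huntress or Mallory. The page states only
that the config sits in .data as RC4-encrypted hex under a hardcoded
110-byte key; the key bytes, the section contents and the pipe-delimited
config layout used here are constructed placeholders.
"""
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


HEX_RUN = re.compile(rb"[0-9a-fA-F]{64,}")  # long ASCII-hex runs only (>= 32 bytes encoded)


def is_printable(buf: bytes) -> bool:
    """True when every byte is printable ASCII or whitespace; decrypted noise fails this."""
    return len(buf) > 0 and all(32 <= b < 127 or b in b"\t\r\n" for b in buf)


def recover_config(section: bytes, key: bytes):
    """Decrypt every long hex run in the section and keep the ones that decode to text."""
    found = []
    for m in HEX_RUN.finditer(section):
        run = m.group(0)
        if len(run) % 2:
            run = run[:-1]  # odd-length run: drop the trailing nibble so fromhex accepts it
        plain = rc4(key, bytes.fromhex(run.decode("ascii")))
        if is_printable(plain):  # a hash or other unrelated hex string decrypts to noise
            found.append(plain)
    return found


HOST_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def extract_hosts(plaintexts):
    """Pull candidate C2 hostnames out of recovered config strings."""
    hosts = []
    for pt in plaintexts:
        hosts.extend(h.decode("ascii") for h in HOST_RE.findall(pt))
    return hosts


# --- constructed sample data (placeholders, not values from the sample) ---
PLACEHOLDER_KEY = bytes((i * 37 + 11) & 0xFF for i in range(110))  # 110 bytes, NOT the real key
CONFIG_PLAINTEXT = b"www.ndibstersoft.com|/intake/organizations/events?channel=app|10"
SAMPLE_SECTION = (
    b"\x00" * 16
    + rc4(PLACEHOLDER_KEY, CONFIG_PLAINTEXT).hex().encode("ascii")  # the hex-encoded config blob
    + b"\x00" * 8
    + b"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # decoy: an unrelated hex hash
    + b"\x00" * 8
)

if __name__ == "__main__":
    for blob in recover_config(SAMPLE_SECTION, PLACEHOLDER_KEY):
        print("config:", blob.decode("ascii"))
    print("hosts:", extract_hosts(recover_config(SAMPLE_SECTION, PLACEHOLDER_KEY)))
```

The printable-text filter is what keeps this usable on a real section dump: any other long hex run (an embedded hash, a GUID table) decrypts to noise under the config key and is discarded, so only the genuine configuration survives into the hostname extractor.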
Observed post-compromise activity associated with infections delivering AstarionRAT included rapid hands-on-keyboard operations, PsExec and RDP lateral movement, rogue account creation, Microsoft Defender tampering, and targeting of Windows servers and domain controllers, with Huntress assessing the likely objective as ransomware deployment or data exfiltration.
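The HTTP profile and the 10-second polling interval described in the overview above give network defenders enough to hunt in proxy logs without any sample in hand. The Python below is an added example, not tooling from Huntress or Mallory: it scores each request against the reported static indicators (beacon path, Accept-Language, Edge/18.19045 user agent, Google referer, the AFUAK/HFK cookie values, the reported C2 host) and then checks whether the flagged requests from a given client recur at the reported cadence. The tab-separated log layout, the field names, the full user-agent string, the cookie's beacon blob and every sample record are constructed for the demonstration.

```python
"""Hunt web-proxy logs for the AstarionRAT HTTP beacon profile.

Added example, not tooling from Huntress or Mallory. The indicator values
are the ones quoted on this page; the tab-separated log format, the field
names and every sample record are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log layout (one request per line, tab-separated):
# ts  src  method  host  path  user_agent  accept_language  referer  cookie
FIELDS = ["ts", "src", "method", "host", "path", "user_agent",
          "accept_language", "referer", "cookie"]

# Profile indicators as reported (C2 host written undefanged so it can match).
BEACON_PATH = "/intake/organizations/events?channel=app"
ACCEPT_LANG = "zh-CN,zh;q=0.9"
UA_MARKER = "Edge/18.19045"
COOKIE_STATIC = ("AFUAK=1C5DEC09609A6B41", "HFK=423b5828bc98f5c7c57e6c321")
KNOWN_C2 = {"www.ndibstersoft.com"}
POLL_INTERVAL_S = 10.0  # reported polling interval


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines instead of crashing."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def match_indicators(rec):
    """Return the names of the profile indicators a single request satisfies."""
    hits = []
    if rec["method"] == "GET" and rec["path"] == BEACON_PATH:
        hits.append("beacon_path")
    if rec["accept_language"] == ACCEPT_LANG:
        hits.append("accept_language")
    if UA_MARKER in rec["user_agent"]:
        hits.append("user_agent")
    if "google." in rec["referer"]:
        hits.append("google_referer")
    if all(s in rec["cookie"] for s in COOKIE_STATIC):
        hits.append("static_cookie")
    if rec["host"].lower() in KNOWN_C2:
        hits.append("known_c2_host")
    return hits


def hunt(lines, min_hits=3):
    """Flag (client, host) pairs whose requests match the profile; annotate polling cadence."""
    flagged = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_indicators(rec)
        if len(hits) >= min_hits:
            rec["hits"] = hits
            flagged[(rec["src"], rec["host"])].append(rec)
    results = []
    for (src, host), recs in sorted(flagged.items()):
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        cadence = median(gaps) if gaps else None
        periodic = cadence is not None and abs(cadence - POLL_INTERVAL_S) <= 1.0
        results.append({
            "src": src, "host": host, "requests": len(recs),
            "indicators": sorted({h for r in recs for h in r["hits"]}),
            "median_gap_s": cadence, "matches_poll_interval": periodic,
        })
    return results


# --- constructed sample log: four beacons 10 s apart, one benign request, one bad line ---
_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/18.19045"  # constructed UA containing the marker
_COOKIE = ("AFUAK=1C5DEC09609A6B41; s=00112233aabbccdd; "  # 's=' blob stands in for the beacon data
           "HFK=423b5828bc98f5c7c57e6c321")
SAMPLE_LOGS = [
    "\t".join([f"2026-02-10T09:00:{s:02d}", "10.0.0.5", "GET", "www.ndibstersoft.com",
               BEACON_PATH, _UA, ACCEPT_LANG, "https://www.google.com/", _COOKIE])
    for s in (0, 10, 20, 30)
] + [
    "\t".join(["2026-02-10T09:00:05", "10.0.0.7", "GET", "www.example.com", "/index.html",
               "Mozilla/5.0 Chrome/120", "en-US,en;q=0.9", "", ""]),
    "garbage line with no tabs",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

Scoring on several weak indicators rather than the C2 hostname alone matters here: the domain is the one value an operator can rotate cheaply, while the path, headers and cookie constants are baked into the implant's profile, and a steady 10-second gap between otherwise identical GETs is what separates a beacon from ordinary telemetry traffic.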
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (8 techniques)
"established persistence via a scheduled task named Application Maintenance"
"...leads to the execution of a PowerShell command... fetch a second-stage PowerShell script..."
"Shell Execute... spawns CMD... captures output"; "wraps in CMD /C <command>"
"After decryption, the Lua script is straightforward; its only purpose is to decode and execute embedded shellcode."
"walking the Process Environment Block to locate ntdll.dll and resolve four native API functions by hash"; "All API access is routed through an internal hash dispatch function"
"The malware leverages the persistent “ClickFix” social engineering tactic, which tricks users into manually executing malicious commands... Victims are presented with deceptive prompts instructing them to copy and paste specific PowerShell or Run dialog commands."
Persistence (2 techniques)
Privilege Escalation (3 techniques)
Stealth (5 techniques)
"...extract a password-protected archive (TMP412.7z with password...)... heavily padded with junk code... strings... encrypted... ChaCha20..."
"Steal Token... duplicates its token... applies it to the current thread"; "Credential Logon... LogonUserA... impersonates the resulting token"; "Revert to Self"
Credential Access (2 techniques)
Discovery (5 techniques)
"includes... the local IP address obtained via WSAIoctl"
"tab-delimited string of the computer name, username, and process filename"
Lateral Movement (1 technique)
Command and Control (7 techniques)
Step 5 - C2 Registration + EDR Enumeration T1071.001, T1518.001 | Malware Main module registers with C2 via Protobuf-over-HTTPS (ChaCha20 encrypted, 32-byte key + 12-byte nonce prepended). C2 traffic masquerades as Skype Desktop application.
"...AstarionRAT... including credential theft and SOCKS5 proxying."
"...msiexec command that fetches a payload from a newly registered domain."
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan delivered in current Matanbuchus campaigns. It supports 24 commands including shell execution, SOCKS5 proxying, port scanning, credential theft, reflective code loading, and file operations, with C2 traffic disguised as application telemetry.
A novel custom implant mentioned in connection with a prior ClickFix intrusion.
Remote access trojan distributed via ClickFix social-engineering; supports credential theft, SOCKS5 proxying, port scanning, reflective code loading, shell execution, and RSA-encrypted C2 disguised as application telemetry.
Custom remote access trojan/implant providing post-compromise capabilities including credential theft, proxying (SOCKS5), port scanning, reflective code loading, and command execution.