Violet RAT is a remote access trojan described in Securonix reporting on the SERPENTINE#CLOUD campaign as a largely stable inner payload repeatedly repackaged through an evolving multi-stage delivery pipeline. In the campaign, Violet RAT was one of several RAT families deployed in parallel alongside families including DcRat, PureHVNC, AsyncRAT, PureLogs, and VenomRAT. The malware is characterized in the reporting as a “120-command dispatcher,” and one observed reference identifies a C2 endpoint as vijdklet.duckdns.org on TCP port 7575.
High-confidence reporting places Violet RAT in a chain consisting of a batch stager downloading ZIP archives from disposable Cloudflare Tunnel infrastructure, Python loaders decrypting embedded shellcode, Donut shellcode bootstrapping the .NET CLR, and final .NET payload handoff. Across seven deployment waves over roughly 176 days, operators changed the outer loader stack multiple times while keeping inner RAT families such as Violet RAT largely unchanged. Delivery variants included Python loaders using RC4 or AES-256-CBC plus XOR, execution via in-process shellcode launch or APC/Early Bird APC injection into suspended notepad.exe or explorer.exe, and later Kramer-obfuscated Python bytecode disguised as .py files. On 2025-11-19 waves, Violet RAT was also delivered through a deeper seven-layer chain in which Kramer-decoded Python launched Donut v0.9.3 shellcode, which loaded a native x64 AES crypter PE that decrypted and launched a second Donut stage before loading the final .NET RAT assembly.
Campaign behaviors associated with Violet RAT delivery included AV-aware branching in batch stagers, persistence via Startup-folder scripts such as Shoopify.bat, anti-idle VBS scripts (PWS.vbs and pws1.vbs), AMSI and WLDP patching performed by Donut, anti-forensic cleanup of Python parent processes, and hidden staging directories under %USERPROFILE%\Contacts. The reporting emphasizes that the principal innovation in this activity was the polymorphic and operationally resilient staging pipeline rather than major changes to Violet RAT itself.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
11 distinct techniques documented for this family, organized by ATT&CK tactic.
The batch stagers are the initial execution layer. 29 .bat files recovered across six evidence directories deduplicate to 13 unique templates in four categories.
The ZIP contains a Python runtime and one or more loader scripts. Each loader decrypts embedded shellcode, and that shellcode bootstraps the .NET Common Language Runtime (CLR) to load the actual payload.
Injection technique: create a suspended notepad.exe , allocate RWX memory, write shellcode via WriteProcessMemory , queue an APC, resume the thread.
Injection technique: create a suspended notepad.exe , allocate RWX memory, write shellcode via WriteProcessMemory , queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection
Wave 4/5 introduces the deepest nesting observed in the campaign. The Nov19 Donut instances deliver native x64 PE wrappers instead of .NET assemblies directly... Layer 2: Kramer decode (hex -> unicode shift -> rotation -> RC4 -> base64)
Injection technique: create a suspended notepad.exe , allocate RWX memory, write shellcode via WriteProcessMemory , queue an APC, resume the thread.
Injection technique: create a suspended notepad.exe , allocate RWX memory, write shellcode via WriteProcessMemory , queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection
If detected, downloads abb11.zip (OBKS-only, Avast-safe profile). If not, downloads quz11.zip (full WBKS + BKSNO deployment).
Checks for AvastUI.exe and AVGUI.exe via tasklist. If detected, downloads abb11.zip (OBKS-only, Avast-safe profile). If not, downloads quz11.zip
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
See also: Violet RAT analysis
A RAT payload family repeatedly delivered via the campaign’s Python->Donut->.NET chain; described as a 120-command dispatcher.
Named as a related payload in the same breach-analysis series; no additional technical details provided in this content beyond being part of the broader campaign context.
A .NET RAT described as a 120-command dispatcher and one of the core payloads repeatedly repackaged in the campaign.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.