SoullessRAT
SoullessRAT is an obfuscated JavaScript remote access trojan observed in multi-stage intrusion chains attributed to the Versatile Werewolf cluster. It was delivered via the fake UAV training installer AlphaFlyInstallV1-2.msi distributed from alphafly-drones[.]com, a site that mimicked betaflight.com and reused media from obriy[.]airforce. In the documented infection chain, the MSI dropped a PowerShell loader and VBS launcher into %LOCALAPPDATA%\AlphaFlyNew, displayed a fake installation error, downloaded Node.js if needed, executed an obfuscated JavaScript loader, and then retrieved the final SoullessRAT payload from newfolder[.]click, including the observed URL pattern hxxps://newfolder[.]click/?cid=9ebeb834a451460e&mod=main. The malware was described as a final-stage JavaScript RAT previously seen in earlier Versatile Werewolf attacks and reportedly created using generative AI. Reported capabilities include file upload and download, module loading, PowerShell command execution, screenshot capture, system reconnaissance, logical volume enumeration, directory and file listing, Outlook data theft/harvesting, and self-termination. The broader campaign context involved lures themed around drone pilot training and targeted individuals and organizations connected to UAV activity; related reporting also places the wider Werewolf activity against government and industrial targets.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
This final stage payload is an obfuscated JavaScript RAT created using generative AI. We named this trojan SoullessRAT.
Malware family: SoullessRAT, delivered via fake AlphaFly installer in Eagle Werewolf multi-stage attack chain
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
A separate espionage campaign linked to the Eagle Werewolf cluster used Iraqi hosting on Regxa infrastructure to deploy multiple remote access tools via phishing lures based on Starlink registration and drone training themes.
Execution
6 techniques
The loader then fetches the Node.js interpreter (if it is not present in the system) and the next stage obfuscated JS script. Upon downloading all the components, the Node.js interpreter executes the JS script.
run-script.ps1, a PowerShell script to load and execute code via PowerShell. The file contains: powershell -w hidden -ep bypass -c "I''E''X...DOWNLOADDaTa(...)"
helper.vbs, a VBS file ... that executes run-script.ps1.
The obfuscated JS script is a loader used to gain a foothold in the compromised system and download the malware... This final stage payload is an obfuscated JavaScript RAT... SoullessRAT.
Upon execution, StarDebug_1.0.1.msi creates the directory %LOCALAPPDATA%\Star and extracts the following three files to it...
The URL hxxps://battleflight[.]org/download/installer hosted the executable BattleFlight-Install-v11.0.3.exe, a C# dropper disguised as an installer for a drone pilot training simulator.
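Defender-side triage for the chain described in the overview and the Execution excerpts above, as an added example that is not code from the page's sources or from Mallory: it normalises the quote-split IEX trick quoted from run-script.ps1, flags wscript/node.exe running scripts out of %LOCALAPPDATA%, and matches the observed newfolder[.]click URL shape, all over constructed sample telemetry. The node.exe location and the stage2.js file name are assumed placeholders, not values from the reporting.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample telemetry (not taken from the page's reports): process-creation
# records shaped like generic EDR/Sysmon fields, plus proxy-log URLs. The AlphaFlyNew
# directory and helper.vbs follow the page; node.exe path and stage2.js are placeholders.
EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\AlphaFlyNew\helper.vbs"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"I''E''X(...DOWNLOADDaTa(...))\""},
    {"image": r"C:\Users\u\AppData\Local\AlphaFlyNew\node.exe",
     "cmdline": r"node.exe C:\Users\u\AppData\Local\AlphaFlyNew\stage2.js"},
    {"image": r"C:\Program Files\nodejs\node.exe",  # benign developer use, must not fire
     "cmdline": r"node C:\dev\app\server.js"},
]
URLS = ["https://newfolder.click/?cid=9ebeb834a451460e&mod=main",
        "https://example.com/?cid=abc&mod=main"]

def normalize_ps(cmdline):
    """Undo the quote-splitting trick (I''E''X -> IEX) and lower-case for matching."""
    return cmdline.replace("''", "").replace('""', "").lower()

def is_hidden_bypass_download(cmdline):
    """Hidden window + ExecutionPolicy bypass + IEX over a Download* call, as in run-script.ps1."""
    s = normalize_ps(cmdline)
    return (re.search(r"-w(indowstyle)?\s+hidden", s) is not None
            and re.search(r"-e(xecutionpolicy|p)\s+bypass", s) is not None
            and ("iex" in s or "invoke-expression" in s)
            and re.search(r"download(data|string|file)", s) is not None)

def is_script_host_from_localappdata(image, cmdline):
    """wscript/cscript running a .vbs, or node.exe running a .js, out of %LOCALAPPDATA%."""
    exe = image.rsplit("\\", 1)[-1].lower()
    want = {"wscript.exe": ".vbs", "cscript.exe": ".vbs", "node.exe": ".js"}.get(exe)
    return (want is not None and want in cmdline.lower()
            and re.search(r"\\appdata\\local\\", cmdline, re.I) is not None)

def is_soullessrat_beacon(url):
    """Host newfolder[.]click with the observed ?cid=<16 hex>&mod=<name> shape; accepts defanged input."""
    parts = urlsplit(url.replace("hxxp", "http").replace("[.]", "."))
    q = parse_qs(parts.query)
    return (parts.hostname == "newfolder.click"
            and re.fullmatch(r"[0-9a-f]{16}", q.get("cid", [""])[0]) is not None
            and "mod" in q)

def triage(events, urls):
    """Return (rule, evidence) pairs; any one is a lead, together they reproduce the chain."""
    hits = [("ps_hidden_bypass_download", e["cmdline"]) for e in events if is_hidden_bypass_download(e["cmdline"])]
    hits += [("script_host_localappdata", e["cmdline"]) for e in events
             if is_script_host_from_localappdata(e["image"], e["cmdline"])]
    hits += [("soullessrat_c2_url", u) for u in urls if is_soullessrat_beacon(u)]
    return hits
```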
Stealth
4 techniques
The appwiz.cpl applet is packed with UPX and obfuscated with Oreans Code Virtualizer.
The dropper contains the EchoGather payload, which is Base64-encoded and XOR-encrypted.
BattleFlight-Install-v11.0.3.exe, a C# dropper disguised as an installer for a drone pilot training simulator.
the C# dropper contains the EchoGather payload, which is Base64-encoded and XOR-encrypted.
Discovery
2 techniques
EchoGather performs anti-virtualization checks, gathers system information, uploads it to the C2 server...
ScanFiles ... The following fields are sent to the endpoint /clients/files: fileName relativePath fullPath fileSize createdDate modifiedDate
Collection
3 techniques
Files, uploads a directory/file from the host to the C2 server.
Key capabilities of SoullessRAT ... downloads and runs modules for self-destruction, SSH, and data harvesting from the Outlook mail client
Command and Control
3 techniques
more than 1,350 active command-and-control (C2) servers were identified across 98 infrastructure providers in the region within just three months.
The loader then fetches the Node.js interpreter (if it is not present in the system) and the next stage obfuscated JS script.
Exfiltration
1 technique
The payload then enters an endless loop in which it connects to the C2 server, encodes the system information in Base64, and exfiltrates it via an HTTPS POST query.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan delivered via a fake AlphaFly installer as part of a multi-stage Eagle Werewolf attack chain.
Remote access trojan delivered via a fake AlphaFly installer in the observed campaign.
An obfuscated JavaScript RAT delivered through MSI, PowerShell, Node.js, and JS loaders. It can upload files, download and execute modules, harvest Outlook data, collect system information, execute commands including PowerShell, take screenshots, enumerate volumes and files, and self-terminate.
An obfuscated JavaScript RAT delivered through MSI, PowerShell, Node.js, and JS loader stages. Its documented capabilities include file upload/download, command execution, screenshot capture, system reconnaissance, Outlook data harvesting, and self-termination.