MalwareUsed by 1 actor

RatelS

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Ratel Master

RatelS (Ratel Master) ... msbtc.dat ○ エンコードされたMofu Loader ○ 内包したペイロードのRatelSを復号して実行する

via jsac jpcertjsac.jpcert.or.jp

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

4 techniques

T1027.007Dynamic API ResolutionEvidence1

Slides on '2nd Stage PE Loader (Mofu Loader)' state 'API Hashingのアルゴリズム(ror 12)と利用するAPIが同じ' and compare GroundPeony and RatelS loaders.

T1027.015CompressionEvidence1

The payload comparison slide states 'カスタムXOR + LZNT1で展開される2ndペイロード' for GroundPeony and RatelS.

T1140Deobfuscate/Decode Files or InformationEvidence1

Slides repeatedly note 'Load & Decrypt', including 'Decrypt by RC4 with hardcoded key', 'Decrypt by Custom Alg', and 'Decrypt by RC4 with key embedded in encrypted payload'. Examples include mic.doc, taskhask.doc, and msbtc.dat being decrypted before execution.

T1620Reflective Code LoadingEvidence1

The presentation labels Mofu Loader and Dracu Loader as '2nd Stage (in-memory PE loader)' and 'simple in-memory PE Loader', noting that shellcode decrypts and executes embedded PE payloads directly in memory.

Credential Access

1 technique

T1056.001KeyloggingEvidence1

A slide notes 'キーログ出力パスとファイル名が類似' when comparing HemiGate and RatelS.

Collection

1 technique

T1056.001KeyloggingEvidence1

A slide notes 'キーログ出力パスとファイル名が類似' when comparing HemiGate and RatelS.

Command and Control

3 techniques

T1001Data ObfuscationEvidence1

Slides describe 'カスタムXORのアルゴリズムが同じ ○ sub + xor + add' and 'Custom xor + LZNT1' used to unpack second-stage payloads, with PE magic values removed.

T1071.001Web ProtocolsEvidence1

Multiple slides compare HemiGate and RatelS communication implementations, including 'HTTPリクエストヘッダが類似' and proxy/authentication code similarities.

T1090ProxyEvidence1

A comparison slide states 'プロキシ情報を取得するコードが合致' for HemiGate and RatelS.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

jsac jpcertNews

May 26, 2026

A remote access backdoor used by the Ratel Master cluster. It is delivered via DLL side-loading, with Mofu Loader decrypting and loading the payload. The malware uses RC4-protected stages and shows implementation similarities with HemiGate and PlugX, including communications, keylogging-related behavior, config structure, and module mapping.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.