
SmartRAT


MITRE ATT&CK: techniques and procedures

27 distinct techniques are documented for this family, organized by ATT&CK tactic. A technique that serves more than one tactic (for example the MicrosoftEdgeUpdateCore scheduled task, which is both persistence and privilege escalation) is listed under each tactic with the same evidence, so the per-tactic counts below add up to more than 27.

Initial Access (2 techniques)

T1566 Phishing (evidence: 1)

ThreatLabz observed threat actors using a webpage, likely generated with AI, that impersonates a Brazilian bank, combined with a ClickFix lure (a fake CAPTCHA followed by a full-screen fake BSOD/system-recovery prompt) to pressure victims into running a PowerShell command.

T1566.003 Spearphishing via Service (evidence: 1)

DisplayOverlay: renders full-screen fake overlays, including Windows Update, BSOD, and bank-branded security screens for major Brazilian banks. dataEntry: shows a branded bank input form and captures what the victim types. Note that these overlays are produced by the implant after compromise; they continue the bank-impersonation theme of the lure but are not themselves a delivery channel, so the fit with T1566.003 (phishing delivered through a third-party service) is loose.

Execution (5 techniques)

T1053 Scheduled Task/Job (evidence: 1)

Attempts to establish persistence by creating a logon-triggered scheduled task named MicrosoftEdgeUpdateCore.

T1053.005 Scheduled Task (evidence: 1)

Attempts to establish persistence by creating a logon-triggered scheduled task named MicrosoftEdgeUpdateCore.

T1059 Command and Scripting Interpreter (evidence: 2)

The evidence recorded here is ATT&CK's generic description (use built-in interpreters such as PowerShell to run malicious commands or scripts); the SmartRAT-specific procedure is the PowerShell stager chain under T1059.001.

T1059.001 PowerShell (evidence: 2)

If a user pastes it into the Windows Run dialog, the command downloads and executes the next stage by retrieving st.txt from 64[.]95[.]13[.]238... The decrypted blob is a PowerShell RAT that ThreatLabz named SmartRAT.

T1569.002 Service Execution (evidence: 1)

If UAC elevation is approved, SmartRAT compiles inline C# service code with csc.exe and installs a Windows service named MicrosoftEdgeUpdateCore under %ProgramData%\Microsoft\Diagnosis\ETW. The service is configured to run as SYSTEM.

Persistence (4 techniques)

T1053 Scheduled Task/Job (evidence: 1)

Attempts to establish persistence by creating a logon-triggered scheduled task named MicrosoftEdgeUpdateCore.

T1053.005 Scheduled Task (evidence: 1)

Attempts to establish persistence by creating a logon-triggered scheduled task named MicrosoftEdgeUpdateCore.

T1543.003 Windows Service (evidence: 2)

Attempts to establish persistence by creating a logon-triggered scheduled task named MicrosoftEdgeUpdateCore... If UAC elevation is approved, SmartRAT compiles inline C# service code with csc.exe and installs a Windows service named MicrosoftEdgeUpdateCore... configured to run as SYSTEM.

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

If task creation fails, it falls back to registry-based persistence by writing a MicrosoftEdgeUpdateCore value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that launches a PowerShell command to re-execute SmartRAT. Because the value lives in HKCU, this fallback only fires when that particular user logs on.
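The three persistence paths above (logon-triggered task, HKCU Run fallback, SYSTEM service) share one masquerading name, MicrosoftEdgeUpdateCore, and one drop directory under %ProgramData%\Microsoft\Diagnosis\ETW, which makes a host-side hunt simple. The PowerShell below is an added example written for this page; it is not SmartRAT code and not a Mallory detection. The artifact names and path come from the evidence above; the cmdlets used, the choice to sweep every loaded user hive, and the file extensions treated as suspicious in the drop directory are assumptions about a stock Windows 10/11 host.

```powershell
# Added example: hunt the SmartRAT persistence artifacts documented on this page.
# Run from an elevated PowerShell 5.1+ session. Names/path are from the report;
# the checks themselves are an assumption about what a clean host looks like.
$Name    = 'MicrosoftEdgeUpdateCore'
$DropDir = Join-Path $env:ProgramData 'Microsoft\Diagnosis\ETW'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# 1. Scheduled task with the masquerading name (the report says it is logon-triggered).
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskName -eq $Name } | ForEach-Object {
    $trig = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
    $act  = ($_.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) triggers=[$trig] action=[$act]"
}

# 2. Run-key fallback. HKCU only covers the user running this script, so also walk
#    every hive currently loaded under HKEY_USERS (assumption: that is sufficient for
#    a live host; offline hives would need to be loaded separately).
if (-not (Test-Path 'HKU:\')) { $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS }
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') +
    (Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run" })
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) {
        Add-Finding 'RunKey' "$k\$Name = $($props.$Name)"
    }
}

# 3. Service with the masquerading name, or any service whose binary lives in the drop dir.
Get-CimInstance Win32_Service | Where-Object {
    $_.Name -eq $Name -or $_.DisplayName -eq $Name -or ($_.PathName -and $_.PathName -like "*$DropDir*")
} | ForEach-Object {
    Add-Finding 'Service' "$($_.Name) state=$($_.State) start=$($_.StartMode) account=$($_.StartName) path=$($_.PathName)"
}

# 4. The drop directory. Windows keeps .etl trace data there; executables or scripts
#    under it are unexpected (assumption used as the suspicious-file heuristic).
if (Test-Path $DropDir) {
    Get-ChildItem $DropDir -Recurse -File -Include *.exe,*.dll,*.ps1,*.cs,*.bat -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'DropDir' "$($_.FullName) size=$($_.Length) mtime=$($_.LastWriteTimeUtc)" }
}

if ($findings.Count -eq 0) { 'No SmartRAT persistence artifacts found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Check 4 is the one most likely to survive a rename: an operator can change the task or service name in a new build far more cheaply than the inline-compiled service can move out of a directory that the SYSTEM installer is hard-coded to use, so keep the path check even if the name matches nothing.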

Privilege Escalation (6 techniques)

T1053 Scheduled Task/Job (evidence: 1)

Attempts to establish persistence by creating a logon-triggered scheduled task named MicrosoftEdgeUpdateCore.

T1053.005 Scheduled Task (evidence: 1)

Attempts to establish persistence by creating a logon-triggered scheduled task named MicrosoftEdgeUpdateCore.

T1134 Access Token Manipulation (evidence: 1)

SmartRAT also compiles another C# component that uses DuplicateTokenEx and CreateProcessAsUser to spawn a new PowerShell process in the current user's session, even when the RAT is running as SYSTEM. (The direction here is SYSTEM to user, which gives the implant an interactive desktop for its overlays and input capture rather than higher privileges.)

T1543.003 Windows Service (evidence: 2)

Attempts to establish persistence by creating a logon-triggered scheduled task named MicrosoftEdgeUpdateCore... If UAC elevation is approved, SmartRAT compiles inline C# service code with csc.exe and installs a Windows service named MicrosoftEdgeUpdateCore... configured to run as SYSTEM.

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

If task creation fails, it falls back to registry-based persistence by writing a MicrosoftEdgeUpdateCore value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that launches a PowerShell command to re-execute SmartRAT.

T1548 Abuse Elevation Control Mechanism (evidence: 1)

Prompts for User Account Control (UAC) elevation. If UAC elevation is approved... installs a Windows service... If UAC elevation is denied... launches a hidden PowerShell process that skips its own elevation branch and beacons to the C2 without administrative rights. Note that this is a consent prompt, not a UAC bypass: the implant gets SYSTEM only if the victim clicks through.

Defense Evasion (5 techniques)

T1027 Obfuscated Files or Information (evidence: 1)

SmartRAT decrypts two C2 server configurations. The first is decrypted using a single-byte XOR with the key 2... The fallback C2 is an IP address that is decrypted using a single-byte XOR with the key 233.
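The two XOR keys above are all the page gives; the obfuscated blobs themselves are not reproduced. The PowerShell below is an added example for this page, not SmartRAT code: it decodes a blob with each candidate key and keeps the first result that looks like a C2 endpoint, which is how an analyst would triage a recovered configuration when it is unclear which key applies to which blob. The sample blobs are constructed here by obfuscating made-up values with the same scheme, and the plausibility regex (host or IPv4, optional port) is an assumption.

```powershell
# Added example: recover single-byte-XOR C2 configuration values.
# Keys 2 and 233 are from the report; the blobs below are constructed.
function Invoke-XorBytes([byte[]]$Data, [byte]$Key) {
    [byte[]]($Data | ForEach-Object { $_ -bxor $Key })
}

# Assumption: a decoded C2 value is a hostname or IPv4, optionally ":port".
function Test-LooksLikeC2([string]$Candidate) {
    $Candidate -match '^(?:[A-Za-z0-9.-]+|\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?$'
}

function Resolve-SmartRatConfig([byte[]]$Blob, [byte[]]$CandidateKeys = @(2, 233)) {
    foreach ($k in $CandidateKeys) {
        # Wrong key leaves bytes >= 0x80, which ASCII decoding turns into '?',
        # so the regex rejects it without any special casing.
        $txt = [Text.Encoding]::ASCII.GetString((Invoke-XorBytes $Blob $k))
        if (Test-LooksLikeC2 $txt) {
            return [pscustomobject]@{ Key = $k; Value = $txt }
        }
    }
    return $null   # nothing plausible: the keys or the scheme changed in this build
}

# Constructed samples (documentation addresses, not real SmartRAT infrastructure).
$primaryBlob  = Invoke-XorBytes ([Text.Encoding]::ASCII.GetBytes('c2.example.test:51888')) 2
$fallbackBlob = Invoke-XorBytes ([Text.Encoding]::ASCII.GetBytes('192.0.2.10')) 233

Resolve-SmartRatConfig $primaryBlob      # Key 2,   Value c2.example.test:51888
Resolve-SmartRatConfig $fallbackBlob     # Key 233, Value 192.0.2.10
```

If a future sample returns null for both blobs, try the full 0..255 keyspace with the same plausibility test before assuming the scheme changed; single-byte XOR is cheap enough to brute-force in a loop.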

T1036 Masquerading (evidence: 2)

The evidence recorded here is ATT&CK's generic description (masquerade artifacts, e.g. rename malware to svchost.exe, to appear legitimate and evade monitoring). The SmartRAT-specific instances elsewhere on this page are the Microsoft Edge updater name (MicrosoftEdgeUpdateCore) reused for the scheduled task, the Run value, and the service, and the service binary placed under %ProgramData%\Microsoft\Diagnosis\ETW.

T1070.004 File Deletion (evidence: 1)

0xA2 SystemCommand... uninstall: complete self-removal; deletes the service, scheduled tasks, registry keys, and all files, then exits.

T1134 Access Token Manipulation (evidence: 1)

SmartRAT also compiles another C# component that uses DuplicateTokenEx and CreateProcessAsUser to spawn a new PowerShell process in the current user's session, even when the RAT is running as SYSTEM.

T1564 Hide Artifacts (evidence: 1)

The malware uses port 51888 for communication. SmartRAT also hides the running PowerShell window by calling ShowWindow from user32.dll.
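The two observables in the last entry, a fixed port and a console window hidden through ShowWindow, can be checked together on a live host. The PowerShell below is an added example for this page, not SmartRAT code and not a Mallory detection. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection exists), an elevated session so that owning processes resolve for every user, and that a hidden window is a corroborating signal rather than proof: -WindowStyle Hidden and service-hosted PowerShell also report no main window.

```powershell
# Added example: live triage for port 51888 traffic and hidden PowerShell consoles.
# Port value from the report; process-inspection approach is an assumption.
$SuspectPort = 51888

function Get-ProcessFacts([int]$ProcessId) {
    $p  = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $wp = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
    # ShowWindow(SW_HIDE) on the console leaves no visible top-level window, so
    # .NET reports MainWindowHandle 0. Other headless launches look the same.
    $image  = if ($p)  { $p.ProcessName } else { '?' }
    $hidden = if ($p)  { $p.MainWindowHandle -eq 0 } else { $null }
    $parent = if ($wp) { $wp.ParentProcessId } else { $null }
    $cmd    = if ($wp) { $wp.CommandLine } else { $null }
    [pscustomobject]@{
        Pid = $ProcessId; Image = $image; HiddenWindow = $hidden
        ParentPid = $parent; CommandLine = $cmd
    }
}

# 1. Any TCP connection involving the suspect port, mapped to its owning process.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq $SuspectPort -or $_.LocalPort -eq $SuspectPort } |
    ForEach-Object {
        $facts = Get-ProcessFacts $_.OwningProcess
        $facts | Add-Member -NotePropertyName Remote -NotePropertyValue "$($_.RemoteAddress):$($_.RemotePort)"
        $facts | Add-Member -NotePropertyName State  -NotePropertyValue $_.State
        $facts
    }

# 2. Independently of the port: PowerShell processes with no visible window, for review.
#    Expect noise from legitimate scheduled scripts; the command line and parent decide.
Get-Process -Name powershell, pwsh -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object { Get-ProcessFacts $_.Id }
```

For retrospective hunting the same pair of signals maps onto Sysmon Event ID 3 (network connection) filtered on DestinationPort 51888 with Image ending in powershell.exe; a fixed port is a weak indicator on its own, so pair it with the persistence names above before paging anyone.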

Credential Access (2 techniques)

T1056 Input Capture (evidence: 1)

NativeInput: handles mouse and keyboard input, including freezing the victim's input.

T1056.001 Keylogging (evidence: 2)

InputTracker: a high-priority keylogger that monitors all keystrokes... 0x70 InputTrackStart: start the keylogger thread.

Discovery (4 techniques)

T1007 System Service Discovery (evidence: 1)

0xB3 ServiceList: return the list of Windows services.

T1057 Process Discovery (evidence: 1)

0xB2 ProcessList: return the list of running processes.

T1082 System Information Discovery (evidence: 2)

GuestInfo (type 0xE6): sends a victim-profile JSON (OS, username, host, privilege level, session ID, install token, HMAC).

T1083 File and Directory Discovery (evidence: 1)

0x50 FileList: browse the victim's filesystem.

Collection (4 techniques)

T1056 Input Capture (evidence: 1)

NativeInput: handles mouse and keyboard input, including freezing the victim's input.

T1056.001 Keylogging (evidence: 2)

InputTracker: a high-priority keylogger that monitors all keystrokes... 0x70 InputTrackStart: start the keylogger thread.

T1113 Screen Capture (evidence: 2)

Automatic screen streaming: captures and streams screenshots to the operator at configurable intervals.

T1115 Clipboard Data (evidence: 2)

0x40 Clipboard: copy content to the victim's clipboard (can be AES-encrypted). As described, this command writes to the clipboard (useful for swapping a pasted payment destination) rather than reading it; the page records no separate clipboard-read command.

Command and Control (3 techniques)

T1001 Data Obfuscation (evidence: 1)

The encryption and decryption of C2 command traffic is handled by the following two functions... Uses AES-CBC to encrypt plaintext... The IV and ciphertext are each hex-encoded separately and returned as a colon-delimited string.
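The wire format described above is simple enough to reproduce, which is what an analyst needs in order to decrypt captured C2 traffic once a key has been recovered from a sample. The PowerShell below is an added example for this page and not SmartRAT's own functions. Only the layout (AES-CBC, IV and ciphertext hex-encoded separately, joined with a colon) comes from the page; the key length (32 bytes), PKCS7 padding, UTF-8 plaintext, and the demo key are assumptions.

```powershell
# Added example: the "ivhex:cthex" AES-CBC message format described on this page.
# Key length, padding and encoding are assumptions; the key below is made up.
function ConvertTo-HexString([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}
function ConvertFrom-HexString([string]$Hex) {
    if ($Hex.Length -eq 0) { return [byte[]]@() }
    if ($Hex.Length % 2)   { throw "odd-length hex string" }
    [byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) })
}

function New-AesCbc([byte[]]$Key) {
    if ($Key.Length -notin 16, 24, 32) { throw "AES key must be 16, 24 or 32 bytes" }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7   # assumption
    $aes.Key     = $Key
    $aes
}

function Protect-C2Message([string]$Plaintext, [byte[]]$Key) {
    $aes = New-AesCbc $Key
    try {
        $aes.GenerateIV()                                   # fresh random IV per message
        $pt = [Text.Encoding]::UTF8.GetBytes($Plaintext)
        $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
        (ConvertTo-HexString $aes.IV) + ':' + (ConvertTo-HexString $ct)
    } finally { $aes.Dispose() }
}

function Unprotect-C2Message([string]$Blob, [byte[]]$Key) {
    $parts = $Blob.Split(':')
    if ($parts.Count -ne 2) { throw "expected 'ivhex:cthex', got $($parts.Count) fields" }
    $iv = ConvertFrom-HexString $parts[0]
    $ct = ConvertFrom-HexString $parts[1]
    if ($iv.Length -ne 16) { throw "IV must be 16 bytes, got $($iv.Length)" }
    $aes = New-AesCbc $Key
    try {
        $aes.IV = $iv
        # A wrong key almost always surfaces here as a CryptographicException
        # from the padding check, which is a usable "is this the right key" test.
        $pt = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
        [Text.Encoding]::UTF8.GetString($pt)
    } finally { $aes.Dispose() }
}

# Demo with a constructed key; the real key is not on this page.
$key  = [byte[]](1..32)
$blob = Protect-C2Message '{"type":"GuestInfo","host":"WS01"}' $key
$blob                              # e.g. 3f9a...:c41e...  (IV differs every run)
Unprotect-C2Message $blob $key     # {"type":"GuestInfo","host":"WS01"}
```

Two things worth noting when replaying captures: the format as described carries no MAC over the ciphertext, so unless the real implementation authenticates elsewhere (the GuestInfo profile mentions an HMAC, but over the profile, not over this envelope) the channel is malleable; and because the IV is sent in the clear per message, decrypting a pcap needs only the key, not any per-session state.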

T1071 Application Layer Protocol (evidence: 2)

The evidence recorded here is ATT&CK's generic description (use standard protocols such as HTTP, DNS or SMB for C2 to blend with normal traffic). The page does not name the protocol SmartRAT uses; the concrete details it does record are the fixed port 51888 and the AES-CBC message encoding under T1001.

T1219 Remote Access Tools (evidence: 2)

SmartRAT is a PowerShell-based banking RAT used for remote access and financial data theft... supports encrypted C2 communications and remote control (screen, keyboard, mouse).

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 1)

The information captured in the overlay form is then exfiltrated to the SmartRAT C2... 0x54 FileDownload: exfiltrate a file (up to 50 MB).

INDICATORS OF COMPROMISE

7 indicators are tracked for this family across vendor reports, sandbox runs, and researcher write-ups. Full values are withheld from this public page.

Network (4 tracked): IPs, domains, and DNS infrastructure linked to this family.

Other (3 tracked): other indicator types observed in public reporting.

The public table shows only the indicator types (six rows: ip.v4, domain, ip.v4, domain, uri, uri; the seventh is not rendered here), with values redacted and a "latest sighting" that is relative to page-render time. The one network indicator that appears in plain text elsewhere on this page is the stager host 64[.]95[.]13[.]238 serving st.txt (see T1059.001).