New Remote Access Trojans Expand Stealth and Surveillance Capabilities
Threat researchers reported multiple remote access trojan (RAT) developments that emphasize stealth, surveillance, and post-exploitation flexibility. A new Remcos RAT variant was observed adding real-time surveillance features (including on-demand webcam streaming) and keystroke transmission, while improving evasion through modular DLL plugins, encrypted C2 with in-memory-only config decryption, and dynamic API resolution; it also attempts to reduce forensic artifacts by deleting collected data (e.g., screenshots, audio, keylogging output, cookies) and removing persistence-related registry entries.
Separately, Elastic detailed a ClickFix social-engineering campaign that uses compromised legitimate websites as delivery infrastructure to deploy a previously undocumented Windows RAT dubbed MIMICRAT (AstarionRAT). The intrusion chain includes a multi-stage PowerShell flow with ETW and AMSI bypass, a Lua-based shellcode loader, and HTTPS C2 on port 443 using traffic patterns designed to resemble web analytics; the implant supports token impersonation, SOCKS5 tunneling, and a broad command set, with suspected end goals of ransomware deployment or data theft. In parallel mobile-focused reporting, Zimperium described ZeroDayRAT, a cross-platform Android/iOS spyware-style RAT distributed via social engineering and sideloaded apps, enabling screen capture, keylogging, and credential/file exfiltration, highlighting continued convergence of surveillance and remote-control capabilities across endpoints.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers report enhanced surveillance features in new Remcos RAT variant
Point Wild's Lat61 Threat Intelligence Team reported a new Remcos RAT variant with expanded surveillance features such as real-time keystroke transmission and live webcam streaming. The variant also adds stealth improvements including modular DLL plugins, encrypted C2, in-memory decryption, dynamic API resolution, and artifact cleanup.
Elastic discloses ClickFix campaign delivering newly documented MIMICRAT
Elastic Security Labs disclosed a ClickFix campaign using compromised legitimate websites, including bincheck[.]io, to deliver a previously undocumented RAT called MIMICRAT, also known as AstarionRAT. The infection chain uses fake Cloudflare verification prompts and multi-stage PowerShell, Lua, and shellcode components to install a C++ implant designed for stealthy post-exploitation.
Researchers identify ZeroDayRAT mobile spyware targeting Android and iOS
Zimperium researchers reported a new cross-platform mobile remote access trojan called ZeroDayRAT that targets both Android and iOS devices. The malware is described as being spread through social-engineering lures and sideloaded apps, with capabilities including screen capture, keylogging, and theft of files and credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Updated Remcos RAT features enhanced surveillance | SC Media
scworld.com
Open sourceClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT
thehackernews.com
Open source“ZeroDayRAT” Emergence Signals Advanced Mobile Spyware Threats
zimperium.com
Open source“ZeroDayRAT” Emergence Signals Advanced Mobile Spyware Threats
zimperium.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Resoker and CrySome RATs Expand Windows Remote Access and Evasion Capabilities
Security researchers detailed two Windows-focused remote access trojans, **ResokerRAT** and **CrySome RAT**, that use different command-and-control approaches while emphasizing stealth and persistent access on compromised systems. ResokerRAT was reported abusing the **Telegram API** as its control channel, allowing operators to issue commands to infected Windows hosts through a legitimate messaging platform and blend malicious traffic with normal network activity. Analysis described capabilities associated with remote command execution, host control, and data handling, highlighting Telegram-based C2 as a low-cost and resilient mechanism for managing infections. CrySome RAT was separately identified as an advanced **.NET** malware family with a broader feature set aimed at long-term compromise and operator concealment. Researchers said the malware includes **AV-killer** functionality to disable security tools and **HVNC** support, enabling attackers to interact with victim machines through hidden virtual desktop sessions without alerting users. Together, the reports show continued development of commodity and advanced RAT tooling for Windows environments, with threat actors combining trusted services, defense evasion, and covert remote-control features to improve persistence and reduce detection.
Jun 22, 2026
Multiple Remote Access Trojan Campaigns Target Windows and Android via Phishing, App Stores, and Social Platforms
Threat researchers reported several unrelated **RAT-focused malware campaigns** using different delivery channels and evasion techniques. **DEAD#VAX** was described as a Windows phishing operation that delivers **AsyncRAT** via purchase-order lures, abusing **IPFS-hosted VHD** files disguised as PDFs; the mounted VHD drops a multi-stage chain using **WSF**, heavily obfuscated batch scripts, and PowerShell loaders to decrypt and execute x64 shellcode **in memory** by injecting into trusted Windows processes, minimizing on-disk artifacts. Separately, analysis of **Pulsar RAT** activity described persistence via the per-user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), an obfuscated batch dropper in *AppData*, PowerShell-based staging, and **Donut-generated shellcode** injection into processes such as `explorer.exe`, with anti-analysis features and data theft (credentials, wallets, tokens) exfiltrated via **Discord webhooks**. On Android, two distinct campaigns were highlighted. **Anatsa** banking malware was found distributed through **Google Play** in a trojanized “document reader” app that exceeded **50,000 downloads** before detection; the initial app acts as a loader that retrieves the full banking trojan and supports credential theft and C2-driven actions, with reporting attributing discovery and tracking to **Zscaler ThreatLabz**. **Arsink RAT** was reported spreading primarily via **Telegram/Discord** and file-sharing sites (e.g., MediaFire) through fake “mod/pro” apps impersonating major brands; research attributed to **Zimperium** cited **~45,000** victim IPs across **143 countries**, **1,216** malicious APKs, and **317** Firebase Realtime Database C2 endpoints, with capabilities including SMS/OTP theft, call log and contact harvesting, location tracking, and microphone audio capture.
Mar 21, 2026
Social-engineering malware campaigns delivering remote-access trojans and backdoors
Recent reporting highlights multiple **social-engineering-driven malware delivery** efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed **counterfeit adult games** via popular “webhard” file-sharing services; victims received a ZIP containing a decoy `Game.exe` launcher that stages additional components (`Data1.Pak`, `Data2.Pak`, `Data3.Pak`) and ultimately injects **QuasarRAT** (aka **xRAT**), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as `GoogleUpdate.exe` and `WinUpdate.db`, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection. Separately, a spear-phishing campaign weaponized news about a purported **Nicolás Maduro arrest** to deliver a **backdoor**: emails carried a ZIP with a lure executable (`Maduro to be taken to New York.exe`) alongside a malicious DLL (`kuguo.dll`) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to `C:\ProgramData\Technology360NB`, persistence via an auto-start renamed binary (`DataTechnology.exe`), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with **Mustang Panda** but said attribution was not yet confirmed. A separate research note described **GravityRAT** reemerging as a multi-platform RAT with expanded **Android** targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
Mar 21, 2026