Malware Families

Ares RAT

Ares RAT is a Remote Access Trojan (RAT) that allows cybercriminals to gain full control over an infected system. It is commonly used for espionage, data theft, and deploying additional malware. Ares RAT is an open-source project, which makes it accessible to both ethical hackers and malicious actors.

Features of Ares RAT:

  • Remote desktop control – full access to the victim’s screen.
  • Keylogging – records keystrokes to steal passwords and sensitive data.
  • File management – allows attackers to upload, download, and execute files remotely.
  • Process and task management – attackers can terminate or create processes.
  • Credential theft – extracts stored passwords from browsers and applications.
  • Webcam & microphone recording – spies on the victim’s surroundings.
  • Persistence – ensures the malware stays active after system reboots.

AMOS

AMOS (Atomic macOS Stealer) is further proof that macOS is no longer an “impregnable fortress” against cybercriminals. Many Mac users mistakenly believe that viruses and malware for this operating system are almost non-existent, which only contributes to the success of such attacks.

What makes AMOS particularly dangerous:

  • It is actively evolving — its creators continuously update it, adding new features and improving evasion techniques.
  • It’s easy to “catch” — it spreads through fake applications and fraudulent updates that look highly convincing.
  • It steals critically important data — logins, passwords, cryptocurrency wallets, and files, which can lead to serious financial losses or leaks of confidential information.

The main takeaway: macOS security now depends not only on Apple but also on the users themselves. It’s time to stop blindly trusting the “safety” of Macs and start implementing basic cybersecurity measures—installing software only from trusted sources, keeping the system updated, using antivirus software, and enabling two-factor authentication. AMOS is a clear signal that it’s time to rethink our approach to security.

AsyncRAT

AsyncRAT is a Remote Access Trojan (RAT) designed for stealthy remote control over infected systems. It is often used by cybercriminals for espionage, data theft, and deploying additional malware.

Capabilities of AsyncRAT:

  • File manipulation – uploads, downloads, and executes files remotely.
  • Credential theft – extracts stored passwords and sensitive data.
  • Remote Shell Execution – allows attackers to execute commands on the victim’s system.
  • Persistence mechanisms – ensures the malware remains active even after system reboots.
  • Screen and webcam capture – monitors the victim’s activity.
  • Keylogging – records keystrokes to steal credentials.

BitRAT

BitRAT is a Remote Access Trojan (RAT) used by attackers to remotely control infected devices.

BitRAT capabilities:

  • Data theft: logins, passwords, information from browsers.
  • Keylogger: recording user-entered data.
  • Screen and webcam capture.
  • Cryptocurrency mining.
  • Downloading and executing other malicious programs.
  • Remote system management (files, processes, registry, etc.).

Brute Ratel C4

Brute Ratel C4 (BRC4) is an advanced adversary simulation and red-teaming framework, similar to Cobalt Strike. Originally designed for cybersecurity professionals, it has been weaponized by threat actors for stealthy cyberattacks. Unlike traditional malware, BRC4 is built to bypass endpoint detection and response (EDR) systems, making it a potent tool for advanced persistent threats (APTs).

Key Features of BRC4:

  • EDR & Antivirus Evasion – Uses sophisticated techniques to avoid detection by security solutions.
  • Payload Delivery – Supports multiple execution methods, including PowerShell and shellcode injection.
  • Command & Control (C2) – Provides flexible communication channels for attackers.
  • Credential Dumping & Privilege Escalation – Can extract credentials and escalate privileges stealthily.
  • Fileless Execution – Runs in memory to reduce disk footprint, making detection harder.

Caldera

Caldera is an open-source, automated adversary emulation platform developed by MITRE. While it is not inherently malware, it can be weaponized by threat actors for malicious purposes. Originally designed for red teaming and cybersecurity research, Caldera enables users to simulate real-world cyberattacks and automate post-exploitation tasks.

Key Features of Caldera:

  • Automated Adversary Emulation – Simulates the tactics, techniques, and procedures (TTPs) of real-world attackers.
  • Modular & Extensible – Uses plugins and agents (like the Manx agent) to execute commands on compromised systems.
  • Post-Exploitation Capabilities – Can escalate privileges, exfiltrate data, move laterally, and persist on networks.
  • Built-in MITRE ATT&CK Integration – Aligns with the ATT&CK framework to help security teams understand and counter threats.
  • Command & Control (C2) – Supports communication between compromised hosts and the attacker’s infrastructure.

Cobalt Strike

Cobalt Strike is a legitimate red-team tool designed for penetration testing, but it has been widely abused by cybercriminals and advanced persistent threat (APT) groups. It provides a powerful Command & Control (C2) framework that enables attackers to deploy payloads, escalate privileges, move laterally, and evade detection within compromised networks.

Key Features:

  • Beacon Payload – The primary backdoor used for covert communication with the attacker’s C2 server.
  • EDR & Antivirus Evasion – Uses obfuscation and fileless execution to bypass security defenses.
  • Lateral Movement – Exploits protocols like SMB, RDP, and WMI to spread across networks.
  • Credential Theft – Uses Mimikatz integration to dump Windows credentials.
  • Post-Exploitation Framework – Enables persistence, keylogging, and privilege escalation on compromised systems.

Covenant

Covenant is an open-source Command & Control (C2) framework designed for red team operations and penetration testing, but it has been increasingly misused by cybercriminals. It provides stealthy payload execution, post-exploitation capabilities, and remote administration, making it a powerful tool for adversaries.

Key Features:

  • Encrypted C2 Communications – Supports HTTPS and DNS-based C2, making detection more difficult.
  • Cross-Platform C2 – Written in .NET Core, allowing execution on Windows, Linux, and macOS.
  • Grunt Agents – Modular payloads that operate similarly to Cobalt Strike Beacons, enabling stealthy communication with the attacker’s server.
  • Evasion Techniques – Uses in-memory execution and obfuscation to bypass endpoint detection and response (EDR).
  • Lateral Movement – Enables credential dumping, privilege escalation, and network discovery.

DarkComet

DarkComet is a Remote Access Trojan (RAT) originally developed as a legitimate remote administration tool but later exploited by cybercriminals for malicious activities. It allows attackers to remotely control infected systems, steal sensitive data, and execute commands stealthily.

Key Features of DarkComet:

  • Persistence Mechanisms – Uses registry modifications and startup entries to maintain access.
  • Remote Desktop Control – Allows attackers to view and control the infected system.
  • Keylogging & Credential Theft – Captures keystrokes, enabling theft of passwords and other sensitive data.
  • File Management – Upload, download, and delete files remotely.
  • Process & Registry Manipulation – Can modify system settings and execute programs silently.
  • Spy Functions – Can turn on the victim’s webcam and microphone without their knowledge.

DcRAT

DcRAT is a Remote Access Trojan (RAT) written in C#, designed to provide full control over infected machines. Originally marketed as a “legitimate” remote administration tool, it has been widely used by cybercriminals for espionage, data theft, and botnet operations.

Key Features of DcRAT:

  • Command & Control (C2) Communication – Uses encrypted connections over HTTP, WebSockets, or TCP to avoid detection.
  • Modular & Lightweight – Small in size but capable of advanced malicious operations.
  • Keylogging & Credential Theft – Logs keystrokes and steals saved passwords from browsers and applications.
  • Remote File Execution & Management – Allows attackers to upload, download, delete, and execute files remotely.
  • Persistence Mechanisms – Modifies registry keys, startup folders, and scheduled tasks to survive reboots.
  • Process & System Control – Can terminate processes, manipulate the registry, and execute system commands.
  • Webcam & Microphone Spying – Enables attackers to record audio and video from the victim’s device.

GoPhish

GoPhish is an open-source phishing framework used primarily for simulated phishing campaigns to train organizations on how to recognize and respond to phishing attacks. However, while it is a legitimate tool for ethical hackers and security professionals, it has been increasingly exploited by cybercriminals to carry out real-world phishing attacks, often as part of social engineering campaigns to steal sensitive information.

Key Features:

  • Integration with Other Tools – Can be combined with malware payloads or remote access tools to further compromise systems once the victim is tricked.
  • Phishing Campaign Automation – Allows attackers to send large numbers of targeted phishing emails with customized content.
  • Credential Harvesting – Can be used to create fake login pages that capture usernames and passwords when victims enter their information.
  • Detailed Tracking & Reporting – Tracks when and where emails are opened, when links are clicked, and when credentials are submitted.
  • Customizable Templates – Provides tools to craft realistic-looking phishing emails and landing pages that can trick users into providing credentials.

Havoc

Havoc is an advanced Command & Control (C2) framework that is often used in red teaming and penetration testing, but like many such tools, it has been weaponized by threat actors for malicious purposes. It provides attackers with the ability to control compromised systems remotely and conduct post-exploitation activities, making it a significant threat if used in cyberattacks.

Key Features:

  • Stealthy Persistence – Uses techniques like modifying startup entries, scheduled tasks, and registry keys to ensure the attacker maintains access even after reboots.
  • Cross-Platform Support – Built using Go (Golang), allowing it to run on Windows, Linux, and macOS.
  • Modular Payloads – Can execute payloads to perform actions like data exfiltration, lateral movement, and credential dumping.
  • C2 Communication – Supports encrypted communications over HTTPS, DNS, and custom ports to avoid detection by security systems.
  • Fileless Execution – Havoc can run in-memory to reduce the footprint on disk and avoid detection by antivirus or endpoint detection tools.
  • Privilege Escalation & Lateral Movement – Can exploit Windows services and network shares to escalate privileges and move across the network.

HookBot

HookBot is a type of Remote Access Trojan (RAT) primarily designed to give attackers control over infected systems. It is often used for data theft, credential harvesting, and botnet activities. HookBot is known for its ability to hook into processes and execute commands without detection, which makes it difficult to analyze and stop using traditional methods.

Key Features:

  • System Monitoring – Can monitor the infected system’s activities, take screenshots, and even activate the camera for surveillance purposes.
  • Keylogging – Captures keystrokes, allowing attackers to steal sensitive information like passwords, credit card details, and other personal data.
  • Credential Dumping – Can extract stored passwords from browsers, email clients, and other applications.
  • File Management – Allows attackers to remotely upload, download, and delete files on the infected system.
  • Process Injection – Hooks into processes to avoid detection by security software and ensure persistence on the system.
  • Persistence Mechanisms – Modifies system startup settings, Windows registry, and scheduled tasks to maintain access even after system reboots.
  • C2 Communication – Uses encrypted channels (often over HTTP/HTTPS or custom protocols) to communicate with the attacker’s Command and Control (C2) server.

Layui

Layui is a JavaScript framework commonly used for building user interfaces (UI) and web applications. However, in the context of malware, Layui refers to a malicious campaign or backdoor that can exploit the Layui framework or its associated resources to carry out harmful activities. Attackers may inject or manipulate the Layui framework into web applications to exploit vulnerabilities and gain unauthorized access to systems.

Key Features:

  • Data Exfiltration – Attackers can use injected Layui scripts to exfiltrate data from compromised systems or to send stolen data to remote servers controlled by the attackers.
  • Backdoor Installation – Attackers may exploit vulnerabilities in web applications using Layui (or similar frameworks) to inject malicious scripts that provide them with remote access.
  • Web Shells – A web shell can be injected into web applications, providing attackers with full control over the server to manipulate files, steal data, or deploy additional malware.
  • Credential Harvesting – Phishing pages can be created using Layui-based UI elements to deceive users into entering sensitive information (e.g., login credentials).
  • Cross-Site Scripting (XSS) – Layui-based applications may be vulnerable to XSS attacks, which allow attackers to inject malicious JavaScript into the application and steal session cookies, credentials, or sensitive data.
  • Persistence – Malicious scripts embedded within Layui frameworks can be used to maintain long-term access to compromised websites or systems, allowing attackers to control them at will.

Metasploit Framework

The Metasploit Framework is a widely-used, legitimate penetration testing tool that security professionals use to find and exploit vulnerabilities in systems. However, it is also frequently misused by cybercriminals to deploy malicious payloads, conduct remote exploitation, and gain unauthorized access to systems.

When used maliciously, Metasploit can be leveraged by attackers to execute exploits, install backdoors, and perform post-exploitation activities. The framework is highly flexible and allows for the creation and execution of various malicious payloads, including remote access tools (RATs), web shells, and ransomware.

Key Features:

  • Evading Detection – Many Metasploit payloads come with built-in obfuscation and encryption techniques, helping them evade detection by antivirus or EDR solutions.
  • Exploits Vulnerabilities – Metasploit can be used to exploit known vulnerabilities in software, such as buffer overflows, SQL injection, and unpatched services.
  • Payload Delivery – Once a vulnerability is successfully exploited, Metasploit can deliver malicious payloads like meterpreter (RAT), which provides attackers full control over the infected system.
  • Post-Exploitation – Metasploit offers modules for privilege escalation, network pivoting, credential dumping, and keylogging, allowing attackers to further compromise the network and gain deeper access to the victim’s environment.
  • Persistence Mechanisms – Metasploit can be used to implant backdoors or maintain access through various persistence techniques, such as modifying registry keys, adding startup tasks, or exploiting task schedulers.
  • Meterpreter – A powerful payload that acts as a remote shell, allowing attackers to control the victim’s system, steal data, and manipulate files. It also supports fileless attacks, as it operates in memory, making it harder to detect.
  • Social Engineering – Metasploit can be used to craft phishing payloads or malicious documents to deliver malicious exploits via email or other vectors.

Mythic C2 Framework

Mythic is an open-source Command and Control (C2) framework used for post-exploitation activities. It allows attackers to maintain persistent control over compromised systems, execute payloads, and perform various malicious actions within a target network. Mythic is popular in red teaming and penetration testing, but it has been increasingly used by cybercriminals in actual attacks due to its flexibility, ease of use, and powerful capabilities.

Key Features of Mythic Malware:

  • Dynamic Payloads – The framework allows the creation of dynamic, polymorphic payloads that change characteristics to avoid signature-based detection.
  • Modular Payloads – Mythic supports various types of payloads that can be customized and executed remotely. Attackers can choose from a wide variety of exploits, file manipulation tools, and network intrusion methods.
  • Cross-Platform Support – Mythic supports multiple platforms, including Windows, Linux, macOS, and Android, allowing attackers to target a wide range of devices.
  • Command & Control (C2) – Mythic establishes a robust and encrypted C2 channel that facilitates bidirectional communication between the attacker and the compromised systems.
  • Fileless Execution – Payloads can run in-memory, avoiding detection by traditional file-based antivirus software, which makes Mythic especially difficult to detect.
  • Web Shell Deployment – Mythic allows attackers to deploy web shells for remote system control and data exfiltration.
  • Persistence – Attackers can use Mythic to ensure persistence on compromised systems by modifying startup configurations, task schedulers, and system registries.
  • Advanced Evasion – Mythic supports features that enable attackers to evade detection by using techniques such as process injection, encryption, and polymorphism to bypass security systems.

NanoCore

NanoCore is a powerful and sophisticated Remote Access Trojan (RAT) that allows attackers to take full control of an infected machine. It is primarily used in cyber espionage and data theft, but it is also employed in cybercrime operations for various malicious purposes. Despite being sold as a legitimate tool for penetration testers and red teams, NanoCore is often used by cybercriminals for unauthorized access to networks and systems.

Key Features:

  • Remote Control – Once installed on a victim’s machine, NanoCore gives attackers full control, allowing them to execute commands, manage files, and even control the system’s webcam and microphone.
  • Keylogging – NanoCore can record keystrokes, allowing attackers to capture login credentials, credit card numbers, and other sensitive information.
  • Screen Capture – The malware has the ability to take screenshots of the victim’s screen and send them back to the attacker.
  • Password Theft – NanoCore can extract stored passwords from browsers, email clients, and other programs, facilitating the theft of sensitive credentials.
  • File Management – Attackers can use NanoCore to upload, download, or delete files on the infected machine.
  • Persistence – NanoCore can maintain its presence on the infected system by creating persistence mechanisms, such as modifying the Windows registry, creating startup tasks, or using scheduled tasks.
  • Webcam and Microphone Control – Attackers can activate the infected system’s webcam or microphone to spy on the user without their knowledge.
  • Encrypted Communication – NanoCore uses encrypted channels to communicate with the attacker’s Command and Control (C2) server, which helps it avoid detection by security tools.
  • Stealth – The malware is designed to be stealthy and can evade antivirus software and endpoint protection systems by using obfuscation and polymorphism techniques.

NjRAT

NJRat (also known as NjRAT or Bladabindi) is a widely used Remote Access Trojan (RAT) that provides attackers with remote control over infected machines. It is often used for a variety of malicious purposes, including spying, data theft, and system manipulation. NJRat has been popular with cybercriminals due to its user-friendly interface and customizability, allowing attackers to easily control compromised systems.

NJRat is typically delivered through phishing emails, malicious downloads, or exploit kits, and it operates by establishing a command and control (C2) channel between the infected machine and the attacker.

Key Features:

  • Encrypted C2 Communication – The communication between the infected machine and the attacker’s C2 server is often encrypted, making it harder for security software to detect the RAT’s activity.
  • Remote Control – Once installed, NJRat allows attackers to remotely control the victim’s computer, executing commands, opening files, and performing actions as though they were sitting at the system.
  • Keylogging – NJRat can capture keystrokes and passwords, which is commonly used for credential theft and data exfiltration.
  • File Management – Attackers can upload and download files from the infected machine, facilitating data theft or the installation of additional malware.
  • Screen and Webcam Capture – The malware can take screenshots of the victim’s screen and even activate the webcam to spy on the user.
  • Microphone Control – NJRat can turn on the infected system’s microphone, allowing attackers to listen in on the victim’s environment.
  • Persistence – The malware ensures it remains on the infected system by establishing persistence mechanisms, such as modifying registry keys and creating startup tasks to reload the RAT after system reboots.
  • Password Stealing – NJRat is capable of stealing passwords saved in browsers, email clients, FTP clients, and other software.
  • Proxy and Network Management – Attackers can route internet traffic through the compromised system, turning it into a proxy for their own activities, such as hiding their identity or attacking other targets.

Orcus

Orcus is a Remote Access Trojan (RAT) that allows attackers to gain unauthorized remote control over infected systems. It is a highly versatile malware that can be used for various malicious purposes, including data theft, spying, credential harvesting, and network exploitation. Orcus is known for its customizability, making it a popular choice for cybercriminals, but it is also used in penetration testing and red team activities by security professionals.

Key Features:

  • Encrypted Communication – Orcus uses encrypted channels to communicate with its Command and Control (C2) server, helping it evade detection by traditional security tools.
  • Remote Control – Orcus gives attackers the ability to remotely control a victim’s machine. Attackers can interact with the system as if they were sitting at the machine, performing actions like executing commands, browsing files, and installing additional malware.
  • Keylogging – Orcus can record keystrokes, allowing attackers to steal sensitive information such as login credentials, credit card details, and other personal data.
  • Screen and Webcam Capture – The malware can take screenshots of the victim’s screen and even capture live footage from the webcam for surveillance purposes.
  • Microphone Control – Orcus has the ability to activate the infected system’s microphone, allowing attackers to listen in on the victim’s environment.
  • File Management – Attackers can upload and download files to and from the infected machine, enabling them to steal documents, inject malicious payloads, or deploy additional malware.
  • Persistence – Orcus ensures that it remains on the infected system by creating persistence mechanisms, such as modifying registry keys, startup tasks, and system settings to automatically start after a reboot.
  • Password Stealing – Orcus can extract and steal passwords stored in web browsers, FTP clients, and other software, facilitating further attacks or credential-based exploitation.
  • Network and Proxy Management – The malware allows attackers to route internet traffic through the compromised system, turning it into a proxy for hiding the attacker’s true location or conducting further attacks.

Panda

Panda is a type of Remote Access Trojan (RAT) that allows attackers to gain remote control of an infected system. It is primarily used for spying, data theft, and exploitation of vulnerable systems. Panda RAT is part of a category of malware that enables cybercriminals to operate without the victim’s knowledge, often maintaining long-term access to compromised machines for surveillance or data harvesting.

Key Features of Panda Malware:

  • Encrypted Communication – Panda communicates with its Command and Control (C2) server over encrypted channels, which helps it avoid detection and analysis by traditional security tools.
  • Remote Access – Panda RAT allows attackers to remotely control the victim’s system, enabling them to execute commands, access files, and manipulate the system as though they were physically at the machine.
  • Keylogging – The malware has the ability to record keystrokes, which can lead to the theft of sensitive data such as login credentials, credit card details, and other personal information.
  • Screen Capture – Panda can capture screenshots or even record the screen, allowing attackers to monitor the victim’s activity and extract valuable data.
  • Webcam and Microphone Control – The RAT can access and control the victim’s webcam and microphone, enabling covert surveillance without the victim’s knowledge.
  • File Management – Attackers can upload and download files to/from the infected system, facilitating data theft or the installation of additional malware.
  • Persistence – Panda uses persistence mechanisms such as modifying registry keys, startup tasks, and scheduled tasks to maintain its presence on the infected machine even after system reboots.
  • Password Stealing – Panda is capable of extracting saved passwords from web browsers, FTP clients, and other software, enabling the attacker to steal credentials and gain unauthorized access to online accounts.
  • Network Monitoring – The malware can monitor and capture network traffic, potentially stealing sensitive communication or login sessions.

PoshC2 RAT

Posh or PoshC2 is a Remote Access Trojan (RAT) and a Command and Control (C2) framework written in PowerShell, a powerful scripting language built into Windows systems. PoshC2 is often used in cyber-attacks, penetration testing, and red teaming, but it can also be weaponized by cybercriminals for malicious purposes. The framework allows attackers to gain control over an infected system, execute commands remotely, and exfiltrate data.

PoshC2’s primary feature is its use of PowerShell scripts, making it particularly effective at evading traditional security measures, which often overlook PowerShell-based threats. It is highly customizable, meaning attackers can modify the malware to suit their specific needs, including covert data exfiltration, lateral movement within a network, and surveillance.

Key Features:

  • Encrypted C2 Communication – PoshC2 uses encrypted communication to avoid detection by security systems and to ensure the confidentiality of its commands and data transfers.
  • PowerShell-based Execution – PoshC2 leverages the PowerShell scripting language to communicate between the C2 server and the infected system. PowerShell’s flexibility makes it effective for both fileless malware and remote exploitation.
  • Remote Access & Control – Once installed, PoshC2 gives attackers full remote access to the victim’s system, allowing them to execute commands, manipulate files, and interact with the system as if they were physically at the computer.
  • Command and Control (C2) Framework – PoshC2 is structured around a C2 server that communicates with compromised systems to send commands and receive data, facilitating the attacker’s control over the system.
  • Fileless Operation – PoshC2 is capable of executing fileless attacks, meaning it can run in memory without writing malicious files to disk. This makes detection more difficult since no physical traces are left on the system.
  • Data Exfiltration – Attackers can use PoshC2 to exfiltrate sensitive data from the infected system, such as passwords, confidential documents, and network information.
  • Keylogging – PoshC2 can capture keystrokes to steal sensitive information, including login credentials and financial details.
  • Web Shells – It can also deploy web shells on compromised web servers to establish further access points into the network.
  • Persistence – PoshC2 ensures it remains on the compromised system by implementing persistence techniques, such as modifying startup tasks or scheduled tasks, so the malware reactivates after a reboot.
  • Lateral Movement – Attackers can use PoshC2 to facilitate lateral movement within a network, spreading to other machines and potentially compromising an entire organization.

Remcos RAT

Remcos (Remote Control and Surveillance) is a Remote Access Trojan (RAT) that enables attackers to gain unauthorized control over an infected system. It is a highly effective tool for cybercriminals to conduct various malicious activities, including data theft, spying, and system exploitation. Remcos is often used for espionage, network exploitation, and attacks on critical infrastructure.

Key Features:

  • Encrypted Communication – To evade detection, Remcos uses encrypted communications to transmit commands and data between the victim system and the attacker’s Command and Control (C2) server, making it difficult for traditional security tools to detect it.
  • Remote Access & Control – Remcos provides attackers with full remote control over the infected system, enabling them to execute commands, manage files, and manipulate system settings as though they were physically at the machine.
  • Keylogging – One of the primary functions of Remcos is its ability to record keystrokes, allowing attackers to capture login credentials, personal information, and other sensitive data typed by the victim.
  • Webcam & Microphone Control – Remcos can activate the webcam and microphone on the infected system to conduct covert surveillance. This allows attackers to view and listen to the victim without their knowledge.
  • Screen Capture – Attackers can capture screenshots or record the screen in real-time, monitoring the victim’s activities and potentially obtaining sensitive data from open applications or documents.
  • File Management – Remcos allows attackers to upload and download files from the compromised system. This enables data theft or the installation of additional malicious payloads.
  • Persistence – Remcos implements persistence mechanisms, such as adding entries to the Windows registry or creating startup tasks, to ensure that it remains active even after system reboots or attempts to remove it.
  • Password Stealing – It can extract passwords stored in web browsers, email clients, and other applications, facilitating further exploitation of credentials.
  • Process Management – Remcos provides the attacker with the ability to terminate processes, which is useful for stopping security software (e.g., antivirus) or killing other important processes to further compromise the system.
  • Network Sniffing – The malware has the capability to monitor network traffic and potentially capture sensitive communications, such as login sessions, encrypted messages, and other valuable data.

ShadowPad

ShadowPad is a sophisticated remote access Trojan (RAT) used primarily for espionage, cybercrime, and cyber warfare. First discovered in 2017, it is often attributed to advanced persistent threat (APT) groups and is a well-known tool used in supply chain attacks. ShadowPad is notorious for its stealth and flexibility, often being delivered via compromised software updates or third-party software providers.

The malware operates by providing attackers with remote control over an infected system, allowing them to conduct data theft, espionage, and network surveillance. It is often part of a larger attack chain, being dropped on systems following initial exploitation and serving as a tool for maintaining long-term access to compromised networks.

Key Features:

  • Stealth & Evasion – ShadowPad uses advanced techniques to avoid detection, including anti-analysis features, the ability to bypass security software, and code obfuscation to mask its true intent.
  • Remote Access & Control – ShadowPad allows attackers to have full remote control of an infected system, enabling them to execute commands, run programs, manage files, and manipulate system resources.
  • Modular Architecture – The malware is modular, which means it can be customized and extended by attackers. New modules can be downloaded to the infected system to carry out specific tasks such as keylogging, data exfiltration, or file manipulation.
  • Persistence – ShadowPad has strong persistence mechanisms that enable it to remain active on the system even after reboots or attempts to clean the infection. This may include modifying system files, adding entries to the Windows registry, or creating scheduled tasks.
  • Fileless Operation – ShadowPad is designed to operate in a fileless manner, which means it doesn’t always write malicious files to disk. This helps it evade traditional detection methods that rely on scanning file systems for known malware signatures.
  • Command and Control (C2) Communication – The malware communicates with its C2 server through encrypted channels, making it harder for security tools to detect the malicious traffic. ShadowPad can use HTTP, HTTPS, or other protocols for C2 communication.
  • Data Exfiltration – ShadowPad is often used for data exfiltration, where sensitive information such as login credentials, business documents, intellectual property, and other confidential data is stolen from the infected machine.
  • Keylogging – Like many RATs, ShadowPad can record keystrokes, enabling attackers to steal login credentials, sensitive personal information, and other typed data from the victim.
  • Surveillance – ShadowPad can activate system features like the webcam and microphone to conduct covert surveillance on the victim without their knowledge.
  • Privilege Escalation – The malware has the ability to escalate its privileges on infected systems, giving attackers full administrative control to manipulate or compromise other systems in the network.
  • Lateral Movement – Once inside a network, ShadowPad can help attackers move laterally to other systems, expanding the scope of the attack and allowing for further data collection or exploitation.
Sliver

Sliver is an advanced open-source post-exploitation framework and remote access tool (RAT), primarily used by security professionals for red teaming, but also used by malicious actors for exploitation and cyberattacks. Developed by Transmitted (the same group behind Cobalt Strike), Sliver is a modern tool that offers a range of features enabling attackers to control compromised systems, conduct lateral movement, and exfiltrate data. Despite its legitimate use in penetration testing, it has been repurposed by cybercriminals for covert operations, espionage, and ransomware attacks.

Key Features:

  • Command and Control (C2) Communication – Sliver enables attackers to maintain command and control over infected systems through secure and encrypted channels. This communication typically occurs over HTTP, HTTPS, or other common protocols to avoid detection by network monitoring tools.
  • Modular Architecture – Sliver has a modular design, allowing attackers to download and execute various modules depending on the specific needs of the attack. These modules can include functions such as keylogging, data exfiltration, and system exploitation.
  • Advanced Payload Delivery – The framework allows for the creation of highly customizable payloads designed to bypass antivirus software and traditional defenses. These payloads are commonly executed on victim systems via social engineering or software vulnerabilities.
  • Post-Exploitation Capabilities – After gaining initial access to a victim machine, Sliver allows attackers to perform post-exploitation actions.
  • Persistence – Sliver includes techniques to ensure that the malware maintains long-term access to the infected systems. This can involve creating scheduled tasks, modifying system settings, or adding entries to the Windows registry.
  • Keylogging and Screen Capture – Sliver can use its keylogging capabilities to capture sensitive information like passwords, and its screen capture functionality allows attackers to monitor the victim’s activities in real-time.
  • Credential Harvesting – It can harvest passwords and other stored credentials from browsers, applications, or network resources, facilitating further exploitation and lateral movement.
  • Stealth and Evasion – Sliver uses various evasion techniques such as code obfuscation, anti-analysis features, and encryption to avoid detection by security software, firewalls, and intrusion detection systems (IDS).
  • Command Execution – Sliver allows the execution of arbitrary commands on the infected system. This capability gives attackers the flexibility to carry out a wide range of tasks, from installing additional malware to altering system configurations.
  • Advanced Payload Obfuscation – The framework provides tools to obfuscate payloads, ensuring that the malware avoids detection by security software by hiding its malicious intent.
Strike

Strike is a type of remote access Trojan (RAT) and post-exploitation tool that has been used by threat actors for a variety of malicious purposes, including data theft, network infiltration, and espionage. It is part of a broader class of malware commonly used in cyberattacks, enabling attackers to gain control over compromised systems, spread throughout networks, and persist undetected.

Key Features:

  • Remote Access – Strike allows attackers to remotely control infected systems as if they had physical access. This enables them to execute commands, install additional malware, and interact with system files and processes.
  • Persistence Mechanisms – Strike includes techniques to ensure long-term access to the compromised system. It can set up scheduled tasks, modify system files, and alter the Windows registry to maintain control even after system reboots.
  • Modular Architecture – The malware is modular, meaning it can be extended with additional functionality or modules. These modules can be loaded dynamically, depending on the attacker’s needs, and may include features like keylogging, data exfiltration, or system surveillance.
  • Data Exfiltration – One of the primary goals of Strike malware is to steal sensitive data. This can include credentials, financial information, intellectual property, and other confidential files. The malware can upload the stolen data to an external server controlled by the attacker.
  • Keylogging and Screen Capture – Like many RATs, Strike is equipped with keylogging capabilities that enable attackers to capture login credentials, personal data, and other sensitive information typed by the user. Additionally, the malware can take screenshots of the infected system to monitor the victim’s activities.
  • Privilege Escalation – Strike can exploit vulnerabilities or misconfigurations in the system to escalate its privileges, giving the attacker higher-level access to the system and allowing them to perform more destructive actions.
  • Lateral Movement – Once Strike compromises a machine, it can facilitate lateral movement to other devices on the network. This allows attackers to expand the reach of their attack and increase the potential damage.
  • Stealth and Evasion – Strike employs advanced techniques to avoid detection. This can include obfuscation of its code, fileless execution, and evasion of traditional security tools, making it difficult for antivirus software and other defenses to detect the presence of the malware.
  • Command and Control (C2) Communication – Strike communicates with a remote C2 server, where attackers can issue commands and receive stolen data. This communication can occur over encrypted channels, making it harder for security tools to detect malicious traffic.
  • Fileless Operation – Strike can operate without writing files to disk, making it harder for traditional antivirus software to detect. It may run entirely from memory or use legitimate system tools, such as PowerShell, to carry out its actions.
XMRig

XMRig is a widely known cryptojacking malware primarily used to mine Monero (XMR) cryptocurrency. It is not a traditional virus or RAT (Remote Access Trojan), but rather a cryptomining tool that is often illegally deployed on compromised systems to mine cryptocurrency without the victim’s consent. Cryptojacking involves using the infected machine’s processing power to mine cryptocurrencies, resulting in increased system load, decreased performance, and potential hardware damage.

XtremeRAT

XtremeRAT is a remote access Trojan (RAT) that allows cybercriminals to gain unauthorized control over a compromised system, often for malicious purposes such as data theft, spying, and further exploitation. It is commonly used in cyberattacks and is one of many tools in the RAT family designed to provide attackers with full access to an infected machine. XtremeRAT is known for its stealth capabilities and ability to perform a wide range of activities, including keylogging, file theft, and system surveillance.

Key Features:

  • Data Exfiltration – XtremeRAT is commonly used to steal sensitive information such as personal documents, financial records, and confidential business data. The malware can exfiltrate this information by uploading it to a remote server controlled by the attacker.
  • Remote Control and Monitoring – XtremeRAT allows attackers to remotely control an infected system, as if they were sitting in front of it. This can include the ability to execute commands, access files, and run applications without the user’s knowledge.
  • Keylogging – One of the key features of XtremeRAT is its ability to log keystrokes on the infected machine, which can be used to steal sensitive information like login credentials, personal data, and financial information.
  • File Management – XtremeRAT enables attackers to manage files on the victim’s system. This includes the ability to download, upload, delete, or modify files, which can be used for data exfiltration or implanting additional malicious files.
  • System Surveillance – The malware allows the attacker to take screenshots, capture video, or even remotely activate webcams and microphones on the infected system. This can be used for espionage or to monitor the victim’s activity.
  • Persistence Mechanisms – XtremeRAT includes features that allow it to remain on the infected system even after a reboot or attempt to remove it. It can inject itself into legitimate processes, create scheduled tasks, or make changes to system settings to maintain access.
  • Self-Propagation – Some versions of XtremeRAT are capable of spreading to other systems within a network. This is often done by exploiting vulnerabilities in software or using social engineering techniques to convince users to run the malware on their own devices.
  • Encrypted Communication – XtremeRAT uses encryption to conceal the command-and-control (C2) communication, making it more difficult for security tools to detect malicious activity. Communication with the C2 server can include stolen data, as well as commands to control the victim machine.
  • Credential Harvesting – The malware can capture login credentials from browsers, email clients, or other services, and send them back to the attacker. This data can be used for identity theft, unauthorized access, or fraudulent activities.
  • Remote Shell Access – Attackers can use XtremeRAT to open a command shell on the infected machine, allowing them to execute arbitrary commands and run scripts, often with elevated privileges.