Skip to content
Malware family Windows

FatalRAT

FatalRAT is a Windows remote access trojan used in campaigns targeting Chinese-language users in Southeast Asia, East Asia, and the broader Asia-Pacific region.

Profile source: Mallory opens in a new tab

FatalRAT

Family profile

FatalRAT is a Windows remote access trojan used in campaigns targeting Chinese-language users in Southeast Asia, East Asia, and the broader Asia-Pacific region. Reported targeting has included government and corporate networks, and activity has been associated in multiple reports with Chinese state-sponsored or China-nexus intrusion activity. FatalRAT has also been linked to the broader Chinese-speaking crimeware ecosystem alongside families such as Gh0st RAT, Simay RAT, Winos4.0, and ValleyRAT.

Observed delivery and execution chains have relied on social engineering and search-engine poisoning, including malicious search results for popular software and messaging applications that lead victims to trojanized installers. FatalRAT has also been deployed through DLL sideloading, including abuse of legitimate software components to load the malware while blending into normal application execution. Some reported samples were protected with commercial packers to hinder analysis.

Once installed, FatalRAT provides remote access and post-compromise control over infected systems through command-and-control communications using both a custom protocol and traffic designed to resemble normal encrypted web activity. Its use in targeted campaigns indicates a role in sustained intrusion operations rather than opportunistic nuisance activity. The malware has been observed as part of multi-tool intrusion sets, suggesting operators use it in conjunction with other remote access tools depending on victim environment and operational goals.

Capabilities

  • Defense Evasion
  • Dll Sideloading
  • Post Exploitation

Reported operators

Threat actors

1 named in public reporting
Silver Fox

45.192.219.135 — a Hong Kong VPS on Antbox Networks Limited (AS138995) that plays double duty as: FatalRAT C2 backend — tied to a live campaign deploying FatalRAT, Winos4.0, and QQHong sideloaded via Sogou Input Method DLL sideloading (ManualNewWord.dll), VMProtect-packed, beaconing on port 1080 + HTTPS cover on 443...

MITRE ATT&CK

FatalRAT in ATT&CK

10 distinct techniques

Reporting

Research mentioning FatalRAT

Jul 15
Security Online Info

CrySome RAT Spreads Through Freight Phishing Attack

Related coverage Cryptocurrency Users Targeted in Sophisticated ‘FatalRAT’ Phishing Campaign

Jul 7
Gurucul Threat Research

Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul

FatalRAT1

Apr 9
Breakglass Intel

FatalRAT and an Asian Gambling Syndicate Share a Box: Inside the LARUS / Cloud Innovation AFRINIC Bulletproof Empire - Breakglass Intelligence - Breakglass Intelligence

45.192.219.135 — a Hong Kong VPS on Antbox Networks Limited (AS138995) that plays double duty as: FatalRAT C2 backend — tied to a live campaign deploying FatalRAT, Winos4.0, and QQHong sideloaded via Sogou Input Method DLL sideloading (ManualNewWord.dll), VMProtect-packed, beaconing on port 1080 + HTTPS cover on 443...

Feb 13
Cloudatg Insights

AI Development & Software Engineering | CloudATG

FatalRAT Phishing Attacks Target APAC Industries Using Chinese Cloud Services

Feb 27
Armis

$1.5 Billion ByBit Crypto Heist and The Threat Actors Behind Escalating Geopolitical Cyberattacks

FatalRAT malware is being deployed in the Asia-Pacific (APAC) region, attributed to Chinese state-sponsored actors. TTPs: DLL sideloading to deploy FatalRAT, alongside Gh0st RAT and Simay RAT. Targets: Likely government and corporate networks.

Feb 27
Armis

$1.5 Billion ByBit Crypto Heist and The Threat Actors Behind Escalating Geopolitical Cyberattacks

FatalRAT malware is being deployed in the Asia-Pacific (APAC) region, attributed to Chinese state-sponsored actors. TTPs: DLL sideloading to deploy FatalRAT, alongside Gh0st RAT and Simay RAT. Targets: Likely government and corporate networks.

May 16
Eset Welivesecurity

You may not care where you download software from, but malware does

Chinese-language speakers in Southeast and East Asia were targeted with poisoned Google search results for popular applications such as the Firefox web browser, and popular messaging apps Telegram and WhatsApp, to install trojanized versions containing the FatalRAT remote access trojan.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.