45.192.219.135 — a Hong Kong VPS on Antbox Networks Limited (AS138995) that plays double duty as: FatalRAT C2 backend — tied to a live campaign deploying FatalRAT, Winos4.0, and QQHong sideloaded via Sogou Input Method DLL sideloading (ManualNewWord.dll), VMProtect-packed, beaconing on port 1080 + HTTPS cover on 443...
FatalRAT
FatalRAT is a Windows remote access trojan used in campaigns targeting Chinese-language users in Southeast Asia, East Asia, and the broader Asia-Pacific region.
Profile source: Mallory opens in a new tabFatalRAT
Family profile
FatalRAT is a Windows remote access trojan used in campaigns targeting Chinese-language users in Southeast Asia, East Asia, and the broader Asia-Pacific region. Reported targeting has included government and corporate networks, and activity has been associated in multiple reports with Chinese state-sponsored or China-nexus intrusion activity. FatalRAT has also been linked to the broader Chinese-speaking crimeware ecosystem alongside families such as Gh0st RAT, Simay RAT, Winos4.0, and ValleyRAT.
Observed delivery and execution chains have relied on social engineering and search-engine poisoning, including malicious search results for popular software and messaging applications that lead victims to trojanized installers. FatalRAT has also been deployed through DLL sideloading, including abuse of legitimate software components to load the malware while blending into normal application execution. Some reported samples were protected with commercial packers to hinder analysis.
Once installed, FatalRAT provides remote access and post-compromise control over infected systems through command-and-control communications using both a custom protocol and traffic designed to resemble normal encrypted web activity. Its use in targeted campaigns indicates a role in sustained intrusion operations rather than opportunistic nuisance activity. The malware has been observed as part of multi-tool intrusion sets, suggesting operators use it in conjunction with other remote access tools depending on victim environment and operational goals.
Capabilities
- Defense Evasion
- Dll Sideloading
- Post Exploitation
Reported operators
Threat actors
1 named in public reportingMITRE ATT&CK
FatalRAT in ATT&CK
10 distinct techniquesReporting
Research mentioning FatalRAT
CrySome RAT Spreads Through Freight Phishing Attack
Related coverage Cryptocurrency Users Targeted in Sophisticated ‘FatalRAT’ Phishing Campaign
Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul
FatalRAT1
FatalRAT and an Asian Gambling Syndicate Share a Box: Inside the LARUS / Cloud Innovation AFRINIC Bulletproof Empire - Breakglass Intelligence - Breakglass Intelligence
45.192.219.135 — a Hong Kong VPS on Antbox Networks Limited (AS138995) that plays double duty as: FatalRAT C2 backend — tied to a live campaign deploying FatalRAT, Winos4.0, and QQHong sideloaded via Sogou Input Method DLL sideloading (ManualNewWord.dll), VMProtect-packed, beaconing on port 1080 + HTTPS cover on 443...
AI Development & Software Engineering | CloudATG
FatalRAT Phishing Attacks Target APAC Industries Using Chinese Cloud Services
$1.5 Billion ByBit Crypto Heist and The Threat Actors Behind Escalating Geopolitical Cyberattacks
FatalRAT malware is being deployed in the Asia-Pacific (APAC) region, attributed to Chinese state-sponsored actors. TTPs: DLL sideloading to deploy FatalRAT, alongside Gh0st RAT and Simay RAT. Targets: Likely government and corporate networks.
$1.5 Billion ByBit Crypto Heist and The Threat Actors Behind Escalating Geopolitical Cyberattacks
FatalRAT malware is being deployed in the Asia-Pacific (APAC) region, attributed to Chinese state-sponsored actors. TTPs: DLL sideloading to deploy FatalRAT, alongside Gh0st RAT and Simay RAT. Targets: Likely government and corporate networks.
You may not care where you download software from, but malware does
Chinese-language speakers in Southeast and East Asia were targeted with poisoned Google search results for popular applications such as the Firefox web browser, and popular messaging apps Telegram and WhatsApp, to install trojanized versions containing the FatalRAT remote access trojan.