Last seven days
- First activity
- Jul 18, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 0 IP / 1 hostnames
GravityRAT is a spyware/RAT family active since at least 2015 and believed to be linked to Pakistani threat actors.
Profile source: Mallory opens in a new tabGravityRAT
GravityRAT is a spyware/RAT family active since at least 2015 and believed to be linked to Pakistani threat actors. Reporting cited in the content states Cisco Talos published research on it in 2018 and that CERT-IN first discovered the Trojan in 2017; it was used to target the Indian armed forces and more broadly employees of Indian defense, police, and related organizations. The malware was initially associated with Windows, then expanded to Android in 2018 and later to macOS. Delivery described in the content includes trojanized or fake applications such as Travel Mate Pro, Enigma, Titanium, WeShare, TrustX, Click2Chat, Bollywood, Sharify, MelodyMate, GoZap, StrongBox, TeraSpace, OrangeVault, CvStyler, and SavitaBhabi, with victims reportedly lured via fake Facebook accounts.
Capabilities directly described in the content include collecting the victim username and account details such as account type, description, full name, SID, and status; gathering host information via WMI including Win32_Processor data such as processor ID, name, manufacturer, and clock speed; obtaining system date and time; collecting the victim IP address, MAC address, and account domain name; listing running processes; listing available services; using netstat to identify open ports; executing commands remotely on the infected host; and stealing files with extensions including .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf. One described behavior is stealing files based on an extension list when a USB drive is connected. Persistence on Windows is achieved by creating a scheduled task to re-execute daily; a macOS Enigma variant established persistence with a cron job.
Android-related activity in the content states that the trojanized Travel Mate Pro exfiltrated device data, contact lists, email addresses, call logs, SMS logs, and files from device and removable storage, including .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus files. A Windows-related sample, ZW.exe, is described as collecting system information, searching for documents, listing running processes, intercepting keystrokes, taking screenshots, executing shell commands, and scanning ports.
Infrastructure and IoCs explicitly mentioned in the content include HTTP C2 over non-standard TCP port 46769 and related use of port 64443; domains n1.nortonupdates[.]online and n2.nortonupdates[.]online, which resolved to 213.152.161[.]219; n3.nortonupdates[.]online:64443; enigma.net[.]in; titaniumx.co[.]in; windowsupdates[.]eu; mozillaupdates[.]com; mozillaupdates[.]us; u01.msoftserver[.]eu; and msoftserver[.]eu:64443 with path /ZULU_SERVER.php. Additional sample and payload names mentioned include Enigma.ps1, enigma.exe, Xray.exe, ZW.exe, RW.exe, TW.exe, Whisper, Wpd.exe, Taskhostex.exe, WCNsvc.exe, SMTPHost.exe, and CSRP.exe. The content also notes RW.exe used C2 path /ROMEO/5d907853.php and TW.exe used /TANGO/e252a516.php, and that older Whisper variants contained the strings "lolomycin2017" and "lolomycin&Co."
C2 tracking
Derp observations, rolling seven-day window
Samples
8c58b94c0728fd1cd0ad10c9cf8e0f156ceeba10e06b84bae5ef977d5c78ceda 9dd2785bcb0cc717f408a0adde64bd10f1e534fb007c09638f3424e26c8825b6 ab3d05f070617c56af33b872a05cd43771965011c5a8816731d9378e5ecd9121 afc063635051cec2be206f2dd5bc942d8e9a1b59ecbe9df23d2e8f7d5b1558a7 c673b89c508ec115b54a04f816bbea402ad39384ff4b138a057bf8463de9fbc5 MITRE ATT&CK
Reporting
A longstanding remote access trojan known as GravityRAT has reemerged with expanded capabilities targeting Android alongside Windows and macOS devices.
ANY.RUN has published a technical rundown of a sophisticated remote access trojan called GravityRAT that has been actively targeting organizations and government entities since 2016.
...ongoing GravityRAT espionage across platforms.
GravityRAT is a remote access trojan that has been targeting government agencies and military organizations since 2016. This malware originated as a Windows-only threat but has evolved into a cross-platform tool that can attack Windows, Android, and macOS systems.
GravityRat is cross-platform remote administration tool (RAT …backdoor) now ported to macOS. The (available) samples, are persistent first-stage downloaders.
In part one, we detailed the (new) macOS variant of GravityRat. Of the various (macOS) samples, we focused first on a binary named Enigma... In this post, we continue our analysis, but now focus on the StrongBox binary, from the other group of files.
Recently, noted security researcher Tatyana Shishkova of Kaspersky published a new report on the intriguing cross-platform spyware, GravityRAT ("used to target the Indian armed forces"). In this report, she noted that for the first time, “there are now versions for …macOS”.
In 2018, researchers at Cisco Talos published a post on the spyware GravityRAT, used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.