Skip to content
Malware family

GravityRAT

GravityRAT is a spyware/RAT family active since at least 2015 and believed to be linked to Pakistani threat actors.

Profile source: Mallory opens in a new tab

GravityRAT

Family profile

GravityRAT is a spyware/RAT family active since at least 2015 and believed to be linked to Pakistani threat actors. Reporting cited in the content states Cisco Talos published research on it in 2018 and that CERT-IN first discovered the Trojan in 2017; it was used to target the Indian armed forces and more broadly employees of Indian defense, police, and related organizations. The malware was initially associated with Windows, then expanded to Android in 2018 and later to macOS. Delivery described in the content includes trojanized or fake applications such as Travel Mate Pro, Enigma, Titanium, WeShare, TrustX, Click2Chat, Bollywood, Sharify, MelodyMate, GoZap, StrongBox, TeraSpace, OrangeVault, CvStyler, and SavitaBhabi, with victims reportedly lured via fake Facebook accounts.

Capabilities directly described in the content include collecting the victim username and account details such as account type, description, full name, SID, and status; gathering host information via WMI including Win32_Processor data such as processor ID, name, manufacturer, and clock speed; obtaining system date and time; collecting the victim IP address, MAC address, and account domain name; listing running processes; listing available services; using netstat to identify open ports; executing commands remotely on the infected host; and stealing files with extensions including .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf. One described behavior is stealing files based on an extension list when a USB drive is connected. Persistence on Windows is achieved by creating a scheduled task to re-execute daily; a macOS Enigma variant established persistence with a cron job.

Android-related activity in the content states that the trojanized Travel Mate Pro exfiltrated device data, contact lists, email addresses, call logs, SMS logs, and files from device and removable storage, including .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus files. A Windows-related sample, ZW.exe, is described as collecting system information, searching for documents, listing running processes, intercepting keystrokes, taking screenshots, executing shell commands, and scanning ports.

Infrastructure and IoCs explicitly mentioned in the content include HTTP C2 over non-standard TCP port 46769 and related use of port 64443; domains n1.nortonupdates[.]online and n2.nortonupdates[.]online, which resolved to 213.152.161[.]219; n3.nortonupdates[.]online:64443; enigma.net[.]in; titaniumx.co[.]in; windowsupdates[.]eu; mozillaupdates[.]com; mozillaupdates[.]us; u01.msoftserver[.]eu; and msoftserver[.]eu:64443 with path /ZULU_SERVER.php. Additional sample and payload names mentioned include Enigma.ps1, enigma.exe, Xray.exe, ZW.exe, RW.exe, TW.exe, Whisper, Wpd.exe, Taskhostex.exe, WCNsvc.exe, SMTPHost.exe, and CSRP.exe. The content also notes RW.exe used C2 path /ROMEO/5d907853.php and TW.exe used /TANGO/e252a516.php, and that older Whisper variants contained the strings "lolomycin2017" and "lolomycin&Co."

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 18, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
0 IP / 1 hostnames

Samples

Recent associated samples

MITRE ATT&CK

GravityRAT in ATT&CK

35 distinct techniques

Reporting

Research mentioning GravityRAT

Jan 13
Zimperium

GravityRAT Expands Remote Access Threats to Mobile Devices

A longstanding remote access trojan known as GravityRAT has reemerged with expanded capabilities targeting Android alongside Windows and macOS devices.

Jan 8
The Hacker News

ThreatsDay Bulletin: RustFS Flaw, Iranian Ops, WebUI RCE, Cloud Leaks, and 12 More Stories

ANY.RUN has published a technical rundown of a sophisticated remote access trojan called GravityRAT that has been actively targeting organizations and government entities since 2016.

Jan 7
Huntio

SIGNALS WEEKLY: MongoBleed (CVE-2025-14847) Is in KEV: The Unauth MongoDB Leak You Need to Patch

...ongoing GravityRAT espionage across platforms.

Jan 6
Cyber Security News

GravityRAT with Remote Access Capabilities Attacking Windows, Android, and macOS Systems

GravityRAT is a remote access trojan that has been targeting government agencies and military organizations since 2016. This malware originated as a Windows-only threat but has evolved into a cross-platform tool that can attack Windows, Android, and macOS systems.

Jan 1
Objective See

The Mac Malware of 2020 👾

GravityRat is cross-platform remote administration tool (RAT …backdoor) now ported to macOS. The (available) samples, are persistent first-stage downloaders.

Nov 27
Objective See

Adventures in Anti-Gravity (Part II)

In part one, we detailed the (new) macOS variant of GravityRat. Of the various (macOS) samples, we focused first on a binary named Enigma... In this post, we continue our analysis, but now focus on the StrongBox binary, from the other group of files.

Nov 3
Objective See

Adventures in Anti-Gravity

Recently, noted security researcher Tatyana Shishkova of Kaspersky published a new report on the intriguing cross-platform spyware, GravityRAT ("used to target the Indian armed forces"). In this report, she noted that for the first time, “there are now versions for …macOS”.

Oct 19
Securelist

GravityRAT: The spy returns | Securelist

In 2018, researchers at Cisco Talos published a post on the spyware GravityRAT, used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.