Skip to content
Malware family

Neptune RAT

Neptune RAT is a remote access trojan with at least two major versions, V1 and V2.

Profile source: Mallory opens in a new tab

Neptune RAT

Family profile

Neptune RAT is a remote access trojan with at least two major versions, V1 and V2. High-confidence reporting indicates Neptune RAT V1 has substantial technical overlap with XWORM and is most likely derived from it rather than independently developed. Researchers observed Neptune RAT samples triggering detections originally written for XWORM, and reverse engineering found closely matching initialization flow, configuration handling, and persistence logic.

Neptune RAT V1 loads configuration at the start of execution and stores configuration values in a single class of static strings. Its configuration strings, except the mutex, are AES-encrypted and Base64-encoded. Neptune RAT V1 and XWORM share a distinctive crypto routine in which the mutex is MD5-hashed and duplicated to form a 32-byte AES key, with AES used in ECB mode. This overlap reportedly caused Neptune RAT V1 configurations to be conflated with XWORM configurations in tracking systems.

Reported persistence mechanisms for Neptune RAT V1 include Task Scheduler, registry entries, and the startup folder. The malware also includes clipper-related logic: Neptune RAT V1 and XWORM reportedly use identical regular expressions targeting BTC, ETH, and TRC cryptocurrency wallets. Neptune RAT V1 specifically targets legacy Bitcoin addresses and largely ignores Bech32 addresses.

Open-source analysis cited in the content identified GitHub repositories that partially reconstruct Neptune RAT development history. A repository referenced as MasonGroup/NeptuneRatV1 is described as a fork of the V1 builder, with activity concentrated in early December 2024 and references to a Discord server named FreemasonryTM. A separate NeptuneRatV2 repository, first committed on February 22, 2025, is described as a trial version of a newer builder. Neptune RAT V2 appears to be a major rewrite or extensive refactor: its builder is described as more polished, its code flow differs from V1, variable names are not obfuscated, and configuration data is stored as plaintext strings in a Settings class rather than encrypted.

The content does not provide a confirmed threat actor attribution for Neptune RAT itself, but it does state that Neptune RAT V1 was linked to the investigated campaign and that ongoing development of the original Neptune RAT repository continued after the public forks, with the original repository later made private. The content also notes that SHA-256 hashes exist for samples labeled Neptune V1 RAT and Neptune V2 RAT, but the specific hashes are not reproduced in the provided material.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 13, 2026
Last activity
Jul 15, 2026
Feed role
C2
Host form
1 IP / 2 hostnames

Leading locations

  • DE1
  • GB1
  • US1

Leading providers

  • Ferdinand Zink trading as Tube-Hosting1
  • HostPapa1
  • OOO GETWIFI1

Infrastructure traits

  • Hosting 2

Samples

Recent associated samples

Reporting

Research mentioning Neptune RAT

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.