Last seven days
- First activity
- Jul 13, 2026
- Last activity
- Jul 15, 2026
- Feed role
- C2
- Host form
- 1 IP / 2 hostnames
Neptune RAT is a remote access trojan with at least two major versions, V1 and V2.
Profile source: Mallory opens in a new tabNeptune RAT
Neptune RAT is a remote access trojan with at least two major versions, V1 and V2. High-confidence reporting indicates Neptune RAT V1 has substantial technical overlap with XWORM and is most likely derived from it rather than independently developed. Researchers observed Neptune RAT samples triggering detections originally written for XWORM, and reverse engineering found closely matching initialization flow, configuration handling, and persistence logic.
Neptune RAT V1 loads configuration at the start of execution and stores configuration values in a single class of static strings. Its configuration strings, except the mutex, are AES-encrypted and Base64-encoded. Neptune RAT V1 and XWORM share a distinctive crypto routine in which the mutex is MD5-hashed and duplicated to form a 32-byte AES key, with AES used in ECB mode. This overlap reportedly caused Neptune RAT V1 configurations to be conflated with XWORM configurations in tracking systems.
Reported persistence mechanisms for Neptune RAT V1 include Task Scheduler, registry entries, and the startup folder. The malware also includes clipper-related logic: Neptune RAT V1 and XWORM reportedly use identical regular expressions targeting BTC, ETH, and TRC cryptocurrency wallets. Neptune RAT V1 specifically targets legacy Bitcoin addresses and largely ignores Bech32 addresses.
Open-source analysis cited in the content identified GitHub repositories that partially reconstruct Neptune RAT development history. A repository referenced as MasonGroup/NeptuneRatV1 is described as a fork of the V1 builder, with activity concentrated in early December 2024 and references to a Discord server named FreemasonryTM. A separate NeptuneRatV2 repository, first committed on February 22, 2025, is described as a trial version of a newer builder. Neptune RAT V2 appears to be a major rewrite or extensive refactor: its builder is described as more polished, its code flow differs from V1, variable names are not obfuscated, and configuration data is stored as plaintext strings in a Settings class rather than encrypted.
The content does not provide a confirmed threat actor attribution for Neptune RAT itself, but it does state that Neptune RAT V1 was linked to the investigated campaign and that ongoing development of the original Neptune RAT repository continued after the public forks, with the original repository later made private. The content also notes that SHA-256 hashes exist for samples labeled Neptune V1 RAT and Neptune V2 RAT, but the specific hashes are not reproduced in the provided material.
C2 tracking
Derp observations, rolling seven-day window
Samples
1a6575851bea34926857ca0e582fc92b171ff6858e0f56b0e15c1fd17def182d e23a96afa548760eb79fc9e4388204b2082e269f935493ead676eefa39daa68d 0e5c2dc881698eddca82990a30bb2f734065b2eb9ea329b03fbf454e43a254e8 bd2cc2f1f25b5f520a87068475247dd5611ab9f199ed3264983d720e016acf66 Reporting
NEPTUNE RAT1
"Neptune RAT: Gen Digital has discovered new versions of the Neptune RAT in its historic XWorm data."
A recent investigation into Neptune RAT unexpectedly uncovered notable overlaps with the notorious remote access trojan, XWORM... we conclude that the similarities between Neptune RAT V1 and XWORM are unlikely coincidental, Neptune RAT V1 is most likely a derivative of XWORM.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.