Skip to content
Malware family

NETWIRE

NetWire is a remote access trojan (RAT) and credential-stealing malware family.

Profile source: Mallory opens in a new tab

NETWIRE

Family profile

NetWire is a remote access trojan (RAT) and credential-stealing malware family. The provided content associates it with process injection, keylogging-related behavior, command-and-control traffic, automated data collection, credential theft, persistence, and delivery through phishing and malware downloaders. NetWire has been observed stealing passwords from messaging and mail client applications and from web browsers including Internet Explorer, Opera, Yandex, and Chrome. It can automatically archive collected data, write collected data to files in a ./LOGS directory, copy itself to and execute from hidden folders, and inject code into processes including notepad.exe, svchost.exe, and vbc.exe. The content also notes registry-based persistence via HKCU\SOFTWARE\NetWire and an autorun entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, as well as macOS persistence through LaunchAgents. Execution and delivery vectors mentioned include spearphishing and email campaigns with malicious attachments or documents, PowerShell-based execution, and distribution by GuLoader. NetWire is described as cross-platform in at least one context, and Bahamut is specifically noted as using the publicly available cross-platform RAT NETWIRE alongside Revenge RAT. Threat actors and clusters explicitly associated with NetWire in the content include ModifiedElephant, which used NetWire and DarkComet against human rights activists, academics, journalists, and lawyers in India; TA2541, which has used NetWire in campaigns targeting aviation, aerospace, transportation, manufacturing, and defense organizations; Bahamut; and Nigerian BEC actors tracked as SilverTerrier. The content also notes behavioral overlap between NetWire and other commodity RATs such as WarZoneRAT, njRAT, and NanoCore due to similarities in injection, keylogging-related calls, and C2 traffic.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 18, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
0 IP / 3 hostnames

Leading locations

  • US1

Leading providers

  • Google LLC1

Infrastructure traits

  • Hosting 1
  • Vpn 1

Samples

Recent associated samples

Reported operators

Threat actors

6 named in public reporting
TA2541

Currently, TA2541 prefers AsyncRAT, but other popular RATs include NetWire, WSH RAT and Parallax.

ModifiedElephant

The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers... The primary malware families deployed were NetWire and DarkComet remote access trojans (RATs).

WindShift

Bahamut utilized the publicly available, cross-platform remote administration tools (RATs) NETWIRE and Revenge RAT for remote control.

SilverTerrier

The top 10 of the RATs used in Nigerian BEC scams is formed by NetWire, DarkComet, NanoCore, LuminosityLink, Remcos, ImminentMonitor, NJRat, Quasar, Adwind, and Hworm.

TMT

The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.

RATicate

"...identified at least 5 different malware families used as final payloadβ€”all of them InfoStealer or RAT malware: ... Netwire"

Exploited software

Vulnerabilities linked to NETWIRE

4 CVEs

MITRE ATT&CK

NETWIRE in ATT&CK

63 distinct techniques

Techniques

63 techniques
T1082 System Information Discovery T1547.001 Registry Run Keys / Startup Folder T1112 Modify Registry T1565 Data Manipulation T1055 Process Injection T1056.001 Keylogging T1105 Ingress Tool Transfer T1083 File and Directory Discovery T1564.001 Hidden Files and Directories T1204.002 Malicious File T1560 Archive Collected Data T1016 System Network Configuration Discovery T1119 Automated Collection T1071.001 Web Protocols T1566.002 Spearphishing Link T1566 Phishing T1219 Remote Access Tools T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1543.001 Launch Agent T1074 Data Staged T1057 Process Discovery T1059.003 Windows Command Shell T1036 Masquerading T1059.001 PowerShell T1053.005 Scheduled Task T1555 Credentials from Password Stores T1555.003 Credentials from Web Browsers T1555.005 Password Managers T1027 Obfuscated Files or Information T1657 Financial Theft T1204 User Execution T1573.001 Symmetric Cryptography T1573 Encrypted Channel T1059.005 Visual Basic T1106 Native API T1036.005 Match Legitimate Resource Name or Location T1055.012 Process Hollowing T1113 Screen Capture T1048 Exfiltration Over Alternative Protocol T1071 Application Layer Protocol T1539 Steal Web Session Cookie T1027.002 Software Packing T1095 Non-Application Layer Protocol T1053.003 Cron T1218.004 InstallUtil T1036.001 Invalid Code Signature T1547.013 XDG Autostart Entries T1059.004 Unix Shell T1049 System Network Connections Discovery T1102 Web Service T1059 Command and Scripting Interpreter T1547.015 Login Items T1620 Reflective Code Loading T1074.001 Local Data Staging T1204.001 Malicious Link T1027.011 Fileless Storage T1010 Application Window Discovery T1090 Proxy T1560.001 Archive via Utility T1560.003 Archive via Custom Method T1090.001 Internal Proxy T1053 Scheduled Task/Job

Reporting

Research mentioning NETWIRE

Jun 26
Help Net Security

A privacy-first take on local malware analysis - Help Net Security

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

Mar 12
Breakglass Intel

StealC v2 Hidden in Candy Crush: A Multi-Campaign Crime Server on Google Cloud Running 6 Malware Families Across 3,778 Ports - Breakglass Intelligence - Breakglass Intelligence

Infrastructure pivoting reveals the C2 IP (34.41.139.193) is shared with NetWire RAT, ClearFake, AsyncRAT, XWorm, Formbook, and Zeppelin ransomware.

Dec 22
Rapid7 Velociraptor

Memory Analysis with Velociraptor - Part 2

19 netwire yes

Oct 14
Elastic Security Labs

NightMARE on 0xelm Street, a guided tour - Elastic Security Labs

With the release of v0.16, here are the different malware families that we cover. blister deprecated ghostpulse latrodectus lobshot lumma netwire redlinestealer remcos smokeloader stealc strelastealer xorddos

Jan 9
Sentinelone Labs

ModifiedElephant APT and a Decade of Fabricating Evidence | SentinelOne

The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers... The primary malware families deployed were NetWire and DarkComet remote access trojans (RATs).

Dec 27
Group Ib

Falcon: Operation in two acts | Group-IB Investigation

The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.

Oct 26
Ptsecurity Global

Analytics

Bahamut utilized the publicly available, cross-platform remote administration tools (RATs) NETWIRE and Revenge RAT for remote control.

Mar 25
Mandiant Threat Intelligence

Behind the CARBANAK Backdoor | Mandiant | Google Cloud Blog

"Most notably, the infrastructure utilized in this campaign overlapped with LAZIOK, NETWIRE and other malware targeting similar financial entities in these regions."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.