Last seven days
- First activity
- Jul 18, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 0 IP / 3 hostnames
NetWire is a remote access trojan (RAT) and credential-stealing malware family.
Profile source: Mallory opens in a new tabNETWIRE
NetWire is a remote access trojan (RAT) and credential-stealing malware family. The provided content associates it with process injection, keylogging-related behavior, command-and-control traffic, automated data collection, credential theft, persistence, and delivery through phishing and malware downloaders. NetWire has been observed stealing passwords from messaging and mail client applications and from web browsers including Internet Explorer, Opera, Yandex, and Chrome. It can automatically archive collected data, write collected data to files in a ./LOGS directory, copy itself to and execute from hidden folders, and inject code into processes including notepad.exe, svchost.exe, and vbc.exe. The content also notes registry-based persistence via HKCU\SOFTWARE\NetWire and an autorun entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, as well as macOS persistence through LaunchAgents. Execution and delivery vectors mentioned include spearphishing and email campaigns with malicious attachments or documents, PowerShell-based execution, and distribution by GuLoader. NetWire is described as cross-platform in at least one context, and Bahamut is specifically noted as using the publicly available cross-platform RAT NETWIRE alongside Revenge RAT. Threat actors and clusters explicitly associated with NetWire in the content include ModifiedElephant, which used NetWire and DarkComet against human rights activists, academics, journalists, and lawyers in India; TA2541, which has used NetWire in campaigns targeting aviation, aerospace, transportation, manufacturing, and defense organizations; Bahamut; and Nigerian BEC actors tracked as SilverTerrier. The content also notes behavioral overlap between NetWire and other commodity RATs such as WarZoneRAT, njRAT, and NanoCore due to similarities in injection, keylogging-related calls, and C2 traffic.
C2 tracking
Derp observations, rolling seven-day window
Samples
294a37914d7386d3aeaaebbf85911da91db45eb6228444c8db2bd22c0bc558d5 2daa289f9b2d9c522ddf198c31bd9ac107b205000ea4afb4e96e26156085ef43 553ecfbcb2f82b095277829d036136eca6aef7564dbe188bbd5e361022361db4 bd8ec43eab808c09681dbaec32a91c91a4f6adc34c8a1c9747b500fc02dd7c04 ef0fec448c1fcedade3ae9037b1cc26ba3d936bcbc9e0eae6a08a1a4a97a68be Reported operators
Currently, TA2541 prefers AsyncRAT, but other popular RATs include NetWire, WSH RAT and Parallax.
The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers... The primary malware families deployed were NetWire and DarkComet remote access trojans (RATs).
Bahamut utilized the publicly available, cross-platform remote administration tools (RATs) NETWIRE and Revenge RAT for remote control.
The top 10 of the RATs used in Nigerian BEC scams is formed by NetWire, DarkComet, NanoCore, LuminosityLink, Remcos, ImminentMonitor, NJRat, Quasar, Adwind, and Hworm.
The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.
"...identified at least 5 different malware families used as final payloadβall of them InfoStealer or RAT malware: ... Netwire"
Exploited software
MITRE ATT&CK
Reporting
A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.
Infrastructure pivoting reveals the C2 IP (34.41.139.193) is shared with NetWire RAT, ClearFake, AsyncRAT, XWorm, Formbook, and Zeppelin ransomware.
19 netwire yes
With the release of v0.16, here are the different malware families that we cover. blister deprecated ghostpulse latrodectus lobshot lumma netwire redlinestealer remcos smokeloader stealc strelastealer xorddos
The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers... The primary malware families deployed were NetWire and DarkComet remote access trojans (RATs).
The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.
Bahamut utilized the publicly available, cross-platform remote administration tools (RATs) NETWIRE and Revenge RAT for remote control.
"Most notably, the infrastructure utilized in this campaign overlapped with LAZIOK, NETWIRE and other malware targeting similar financial entities in these regions."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.