September 30, 2023

VileRAT is Python-based malware that initially appeared in an attack campaign targeting foreign exchange and cryptocurrency trading companies. The attack was attributed to DeathStalker. The attackers have upgraded the capabilities of VileRAT to perform more sophisticated attacks.

Researchers stated that DeathStalker has been updating the features of VileRAT through 2021, with the latest update observed in June 2022. Many new samples of the trojan with new infrastructure have been identified since March 2022, indicating an increase in compromise attempts.


Since July 2022, the attackers have begun leveraging chatbots on targeted companies’ websites to send malicious documents. The documents are named with keywords such as ‘compliance’ or ‘complaint.’

The campaign uses the VBA stomping technique to conceal the macros embedded within malicious documents. These macros, when enabled, ultimately execute a malicious obfuscated JavaScript backdoor called VileDropper. VileDropper is then scheduled to drop VileRAT.

Researchers have obtained VileRAT versions from 2.4 to 8, with few of the functionalities similar across all the samples. While some are dropped by leveraging SSH as a C2 channel or screenshotting, the latest versions are deployed using VileLoader.

The primary functionality of VileRAT includes keylogging, executing arbitrary code, listing security solutions from targeted systems, and self-updating from a C2 server. 


Affected countries are Bulgaria, Cyprus, Germany, Kuwait, the UAE, Malta, and the Russian Federation. 

Attackers are continuously changing the evasion techniques and capabilities of VileRAT, so organizations should have robust endpoint protection solutions to detect and block most of VileRAT's related malicious activities.
