CodeRAT Targets Farsi-Speaking Developers with Innovative C2 Techniques
- Actor Motivations: Exfiltration
- Attack Vectors: RAT
- Attack Complexity: Medium
- Threat Risk: Unknown
Threat Overview
SafeBreach Labs has discovered CodeRAT, a new remote access trojan (RAT) targeting Farsi-speaking software developers, with capabilities ranging from espionage to data exfiltration. Delivered via a Word document that exploits Microsoft DDE, CodeRAT monitors activity in various applications, particularly social networking and development tools. Unusually, it uses public file upload APIs and Telegram groups for command and control, so it needs no dedicated C2 infrastructure of its own. The malware supports 50 commands, including clipboard capture, process control and file upload. After researchers discovered the malware, the CodeRAT developer released its source code on GitHub.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Region | Iran | High |
Extracted IOCs
- 25d6fccc82ec3c3c6786dcaa5d9f6920b769457502eef0759b235cd71c552b17
- 2a4e5e6f403ce913cb073d5c5d1fd999d8ae79deb04915b9777525e05e21a2b2
- cd53fba6ddd4ae4ef7a5747c6003236c85791477854cc1b7ce00e0f8ee7677d9
- f22041b2ea1fd6d8e7f6f1db7469dec61b000d067ab4be2c5b0654edfecbddb6