
A Closer Look at the Novel and Stealthy KarstoRAT Malware

For almost three decades now, threat actors have used remote access trojans (RATs) to monitor user activity and steal sensitive information and credentials. The RAT’s surreptitious nature has cemented its spot in malicious actors’ malware arsenal, and over the years, it has evolved to include advanced functionalities, including remote code execution, browser decryption, C2 communication, and reconnaissance.

In our technical briefing, LevelBlue SpiderLabs presents a deep-dive investigation into KarstoRAT, covering its code execution logic, its C2 communication and exfiltration mechanisms, a detailed list of its capabilities, and how the LevelBlue/Cybereason platform protects users against this novel RAT.

In early 2026, a new malware family dubbed KarstoRAT was observed in the wild. This novel RAT is capable of system reconnaissance, audio and webcam monitoring, screenshot capture, keylogging, and token theft. Based on our investigation, KarstoRAT also enables threat actors to download and run additional payloads, which suggests it is used for post-compromise control of infected machines.

Here are some of the most notable observations of the KarstoRAT sample we analyzed:

  • KarstoRAT uses a command-and-control (C2) server that has a diverse set of open ports and services, indicating that it has a multi-purpose infrastructure created for C2 communication and payload distribution.

  • Threat actors use a fake Blox Fruits (a popular Roblox game) virtual marketplace as a lure to trick players into downloading malware that installs KarstoRAT on their machines.

  • KarstoRAT enters an infinite loop with a two-second sleep to keep itself alive indefinitely, sustain persistence, and manage its background features.

  • KarstoRAT communicates with its C2 server over HTTP, consistently using the user agent “SecurityNotifier”. It exfiltrates stolen data, such as screenshots, audio files, and webcam images, by sending POST requests to dedicated endpoints.

  • It establishes persistence via the “STARTUP_ON” and “STARTUP_OFF” capabilities, enabling it to launch automatically upon user login.

  • It collects system information on an infected machine, including computer name, username, OS version, CPU model, memory information, disk information, and a snapshot of all the running processes.

  • KarstoRAT has a text-to-speech capability that allows threat actors to make a compromised machine audibly speak arbitrary text through the system’s speakers. This functionality can deliver messages, taunt users, or create distractions.

  • It allows threat actors to replace a victim’s desktop background with an image downloaded from a URL.

  • KarstoRAT allows attackers to flip a victim’s entire desktop display upside down and to swap the functions of the left and right mouse buttons. These tricks disrupt normal user interaction, causing confusion or hindering the victim’s ability to control the system.

  • It has a self-destruct capability that remotely removes itself from a victim’s machine to avoid detection and reduce forensic traces.
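The two network-level observations above (a fixed “SecurityNotifier” user agent over HTTP, and stolen screenshots, audio and webcam images leaving via POST requests) are the kind of indicators a defender can turn into a proxy-log hunt. The following Python script is an added example written for this post; it is not LevelBlue's or Cybereason's detection code. The proxy log format, the IP addresses, the `c2.invalid` host and the `/screenshot`, `/audio` and `/webcam` paths are all constructed for the example; the only indicator taken from the report is the user-agent string.

```python
"""
Hunt for KarstoRAT-style C2 and exfiltration traffic in web-proxy logs.

Indicators from the report: HTTP C2 with the User-Agent "SecurityNotifier",
and exfiltration of screenshots/audio/webcam images via POST requests.
Everything else here (log format, hosts, paths, IPs) is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicator from the report: the RAT's fixed HTTP User-Agent string.
KARSTORAT_USER_AGENT = "SecurityNotifier"

# Constructed proxy log format:
#   <timestamp> <src_ip> <method> <url> <status> <bytes> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample: one benign browsing host (10.0.0.5) and one host
# (10.0.0.7) showing the RAT's beacon GETs followed by three POST uploads.
SAMPLE_LOG = """\
2026-02-03T10:00:00Z 10.0.0.5 GET http://example.com/ 200 5120 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-02-03T10:00:02Z 10.0.0.7 GET http://c2.invalid/cmd 200 64 "SecurityNotifier"
2026-02-03T10:00:04Z 10.0.0.7 GET http://c2.invalid/cmd 200 64 "SecurityNotifier"
2026-02-03T10:00:06Z 10.0.0.7 POST http://c2.invalid/screenshot 200 184320 "SecurityNotifier"
2026-02-03T10:00:08Z 10.0.0.7 POST http://c2.invalid/audio 200 921600 "SecurityNotifier"
2026-02-03T10:00:10Z 10.0.0.7 POST http://c2.invalid/webcam 200 204800 "SecurityNotifier"
2026-02-03T10:00:11Z 10.0.0.5 POST http://example.com/login 302 310 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
this line is malformed and must be skipped, not crash the hunt
"""


@dataclass
class Alert:
    src: str      # internal host that produced the traffic
    reason: str   # short rule name
    detail: str   # human-readable evidence


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize(lines):
    """Per source IP, count requests carrying the RAT user agent and, among
    them, the POST uploads (count, bytes and destination hosts)."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ua"] != KARSTORAT_USER_AGENT:
            continue
        s = stats.setdefault(
            rec["src"], {"ua_hits": 0, "posts": 0, "post_bytes": 0, "hosts": set()}
        )
        s["ua_hits"] += 1
        s["hosts"].add(urlparse(rec["url"]).netloc)
        if rec["method"] == "POST":
            s["posts"] += 1
            s["post_bytes"] += rec["bytes"]
    return stats


def detect(lines, post_threshold=3):
    """Raise one alert per host using the RAT user agent, plus a second alert
    when that host has also made repeated POST uploads (exfil pattern)."""
    alerts = []
    for src, s in summarize(lines).items():
        hosts = ",".join(sorted(s["hosts"]))
        alerts.append(Alert(
            src, "c2_user_agent",
            f'{s["ua_hits"]} requests with UA "{KARSTORAT_USER_AGENT}" to {hosts}',
        ))
        if s["posts"] >= post_threshold:
            alerts.append(Alert(
                src, "repeated_post_exfil",
                f'{s["posts"]} POST uploads totalling {s["post_bytes"]} bytes to {hosts}',
            ))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a.reason}] {a.src}: {a.detail}")
```

The user-agent match alone is a high-confidence indicator because “SecurityNotifier” is not a string a browser or common updater sends; the POST-volume rule is there so that an analyst can see at a glance which flagged hosts have already uploaded data and should be prioritised for containment. Point `detect()` at real proxy exports after adjusting `LOG_RE` to the local log format.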

Please check out the full report here.

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
