The source code of CodeRAT has been leaked on GitHub after malware experts traced the developer and queried him about the malware. The malware was recently used in an attack campaign targeting Farsi-speaking IT professionals.

What happened?

Researchers from SafeBreach spotted the malware and then attempted to contact the malware developer named Mr. Moded. 
  • Upon investigation by researchers, the adversary published the source code of the malware on GitHub. 
  • Experts revealed that it is an Iran-based campaign that targets Farsi-speaking IT employees.
  • It attaches a malicious Word doc containing a Microsoft Dynamic Data Exchange (DDE) exploit which fetches the malware from a GitHub repo.

It was observed that the same GitHub includes the source code of RoboThief Telegram session stealer as well.

Decoding CodeRAT

  • Researchers claim that the RAT spies on sensitive windows for tools, such as Visual Studio, Python, Verilog, and PhpStorm.
  • It targets Farsi-speaking code developers by using a Word document with Dynamic Data Exchange (DDE) exploit.
  • It uses a Telegram-based exfiltration and C2 mechanism, which uses bot API to get commands instead of a dedicated server and public anonymous file upload API.
  • If a victim's country does not use Telegram or banned the platform, CodeRAT offers an anti-filter feature that makes a separate request for a routing channel that helps bypass the blocks.

Communicating through commands

CodeRAT supports 50 commands such as taking screenshots, copying the clipboard, list of running processes, terminating processes, checking GPU usage, downloading, uploading, and deleting files. 
  • The attacker generates the commands by using a UI tool that builds and keep them obscured.
  • Hackers use one of the following three methods to transmit the commands to the malware: Telegram bot API named HellChainBot with proxy, Manual mode (USB option), or Locally stored commands on the 'myPictures' folder.
  • The same methods can also be used for data exfiltration, such as single files, entire folders, or certain file extensions.


After the source code is public on GitHub, CodeRAT is now expected to become more prevalent. The RAT comes with strong capabilities that will attract more and more cybercriminals. Thus, organizations and individuals shall make use of IOCs and YARA rules to stay protected.
Cyware Publisher