A new RAT, dubbed Borat, has been observed on darknet markets that allows the attacker to take complete control of the device’s mouse, keyboard, stored files, and network points.

The capabilities of Borat

Cyble researchers spotted the RAT in the wild and performed a technical analysis to dig deeper into it.
  • Based on the analysis, Borat is a combination of RAT, spyware, and ransomware.
  • The RAT comes with easy-to-use features for performing DDoS attacks, UAC bypass, and, of course, data stealing.
  • It is not known whether Borat is being sold or freely shared among cybercriminals. However, it comes as a package that includes a builder, malware modules, and a server certificate.

Multiple modules 

The malware has different and dedicated modules serving various tasks and purposes.
  • The modules include keylogging, ransomware, DDoS, audio recording, webcam recording, remote desktop, reverse proxy, device info, process hollowing, credential, and Discord token stealing.
  • Additional functions include capabilities to confuse the victim by playing audio, swapping mouse buttons, hiding the desktop/taskbar, holding mouse, turning off the monitor, or showing a blank screen.

AsyncRat connection

While analyzing the campaign and digging into its origin, researchers from Bleeping Computer discovered the payload executable to be AsyncRAT. Therefore, it is possible that the developers of Borat used AsyncRAT as the base malware.


Borat is a multi-use malware threat that comes with a combination of other malware payloads. Usually, attackers spread such tools via laced executables or files impersonated as cracks for games/applications. Most of these malicious programs are found on untrustworthy sources such as torrents or fake sites.
Cyware Publisher