VileRAT is a Python-based malware that first appeared in a highly intricate attack campaign targeting foreign exchange and cryptocurrency trading companies. The attack was attributed to DeathStalker, a part of the rebranding process by the Evilnum group, in 2020. Since then, the attackers have upgraded the capabilities of VileRAT to perform more sophisticated attacks. 

What’s the new update?

  • According to the researchers from Securelist, DeathStalker has been updating the features of VileRAT through 2021, with the latest update observed in June 2022.
  • Several new samples of the trojan with new infrastructure have been identified since March 2022, which indicates an increase in compromise attempts. 
  • The infection vector has also changed. It initially started with links to a malicious file hosted on Google Drive; in 2021, malicious Word documents were used instead of URLs to drop the malware.
  • However, from July 2022, the attackers have begun leveraging chatbots on targeted companies’ websites to send malicious documents. The documents are named with keywords such as ‘compliance’ or ‘complaint.’

VileRAT dropped using VileDropper

  • The campaign uses the VBA stomping technique to conceal the macros embedded within malicious documents.
  • These macros, when enabled, ultimately execute a malicious obfuscated JavaScript backdoor called VileDropper. VileDropper is later scheduled to drop VileRAT.
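
For defenders, the chain above (a lure document opened in Word, a script host running JavaScript, then a scheduled task) can be hunted in process-creation telemetry. The following Python example is added here and is not code from Securelist or the original article; the event field names, the use of wscript.exe/cscript.exe and schtasks.exe, and all sample events are assumptions constructed for illustration.

```python
import re

LURE = re.compile(r"compliance|complaint", re.I)  # lure keywords named in the article
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}     # assumption: JS runs under Windows Script Host
TASK_TOOLS = {"schtasks.exe"}                     # assumption: task is registered via schtasks

def base(path):
    """Lower-cased executable name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... of an event (PID reuse is ignored here)."""
    seen = set()
    while event["ppid"] in by_pid and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid[event["ppid"]]
        yield event

def find_chains(events):
    """Return one finding per script host that descends from Word."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if base(e["image"]) not in SCRIPT_HOSTS:
            continue
        word = next((a for a in ancestors(e, by_pid)
                     if base(a["image"]) == "winword.exe"), None)
        if word is None:
            continue  # script host was not started from a document
        task = any(base(d["image"]) in TASK_TOOLS
                   and e["pid"] in {a["pid"] for a in ancestors(d, by_pid)}
                   for d in events)
        findings.append({"script_pid": e["pid"], "creates_task": task,
                         "lure_name": bool(LURE.search(word["cmdline"]))})
    return findings

# Constructed sample events (hypothetical field names, paths and PIDs).
SAMPLE = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE "C:\Users\a\Downloads\Complaint_form.docx"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\a\AppData\Local\Temp\x.js"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn ExampleTask"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.js"},
]
print(find_chains(SAMPLE))
```

The script host started directly from explorer.exe (PID 500) is not reported, since only script hosts with Word in their ancestry match.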

VileRAT versions and functionalities

  • Researchers have obtained various versions of VileRAT, ranging from 2.4 to 8. Some of the functionalities are similar across all the samples. 
  • While some are dropped by leveraging SSH as a C2 channel or screenshotting, the latest versions are deployed using VileLoader.
  • The primary functionality of VileRAT includes keylogging, executing arbitrary code, listing security solutions from targeted systems, and self-updating from a C2 server. 
  • So far, the victims of DeathStalker’s VileRAT are foreign exchange and cryptocurrency organizations in Bulgaria, Cyprus, Germany, Kuwait, the UAE, Malta, and the Russian Federation. 


VileRAT and its loader are still being used to persistently target foreign and cryptocurrency exchanges, with a clear intent to escape detection. Given that the attackers are continuously changing their evasion techniques and VileRAT’s capabilities, organizations should have robust endpoint protection solutions to detect and block most VileRAT-related malicious activities.
Cyware Publisher