Full Report
For almost three decades now, threat actors have used remote access trojans (RATs) to monitor user activity and steal sensitive information and credentials. The RAT’s surreptitious nature has cemented its spot in malicious actors’ malware arsenal, and over the years, it has evolved to include advanced functionalities, including remote code execution, browser decryption, C2 communication, and reconnaissance.
Analysis Summary
# Tool/Technique: KarstoRAT
## Overview
KarstoRAT is a novel and stealthy Remote Access Trojan (RAT) first identified in early 2026. It is designed for persistent system monitoring, data exfiltration, and post-compromise control. The malware is notable for its use of social engineering—specifically targeting gamers—and its suite of "nuisance" features designed to confuse or taunt victims alongside traditional espionage capabilities.
## Technical Details
- **Type**: Malware family (Remote Access Trojan)
- **Platform**: Windows (indicated by registry-style persistence and desktop manipulation features)
- **Capabilities**: Reconnaissance, audio/visual monitoring, credential/token theft, remote code execution, and system manipulation.
- **First Seen**: Early 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.003 - Phishing: Spearphishing via Service] (Fake virtual marketplaces)
- **[TA0003 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
  - [T1057 - Process Discovery]
- **[TA0009 - Collection]**
  - [T1113 - Screen Capture]
  - [T1123 - Audio Capture]
  - [T1125 - Video Capture]
  - [T1056.001 - Input Capture: Keylogging]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols] (HTTP POST requests)
- **[TA0040 - Impact]**
  - [T1491 - Defacement] (Changing wallpaper/flipping display)
## Functionality
### Core Capabilities
- **System Reconnaissance**: Collects computer name, username, OS version, CPU model, RAM/disk info, and active processes.
- **Persistence Management**: Uses "STARTUP_ON" and "STARTUP_OFF" commands to ensure it launches at login.
- **Data Exfiltration**: Uses a consistent HTTP protocol with a specific User-Agent (`SecurityNotifier`) to send stolen data to C2 endpoints.
- **Surveillance**: Captures real-time screenshots, records audio via microphone, and accesses the webcam.
- **Credential Theft**: Specifically targets authentication tokens and logs keystrokes.
### Advanced Features
- **Payload Distribution**: Functions as a downloader to pull and execute secondary malicious payloads.
- **Text-to-Speech (TTS)**: Ability to audibly speak text through the victim's speakers to taunt or distract.
- **UI Manipulation**: Can flip the desktop display upside down and swap mouse button functions (left/right) to hinder user control.
- **Self-Destruction**: Includes a remote command to wipe itself from the system to minimize forensic footprints.
- **Keep-Alive Loop**: Runs an infinite two-second loop to maintain background tasks and process stability.
## Indicators of Compromise
- **File Hashes**: *Specific hashes were not provided in the source text; analysis recommended for local samples.*
- **File Names**: Often masquerades as game-related files (e.g., Blox Fruits/Roblox related marketplace tools).
- **Network Indicators**:
  - User-Agent: `SecurityNotifier`
  - C2 communication via HTTP POST requests.
  - C2 Infrastructure: Multi-purpose servers hosting both C2 listener and payload distribution services on various open ports.
- **Behavioral Indicators**:
  - Unexplained microphone or webcam activation.
  - Frequent 2-second interval process heartbeats.
  - Unexpected desktop orientation changes or mouse behavior modification.
## Associated Threat Actors
- **Unknown**: Specific group attribution is currently unavailable, though the lure suggests targeting of the gaming community (Roblox/Blox Fruits players).
## Detection Methods
- **Signature-based**: Detection of the unique "SecurityNotifier" User-Agent in network traffic.
- **Behavioral detection**: Monitoring for processes that frequently poll or loop (2-second intervals) and unauthorized use of the Windows TTS engine or display setting APIs.
- **Network Monitoring**: Monitoring for outbound HTTP POST requests to unusual endpoints containing binary or encrypted data buffers.
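
One way to apply the signature-based and network checks above to web-proxy logs, as an added example that is not part of the original report. The log layout, IP addresses, ports and URL paths are constructed assumptions; only the `SecurityNotifier` User-Agent and the use of HTTP POST come from the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent the report lists as a network indicator (compared lowercased).
IOC_USER_AGENT = "securitynotifier"

# Assumed log layout: timestamp client method url status bytes_sent "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<sent>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample records (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
2026-02-03T10:15:01Z 10.0.4.21 POST http://203.0.113.50:8080/api/report 200 48211 "SecurityNotifier"
2026-02-03T10:15:09Z 10.0.4.21 POST http://203.0.113.50:8080/api/report 200 1033 "securitynotifier"
2026-02-03T10:15:12Z 10.0.4.33 GET http://www.example.com/ 200 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-02-03T10:16:40Z 10.0.4.21 GET http://203.0.113.50:9001/stage2.bin 200 0 "SecurityNotifier"
2026-02-03T10:17:02Z 10.0.4.58 POST http://198.51.100.7/submit 200 512 "Mozilla/5.0 SecurityNotifierPlugin"
this line is truncated and must be skipped
"""

def find_ioc_traffic(log_text):
    """Group requests carrying the IoC User-Agent by (client, destination)."""
    hits = defaultdict(lambda: dict(posts=0, other=0, bytes_sent=0, first=None, last=None))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or truncated record
        # Exact match after normalising; a substring test flags unrelated agents.
        if m["ua"].strip().lower() != IOC_USER_AGENT:
            continue
        rec = hits[(m["client"], urlsplit(m["url"]).netloc)]
        if m["method"] == "POST":  # the exfiltration pattern the report describes
            rec["posts"] += 1
            rec["bytes_sent"] += int(m["sent"])
        else:
            rec["other"] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return dict(hits)

def severity(rec):
    return "high" if rec["posts"] else "medium"

if __name__ == "__main__":
    for key, rec in sorted(find_ioc_traffic(SAMPLE_LOG).items()):
        print(severity(rec), *key, rec)
```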
## Mitigation Strategies
- **User Education**: Warn users against downloading third-party tools or "mods" from unofficial virtual marketplaces or social media links.
- **Least Privilege**: Ensure users do not run games or unofficial software with administrative privileges, which prevents the malware from writing to startup directories.
- **Endpoint Protection**: Deploy EDR solutions capable of detecting "living-off-the-land" techniques like display manipulation and unauthorized screen/audio capture.
## Related Tools/Techniques
- **Common RATs**: Similar in function to NjRAT or NanoCore but with unique "prank" sub-routines (screen flipping/TTS).
- **Gaming Lures**: Similar to malware delivery campaigns targeting Steam, Discord, and Roblox users.