Fatalrat

Malware updated a month ago (2024-11-29T14:17:20.057Z)
FatalRAT, also known as Sainbox, is a variant of the Gh0st RAT malware that targets Windows platforms. Initially identified by Proofpoint in 2020, it has become popular with the PurpleFox threat actor group. Once it has infiltrated a system, FatalRAT can log keystrokes and download and install additional payloads.

As per Nuspire's Q1 2023 cyber threat report, out of their top five botnets, Torpig Mebroot remains dominant, but two new botnets have emerged: NetSupport RAT and FatalRAT. In a notable campaign since April 2023, at least 20 instances have been reported where Sainbox was delivered through malicious means. In one instance, KryptoCibule, a cryptocurrency-focused malware that targeted Czech and Slovak users, spread through a popular local file sharing service, masquerading as pirated games or downloadable content (DLC).

Another significant case involved Chinese-language speakers in Southeast and East Asia who were targeted with poisoned Google search results for popular applications such as Firefox, WhatsApp, and Telegram, leading to the installation of trojanized versions containing FatalRAT. The malware was also spread through fake browser and messenger apps advertised on Google Ads. The campaign involved malicious advertisements that mimicked websites of popular applications like Firefox, WhatsApp, Signal, Skype, and Telegram. While providing the legitimate software, these sites also delivered a remote access trojan called FatalRAT.

This malware continues to pose a significant threat due to its ability to exploit and damage computer systems without the user's knowledge.
Description last updated: 2024-05-04T18:38:03.943Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
gh0st RAT is a possible alias for Fatalrat. Gh0st RAT is a malicious software (malware) that has been in use for over 15 years. It is an open-source remote access tool known for exploiting vulnerabilities in systems, most notably the PHP flaw which it targeted within 24 hours of disclosure. This malware was observed as part of Operation Diplo | 2
Sainbox is a possible alias for Fatalrat. Sainbox, also known as FatalRAT, is a variant of the Gh0st RAT trojan malware that has been increasingly deployed in cybercrime activities, particularly those associated with suspected Chinese cybercrime operations. Proofpoint researchers have observed over 30 separate campaigns leveraging this malw | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Telegram
Skype
Source Document References
Information about the Fatalrat Malware was read from the documents corpus below.