Cisco Talos recently discovered a new malware campaign named "PoetRAT," which is a remote access Trojan that was initially written in Python but has since evolved into using Lua script. The malware is split into multiple parts and contains various references to William Shakespeare, the English playwright. This campaign uses phishing websites such as gov-az[.]herokuapp[.]com and dellgenius[.]hopto[.]org as its command-and-control infrastructure.
The first version of PoetRAT used FTP for exfiltration, while the newer version supports HTTP, which allows attackers to avoid signature-based detection and stay under the radar. Furthermore, Cisco's investigation uncovered potential connections with other threat actors, including overlaps with Kasablanka, the operators of LodaRAT, and stronger overlaps in both tooling and target choices with the activity of Stibnite, the operators of PoetRAT.
It is essential to be aware of this type of threat as malware can affect computer systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. It is crucial to maintain up-to-date security measures to protect against potential attacks.
Description last updated: 2023-06-23T15:10:18.017Z