
S0235: CrossRAT

CrossRAT is a cross platform RAT.

Enterprise | S0235 | Malware | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

CrossRAT matters because it is described by ATT&CK as a cross-platform remote access trojan spanning Linux, Windows, and macOS. For leaders, the practical issue is not a single operating system control gap: organizations need to know whether endpoint visibility, persistence monitoring, and incident response playbooks work consistently across mixed fleets. Its ATT&CK relationships emphasize discovery, screen capture, and OS-specific logon persistence mechanisms.

Executive priority

Prioritize CrossRAT as a coverage-validation case for heterogeneous endpoint environments. Security leaders should ask whether SOC and IR teams can prove collection and detection for Windows Run Keys or Startup Folder changes, macOS Launch Agents, Linux XDG Autostart entries, file and directory discovery, and screen capture behavior. This is useful for resilience planning, audit evidence, and budget decisions because weak non-Windows telemetry or inconsistent endpoint baselines can leave material gaps in detection and response.

Technical view

ATT&CK provides no dedicated detection text for CrossRAT, so defenders should pivot from the mapped techniques. Validate monitoring for T1083 File and Directory Discovery, T1113 Screen Capture, T1543.001 macOS Launch Agent persistence, T1547.001 Windows Registry Run Keys or Startup Folder persistence, and T1547.013 Linux XDG Autostart Entries. Because the malware is listed for Linux, Windows, and macOS, detection engineering should compare control depth across all three rather than assuming Windows-centered coverage is sufficient.

Likely telemetry

  • Endpoint process execution and command-line activity across Linux, Windows, and macOS
  • File system enumeration activity and access to sensitive directories or network shares
  • Screenshot or screen-capture API, utility, or process activity where available
  • Windows Registry Run Key changes and Startup Folder file creation or modification
  • macOS LaunchAgent plist creation or modification in system and user LaunchAgents paths

Detection direction

  • Build detections from the related ATT&CK techniques rather than from a CrossRAT-specific signature, since no official detection guidance is provided.
  • Validate OS-specific persistence rules separately for Windows, macOS, and Linux; a pass on one platform should not be treated as coverage for the others.
  • Tune discovery detections to distinguish administrative inventory activity from unusual enumeration by user context, process lineage, timing, and target locations.
  • For screen capture, look for unusual screenshot utilities, APIs, or processes, but account for legitimate collaboration, support, and accessibility tools.
  • Use the Dark Caracal relationship only as threat-intelligence context from ATT&CK; do not infer current activity or local exposure without environment evidence.

Mitigation priorities

  • Establish and enforce endpoint logging standards for Linux, Windows, and macOS before relying on detections.
  • Harden and monitor user-logon persistence locations: Windows Run Keys and Startup Folder, macOS Launch Agents, and Linux XDG Autostart entries.
  • Maintain least-privilege endpoint administration so user-context persistence has reduced operational impact.
  • Create IR checklists that include cross-platform persistence review, file discovery traces, and screen-capture evidence collection.
  • Use the mapped techniques to test SOC coverage and document compliance evidence for endpoint monitoring controls.
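
A cross-platform audit of the three user-logon persistence locations listed above, added here as an example (it is not Glexia's or MITRE's code); the function names, the default directories and the sample .desktop and plist contents are assumptions, and the samples are constructed rather than real CrossRAT artefacts:

```python
"""Audit of the persistence locations ATT&CK maps to CrossRAT: XDG Autostart .desktop
files (T1547.013), macOS LaunchAgent plists (T1543.001) and, on Windows only, Run keys
(T1547.001). Added example; function names and sample contents are assumptions."""
import configparser, glob, os, plistlib, sys

def parse_desktop_entry(text):
    """Exec command of an XDG .desktop entry, or None if absent or Hidden=true."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                        # keep key case: 'Exec', not 'exec'
    cp.read_string(text)
    sec = cp["Desktop Entry"] if cp.has_section("Desktop Entry") else {}
    hidden = str(sec.get("Hidden", "false")).lower() == "true"   # Hidden=true masks the entry
    return None if hidden else sec.get("Exec")

def parse_launch_agent(data):
    """(Label, argv, RunAtLoad) from the bytes of a LaunchAgent plist."""
    p = plistlib.loads(data)
    argv = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    return p.get("Label", ""), list(argv), bool(p.get("RunAtLoad", False))

def scan_dirs(dirs, pattern, parser, mode):
    """Apply parser to every matching file; unreadable or malformed files are flagged."""
    rows = []
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, pattern))):
            try:
                with open(path, mode) as fh:
                    rows.append((path, parser(fh.read())))
            except Exception as exc:            # a malformed autostart file is itself a finding
                rows.append((path, "unparsable: %s" % exc))
    return rows

def windows_run_entries():
    """(hive, value name, command) from the HKCU and HKLM Run keys; [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    rows, sub = [], r"Software\Microsoft\Windows\CurrentVersion\Run"
    for name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    rows.append((name,) + winreg.EnumValue(key, i)[:2])
        except OSError:                         # key absent or access denied
            pass
    return rows

# Constructed samples (not real CrossRAT artefacts) so the parsers can be exercised offline.
SAMPLE_DESKTOP = "[Desktop Entry]\nType=Application\nName=Updater\nExec=/tmp/updater --silent\n"
SAMPLE_PLIST = plistlib.dumps({"Label": "com.example.helper", "ProgramArguments": ["/tmp/helper", "-d"]})
```

Run scan_dirs over /etc/xdg/autostart and ~/.config/autostart with "*.desktop", parse_desktop_entry and "r", and over /Library/LaunchAgents and ~/Library/LaunchAgents with "*.plist", parse_launch_agent and "rb"; diffing the rows against a known-good baseline per platform is the coverage check the list above asks for.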

Analyst notes and limits

The official ATT&CK description is sparse: CrossRAT is identified as a cross-platform RAT, with relationships to Dark Caracal and five techniques. The most defensible Glexia value is to treat it as a cross-platform coverage and response-readiness test case rather than to make claims about prevalence, current exploitation, or guaranteed detections.

ATT&CK supplies no official detection text, aliases, labels, or tactics directly on the malware object. Local decisions require environment-specific telemetry, endpoint baselines, approved administrative tools, and confirmation of which operating systems are in scope.

Official MITRE ATT&CK definition

CrossRAT

CrossRAT is a cross platform RAT.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1113 | Screen Capture | CrossRAT is capable of taking screen captures. (Citation: Lookout Dark Caracal Jan 2018)
Enterprise | T1543.001 | Launch Agent (sub-technique) | CrossRAT creates a Launch Agent on macOS. (Citation: Lookout Dark Caracal Jan 2018)
Enterprise | T1083 | File and Directory Discovery | CrossRAT can list all files on a system. (Citation: Lookout Dark Caracal Jan 2018)
Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | CrossRAT uses run keys for persistence on Windows. (Citation: Lookout Dark Caracal Jan 2018)
Enterprise | T1547.013 | XDG Autostart Entries (sub-technique) | CrossRAT can use an XDG Autostart to establish persistence. (Citation: Red Canary Netwire Linux 2022)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: cd9f1f0eebdaf197...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | cd9f1f0eebda…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. CrossRAT (Citation: Lookout Dark Caracal Jan 2018)
  2. Lookout Dark Caracal Jan 2018: Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  3. mitre-attack S0235

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.