S0338: Cobian RAT
Cobian RAT is a backdoor, remote access tool that has been observed since 2016.[1]
Analyst context for executives and security teams
Cobian RAT is a Windows remote access backdoor observed since 2016. Its ATT&CK relationships make it material because the behavior spans credential theft through keylogging, interactive execution through Windows Command Shell, persistence through Run keys or Startup folders, command-and-control using DNS and encoded data, and collection through screen, audio, and video capture. For leaders, this is less about one malware name and more about whether Windows endpoint, identity, and network monitoring can prove control over remote-access malware that can observe users and maintain access.
Executive priority
Prioritize this as a validation case for Windows endpoint resilience, SOC visibility, and incident response readiness. The highest-value business questions are: can the organization detect unauthorized persistence in common Windows startup locations, identify suspicious command shell activity, see DNS-based command-and-control patterns, and respond quickly if user credentials or sensitive conversations/screens are captured? This also supports audit and compliance evidence around endpoint monitoring, credential protection, logging retention, and investigation procedures.
Technical view
ATT&CK provides no official detection text for Cobian RAT, so defenders should build coverage from the linked behaviors: T1056.001 Keylogging, T1059.003 Windows Command Shell, T1071.004 DNS, T1113 Screen Capture, T1123 Audio Capture, T1125 Video Capture, T1132.001 Standard Encoding, and T1547.001 Registry Run Keys / Startup Folder. Validate Windows telemetry for process execution, registry and startup-folder modification, suspicious child processes involving cmd.exe, endpoint access to input or capture capabilities, and network/DNS activity that could represent C2 or encoded content. IR playbooks should assume potential credential exposure and user-session surveillance when these behaviors are confirmed.
Likely telemetry
- Windows process creation and command-line logging, especially cmd.exe execution context and parent/child process relationships
- Windows registry auditing for Run key creation or modification
- File-system monitoring for Startup folder additions or changes
- Endpoint security alerts or EDR events related to keyboard, screen, microphone, or camera access
- DNS query logs and resolver telemetry for unusual destinations, volume, timing, or encoded-looking labels
Detection direction
- Do not rely on a Cobian RAT signature alone; validate behavior-level detections mapped to the listed ATT&CK techniques.
- Tune command-shell detections around abnormal parent processes, unusual user context, remote or scripted invocation patterns, and commands inconsistent with normal administration.
- Monitor Run keys and Startup folders for new or modified entries, while accounting for legitimate software installers and enterprise management tools as common false positives.
- Review DNS analytics for suspicious frequency, domain novelty, long or high-entropy labels, and patterns consistent with encoded C2, while recognizing that DNS is noisy and requires baselining.
- Correlate collection indicators such as screen, audio, video, or keylogging-related activity with persistence and C2 signals to raise confidence.
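The telemetry list and detection directions above, worked through as an added example that is not part of the ATT&CK object or Glexia's analysis: constructed process-create, registry-set and DNS events are scored per host for suspicious cmd.exe parentage, Run key or Startup folder persistence, and long or high-entropy DNS labels, then correlated so that a host is reported only when at least two signal classes coincide. Host names, paths, thresholds and the `c2-placeholder.invalid` domain are assumptions; the checks are starting points to be tuned against local baselines.

```python
import math
import re

# Constructed sample events (not real telemetry): process-create, registry-set and DNS records.
EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"host": "ws01", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws01", "type": "dns", "query": "q7w2e9r4t1y6u3i8o5p0.c2-placeholder.invalid"},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws02", "type": "dns", "query": "www.example.com"},
]
# Parents from which an interactive cmd.exe is expected (assumed allowlist); anything else gets reviewed.
EXPECTED_CMD_PARENTS = {"explorer.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def shannon_entropy(text):
    # Bits per character: "aaaa" -> 0.0, "ab" -> 1.0; Base64-like text scores high.
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text)) if n else 0.0

def is_suspicious_shell(ev):
    # cmd.exe started by an unexpected parent, or by a parent living in a user-writable path.
    parent = ev.get("parent", "").lower()
    return (ev["type"] == "process" and ev["image"].lower().endswith("\\cmd.exe")
            and (parent.rsplit("\\", 1)[-1] not in EXPECTED_CMD_PARENTS or any(d in parent for d in USER_WRITABLE)))

def is_run_key_or_startup(ev):
    # T1547.001: Run/RunOnce value writes, or files dropped into a Startup folder.
    if ev["type"] == "registry":
        return re.search(r"\\currentversion\\run(once)?\\", ev["key"].lower()) is not None
    return ev["type"] == "file" and "\\start menu\\programs\\startup\\" in ev["path"].lower()

def is_encoded_looking_dns(ev, max_len=15, max_entropy=3.5):
    # Long or high-entropy leftmost label: the shape encoded data carried in DNS names takes.
    label = ev.get("query", "").split(".")[0]
    return ev["type"] == "dns" and (len(label) > max_len or shannon_entropy(label) > max_entropy)

CHECKS = ((is_suspicious_shell, "shell"), (is_run_key_or_startup, "persistence"), (is_encoded_looking_dns, "c2_dns"))

def correlate(events):
    # Report hosts showing at least two independent signal classes (persistence, shell, C2 DNS).
    signals = {}
    for ev in events:
        for check, name in CHECKS:
            if check(ev):
                signals.setdefault(ev["host"], set()).add(name)
    return {h: sorted(s) for h, s in signals.items() if len(s) >= 2}
```

Run against the constructed events, only ws01 is reported, because ws02's cmd.exe came from explorer.exe and its DNS label is short and low-entropy.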
Mitigation priorities
- Harden Windows endpoints by restricting unauthorized persistence mechanisms and monitoring Registry Run keys and Startup folders.
- Limit unnecessary command-shell access where operationally feasible and ensure administrative use is logged and attributable.
- Protect credentials with strong identity controls, rapid password reset procedures after suspected keylogging, and review of anomalous authentication activity.
- Control and monitor access to microphones, cameras, and screen-capture capabilities where business requirements allow.
- Ensure DNS logging, retention, and investigation workflows are sufficient to support C2 analysis.
Analyst notes and limits
The supplied ATT&CK object identifies Cobian RAT as a Windows backdoor/remote access tool and provides behavior relationships but no official detection text, aliases, labels, or explicit tactics on the malware object itself. The strongest defensive value comes from mapping the related techniques into concrete telemetry validation and response planning.
This take is limited to the official STIX fields, external references, and relationships supplied. It does not establish current activity, attribution, prevalence, exploit method, specific indicators of compromise, or guaranteed detection coverage. Local asset roles, logging configuration, endpoint control maturity, and DNS architecture are required to judge real exposure.
Cobian RAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | Cobian RAT has a feature to perform screen capture. (Citation: Zscaler Cobian Aug 2017) |
| Enterprise | T1125 | Video Capture | Cobian RAT has a feature to access the webcam on the victim’s machine. (Citation: Zscaler Cobian Aug 2017) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Cobian RAT creates an autostart Registry key to ensure persistence. (Citation: Zscaler Cobian Aug 2017) |
| Enterprise | T1059.003 | Windows Command Shell | Cobian RAT can launch a remote command shell interface for executing commands. (Citation: Zscaler Cobian Aug 2017) |
| Enterprise | T1056.001 | Keylogging | Cobian RAT has a feature to perform keylogging on the victim’s machine. (Citation: Zscaler Cobian Aug 2017) |
| Enterprise | T1071.004 | DNS | Cobian RAT uses DNS for C2. (Citation: Zscaler Cobian Aug 2017) |
| Enterprise | T1123 | Audio Capture | Cobian RAT has a feature to perform voice recording on the victim’s machine. (Citation: Zscaler Cobian Aug 2017) |
| Enterprise | T1132.001 | Standard Encoding | Cobian RAT obfuscates communications with the C2 server using Base64 encoding. (Citation: Zscaler Cobian Aug 2017) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5073c208f440… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Zscaler Cobian Aug 2017: Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. (Open source URL)
- [2] Cobian RAT: (Citation: Zscaler Cobian Aug 2017)
- [3] mitre-attack S0338 (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.