S0348: Cardinal RAT
Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[1]
Analyst context for executives and security teams
Cardinal RAT matters because it represents a Windows remote access capability that may arrive as source code and compile on the endpoint using Microsoft’s built-in csc.exe compiler. That shifts defensive value from only blocking known binaries to validating whether endpoints log compiler use, registry changes, discovery activity, command shell execution, and web-based command-and-control behavior. For leaders, the practical question is whether the organization can prove visibility and response coverage for a low-volume RAT that blends host discovery, credential collection, persistence, obfuscation, and C2 resilience.
Executive priority
Prioritize this as a coverage-validation issue for Windows endpoint monitoring, identity risk, and incident response readiness. The ATT&CK relationships show behaviors tied to persistence, credential access, collection, discovery, defense evasion, and command-and-control. Executives should ask whether SOC and IR teams can reconstruct: how a malicious file executed, whether csc.exe compiled suspicious code, what registry persistence changed, what user or system information was collected, and what outbound web/proxy/fallback channels were used. This is also useful evidence for audit and compliance programs that require demonstrable endpoint logging, malware response procedures, and control validation rather than reliance on signature detection alone.
Technical view
Cardinal RAT is documented for Windows and is notable for use of uncompiled C# source code with the Windows csc.exe compiler. ATT&CK relationships associate it with compile-after-delivery, encoded/encrypted files, deobfuscation, process injection, command shell execution, registry query/modify activity, Run Key or Startup Folder persistence, discovery of users/processes/system/files, keylogging, screen capture, archive-via-library collection, ingress tool transfer, and web/proxy/fallback encrypted C2 patterns. SOC teams should validate correlations across endpoint process creation, compiler invocation, registry writes, file creation/deletion, suspicious child processes from cmd.exe or csc.exe, and outbound network sessions that resemble web traffic but do not match normal application behavior.
Likely telemetry
- Windows endpoint process creation and command-line logging, especially csc.exe and cmd.exe execution context
- File creation, modification, deletion, and temporary source-code or compiled-artifact activity
- Windows Registry query and modification events, including Run Keys and Startup Folder persistence locations
- EDR telemetry for process injection or unusual cross-process memory activity
- User/session discovery, process enumeration, system information discovery, and file/directory enumeration events
Detection direction
- Do not rely only on known malware hashes; the described use of uncompiled C# and csc.exe makes compiler and build-artifact telemetry important.
- Baseline legitimate csc.exe use by developers, build servers, administrative tools, and software installers to reduce false positives before alerting on compiler execution.
- Correlate suspicious csc.exe execution with nearby malicious-file execution, encoded files, deobfuscation, file deletion, registry persistence, or outbound network activity.
- Monitor registry modifications and queries together: discovery of configuration followed by Run Key or Startup Folder changes is higher-value than either event alone.
- Tune command-shell detections around unusual parent/child process chains and execution from user-writable or temporary paths where local evidence supports that pattern.
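The following is an added example of the correlation the detection points above describe; it is not part of the mirrored ATT&CK object and is not a MITRE or vendor analytic. It builds a baseline of csc.exe parent processes from a known-good window, flags compiler launches whose parent is outside that baseline or whose command line points at a user-writable path, and then looks for a Run Key or Startup Folder write by the same process tree within a short window. The event shape (fields `ts`, `event`, `pid`, `ppid`, `image`, `parent`, `cmdline`, `target`) and every sample event are constructed here to resemble Sysmon process-creation and registry-write records; the path markers and the ten-minute window are assumptions to tune locally.

```python
"""Compile-after-delivery correlation over constructed Sysmon-like events.
Added example; not the page's, MITRE's, or any vendor's code."""
from collections import Counter
from datetime import datetime, timedelta

# Assumed markers: user-writable build locations, and the Run Key /
# Startup Folder persistence locations named in the detection guidance.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
PERSISTENCE_MARKERS = ("\\currentversion\\run", "\\start menu\\programs\\startup")


def _name(path):
    """Image file name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _proc(ts, pid, ppid, image, parent, cmdline=""):
    return {"ts": ts, "event": "process", "pid": pid, "ppid": ppid,
            "image": image, "parent": parent, "cmdline": cmdline}


def _reg(ts, pid, target):
    return {"ts": ts, "event": "registry", "pid": pid, "target": target}


CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
MSBUILD = r"C:\Program Files\MSBuild\MSBuild.exe"
DEVENV = r"C:\Program Files\Microsoft Visual Studio\devenv.exe"

# Constructed known-good window from a build host: csc.exe launched by build tooling.
BASELINE_EVENTS = [
    _proc("2024-05-01T08:00:00", 100, 50, CSC, MSBUILD, r"csc.exe /out:C:\build\a.exe C:\src\a.cs"),
    _proc("2024-05-01T08:05:00", 101, 50, CSC, MSBUILD, r"csc.exe /out:C:\build\b.exe C:\src\b.cs"),
    _proc("2024-05-01T08:10:00", 102, 60, CSC, DEVENV, r"csc.exe /out:C:\build\c.exe C:\src\c.cs"),
    _proc("2024-05-01T08:15:00", 103, 60, CSC, DEVENV, r"csc.exe /out:C:\build\d.exe C:\src\d.cs"),
]

# Constructed live events on a user workstation: Excel -> cmd.exe -> csc.exe compiling
# from %TEMP%, the compiled output then writing a Run key; plus an unrelated installer.
EXCEL = r"C:\Program Files\Microsoft Office\EXCEL.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\upd.exe"
LIVE_EVENTS = [
    _proc("2024-05-01T09:30:00", 300, 1, EXCEL, r"C:\Windows\explorer.exe"),
    _proc("2024-05-01T09:30:05", 310, 300, CMD, EXCEL),
    _proc("2024-05-01T09:30:10", 320, 310, CSC, CMD,
          r"csc.exe /out:" + TEMP_EXE + r" C:\Users\alice\AppData\Local\Temp\upd.cs"),
    _proc("2024-05-01T09:30:15", 330, 310, TEMP_EXE, CMD),
    _reg("2024-05-01T09:30:20", 330, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    _proc("2024-05-01T09:31:00", 500, 1, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\services.exe"),
    _reg("2024-05-01T09:31:05", 500, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"),
]


def baseline_csc_parents(events, min_count=2):
    """Parents that launched csc.exe at least min_count times in the known-good window."""
    counts = Counter(_name(e["parent"]) for e in events
                     if e["event"] == "process" and _name(e["image"]) == "csc.exe")
    return {parent for parent, n in counts.items() if n >= min_count}


def flag_csc(events, baseline):
    """csc.exe launches with an out-of-baseline parent or a user-writable source/output path."""
    flagged = []
    for e in events:
        if e["event"] != "process" or _name(e["image"]) != "csc.exe":
            continue
        reasons = []
        if _name(e["parent"]) not in baseline:
            reasons.append("parent not in baseline: " + _name(e["parent"]))
        if any(m in e["cmdline"].lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("source or output in user-writable path")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def correlate_persistence(events, flagged, window=timedelta(minutes=10)):
    """Persistence-location writes by the flagged compiler's process tree within the window."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["event"] == "process"}

    def lineage(pid):  # pid itself plus every known ancestor
        chain = []
        while pid in parent_of and pid not in chain:
            chain.append(pid)
            pid = parent_of[pid]
        return chain

    hits = []
    for csc, reasons in flagged:
        t0 = datetime.fromisoformat(csc["ts"])
        for r in events:
            if r["event"] != "registry" or not any(m in r["target"].lower() for m in PERSISTENCE_MARKERS):
                continue
            if not t0 <= datetime.fromisoformat(r["ts"]) <= t0 + window:
                continue
            tree = lineage(r["pid"])
            if csc["pid"] in tree or csc["ppid"] in tree:  # compiler itself or its launcher's subtree
                hits.append({"csc_pid": csc["pid"], "reg_pid": r["pid"],
                             "target": r["target"], "reasons": reasons})
    return hits


def run():
    """Baseline from the build host, then flag and correlate the workstation events."""
    baseline = baseline_csc_parents(BASELINE_EVENTS)
    return correlate_persistence(LIVE_EVENTS, flag_csc(LIVE_EVENTS, baseline))


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The compiler launch alone produces a flag with its reasons; the correlated Run key write is the higher-value alert, matching the point that discovery-then-persistence by one process tree outranks either event on its own. The msiexec.exe Run key write in the sample is within the time window but belongs to a different tree, so it is not correlated.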
Mitigation priorities
- Establish and test Windows endpoint logging for process command lines, registry changes, file events, and network connections before an incident occurs.
- Control and monitor use of built-in compilers such as csc.exe on non-development endpoints where business need is limited.
- Harden user execution paths and reduce exposure to malicious files through attachment handling, user awareness, and endpoint prevention controls.
- Restrict persistence opportunities by monitoring and governing Registry Run Keys and Startup Folder locations.
- Apply least privilege so registry modification, process manipulation, and persistence attempts have reduced success likelihood.
Analyst notes and limits
The strongest defensive lead from the supplied object is Cardinal RAT’s reported use of uncompiled C# source code and Windows csc.exe, combined with its ATT&CK relationships across discovery, stealth, persistence, collection, and command-and-control. The object does not provide official detection guidance, so recommended validation is derived from the supplied relationships and platform field rather than a MITRE-provided analytic.
The supplied ATT&CK object lists Windows as the malware platform and provides no official detection text, aliases, labels, or specified malware-level tactics. Relationship techniques include broader platform lists, but those do not expand Cardinal RAT’s supplied platform beyond Windows. Local baselines are required to distinguish legitimate compiler, registry, command shell, web traffic, archive, and administrative activity from malicious behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Cardinal RAT can execute commands. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Cardinal RAT can download and execute additional payloads. [1] |
| Enterprise | T1083 | File and Directory Discovery | Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload). [1] |
| Enterprise | T1033 | System Owner/User Discovery | Cardinal RAT can collect the username from a victim machine. [1] |
| Enterprise | T1056.001 | Keylogging Sub-technique | Cardinal RAT can log keystrokes. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic. [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents. [1] |
| Enterprise | T1560.002 | Archive via Library Sub-technique | Cardinal RAT applies compression to C2 traffic using the ZLIB library. [1] |
| Enterprise | T1012 | Query Registry | Cardinal RAT contains watchdog functionality that periodically ensures |
| Enterprise | T1027.004 | Compile After Delivery Sub-technique | Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code. [1] |
| Enterprise | T1090 | Proxy | Cardinal RAT can act as a reverse proxy. [1] |
| Enterprise | T1055 | Process Injection | Cardinal RAT injects into a newly spawned process created from a native Windows executable. [1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | Cardinal RAT can uninstall itself, including deleting its executable. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded. [1] |
| Enterprise | T1082 | System Information Discovery | Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine. [1] |
| Enterprise | T1008 | Fallback Channels | Cardinal RAT can communicate over multiple C2 host and port combinations. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Cardinal RAT is downloaded using HTTP over port 443. [1] |
| Enterprise | T1112 | Modify Registry | Cardinal RAT sets |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Cardinal RAT establishes Persistence by setting the |
| Enterprise | T1057 | Process Discovery | Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance. [1] |
| Enterprise | T1113 | Screen Capture | Cardinal RAT can capture screenshots. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 2d4584079f0b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] PaloAlto CardinalRat Apr 2017: Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- [2] Cardinal RAT (Citation: PaloAlto CardinalRat Apr 2017)
- [3] mitre-attack S0348
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.