S0379: Revenge RAT
Revenge RAT is a freely available remote access tool written in .NET (C#).[1][2]
Analyst context for executives and security teams
Revenge RAT is a freely available .NET/C# remote access tool associated in ATT&CK with Windows activity and a broad set of post-compromise behaviors: credential access, discovery, command execution, persistence, command-and-control, tool transfer, and collection through screen, audio, and video capture. The business significance is that a commodity RAT can still create executive-level risk: once present, it can support hands-on access, credential theft, surveillance, and movement using common Windows features rather than only bespoke malware.
Executive priority
Treat this as a validation point for Windows endpoint resilience and incident response readiness rather than as a niche malware family. Leaders should ask whether the organization can prove coverage for suspicious scheduled tasks, Winlogon persistence, PowerShell/cmd execution, RDP use, credential dumping indicators, and unusual external bidirectional communications. Because ATT&CK links Revenge RAT to both The White Company and TA2541, whose related descriptions mention sectors such as aviation, aerospace, transportation, manufacturing, defense, government, and military, organizations in those environments should ensure RAT response playbooks connect endpoint containment, credential reset decisions, and evidence preservation.
Technical view
SOC and detection teams should pivot from the malware name to its mapped behaviors on Windows. Validate detections and triage workflows for T1003 OS Credential Dumping, T1016/T1033/T1082 discovery, T1021.001 RDP, T1053.005 Scheduled Task, T1056.001 Keylogging, T1059.001 PowerShell, T1059.003 Windows Command Shell, T1102.002 bidirectional web-service C2, T1105 tool transfer, T1113/T1123/T1125 capture behaviors, T1132.001 standard encoding, T1202 indirect command execution, T1218.005 Mshta, and T1547.004 Winlogon Helper DLL. Since no official ATT&CK detection text is provided for this software object, local detection engineering should be behavior-led and tested against approved administrative activity to manage false positives.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for PowerShell, cmd, mshta.exe, indirect execution utilities, and suspicious child-process chains
- Windows scheduled task creation, modification, and execution evidence
- Registry monitoring for Winlogon persistence values (for example Userinit and Shell) under the HKLM and HKCU ...\Microsoft\Windows NT\CurrentVersion\Winlogon keys
- Authentication and remote access logs for RDP sessions, especially unusual source, destination, account, or timing patterns
- Endpoint security alerts and memory/process access telemetry relevant to credential dumping and keylogging behaviors
Detection direction
- Prioritize behavior-based analytics over malware-name matching because the official object identifies Revenge RAT as freely available and provides no ATT&CK detection guidance.
- Correlate execution plus persistence plus C2: a scheduled task or Winlogon change followed by PowerShell/cmd/mshta activity and unusual outbound communication is higher value than any single event alone.
- Tune administrative false positives carefully for PowerShell, cmd, RDP, scheduled tasks, and network discovery, since these are common legitimate Windows operations.
- Validate visibility for collection behaviors involving screenshots, microphone/audio, and webcam/video access where privacy, endpoint tooling, and operating system logging permit.
- Use relationship context for threat-informed hunting, but avoid assuming attribution: the supplied ATT&CK relationships show use by The White Company and TA2541, not that every Revenge RAT case belongs to those groups.
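The correlation idea above (a persistence change, then scripted execution, then outbound traffic within a short window) as an added Python sketch; it is not part of the ATT&CK object or the Glexia mirror, and the event shape, field names and sample records are constructed for illustration.

```python
"""Correlate persistence -> script-host execution -> outbound connection per host.
Added example; event tuples and sample records are constructed, not real telemetry."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
# Substring match on the Winlogon key (case-insensitive); covers HKLM and HKCU.
WINLOGON = r"\windows nt\currentversion\winlogon"
# Execution utilities the page maps to Revenge RAT (T1059.001/.003, T1218.005, T1202).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "forfiles.exe"}

# Constructed sample telemetry: (ISO timestamp, host, event kind, detail).
EVENTS = [
    ("2024-05-01T09:00:00", "WS01", "registry_set",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"),
    ("2024-05-01T09:00:20", "WS01", "process", r"mshta.exe C:\Users\Public\update.hta"),
    ("2024-05-01T09:00:45", "WS01", "network", "203.0.113.10:443"),
    # Admin-created task followed by cmd.exe but no outbound connection: must not fire.
    ("2024-05-02T14:00:00", "WS02", "task_create", r"\Maintenance\DiskCleanup"),
    ("2024-05-02T14:00:05", "WS02", "process", "cmd.exe /c cleanmgr /sagerun:1"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def is_persistence(ev):
    kind, detail = ev[2], ev[3].lower()
    return kind == "task_create" or (kind == "registry_set" and WINLOGON in detail)

def is_script_exec(ev):
    return ev[2] == "process" and ev[3].split()[0].lower() in SCRIPT_HOSTS

def correlate(events, window=WINDOW):
    """Return one alert per persistence -> execution -> network chain seen on a host."""
    alerts, by_host = [], {}
    for ev in sorted(events, key=lambda e: e[0]):
        by_host.setdefault(ev[1], []).append(ev)
    for host, evs in by_host.items():
        for i, p in enumerate(evs):
            if not is_persistence(p):
                continue
            t0 = parse(p[0])
            for x in evs[i + 1:]:
                if not is_script_exec(x) or parse(x[0]) - t0 > window:
                    continue
                t1 = parse(x[0])
                net = [n for n in evs if n[2] == "network" and t1 <= parse(n[0]) <= t1 + window]
                if net:
                    alerts.append({"host": host, "persistence": p[3],
                                   "execution": x[3], "network": net[0][3]})
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

Only WS01 produces an alert; the WS02 chain lacks the outbound leg, which is the false-positive control the list above calls for.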
Mitigation priorities
- Harden and monitor Windows administrative execution paths first: PowerShell, command shell, mshta.exe, scheduled tasks, and indirect command execution utilities.
- Restrict and audit RDP exposure and usage, with attention to valid-account abuse and unusual interactive logons.
- Protect credentials through least privilege, credential access monitoring, and rapid credential reset procedures during suspected RAT incidents.
- Monitor and control persistence locations, especially scheduled tasks and Winlogon helper-related registry paths.
- Limit unauthorized ingress of tools and files from external systems and review outbound communications for suspicious bidirectional channels or encoded traffic.
Analyst notes and limits
This take is based on the supplied ATT&CK software object, its external references, and stated relationships. The strongest defensive value comes from the mapped techniques rather than from the sparse software description. The object is Windows-scoped, while several related techniques list broader platforms; coverage recommendations here are framed around the supplied Revenge RAT platform and Windows-relevant relationships.
ATT&CK provides no official detection text, no aliases, no explicit tactics on the malware object, and no indicators of compromise in the mirrored object. The related group descriptions provide context but should not be used as proof of attribution in an incident. Local telemetry, baselines, and asset criticality are required to determine actual exposure and detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | Revenge RAT gathers the username from the system.[1] |
| Enterprise | T1056.001 | Keylogging | Revenge RAT has a plugin for keylogging.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | Revenge RAT has the ability to upload and download files.[1] |
| Enterprise | T1003 | OS Credential Dumping | Revenge RAT has a plugin for credential harvesting.[1] |
| Enterprise | T1125 | Video Capture | Revenge RAT has the ability to access the webcam.[1][2] |
| Enterprise | T1021.001 | Remote Desktop Protocol | Revenge RAT has a plugin to perform RDP access.[1] |
| Enterprise | T1082 | System Information Discovery | Revenge RAT collects the CPU information, OS information, and system language.[1] |
| Enterprise | T1132.001 | Standard Encoding | Revenge RAT uses Base64 to encode information sent to the C2 server.[1] |
| Enterprise | T1102.002 | Bidirectional Communication | Revenge RAT used blogpost.com as its primary command and control server during a campaign.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Revenge RAT collects the IP address and MAC address from the system.[1] |
| Enterprise | T1218.005 | Mshta | Revenge RAT uses mshta.exe to run malicious scripts on the system.[2] |
| Enterprise | T1547.004 | Winlogon Helper DLL | Revenge RAT creates a Registry key at |
| Enterprise | T1123 | Audio Capture | Revenge RAT has a plugin for microphone interception.[1][2] |
| Enterprise | T1059.003 | Windows Command Shell | Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[2] |
| Enterprise | T1059.001 | PowerShell | Revenge RAT uses the PowerShell command |
| Enterprise | T1202 | Indirect Command Execution | Revenge RAT uses the Forfiles utility to execute commands on the system.[2] |
| Enterprise | T1113 | Screen Capture | Revenge RAT has a plugin for screen capture.[1] |
| Enterprise | T1053.005 | Scheduled Task | Revenge RAT schedules tasks to run malicious scripts at different intervals.[2] |
Groups, software, and campaigns
G1018: TA2541
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]
G0089: The White Company
The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page, Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 5eaba19a17e4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cylance Shaheen Nov 2018: Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- [2] Cofense RevengeRAT Feb 2019: Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
- [3] mitre-attack S0379
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.