S0428: PoetRAT
PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. [1][2][3]
Analyst context for executives and security teams
PoetRAT is a Windows remote access trojan documented by ATT&CK as used in campaigns against public and private sector organizations in Azerbaijan, including ICS and SCADA systems in the energy sector. For defenders, the material issue is not just the malware name; its related behaviors include credential access, discovery, collection, command execution, file transfer, command-and-control, and exfiltration. That combination can turn one compromised Windows host into an identity, data-loss, and operational-resilience problem, especially where enterprise IT connects to sensitive operational environments.
Executive priority
Prioritize this as a readiness and evidence question: can the organization prove it would see and contain a Windows RAT that dumps or captures credentials, inventories systems and users, collects screenshots/video/files, modifies the registry, deletes files, and communicates over web or file-transfer protocols? Energy, industrial, and public-sector environments should also validate segmentation and incident response handoffs between enterprise SOC and OT/ICS stakeholders, because the official description references ICS/SCADA targeting in the energy sector.
Technical view
ATT&CK provides no official detection text for PoetRAT, so coverage should be validated through the related techniques rather than a single signature. SOC and detection teams should test visibility for LSASS memory access, keylogging indicators, screen/video capture, automated collection, process/user/system/file discovery, Windows command shell execution, Visual Basic/Python/Lua execution, registry modification, file deletion, ingress tool transfer, C2 over web and file-transfer protocols, and exfiltration over C2 or alternate protocols. Correlation matters: isolated discovery or scripting may be benign, but discovery plus credential access, collection, unusual outbound traffic, and cleanup behavior should raise priority.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Script/interpreter execution records for cmd, Visual Basic, Python, and Lua where present
- LSASS access and credential-dumping prevention or alert telemetry
- Registry modification events
- File creation, transfer, archive-like staging, and deletion events
Detection direction
- Build behavior-based coverage around the ATT&CK relationships; do not rely on the malware family name alone.
- Correlate execution, discovery, credential access, collection, outbound communication, and file cleanup into higher-confidence cases.
- Tune for legitimate administrative activity, software inventory, remote support, scripting, and backup/file-transfer workflows to reduce false positives.
- Validate whether Windows endpoints actually log command lines, registry changes, LSASS access, file deletion, and outbound network destinations with sufficient retention for incident response.
- Pay special attention to environments where enterprise Windows hosts can reach operational, ICS, SCADA, or energy-sector systems, since segmentation gaps can make RAT activity more consequential.
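As an added example (not the page's, Glexia's or MITRE's own tooling), the correlation rule below buckets the technique IDs from this page's relationship table into the six behaviours listed above and flags a host only when several of them co-occur within a time window; the grouping, the event shape (host/ts/technique) and the sample telemetry are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: technique IDs from the page's table, bucketed into the six
# behaviours the "Detection direction" list says to correlate (assumed grouping).
BEHAVIOUR_GROUPS = {
    "execution": {"T1059.003", "T1059.005", "T1059.006", "T1059.011", "T1559.002"},
    "discovery": {"T1033", "T1082", "T1083", "T1057", "T1018"},
    "credential_access": {"T1003.001", "T1555.003", "T1056.001"},
    "collection": {"T1113", "T1125", "T1119", "T1560.001"},
    "outbound": {"T1071.001", "T1071.002", "T1571", "T1041", "T1048", "T1048.003", "T1105"},
    "cleanup": {"T1070.004", "T1564.001"},
}
GROUP_OF = {tid: g for g, ids in BEHAVIOUR_GROUPS.items() for tid in ids}

def correlate(events, window=timedelta(hours=24), min_groups=3):
    """Return {host: sorted groups} for hosts where at least `min_groups`
    distinct behaviour groups occur within `window` of some starting event."""
    by_host = defaultdict(list)
    for e in events:
        if e["technique"] in GROUP_OF:
            by_host[e["host"]].append((e["ts"], GROUP_OF[e["technique"]]))
    cases = {}
    for host, evs in by_host.items():
        evs.sort()  # oldest first, so each start event opens one window
        for i, (start, _) in enumerate(evs):
            groups = {g for t, g in evs[i:] if t - start <= window}
            if len(groups) >= min_groups:
                cases[host] = sorted(groups)
                break
    return cases

# Constructed telemetry, not real indicators. ws-07 chains macro execution,
# discovery, browser-credential theft and FTP egress inside two hours; fs-02
# shows only discovery; adm-01 spreads two groups across different days.
SAMPLE_EVENTS = [
    {"host": "ws-07", "ts": datetime(2020, 4, 20, 9, 0), "technique": "T1059.005"},
    {"host": "ws-07", "ts": datetime(2020, 4, 20, 9, 2), "technique": "T1033"},
    {"host": "ws-07", "ts": datetime(2020, 4, 20, 9, 40), "technique": "T1555.003"},
    {"host": "ws-07", "ts": datetime(2020, 4, 20, 10, 5), "technique": "T1071.002"},
    {"host": "fs-02", "ts": datetime(2020, 4, 20, 11, 0), "technique": "T1057"},
    {"host": "fs-02", "ts": datetime(2020, 4, 21, 14, 0), "technique": "T1082"},
    {"host": "adm-01", "ts": datetime(2020, 4, 18, 8, 0), "technique": "T1059.003"},
    {"host": "adm-01", "ts": datetime(2020, 4, 20, 8, 0), "technique": "T1083"},
    {"host": "adm-01", "ts": datetime(2020, 4, 20, 8, 30), "technique": "T1071.001"},
]

if __name__ == "__main__":
    for host, groups in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: escalate, chained behaviours {groups}")
```

Lowering `min_groups` to 2 also surfaces adm-01 (discovery plus outbound on the same morning), which is where tuning against legitimate administrative and backup activity becomes necessary.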
Mitigation priorities
- Reduce credential exposure first: enforce least privilege, protect LSASS where feasible, and limit administrative rights on Windows endpoints.
- Restrict unnecessary scripting and interpreter use, including Python, Lua, Visual Basic, and command shell abuse, using approved execution controls.
- Harden egress paths by monitoring and controlling web and file-transfer protocols rather than assuming common protocols are safe.
- Use application control and endpoint hardening to limit unauthorized tool transfer, registry persistence or modification, and post-compromise utilities.
- Strengthen segmentation and incident playbooks between enterprise IT and ICS/SCADA environments where relevant.
Analyst notes and limits
The strongest defensive value comes from mapping PoetRAT to its ATT&CK relationships: credential access, discovery, execution, collection, C2, exfiltration, and stealth behaviors. The official object identifies Windows as the malware platform and references campaigns against Azerbaijan, including ICS/SCADA energy-sector systems, and notes STIBNITE has been observed using the malware. Local risk should be based on exposure, Windows endpoint visibility, identity controls, egress monitoring, and IT/OT architecture.
ATT&CK does not provide official detection guidance, aliases, labels, or explicit tactics for this malware object. The related techniques are behavior context, not proof of current activity in any environment. This take does not include indicators of compromise or claim active exploitation, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | PoetRAT sent username, computer name, and the previously generated UUID in reply to a "who" command from C2. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | PoetRAT has exfiltrated data over the C2 channel. [2] |
| Enterprise | T1071.002 | File Transfer Protocols Sub-technique | PoetRAT has used FTP for C2 communications. [2] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | PoetRAT has used `pyminifier` to obfuscate scripts. [2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | PoetRAT has called cmd through a Word document macro. [2] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | PoetRAT has used a .NET tool named dog.exe to exfiltrate information over an e-mail account. [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | PoetRAT has used spearphishing attachments to infect victims. [1] |
| Enterprise | T1571 | Non-Standard Port | PoetRAT used TLS to encrypt communications over port 143. [1] |
| Enterprise | T1112 | Modify Registry | PoetRAT has made registry modifications to alter its behavior upon execution. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | PoetRAT was distributed via malicious Word documents. [1] |
| Enterprise | T1083 | File and Directory Discovery | PoetRAT has the ability to list files upon receiving the |
| Enterprise | T1105 | Ingress Tool Transfer | PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS. [1][2] |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | PoetRAT has the ability to hide and unhide files. [1] |
| Enterprise | T1119 | Automated Collection | PoetRAT used file system monitoring to track modification and enable automatic exfiltration. [1] |
| Enterprise | T1125 | Video Capture | PoetRAT has used a Python tool named Bewmac to record the webcam on compromised hosts. [1] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | |
| Enterprise | T1497.001 | System Checks Sub-technique | PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of "License.txt" and exiting. [1] |
| Enterprise | T1018 | Remote System Discovery | PoetRAT used Nmap for remote system discovery. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | PoetRAT has used HTTP and HTTPS for C2 communications. [2] |
| Enterprise | T1082 | System Information Discovery | PoetRAT has the ability to gather information about the compromised host. [1] |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | PoetRAT was delivered with documents using DDE to execute malicious code. [1] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1057 | Process Discovery | PoetRAT has the ability to list all running processes. [1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | PoetRAT has used Word documents with VBScripts to execute malicious activities. [1][2] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | PoetRAT used TLS to encrypt command and control (C2) communications. [1] |
| Enterprise | T1059.006 | Python Sub-technique | PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools. [1] |
| Enterprise | T1113 | Screen Capture | PoetRAT has the ability to take screen captures. [1][3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts. [2] |
| Enterprise | T1027 | Obfuscated Files or Information | PoetRAT has used a custom encryption scheme for communication between scripts. [1] |
| Enterprise | T1059.011 | Lua Sub-technique | PoetRAT has executed a Lua script through a Lua interpreter for Windows. [2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | PoetRAT has added a registry key in the |
| Enterprise | T1070.004 | File Deletion Sub-technique | PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected. [1] |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | PoetRAT has used a Python tool named Browdec.exe to steal browser credentials. [1] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | PoetRAT has the ability to compress files with zip. [1] |
| Enterprise | T1056.001 | Keylogging Sub-technique | PoetRAT has used a Python tool named klog.exe for keylogging. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.3 | | Current bundle | a02b79418edb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos PoetRAT April 2020: Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- [2] Talos PoetRAT October 2020: Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021.
- [3] Dragos Threat Report 2020: Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.
- [4] mitre-attack S0428: MITRE ATT&CK source object for PoetRAT.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.