S0644: ObliqueRAT
ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.[1][2]
Analyst context for executives and security teams
ObliqueRAT is a Windows remote access trojan that ATT&CK associates with Transparent Tribe use since at least 2020. Its relationship set matters because the malware is not just remote control: the mapped behaviors include persistence through Run Keys or Startup Folder, user and system discovery, file and removable-media collection, screen/video capture, local staging, and size-limited exfiltration. For leaders, this is a useful test case for whether Windows endpoint monitoring can prove what happened after initial user-driven execution.
Executive priority
Treat this as a coverage validation item for Windows endpoint defense, incident response evidence quality, and sensitive-data protection. The priority is highest for environments where diplomatic, defense, research, removable-media, or camera/screen exposure is business-critical, especially where Transparent Tribe threat intelligence is relevant. Executives should ask whether SOC and IR teams can reconstruct persistence, collection, staging, and exfiltration behaviors without relying on malware signatures alone.
Technical view
ATT&CK provides no official detection text for ObliqueRAT, so defenders should validate behavior-based coverage against the related techniques: malicious-link execution, Registry Run Keys or Startup Folder persistence, system/user/process/file/peripheral discovery, removable-media access, screen and video capture, local data staging, steganography, and size-limited data transfer. Since the malware platform is Windows, prioritize Windows endpoint telemetry, registry auditing, process/file activity, removable device events, and network egress analysis. The Transparent Tribe relationship should inform threat-intelligence enrichment, not be treated as proof of attribution in local incidents.
Likely telemetry
- Windows endpoint process creation and command-line metadata
- Registry Run Key and Startup Folder modification events
- File and directory enumeration and access events
- Removable media connection and file access logs
- User/session and system inventory telemetry
Detection direction
- Build detections around behavior chains rather than a single ObliqueRAT indicator: user-click execution followed by persistence, discovery, collection, staging, and outbound transfer is higher value than any one event alone.
- Tune Registry Run Key and Startup Folder monitoring for uncommon binaries, user-writable paths, and new autoruns created near suspicious execution.
- Validate visibility into removable media collection; many environments log USB insertion but not subsequent file enumeration or copy activity.
- Review false positives for legitimate admin inventory tools, backup agents, screen-sharing software, conferencing tools, and endpoint management platforms before alerting on discovery or capture behaviors.
- Use exfiltration analytics that can identify repeated or size-limited outbound transfers, not only large-volume threshold breaches.
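As an added example (not from the ATT&CK object or the Talos reporting it cites), a small Python detector that applies the first, second and last points above to constructed Sysmon-style events: it flags new autoruns in user-writable paths, repeated near-uniform outbound transfers to one destination, and raises a chain alert only when more than one stage is present on a host. Event field names, paths and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed patterns: user-writable locations where a new autorun is suspicious,
# the per-user Startup folder, and the Run/RunOnce keys (T1547.001).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)

def startup_persistence(ev):
    """True for a new Run key value pointing at a user-writable binary, or any
    new file dropped in a Startup folder (the shortcut persistence in the table)."""
    if ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
        return bool(USER_WRITABLE.search(ev["value"]))
    return ev["type"] == "file_create" and bool(STARTUP_DIR.search(ev["path"]))

def chunked_transfers(flows, min_flows=4, max_spread=0.05):
    """True when one destination receives several outbound flows of near-identical
    size: the size-limited chunking pattern (T1030) a volume threshold would miss."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f["dst"]].append(f["bytes"])
    return any(len(s) >= min_flows and pstdev(s) <= max_spread * mean(s)
               for s in by_dst.values())

def score_host(events):
    """Map a host's events to the behavior stages seen; the chain is what matters."""
    stages = set()
    if any(startup_persistence(e) for e in events if e["type"] in ("registry_set", "file_create")):
        stages.add("persistence")
    if any(e["type"] == "file_copy" and e.get("src_removable") for e in events):
        stages.add("removable_collection")
    if chunked_transfers([e for e in events if e["type"] == "net_out"]):
        stages.add("chunked_egress")
    return stages

def chain_alert(events, min_stages=2):
    """Alert only when at least two stages co-occur on the same host."""
    return len(score_host(events)) >= min_stages

# Constructed sample telemetry for one host (not real indicators).
SAMPLE = [
    {"type": "file_create", "path": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "file_copy", "src": r"E:\reports\q3.docx", "dst": r"C:\Users\ana\AppData\Local\Temp\q3.docx", "src_removable": True},
    {"type": "net_out", "dst": "203.0.113.10", "bytes": 512000},
    {"type": "net_out", "dst": "203.0.113.10", "bytes": 512000},
    {"type": "net_out", "dst": "203.0.113.10", "bytes": 512000},
    {"type": "net_out", "dst": "203.0.113.10", "bytes": 498304},
]
```

The benign-tool false positives listed above are handled by the chain requirement: an inventory agent that only enumerates, or a backup job that only transfers, lights up one stage and stays below the alert threshold.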
Mitigation priorities
- Reduce malicious-link execution risk through user-facing controls, web/email filtering, and safe handling processes appropriate to the environment.
- Harden Windows persistence paths by monitoring and controlling Run Keys and Startup Folder changes, especially from user-writable locations.
- Limit unnecessary removable media use and ensure policy enforcement plus logging where removable storage is business-required.
- Apply least privilege so user-context persistence and collection have reduced access to sensitive files and devices.
- Restrict or monitor camera, screen capture, and peripheral access on systems where sensitive visual information is present.
Analyst notes and limits
The object is malware S0644, ObliqueRAT, in enterprise ATT&CK version 19.1. ATT&CK describes it as similar to Crimson and used by Transparent Tribe since at least 2020. The strongest defensive value comes from the relationship-mapped behaviors, particularly Windows persistence, collection, discovery, and exfiltration preparation. Use the group relationship for intelligence context, while keeping incident attribution evidence-based.
ATT&CK supplies no official detection guidance, no aliases, and no malware-level tactics for this object. The provided data does not include hashes, infrastructure, exploit details, prevalence, or confirmed current activity. Local telemetry, asset criticality, and exposure to the related behaviors are required to determine actual risk and detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | ObliqueRAT can capture a screenshot of the current screen.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | ObliqueRAT can discover pluggable/removable drives to extract files from.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | ObliqueRAT can gain persistence by creating a shortcut in the infected user's Startup directory.[1] |
| Enterprise | T1030 | Data Transfer Size Limits | ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.[1] |
| Enterprise | T1204.001 | Malicious Link | ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.[1][2] |
| Enterprise | T1082 | System Information Discovery | ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.[1] |
| Enterprise | T1083 | File and Directory Discovery | ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.[1] |
| Enterprise | T1027.003 | Steganography | ObliqueRAT can hide its payload in BMP images hosted on compromised websites.[1] |
| Enterprise | T1497.001 | System Checks | ObliqueRAT can halt execution if it identifies processes belonging to virtual machine software or analysis tools.[1] |
| Enterprise | T1025 | Data from Removable Media | ObliqueRAT has the ability to extract data from removable devices connected to the endpoint.[1] |
| Enterprise | T1074.001 | Local Data Staging | ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.[1] |
| Enterprise | T1057 | Process Discovery | ObliqueRAT can check for blocklisted process names on a compromised host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | ObliqueRAT can check for blocklisted usernames on infected endpoints.[1] |
| Enterprise | T1125 | Video Capture | ObliqueRAT can capture images from webcams on compromised hosts.[1] |
Groups, software, and campaigns
G0134: Transparent Tribe
Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 133b19880880… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos Oblique RAT March 2021: Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
- [2] Talos Transparent Tribe May 2021: Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
- [3] mitre-attack S0644: MITRE ATT&CK source object record for ObliqueRAT.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.