
S0670: WarzoneRAT

WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[1][2]

Enterprise | S0670 | Malware | Object version 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

WarzoneRAT is a publicly available malware-as-a-service remote access tool for Windows. Its business significance is that commodity RAT capability can give an intruder interactive control, credential collection, discovery, file access, and data theft paths without requiring custom malware. For leaders, this makes coverage less about one malware name and more about whether Windows endpoint, identity, remote access, and network monitoring can expose RAT-style behavior early enough to contain it.

Executive priority

Prioritize WarzoneRAT as a resilience and readiness test case for commodity remote access malware. The ATT&CK relationships connect it to collection, credential access, discovery, command and control, lateral movement via RDP/VNC, registry modification, process injection, and exfiltration over C2. Executives should ask whether the organization can prove visibility into Windows endpoint execution, suspicious remote access, credential capture indicators, and outbound C2-like traffic. Because ATT&CK lists use by multiple groups, including Confucius, Scattered Spider, and TA2541, the behavior is relevant to threat-informed defense, but local risk should be based on the organization’s sector, exposure, and telemetry rather than assuming current targeting.

Technical view

ATT&CK does not provide a dedicated detection section for WarzoneRAT, so SOC and IR teams should validate behavior-based coverage across the related techniques. On Windows, focus on malicious-file execution, PowerShell and cmd activity, native API use, process injection, registry modification, process/system/file discovery, keylogging indicators, video capture attempts, ingress tool transfer, proxy or non-application-layer C2 patterns, RDP/VNC activity, and exfiltration over an established C2 channel. Detection engineering should map alerts and hunts to the related ATT&CK techniques rather than relying only on static malware naming.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • PowerShell execution logs and script block/module logging where available
  • Windows registry modification events
  • Endpoint detection telemetry for process injection, API abuse, and suspicious memory behavior
  • File creation, download, and tool transfer evidence

Detection direction

  • Validate detections for the related behaviors, especially T1059.001, T1059.003, T1055, T1112, T1056.001, T1021.001, T1021.005, T1041, T1090, T1095, and T1105.
  • Tune for context: administrative PowerShell, remote support tools, RDP, VNC, and registry changes are common in enterprises and need baselines, allowlists, and change-management context to reduce false positives.
  • Hunt for behavior chains rather than isolated events: user-opened file followed by script or shell execution, discovery commands, registry changes, network beaconing, and remote access activity is more meaningful than any single signal.
  • Confirm visibility on Windows endpoints where the malware platform is supported; do not assume coverage from network-only monitoring because process injection, keylogging, registry changes, and local discovery are host-centric.
  • Review blind spots around unmanaged endpoints, weak PowerShell logging, encrypted outbound traffic, legitimate remote access infrastructure, and incomplete egress monitoring.
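As an added example that is not part of this page or of MITRE's material, the following Python hunts for the behavior chains described above, using the registry keys, binaries and C2 port from the WarzoneRAT relationship table on this page. The event field names and the sample telemetry are constructed assumptions, not a real log schema.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs); field names are assumed, not Sysmon's.
EVENTS = [
    {"host": "WS01", "ts": 100, "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "WINWORD.EXE"},
    {"host": "WS01", "ts": 105, "type": "registry", "key": r"HKCU\Software\Classes\Folder\shell\open\command", "value": "DelegateExecute"},
    {"host": "WS01", "ts": 106, "type": "process", "image": r"C:\Windows\System32\sdclt.exe", "parent": "cmd.exe"},
    {"host": "WS01", "ts": 120, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK", "value": ""},
    {"host": "WS01", "ts": 130, "type": "network", "image": r"C:\Users\a\AppData\Roaming\svc.exe", "dport": 5200, "proto": "tcp"},
    {"host": "WS02", "ts": 200, "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe"},
    {"host": "WS02", "ts": 400, "type": "network", "image": r"C:\Program Files\Backup\agent.exe", "dport": 443, "proto": "tcp"},
]

def match_techniques(ev):
    """Return the ATT&CK technique IDs from this page's relationship table that one event matches."""
    hits = set()
    if ev["type"] == "registry":
        key = ev["key"].lower()
        # Run key and Explorer\UIF2IS20VK are the page's T1547.001 persistence locations.
        if key.endswith(r"\currentversion\run") or "explorer\\uif2is20vk" in key:
            hits.add("T1547.001")
        # Folder\shell\open\command is written for the sdclt.exe UAC bypass (T1112 / T1546.015).
        if "classes\\folder\\shell\\open\\command" in key:
            hits.update({"T1112", "T1546.015"})
    elif ev["type"] == "process":
        image = ev["image"].lower()
        if image.endswith("\\powershell.exe"):
            hits.add("T1059.001")
        if image.endswith("\\cmd.exe"):
            hits.add("T1059.003")
        # Heuristic: sdclt.exe normally starts from explorer.exe; a shell parent is suspicious.
        if image.endswith("\\sdclt.exe") and ev.get("parent", "").lower() != "explorer.exe":
            hits.add("T1548.002")
    elif ev["type"] == "network" and ev.get("proto") == "tcp" and ev.get("dport") == 5200:
        hits.add("T1095")  # page lists TCP/5200 as the C2 port; tune to local egress baselines
    return hits

def hunt_chains(events, window=600, min_techniques=3):
    """Flag a host only when several distinct techniques co-occur within `window` seconds."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tech in match_techniques(ev):
            per_host[ev["host"]].append((ev["ts"], tech))
    flagged = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            techs = {t for ts, t in hits[i:] if ts - start <= window}
            if len(techs) >= min_techniques:
                flagged[host] = sorted(techs)
                break
    return flagged
```

WS01 is flagged because six distinct techniques occur within the window; WS02's lone cmd.exe launch is not, which is the "chains, not isolated events" point above.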

Mitigation priorities

  • Reduce initial execution risk by hardening handling of user-opened files and enforcing controls around scripts, attachments, and downloaded executables.
  • Strengthen Windows endpoint controls and monitoring for process injection, suspicious script execution, registry persistence or defense-impairment changes, and unauthorized tool transfer.
  • Restrict and monitor RDP and VNC usage with least privilege, strong authentication, and clear administrative baselines.
  • Apply identity and access controls that limit the value of captured credentials, including privileged access separation and monitoring of unusual interactive logons.
  • Control egress paths with proxy, firewall, and network monitoring policies that make unauthorized C2 and exfiltration channels harder to sustain.

Analyst notes and limits

WarzoneRAT is described by ATT&CK as a C++ malware-as-a-service RAT publicly available since at least late 2018. ATT&CK relationships show use by Confucius, Scattered Spider, and TA2541 and map the software to a broad set of techniques spanning execution, discovery, collection, credential access, command and control, lateral movement, stealth, persistence, and exfiltration. The most useful defensive value is to test whether the organization can detect and investigate RAT behavior on Windows across host, identity, and network telemetry.

The official ATT&CK object does not specify tactics directly and provides no official detection guidance. This take is therefore based on the supplied description, external references, Windows platform field, and listed relationships. It does not assert active exploitation, current targeting, specific indicators, guaranteed detection, or applicability to non-Windows deployments beyond the related technique descriptions.

Official MITRE ATT&CK definition

WarzoneRAT

WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

30 rows (columns: Domain | ID | Name, followed by the relationship / procedure text)

Enterprise | T1057 | Process Discovery
WarzoneRAT can obtain a list of processes on a compromised host. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1056.001 | Keylogging (Sub-technique)
WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the `GetAsyncKeyState` Windows API. (Citations: Check Point Warzone Feb 2020; Uptycs Warzone UAC Bypass November 2020)

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (Sub-technique)
WarzoneRAT can add itself to the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK` Registry keys. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1204.002 | Malicious File (Sub-technique)
WarzoneRAT has relied on a victim to open a malicious attachment within an email for execution. (Citations: Check Point Warzone Feb 2020; Uptycs Confucius APT Jan 2021)

Enterprise | T1685 | Disable or Modify Tools
WarzoneRAT can disarm Windows Defender during the UAC process to evade detection. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1041 | Exfiltration Over C2 Channel
WarzoneRAT can send collected victim data to its C2 server. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1555.003 | Credentials from Web Browsers (Sub-technique)
WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients. (Citations: Check Point Warzone Feb 2020; Uptycs Warzone UAC Bypass November 2020)

Enterprise | T1548.002 | Bypass User Account Control (Sub-technique)
WarzoneRAT can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versions WarzoneRAT can use the IFileOperation exploit to bypass the UAC module. (Citations: Check Point Warzone Feb 2020; Uptycs Warzone UAC Bypass November 2020)

Enterprise | T1005 | Data from Local System
WarzoneRAT can collect data from a compromised host. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1105 | Ingress Tool Transfer
WarzoneRAT can download and execute additional files. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1082 | System Information Discovery
WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1090 | Proxy
WarzoneRAT has the capability to act as a reverse proxy. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1573.001 | Symmetric Cryptography (Sub-technique)
WarzoneRAT can encrypt its C2 with RC4 with the password `warzone160\x00`. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1021.001 | Remote Desktop Protocol (Sub-technique)
WarzoneRAT has the ability to control an infected PC using RDP. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1112 | Modify Registry
WarzoneRAT can create `HKCU\Software\Classes\Folder\shell\open\command` as a new registry key during privilege escalation. (Citations: Uptycs Warzone UAC Bypass November 2020; Check Point Warzone Feb 2020)

Enterprise | T1546.015 | Component Object Model Hijacking (Sub-technique)
WarzoneRAT can perform COM hijacking by setting the path to itself in the `HKCU\Software\Classes\Folder\shell\open\command` key with a `DelegateExecute` parameter. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1564 | Hide Artifacts
WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through `IFileOperation`. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1566.001 | Spearphishing Attachment (Sub-technique)
WarzoneRAT has been distributed as a malicious attachment within an email. (Citations: Check Point Warzone Feb 2020; Uptycs Confucius APT Jan 2021)

Enterprise | T1140 | Deobfuscate/Decode Files or Information
WarzoneRAT can use XOR 0x45 to decrypt obfuscated code. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1059.001 | PowerShell (Sub-technique)
WarzoneRAT can use PowerShell to download files and execute commands. (Citations: Check Point Warzone Feb 2020; Uptycs Warzone UAC Bypass November 2020)

Enterprise | T1106 | Native API
WarzoneRAT can use a variety of API calls on a compromised host. (Citation: Uptycs Warzone UAC Bypass November 2020)

Enterprise | T1125 | Video Capture
WarzoneRAT can access the webcam on a victim's machine. (Citations: Check Point Warzone Feb 2020; Uptycs Warzone UAC Bypass November 2020)

Enterprise | T1564.003 | Hidden Window (Sub-technique)
WarzoneRAT has the ability to perform remote desktop access via a hVNC window for decreased visibility. (Citation: Bitdefender Trickbot VNC module Whitepaper 2021)

Enterprise | T1055 | Process Injection
WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1059.003 | Windows Command Shell (Sub-technique)
WarzoneRAT can use `cmd.exe` to execute malicious code. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1021.005 | VNC (Sub-technique)
WarzoneRAT has the ability to perform remote desktop access via a VNC console. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1221 | Template Injection
WarzoneRAT has been installed via template injection through a malicious DLL embedded within a template RTF in a Word document. (Citation: Uptycs Confucius APT Jan 2021)

Enterprise | T1095 | Non-Application Layer Protocol
WarzoneRAT can communicate with its C2 server via TCP over port 5200. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1083 | File and Directory Discovery
WarzoneRAT can enumerate directories on a compromised host. (Citation: Check Point Warzone Feb 2020)

Enterprise | T1014 | Rootkit
WarzoneRAT can include a rootkit to hide processes, files, and startup. (Citation: Check Point Warzone Feb 2020)

Associated objects

Groups, software, and campaigns

Group Enterprise

G1018: TA2541

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]

Group Enterprise

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]

Group Enterprise

G0142: Confucius

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 30f19fc196029cea...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 30f19fc19602…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Check Point Warzone Feb 2020
     Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  2. [2] Uptycs Warzone UAC Bypass November 2020
     Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  3. [3] Ave Maria
     (Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)
  4. [4] mitre-attack S0670

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.