S1182: MagicRAT
MagicRAT is a remote access tool developed in C++ and exclusively used by the Lazarus Group threat actor in operations. MagicRAT allows for arbitrary command execution on victim machines and provides basic remote access functionality.[1]
Analyst context for executives and security teams
MagicRAT matters because ATT&CK describes it as a Windows remote access tool used by Lazarus Group that can execute arbitrary commands and provide basic remote access on victim machines. For leaders, the practical concern is not just the malware name; it is whether endpoint, network, and response teams can prove they would notice a Windows host establishing web-based command-and-control, creating persistence, running command shell activity, transferring tools, collecting host/network details, and potentially exfiltrating data over the same channel.
Executive priority
Treat MagicRAT as a resilience and readiness validation case for Windows endpoint defense, incident response, and threat-informed detection engineering. Priority questions: Do we collect enough Windows endpoint, registry, scheduled task, process, file, and web traffic telemetry to investigate a remote access tool? Can the SOC distinguish suspicious command execution and persistence from administration? Can IR rapidly scope possible tool transfer, data exfiltration over C2, and cleanup/file deletion? This object is also useful for compliance evidence because it maps to concrete control areas: logging, malware defense, persistence monitoring, outbound traffic review, and incident investigation procedures.
Technical view
ATT&CK does not provide a dedicated detection section for MagicRAT, so defenders should validate coverage through its relationships. On Windows, focus on behavior chains involving command shell execution, scheduled task creation, Run key or Startup Folder persistence, encoded/encrypted or masqueraded files, deobfuscation/decoding activity, file deletion, discovery of system and network configuration, ingress tool transfer, web-protocol C2, and exfiltration over that C2 channel. Detection should be behavior-led rather than name-led because the object includes stealth relationships such as file masquerading, encrypted/encoded files, and deletion of artifacts.
Likely telemetry
- Windows process creation telemetry, especially cmd.exe or command shell child processes and unusual parent/child relationships
- Windows Scheduled Task creation/modification events and related command-line context
- Windows Registry monitoring for Run key changes and Startup Folder file creation
- Endpoint file telemetry for new executables, suspicious file type mismatches, encoded/encrypted content, decode/deobfuscation activity, and file deletion
- Host discovery command telemetry for system information and network configuration collection
Detection direction
- Build detections around correlated behavior: persistence plus command shell execution plus outbound web traffic is more meaningful than any single event.
- Tune Windows administrative false positives carefully: scheduled tasks, Run keys, cmd.exe, and web traffic are common in legitimate operations, so include user, host role, parent process, command-line, destination, and timing context.
- Validate blind spots created by stealth behaviors: file masquerading, encoded/encrypted files, decoding activity, and file deletion can reduce the usefulness of static signatures or post-incident artifact review.
- Confirm that network monitoring can inspect outbound HTTP(S) traffic, or at least record enough connection metadata (source process, destination, method, volume, timing), to support C2 and exfiltration investigations.
- Use the Lazarus Group relationship as threat-intelligence context for prioritization, while avoiding attribution based only on a MagicRAT-like behavior match.
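The correlation idea above (persistence plus command shell plus outbound web traffic on one host, scored together rather than as isolated events) is easier to reason about in code. The following is an added example for this page, not code from ATT&CK, Cisco Talos, or any product. It assumes a hypothetical normalized telemetry schema (the `type`, `image`, `parent_image`, `cmdline`, `path` and `method` fields are invented for the example), and the sample events are constructed, not captured logs. The "trusted parent directory" heuristic and the 600-second window are tuning assumptions a real deployment would adjust.

```python
"""Behavior-chain correlation for MagicRAT-like activity on Windows hosts.

Added example for this page. Event dictionaries use a hypothetical
normalized schema; the SAMPLE_EVENTS below are constructed, not real telemetry.
"""
from collections import defaultdict

WINDOW = 600          # assumed correlation window in seconds
MIN_BEHAVIORS = 3     # distinct behavior classes needed before alerting

# Startup folder fragment as it appears in a lowercased path.
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Heuristic: cmd.exe or HTTP POSTs originating from binaries outside these
# directories are treated as suspicious; this is an assumption, not a rule of thumb from the page.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def classify(ev):
    """Map one normalized event to a behavior label, or None if uninteresting.

    Labels follow the technique relationships listed on this page:
    persistence (T1053.005 / T1547.001), command_shell (T1059.003),
    discovery (T1016) and web_c2 (T1071.001 / T1041).
    """
    t = ev["type"]
    if t == "task_created":
        return "persistence"
    if t == "file_created":
        path = ev["path"].lower()
        if path.endswith(".lnk") and STARTUP_DIR in path:
            return "persistence"
        return None
    if t == "process_created":
        image = ev["image"].lower()
        parent = ev["parent_image"].lower()
        if image.endswith("\\cmd.exe") and not parent.startswith(TRUSTED_PARENT_DIRS):
            return "command_shell"
        if image.endswith("\\ipconfig.exe") and "/all" in ev["cmdline"].lower():
            return "discovery"
        return None
    if t == "http_request" and ev["method"].upper() == "POST":
        if not ev["image"].lower().startswith(TRUSTED_PARENT_DIRS):
            return "web_c2"
    return None


def correlate(events, window=WINDOW, min_behaviors=MIN_BEHAVIORS):
    """Return one alert per host whose labeled events show at least
    `min_behaviors` distinct labels inside a sliding window of `window` seconds."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].append((ev["ts"], label))

    alerts = []
    for host, labeled in per_host.items():
        labeled.sort()
        for i, (start, _) in enumerate(labeled):
            seen = {}  # label -> first timestamp inside this window
            for ts, label in labeled[i:]:
                if ts - start > window:
                    break
                seen.setdefault(label, ts)
            if len(seen) >= min_behaviors:
                alerts.append({"host": host, "first_ts": start,
                               "last_ts": max(seen.values()),
                               "behaviors": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample telemetry. WS01 shows a chain matching the page's technique
# relationships; WS02 shows routine administration that should not alert alone.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1000, "type": "file_created",
     "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Update.lnk",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"host": "WS01", "ts": 1010, "type": "process_created",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "WS01", "ts": 1011, "type": "process_created",
     "image": "C:\\Windows\\System32\\ipconfig.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "ipconfig /all"},
    {"host": "WS01", "ts": 1020, "type": "http_request", "method": "POST",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "dest": "203.0.113.10"},
    {"host": "WS02", "ts": 2000, "type": "task_created",
     "task": "\\Corp\\NightlyBackup", "image": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "WS02", "ts": 2005, "type": "process_created",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe"},
    {"host": "WS02", "ts": 2010, "type": "http_request", "method": "GET",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest": "intranet.corp.example"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point of the sliding window is that WS02's scheduled task and interactive cmd.exe never accumulate enough distinct behaviors to alert, while WS01's Startup LNK, cmd.exe spawned from a user-writable directory, `ipconfig /all`, and POST from the same binary do, all within seconds. In production the labels would come from Sysmon, 4698 task events, and proxy or EDR network telemetry rather than hand-built dictionaries.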
Mitigation priorities
- Prioritize Windows endpoint hardening and monitoring for persistence locations such as Scheduled Tasks, Registry Run keys, and Startup Folders.
- Restrict and monitor unnecessary command shell use where operationally feasible, especially on high-value systems.
- Maintain outbound network controls and logging for web-protocol traffic, with review of unusual destinations and host behavior.
- Ensure malware prevention and EDR controls are paired with telemetry retention, because this object includes behaviors that can delete or obscure artifacts.
- Prepare IR playbooks to scope remote access activity: persistence, command execution, discovery, tool transfer, outbound communications, and possible exfiltration over C2.
Analyst notes and limits
The strongest decision value comes from the relationships: MagicRAT is linked to Windows remote access behavior and to techniques covering execution, persistence, discovery, command-and-control, exfiltration, tool transfer, and stealth. The supplied ATT&CK description states exclusive use by Lazarus Group; however, operational decisions should still be based on observed evidence in the local environment, not attribution assumptions alone.
ATT&CK provides no official detection text for this malware object, and the object itself lists Windows as the supported platform with no object-level tactics specified. The technique relationships include broader platform lists, but this analysis treats MagicRAT validation as Windows-focused because that is the supplied platform for the malware. No claim is made about current exploitation, customer exposure, or guaranteed detection coverage.
MagicRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion | MagicRAT can delete files on victim systems, including itself.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | MagicRAT can import and execute additional payloads.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | MagicRAT stores configuration data in files and file paths mimicking legitimate operating system resources.[1] |
| Enterprise | T1059.003 | Windows Command Shell | MagicRAT allows for the execution of arbitrary commands on the victim system.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | MagicRAT stores base64 encoded command and control URLs in a configuration file, with each URL prefixed with the value `LR02DPt22R`.[1] |
| Enterprise | T1053.005 | Scheduled Task | MagicRAT can persist via scheduled tasks.[1] |
| Enterprise | T1071.001 | Web Protocols | MagicRAT uses HTTP POST communication for command and control.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | MagicRAT collects system network information using commands such as `ipconfig /all`.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | MagicRAT exfiltrates data via HTTP over existing command and control channels.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | MagicRAT can persist using malicious LNK objects in the victim machine Startup folder.[1] |
| Enterprise | T1082 | System Information Discovery | MagicRAT collects basic system information from victim machines.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | MagicRAT stores command and control URLs using base64 encoding in the malware's configuration file.[1] |
| Enterprise | T1036.008 | Masquerade File Type | MagicRAT can download additional executable payloads that masquerade as GIF files.[1] |
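Two rows in the table give an analyst something concrete to check during triage: the T1027.013 / T1140 entries say C2 URLs sit base64 encoded in a configuration file, each prefixed with `LR02DPt22R`, and the T1036.008 entry says follow-on payloads arrive masquerading as GIF files. The following is an added example for this page, not code from the Cisco Talos report or from ATT&CK. It assumes a line-oriented configuration blob in which the plain-text marker immediately precedes the base64 text (the report excerpt on this page does not specify the exact on-disk layout), and the sample blob and payload bytes are constructed. The magic-byte check (`MZ` for a Windows PE, `GIF87a`/`GIF89a` for a real GIF) is general file-format knowledge, not something the page states.

```python
"""Recover C2 URLs from a MagicRAT-style configuration blob and flag payloads
whose GIF name hides a Windows executable.

Added example for this page. The configuration layout (marker followed by
base64 text, one entry per line) and the sample inputs are assumptions.
"""
import base64
import binascii
import re

URL_PREFIX = b"LR02DPt22R"  # marker stated on this page (T1027.013)
# Base64 alphabet run immediately after the marker; the marker itself is plain text.
ENTRY_RE = re.compile(re.escape(URL_PREFIX) + rb"([A-Za-z0-9+/=]+)")


def extract_c2_urls(blob):
    """Return decoded URLs found after each marker in `blob`.

    Entries that are not valid base64, or decode to something that is not a
    URL, are skipped so one damaged entry does not abort analysis of the rest.
    """
    urls = []
    for match in ENTRY_RE.finditer(blob):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = decoded.decode("ascii", errors="ignore")
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def classify_payload(data):
    """Classify content by its leading bytes: a Windows PE begins with the
    DOS 'MZ' signature, a real GIF with GIF87a or GIF89a."""
    if data[:2] == b"MZ":
        return "pe_executable"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def is_masqueraded_gif(filename, data):
    """True when a file named as a GIF actually carries a PE header (T1036.008)."""
    return filename.lower().endswith(".gif") and classify_payload(data) == "pe_executable"


def build_sample_config():
    """Constructed sample configuration blob (not a real MagicRAT config).

    Two valid entries use documentation IP ranges; a third has a marker
    followed by malformed base64; a fourth decodes but is not a URL.
    """
    urls = [b"http://203.0.113.10/", b"https://198.51.100.7/"]
    parts = [URL_PREFIX + base64.b64encode(u) for u in urls]
    parts.append(URL_PREFIX + b"AAAAA")                      # invalid base64 length
    parts.append(URL_PREFIX + base64.b64encode(b"not a url"))
    return b"\n".join(parts) + b"\n"


# Constructed payload bytes: a PE stub named like an image, and a real GIF header.
FAKE_GIF_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60
REAL_GIF_PAYLOAD = b"GIF89a" + b"\x00" * 10

if __name__ == "__main__":
    print(extract_c2_urls(build_sample_config()))
    print(is_masqueraded_gif("banner.gif", FAKE_GIF_PAYLOAD))
    print(is_masqueraded_gif("banner.gif", REAL_GIF_PAYLOAD))
```

Run against a suspected configuration file, the URL list feeds directly into proxy and DNS log searches for the web-protocol C2 listed in the table; the payload check is the cheap way to turn the "GIF that is really an executable" relationship into a file-telemetry rule (extension versus leading bytes) rather than a hash signature.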
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6c8dc5e0c5e5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cisco MagicRAT 2022: Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024.
[2] MITRE ATT&CK. S1182: MagicRAT (mitre-attack source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.