S0428: PoetRAT
PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. [1][2][3]
Analyst context for executives and security teams
PoetRAT is a Windows remote access trojan documented by ATT&CK as used in campaigns against public and private sector organizations in Azerbaijan, including ICS and SCADA systems in the energy sector. For defenders, the material issue is not just the malware name; its related behaviors include credential access, discovery, collection, command execution, file transfer, command-and-control, and exfiltration. That combination can turn one compromised Windows host into an identity, data-loss, and operational-resilience problem, especially where enterprise IT connects to sensitive operational environments.
Executive priority
Prioritize this as a readiness and evidence question: can the organization prove it would see and contain a Windows RAT that dumps or captures credentials, inventories systems and users, collects screenshots/video/files, modifies the registry, deletes files, and communicates over web or file-transfer protocols? Energy, industrial, and public-sector environments should also validate segmentation and incident response handoffs between enterprise SOC and OT/ICS stakeholders, because the official description references ICS/SCADA targeting in the energy sector.
Technical view
ATT&CK provides no official detection text for PoetRAT, so coverage should be validated through the related techniques rather than a single signature. SOC and detection teams should test visibility for LSASS memory access, keylogging indicators, screen/video capture, automated collection, process/user/system/file discovery, Windows command shell execution, Visual Basic/Python/Lua execution, registry modification, file deletion, ingress tool transfer, C2 over web and file-transfer protocols, and exfiltration over C2 or alternate protocols. Correlation matters: isolated discovery or scripting may be benign, but discovery plus credential access, collection, unusual outbound traffic, and cleanup behavior should raise priority.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Script/interpreter execution records for cmd, Visual Basic, Python, and Lua where present
- LSASS access and credential-dumping prevention or alert telemetry
- Registry modification events
- File creation, transfer, archive-like staging, and deletion events
Detection direction
- Build behavior-based coverage around the ATT&CK relationships; do not rely on the malware family name alone.
- Correlate execution, discovery, credential access, collection, outbound communication, and file cleanup into higher-confidence cases.
- Tune for legitimate administrative activity, software inventory, remote support, scripting, and backup/file-transfer workflows to reduce false positives.
- Validate whether Windows endpoints actually log command lines, registry changes, LSASS access, file deletion, and outbound network destinations with sufficient retention for incident response.
- Pay special attention to environments where enterprise Windows hosts can reach operational, ICS, SCADA, or energy-sector systems, since segmentation gaps can make RAT activity more consequential.
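One way to turn the correlation guidance above into code, as an added example that is not part of the ATT&CK object or the PoetRAT reports: the event records, field names, substring rules and thresholds are constructed assumptions, and the buckets would be mapped onto a real EDR/SIEM schema before use.

```python
"""Per-host correlation of the behaviors the page lists (added example; events,
field names and thresholds are constructed, not from ATT&CK or the PoetRAT reports)."""
from collections import defaultdict

# Substrings that would mark an event as one of the page's behavior buckets.
BUCKETS = {
    "execution":   ("python.exe", "lua", "wscript.exe", "cmd.exe /c"),
    "discovery":   ("whoami", "net user", "systeminfo", "tasklist"),
    "cred_access": ("lsass.exe",),           # cross-process access to LSASS
    "collection":  ("screenshot", "compress-archive", "keylog"),
    "registry":    ("reg add", "reg.exe"),
    "cleanup":     ("del ", "remove-item"),
    "c2_egress":   ("outbound", "ftp", "http"),
}
# Escalation requires credential access plus most of this chain.
CHAIN = {"discovery", "cred_access", "collection", "c2_egress", "cleanup"}
# Tuning: service accounts for known inventory/backup workflows (constructed names).
ALLOWLIST_USERS = {"svc_inventory", "svc_backup"}

def classify(event):
    """Return the set of buckets an event matches (one event may hit several)."""
    text = event["detail"].lower()
    return {b for b, needles in BUCKETS.items() if any(n in text for n in needles)}

def correlate(events):
    """Group events by host; return {host: (priority, sorted bucket names)}."""
    seen = defaultdict(set)
    for ev in events:
        if ev["user"] not in ALLOWLIST_USERS:
            seen[ev["host"]] |= classify(ev)
    out = {}
    for host, b in seen.items():
        if "cred_access" in b and len(b & CHAIN) >= 4:
            prio = "high"      # credential theft plus staging, egress and cleanup
        elif len(b) >= 3:
            prio = "medium"
        else:
            prio = "low"       # isolated discovery or scripting is often benign
        out[host] = (prio, sorted(b))
    return out

# Constructed sample telemetry (hosts, users, paths and address are invented).
SAMPLE_EVENTS = [
    {"host": "WS-A", "user": "alice", "detail": "cmd.exe /c whoami /all"},
    {"host": "WS-A", "user": "alice", "detail": r"python.exe C:\Users\alice\AppData\Local\Temp\update.py"},
    {"host": "WS-A", "user": "alice", "detail": "python.exe opened lsass.exe with PROCESS_VM_READ"},
    {"host": "WS-A", "user": "alice", "detail": r"powershell Compress-Archive -Path C:\Users\alice\Pictures\screenshot_*.png -DestinationPath C:\Users\Public\s.zip"},
    {"host": "WS-A", "user": "alice", "detail": "outbound 443 to 198.51.100.23 from python.exe"},
    {"host": "WS-A", "user": "alice", "detail": r"cmd.exe /c del C:\Users\Public\s.zip"},
    {"host": "WS-B", "user": "bob", "detail": "cmd.exe /c tasklist"},
    {"host": "SRV-INV", "user": "svc_inventory", "detail": "systeminfo"},
]
```

Running `correlate(SAMPLE_EVENTS)` rates WS-A high (the full chain), WS-B low (scripting plus one discovery command), and drops SRV-INV entirely because its only event came from an allowlisted inventory account.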
Mitigation priorities
- Reduce credential exposure first: enforce least privilege, protect LSASS where feasible, and limit administrative rights on Windows endpoints.
- Restrict unnecessary scripting and interpreter use, including Python, Lua, Visual Basic, and command shell abuse, using approved execution controls.
- Harden egress paths by monitoring and controlling web and file-transfer protocols rather than assuming common protocols are safe.
- Use application control and endpoint hardening to limit unauthorized tool transfer, registry persistence or modification, and post-compromise utilities.
- Strengthen segmentation and incident playbooks between enterprise IT and ICS/SCADA environments where relevant.
Analyst notes and limits
The strongest defensive value comes from mapping PoetRAT to its ATT&CK relationships: credential access, discovery, execution, collection, C2, exfiltration, and stealth behaviors. The official object identifies Windows as the malware platform and references campaigns against Azerbaijan, including ICS/SCADA energy-sector systems, and notes STIBNITE has been observed using the malware. Local risk should be based on exposure, Windows endpoint visibility, identity controls, egress monitoring, and IT/OT architecture.
ATT&CK does not provide official detection guidance, aliases, labels, or explicit tactics for this malware object. The related techniques are behavior context, not proof of current activity in any environment. This take does not include indicators of compromise or claim active exploitation, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.3 | | Current bundle | a02b79418edb… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Cisco Talos. Retrieved April 27, 2020.
[2] Mercer, W., Rascagneres, P., & Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Cisco Talos. Retrieved April 9, 2021.
[3] Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.
[4] MITRE ATT&CK. S0428: PoetRAT.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.