Revenge RAT
Revenge RAT is a remote access trojan (MITRE ATT&CK S0379) with surveillance, credential-access, discovery, persistence, execution, and remote-control capabilities. It can access the victim's webcam, capture audio through a microphone-interception plugin, take screenshots through a screen-capture plugin, log keystrokes, dump OS credentials, collect the current username, and enumerate system information and network configuration. A further plugin provides RDP access, and the RAT can transfer additional tools to the victim.
For execution and evasion, Revenge RAT runs commands through the Windows command shell and PowerShell, launches malicious scripts with mshta.exe, and loads itself into memory with the PowerShell Reflection.Assembly technique instead of dropping a binary to disk. For persistence it creates scheduled tasks, including tasks that run malicious scripts at varying intervals, and can register a Winlogon Helper DLL.
For command and control, Revenge RAT communicates over bidirectional web services and Base64-encodes the data it sends to the C2 server. Infrastructure mentioned on this page includes the C2 domain kimjoy[.]ddns[.]net, observed in March 2021, and one campaign in which blogpost.com served as the primary command-and-control server.
Bahamut used the publicly available, cross-platform remote administration tools NETWIRE and Revenge RAT for remote control. Revenge RAT is also among the commodity malware families used by TA2541, a persistent cybercriminal actor that has targeted aviation, aerospace, transportation, manufacturing, and defense organizations since at least 2017 through phishing-based delivery. The page also notes 2022 campaigns that delivered a mixture of malware including Loda, Revenge RAT, and AsyncRAT.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Bahamut utilized the publicly available, cross-platform remote administration tools (RATs) NETWIRE and Revenge RAT for remote control.
"In 2022, campaigns delivered a mixture of malware such as Loda, Revenge RAT, and AsyncRAT."
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
TA2541 uses themes related to aviation, transportation, and travel. When Proofpoint first started tracking this actor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload. The group pivoted, and now they more frequently send messages with links to cloud services such as Google Drive hosting the payload.
Execution
4 techniques
"During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time." / "APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration."
Threat actors and malware across the corpus use PowerShell scripts and commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; for example, "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL; during the 2025 Poland Wiper Attacks, the adversaries used PsExec to run cmd.exe commands on multiple victim machines. Many malware families and groups use cmd.exe (commonly as cmd /c) or other command-line interfaces to run commands and payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence
3 techniques
Privilege Escalation
3 techniques
Defense Evasion
3 techniques
"Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses," "Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk," and "Turla has also used PowerShell scripts to load and execute malware in memory."
Credential Access
2 techniques
Discovery
3 techniques
Malware and threat actors across the corpus run commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP and MAC addresses, DNS and DHCP settings, gateways, routing tables, the ARP cache, proxy settings, domains, and network adapter details.
They also collect usernames, identify logged-in users, run whoami, query user, or quser, check whether the current user is an administrator, enumerate user sessions, and gather account details from compromised hosts.
They further collect host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; for example, "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
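The execution and persistence behaviours described at the top of this page (mshta.exe launching scripts, in-memory loading through Reflection.Assembly, short-interval scheduled tasks, Winlogon helper DLL registration) and the discovery commands listed in this section can be turned into hunting logic over process-creation telemetry. What follows is an added example written for this page, not code from any vendor, from Mallory, or from the Revenge RAT operators. The events, hostnames, paths, and rule names are constructed, and the regexes are assumptions about how these techniques appear on a command line; a single-event rule catches each execution and persistence artifact, while the discovery rule looks for the burst of distinct reconnaissance commands that scripted collection produces and a lone admin command does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events in a Sysmon Event ID 1 / Security 4688
# shape. They are illustrative only, not telemetry from any real Revenge RAT case.
SAMPLE_EVENTS = [
    {"ts": "2021-03-10T09:00:00", "host": "WS01", "pid": 412, "ppid": 388,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\Public\update.hta"'},
    {"ts": "2021-03-10T09:00:02", "host": "WS01", "pid": 420, "ppid": 412,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -c [Reflection.Assembly]::Load($bytes)"},
    {"ts": "2021-03-10T09:00:05", "host": "WS01", "pid": 431, "ppid": 420,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "mshta C:\Users\Public\update.hta"'},
    {"ts": "2021-03-10T09:00:06", "host": "WS01", "pid": 433, "ppid": 420,
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\helper" /v DllName /t REG_SZ /d C:\Users\Public\h.dll'},
    {"ts": "2021-03-10T09:00:10", "host": "WS01", "pid": 440, "ppid": 420,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2021-03-10T09:00:12", "host": "WS01", "pid": 441, "ppid": 420,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2021-03-10T09:00:15", "host": "WS01", "pid": 442, "ppid": 420,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    # Benign noise: an admin runs a single discovery command from an interactive shell.
    {"ts": "2021-03-10T09:30:00", "host": "WS02", "pid": 900, "ppid": 800,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
]

# (rule name, regex on image path, regex on command line); all matched case-insensitively.
# The patterns are assumptions about how each technique looks, not vendor signatures.
SINGLE_EVENT_RULES = [
    ("mshta_script_execution", r"\\mshta\.exe$", r"(\.hta\b|javascript:|vbscript:|https?://)"),
    ("powershell_reflective_assembly_load", r"\\powershell\.exe$", r"reflection\.assembly\]::load"),
    ("schtasks_minute_interval_persistence", r"\\schtasks\.exe$", r"/create\b.*/sc\s+minute"),
    ("winlogon_helper_dll_registration", r"\\(reg|powershell)\.exe$",
     r"currentversion\\winlogon.*\b(notify|userinit|shell)\b"),
]

DISCOVERY_COMMAND = re.compile(
    r"\b(whoami|systeminfo|ipconfig\s+/all|arp\s+-a|route\s+print|nbtstat|net\s+config|query\s+user|quser)\b",
    re.I)


def match_single_event_rules(event):
    """Return the names of the single-event rules this event trips."""
    return [name for name, image_re, cmd_re in SINGLE_EVENT_RULES
            if re.search(image_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"], re.I)]


def find_discovery_bursts(events, window_seconds=60, min_distinct=3):
    """Flag each parent process that spawns at least min_distinct different discovery
    commands within window_seconds. One alert per parent process."""
    by_parent = defaultdict(list)
    for ev in events:
        m = DISCOVERY_COMMAND.search(ev["cmdline"])
        if m:
            cmd = " ".join(m.group(1).lower().split())  # normalise internal whitespace
            by_parent[(ev["host"], ev["ppid"])].append((datetime.fromisoformat(ev["ts"]), cmd))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, ppid), seq in by_parent.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            distinct = {cmd for t, cmd in seq[i:] if t - start <= window}
            if len(distinct) >= min_distinct:
                alerts.append({"host": host, "ppid": ppid, "start": start.isoformat(),
                               "commands": sorted(distinct)})
                break
    return alerts


def hunt(events):
    """Run both rule types and return (host, pid, rule) findings in event order."""
    findings = [(ev["host"], ev["pid"], name) for ev in events for name in match_single_event_rules(ev)]
    for b in find_discovery_bursts(events):
        findings.append((b["host"], b["ppid"], "discovery_burst:" + ",".join(b["commands"])))
    return findings


if __name__ == "__main__":
    for host, pid, rule in hunt(SAMPLE_EVENTS):
        print(host, pid, rule)
```

The burst rule keys on the parent PID so that the three cmd.exe children spawned by the same PowerShell process are correlated, while the lone ipconfig on WS02 stays below the threshold; tune window_seconds and min_distinct against your own baseline before deploying.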
Lateral Movement
1 technique
Collection
4 techniques
Command and Control
8 techniques
TA2541 uses Virtual Private Servers as part of their email sending infrastructure and frequently uses Dynamic DNS (DDNS) for C2 infrastructure.
"The adversaries had communicated to both Dropbox and Pastebin"; "APT28 has used Google Drive for C2"; "APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2."
"Web Service: Bidirectional Communication" (listed under Revenge RAT)
"Comnie uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking"; "Revenge RAT used blogpost.com as its primary command and control server"; "Turla JavaScript backdoor has used Google Apps Script as its C2 server."
"Ingress Tool Transfer" (listed under Agent Tesla, AsyncRAT, Imminent Monitor, jRAT, NETWIRE, njRAT, Revenge RAT, Snip3, WarzoneRAT)
"C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding"; "APT19 HTTP malware variant used Base64 to encode communications to the C2 server"; "APT33 has used base64 to encode command and control traffic."
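The C2 traits this page attributes to Revenge RAT (Base64-encoded check-ins over web services, a dynamic-DNS C2 domain, and a known primary C2 host) can be combined into a simple network triage pass over proxy or HTTP log records. The following is an added example written for this page, not code from Mallory, a vendor, or the malware itself. The request records are constructed, the DDNS suffix list and the beacon field names are assumptions, and only the two host names come from the page; the decoder deliberately rejects inputs that merely look like Base64 but do not decode to printable text, which is the main false-positive source for this kind of rule.

```python
import base64
import binascii
import re

# Constructed sample HTTP request records in the shape a proxy or Zeek http.log
# export might give you. Illustrative only, not captured Revenge RAT traffic.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.15", "host": "kimjoy.ddns.net", "method": "POST", "uri": "/",
     "body": base64.b64encode(b"hostname=WS01|user=alice|os=Windows 10 Pro|cam=1|mic=1").decode()},
    {"src": "10.0.0.15", "host": "update.contoso.example", "method": "GET", "uri": "/x", "body": ""},
    {"src": "10.0.0.22", "host": "blogpost.com", "method": "GET", "uri": "/p/abc", "body": ""},
    {"src": "10.0.0.31", "host": "files.example", "method": "POST", "uri": "/upload",
     "body": "name=report.pdf&size=1024"},  # form data, not Base64
]

# The two C2 host names this page reports (written defanged in the text).
KNOWN_C2_HOSTS = {"kimjoy.ddns.net", "blogpost.com"}
# Assumed dynamic-DNS provider suffixes; extend from your own threat intel.
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "duckdns.org", "dyndns.org")
# Assumed field names for a host-profile check-in; real beacon layouts vary per sample.
PROFILE_FIELD = re.compile(r"\b(hostname|user|os|cam|mic)=", re.I)


def is_ddns_host(host):
    """True if host is, or is under, one of the dynamic-DNS suffixes."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES)


def decode_base64_text(blob, min_len=16, printable_ratio=0.9):
    """Return the decoded text if blob is strict Base64 that yields mostly printable
    UTF-8, otherwise None. Short or non-text decodes are rejected to limit noise."""
    blob = blob.strip()
    if len(blob) < min_len or len(blob) % 4:
        return None
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if sum(c.isprintable() for c in text) < printable_ratio * len(text):
        return None
    return text


def analyse_request(req):
    """Collect the reasons a single request looks like RAT C2 traffic."""
    reasons = []
    host = req["host"].lower().rstrip(".")
    if host in KNOWN_C2_HOSTS:
        reasons.append("known_c2_host")
    if is_ddns_host(host):
        reasons.append("ddns_host")
    decoded = decode_base64_text(req.get("body", ""))
    if decoded is not None:
        reasons.append("base64_body")
        if len(PROFILE_FIELD.findall(decoded)) >= 2:
            reasons.append("host_profile_in_body")
    return {"src": req["src"], "host": req["host"], "reasons": reasons, "decoded": decoded}


def triage(requests):
    """Return only the analysed requests that tripped at least one reason."""
    return [r for r in map(analyse_request, requests) if r["reasons"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_REQUESTS):
        print(r["src"], r["host"], ",".join(r["reasons"]), r["decoded"])
```

A plain Base64 body on its own is weak evidence, so in practice the base64_body reason is best used to escalate a request that already hit a DDNS or known-C2 match, and the decoded text should be kept with the alert so the analyst can see the exfiltrated host profile directly.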
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
38 sources tracked across advisories, community write-ups, and news.
Revenge RAT is a remote access trojan used by the RevengeHotels group to gain unauthorized access to hotel and travel industry systems, often delivered via malicious documents exploiting Microsoft Office vulnerabilities.
Revenge RAT is a remote access trojan used by C.A.S to gain remote control over infected systems, execute commands, collect information, and maintain persistence. It is used for file management, credential theft, and defense evasion, including disabling security tools and adding itself to Windows Defender exclusions.
Remote administration tool used by Bahamut to remotely control compromised devices.
Remote access trojan used by TA558, historically delivered via malicious Office documents and later via container formats (ISO/RAR) to establish remote access and support data theft.