BIOPASS RAT
BIOPASS RAT is a remote access trojan referenced in the tracked reporting as part of the toolsets used by multiple China-aligned intrusion clusters. It is explicitly listed among the malware and tooling used by FishMonger, a Chinese cyberespionage group assessed to be operated by the contractor I-SOON and associated with the broader Winnti Group umbrella; FishMonger is also tracked as Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10. The reporting also states that Wicked Panda (APT41/Winnti/Bronze Atlas) has used BIOPASS RAT among a broader set of espionage and cybercrime tools.

Campaign references tie BIOPASS RAT to Earth Lusca/FishMonger activity, including a 2021 campaign that targeted online gambling companies in China via a watering-hole attack. Additional reporting notes reuse of code-signing certificates across BIOPASS RAT and Cobalt Strike activity: one certificate was also used in a BIOPASS RAT campaign, and another stolen certificate had previously been observed in a BIOPASS RAT campaign linked to Earth Lusca.

BIOPASS RAT uses a technique similar to MKDOOR: the malware opens an HTTP server listening on a high-numbered localhost port, and the watering-hole scripts can probe that localhost port to determine whether the visitor is already infected. For defenders, an unexpected process listening on a loopback-only high port is therefore a useful hunting signal for this family.

High-confidence victimology directly mentioned in the reporting is online gambling companies in China. Broader targeting attributed to the associated actors includes government entities, universities, NGOs, think tanks, Catholic organizations, and private-sector organizations, but the reporting does not attribute all of those sectors specifically to BIOPASS RAT.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Their toolkit includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, and the BIOPASS RAT, and expanding SprySOCKS to Windows clearly shows continued investment in offensive capability.
The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RAT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Named as part of FishMonger’s toolkit.
A remote access trojan listed as part of FishMonger’s toolset.
Remote access trojan referenced as having used the same stolen code-signing certificates in prior campaigns attributed to Earth Lusca.