Mallory
Malware, used by 3 actors

VileRAT

VileRAT is a Python-based remote access trojan attributed to the Evilnum threat group, also tracked as DeathStalker, and is described as uniquely used by that actor. It was first discovered in Q2 2020 and has also been referred to by other vendors as PyVil. VileRAT is the final known stage of the DeathStalker/Evilnum infection chain and is typically deployed by an accompanying loader, VileLoader, which executes it in memory to reduce on-disk artifacts. Public reporting cited on this page assesses DeathStalker as a likely mercenary or hack-for-hire actor focused on collecting sensitive business information. Its targeting has included governments, law firms, financial firms, cryptocurrency-related entities, and especially foreign exchange and cryptocurrency trading companies across multiple regions, including the Americas, the UK, the EU, the Middle East, and countries such as Bulgaria, Cyprus, Germany, Kuwait, Malta, the UAE, and Russia.

The malware is an obfuscated and packed Python 3 RAT bundled as a standalone binary with py2exe. Reported capabilities include remote access, arbitrary command execution, keylogging/keystroke capture, information harvesting, security product enumeration, scheduled-task persistence, self-updating from command and control, and SSH-based tunneling in some versions. Researchers noted that versions analyzed ranged from 2.4 to 8, and that later versions removed some earlier capabilities such as SSH as a C2 channel and screenshotting. Its primary C2 mode polls configured servers every 2 to 5 minutes using HTTP POST requests carrying RC4-encrypted, XOR-encoded, base64-encoded, and URL-encoded JSON host data. Shared tradecraft includes use of the mutex "Global\wU3aqu1t2y8uN" in the broader toolchain.
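The 2 to 5 minute HTTP POST polling cadence described above is a hunting signal on its own, independent of the encrypted content. The following script is an added example (not code from the page or from any vendor it cites): it parses constructed proxy log lines, groups POSTs by client and destination host, measures the gaps between successive requests, and flags pairs whose cadence stays inside that window. The log format, the sample lines, the request threshold and the tolerance fraction are all assumptions; the destination domain in the sample is one of the control servers listed on this page.

```python
"""Hunt for VileRAT-style HTTP POST beaconing in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log, one request per line:
# "<ISO timestamp> <client> <method> <host> <status>"
# 10.0.0.12 polls a page-listed C2 domain at 2-5 minute gaps; 10.0.0.30 is a
# bursty but non-periodic API client that must not be flagged.
SAMPLE_LOG = """\
2024-02-01T09:00:05Z 10.0.0.12 POST eriegentsfsepara.com 200
2024-02-01T09:00:40Z 10.0.0.12 GET  www.example.org 200
2024-02-01T09:03:10Z 10.0.0.12 POST eriegentsfsepara.com 200
2024-02-01T09:07:30Z 10.0.0.12 POST eriegentsfsepara.com 200
2024-02-01T09:10:00Z 10.0.0.12 POST eriegentsfsepara.com 200
2024-02-01T09:14:45Z 10.0.0.12 POST eriegentsfsepara.com 200
2024-02-01T09:01:00Z 10.0.0.30 POST api.example.org 200
2024-02-01T09:01:02Z 10.0.0.30 POST api.example.org 200
2024-02-01T09:01:03Z 10.0.0.30 POST api.example.org 200
2024-02-01T09:45:00Z 10.0.0.30 POST api.example.org 200
"""

WINDOW = (120, 300)   # seconds: the 2 to 5 minute poll interval from reporting
MIN_REQUESTS = 4      # assumed threshold: several gaps are needed before alerting


def parse_log(text):
    """Yield (timestamp, client, method, host) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, _status = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host


def post_gaps(records):
    """Group POST requests by (client, host) and return the gaps between them in seconds."""
    times = defaultdict(list)
    for ts, client, method, host in records:
        if method == "POST":
            times[(client, host)].append(ts)
    gaps = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps[key] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_beacons(text, window=WINDOW, min_requests=MIN_REQUESTS, tolerance=0.75):
    """Return {(client, host): median_gap_seconds} for pairs whose POST cadence fits the window.

    `tolerance` is the fraction of gaps that must fall inside the window, so one
    delayed or missed poll (sleeping laptop, network hiccup) does not hide the pattern.
    """
    hits = {}
    for key, gaps in post_gaps(parse_log(text)).items():
        if len(gaps) + 1 < min_requests:
            continue
        inside = sum(1 for g in gaps if window[0] <= g <= window[1])
        if inside / len(gaps) >= tolerance:
            hits[key] = median(gaps)
    return hits


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {client} -> {host} (median gap {gap:.0f}s)")
```

The check deliberately ignores request bodies: the page reports that the beacon content is RC4-encrypted and multiply encoded, so cadence and destination are what a proxy or NetFlow source can see. Legitimate software also polls on fixed intervals, so treat a hit as a pivot point for the domain and hash indicators rather than a verdict.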

Observed infection vectors evolved over time. Earlier DeathStalker activity used spear-phishing, including malicious Google Drive-hosted LNK files masquerading as PDFs or ZIPs, and later malicious DOCX documents delivered by email or website chatbots. Those DOCX files fetched malicious DOTM remote templates that used VBA stomping, Office object abuse, hidden form data, and HTTP signaling to C2, ultimately leading to VileDropper, VileLoader, and then VileRAT. More recent reporting identified a newer variant active since at least August 2023 that was likely distributed through fake software piracy sites via trojanized legitimate installers, representing a shift from prior malicious document and LNK delivery. In that activity, a malicious NSIS installer for Nulloy media player, signed by GLOSUB LLC, launched a modified NVIDIA 3D Vision Test Application as VileLoader, which unpacked an obfuscated VileRAT payload from Plugins/platforms/wctSBWZ.tmp. The payload and filename were obfuscated with XOR-based encoding identified as the Type B XOR algorithm, and the decoded configuration contained startup timing values, an encryption key, and C2 servers.

Cited reporting also states that Charcoal Stork, a suspected pay-per-install provider associated with fake cracked software and similar lures, delivered EXE files leading to VileRAT in 2023, including campaigns affecting several dozen organizations across a broad range of industries. Known infrastructure directly mentioned for the newer variant includes the control servers eriegentsfsepara.com, licncesispervicear.com, naightdecipientc.com, nscormationw.com, and yclearneriegen.com. Specific file indicators mentioned in that reporting include install.exe (SHA256 21ae1d88e675c9a2d51a2f68beadf24a21c1b16f58fc042ff97ad8e52501300d), the VileLoader component Plugins/platforms/NvStTest.exe (SHA256 552f9c111bdf18479b2195933649b8dbf80d65113b6d8743ecc9562a4e065a77), the legitimate NVIDIA binary it impersonated (SHA256 d799c32ddea3e0fa8219563d0b662cfe759231cfb90b23e60bf75a53f1391cd1), and the VileRAT payload file Plugins/platforms/wctSBWZ.tmp (SHA256 76f93a5d5a1b6bacb6ce474e8388819a3fdb50be51b0ee59bafdfabf5cc6cbb6). Stairwell estimated that this 2023-2024 VileRAT variant infected between 1,000 and 10,000 systems.
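The file indicators above give a defender two different kinds of check: exact SHA-256 matches for the trojanized installer, the modified loader and the payload, and a known-good hash for the genuine NVIDIA binary that the loader impersonated. The script below is an added example (not code from the page or from Stairwell): it walks a directory, hashes each file, and classifies it as malicious (page-listed hash), benign (NvStTest.exe with the page-listed legitimate hash), or suspicious (NvStTest.exe with any other hash, or a .tmp file under a Plugins/platforms directory, the payload location reported on the page). The directory layout, the sample file contents and the verdict labels are constructed; only the hashes and paths come from the page.

```python
"""Classify files against the VileRAT file indicators quoted on this page (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path, PurePosixPath

# SHA-256 values quoted on the page, keyed by the role reporting assigns them.
KNOWN_MALICIOUS = {
    "21ae1d88e675c9a2d51a2f68beadf24a21c1b16f58fc042ff97ad8e52501300d": "trojanized Nulloy install.exe",
    "552f9c111bdf18479b2195933649b8dbf80d65113b6d8743ecc9562a4e065a77": "VileLoader (modified NvStTest.exe)",
    "76f93a5d5a1b6bacb6ce474e8388819a3fdb50be51b0ee59bafdfabf5cc6cbb6": "VileRAT payload (wctSBWZ.tmp)",
}
# The genuine NVIDIA 3D Vision Test Application hash from the page: the expected value
# for a file carrying that name.
KNOWN_LEGIT_NVSTTEST = "d799c32ddea3e0fa8219563d0b662cfe759231cfb90b23e60bf75a53f1391cd1"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(rel_path, digest):
    """Return (verdict, detail) for one file given its path relative to the scan root."""
    rel = PurePosixPath(str(rel_path).replace(os.sep, "/"))
    name = rel.name.lower()
    if digest in KNOWN_MALICIOUS:
        return "malicious", KNOWN_MALICIOUS[digest]
    if name == "nvsttest.exe":
        if digest == KNOWN_LEGIT_NVSTTEST:
            return "benign", "genuine NVIDIA 3D Vision Test Application"
        # Same filename but not the known-good hash: the reported loader was a modified copy.
        return "suspicious", "NvStTest.exe with unexpected hash"
    parts = [p.lower() for p in rel.parts]
    if name.endswith(".tmp") and "plugins" in parts and "platforms" in parts:
        return "suspicious", "unexpected .tmp under Plugins/platforms"
    return "unknown", ""


def scan(root):
    """Walk `root` and return {relative posix path: (verdict, detail)} for every non-'unknown' file."""
    root = Path(root)
    results = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root)
            verdict, detail = classify(rel, sha256_file(p))
            if verdict != "unknown":
                results[rel.as_posix()] = (verdict, detail)
    return results


def build_sample_tree():
    """Create a constructed directory resembling the reported installer layout (assumption)."""
    root = Path(tempfile.mkdtemp(prefix="vilerat_demo_"))
    (root / "Plugins" / "platforms").mkdir(parents=True)
    (root / "Plugins" / "platforms" / "NvStTest.exe").write_bytes(b"not the real binary")
    (root / "Plugins" / "platforms" / "wctSBWZ.tmp").write_bytes(b"constructed blob")
    (root / "readme.txt").write_bytes(b"hello")
    return root


if __name__ == "__main__":
    for path, (verdict, detail) in scan(build_sample_tree()).items():
        print(f"{verdict:10} {path}  {detail}")
```

The known-good comparison is the caveat worth noting: a newer or older genuine NvStTest.exe will also land in the suspicious bucket, so the name-plus-hash rule is a triage filter that says "verify this signature and origin", not a malware verdict. Only the three page-listed hashes produce a malicious verdict.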

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Evilnum

On 26 January 2024, Stairwell’s Threat Research team identified a new variant of VileRAT that has been in use since at least August 2023. VileRAT is a Python-based malware family believed to be unique to the Evilnum threat group (also tracked as DeathStalker).

via Stairwell (stairwell.com)
Deathstalker

On 26 January 2024, Stairwell’s Threat Research team identified a new variant of VileRAT that has been in use since at least August 2023. VileRAT is a Python-based malware family believed to be unique to the Evilnum threat group (also tracked as DeathStalker).

via Stairwell (stairwell.com)
Charcoal Stork

Later in 2023 we also observed VileRAT being delivered by Charcoal Stork, and research from other vendors suggests several other payloads have been observed as well.

via Red Canary Threat Report (redcanary.com)
MITRE ATT&CK

Techniques & procedures

21 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1566.001 Spearphishing Attachment (evidence: 2)

Evilnum’s past tactics, techniques, and procedures (TTPs) have included sending emails designed to deliver malicious LNK attachments, Word documents, and links to executable files...

T1566.002 Spearphishing Link (evidence: 1)

Evilnum’s past tactics, techniques, and procedures (TTPs) have included sending emails designed to deliver malicious LNK attachments, Word documents, and links to executable files...

T1566.003 Spearphishing via Service (evidence: 1)

In July 2022, we also noticed that the attackers leveraged chatbots that are embedded in targeted companies’ public websites to send malicious DOCX to their targets.

Execution

5 techniques
T1053.005 Scheduled Task (evidence: 1)

VileDropper... schedules a task to run VileLoader 35 to 65 seconds later, then indefinitely every three hours and 45 minutes... VileRAT functionalities include... Setting up persistence using scheduled tasks.

T1059 Command and Scripting Interpreter (evidence: 2)

VileRAT is a Python-based malware family... The functionality of VileRAT is consistent with traditional remote access tools, providing attackers with the ability to remotely capture keystrokes, execute commands, and harvest information.

T1059.003 Windows Command Shell (evidence: 1)

The “command” term is quite large: it can either be an existing binary, a shell command, a downloaded executable, a Python package, or an internal VileRAT function.

T1059.006 Python (evidence: 1)

VileRAT is the last known stage... It is an obfuscated and packed Python3 RAT, bundled as a standalone binary with py2exe.

T1204.002 Malicious File (evidence: 2)

Based on public reports and observed filenames, we believe that this variant is being distributed through fake software piracy sites in order to broadly infect systems.

Persistence

1 technique
T1053.005 Scheduled Task (evidence: 1)

VileDropper... schedules a task to run VileLoader 35 to 65 seconds later, then indefinitely every three hours and 45 minutes... VileRAT functionalities include... Setting up persistence using scheduled tasks.

Privilege Escalation

1 technique
T1053.005 Scheduled Task (evidence: 1)

VileDropper... schedules a task to run VileLoader 35 to 65 seconds later, then indefinitely every three hours and 45 minutes... VileRAT functionalities include... Setting up persistence using scheduled tasks.

Stealth

3 techniques
T1027 Obfuscated Files or Information (evidence: 2)

This payload and its filename are both obfuscated using XOR-based encoding methods... VileRAT’s core component is stored in a compressed, Xored, and base64 encoded buffer...

T1036 Masquerading (evidence: 2)

Stairwell has observed new activity and has identified new variants of VileRAT being deployed by modified versions of legitimate installers that contain VileLoader.

T1620 Reflective Code Loading (evidence: 1)

This malware is consistently seen being deployed by an accompanying loader known as VileLoader, used to run VileRAT in-memory, limiting on-disk artifacts.

Credential Access

1 technique
T1056.001 Keylogging (evidence: 2)

The functionality of VileRAT is consistent with traditional remote access tools, providing attackers with the ability to remotely capture keystrokes...

Discovery

2 techniques
T1082 System Information Discovery (evidence: 1)

the DOTM-embedded macro silently gathers information about security products that are installed on the target computer... VileDropper: gathers additional data on the targeted environment... The JSON that is passed to the C2 server can be broken down as follows... host, uname, Windows version.

T1518 Software Discovery (evidence: 1)

the DOTM-embedded macro silently gathers information about security products that are installed on the target computer (using WMI)... VileRAT functionalities include: Listing security solutions that are installed on the target computer.

Lateral Movement

1 technique
T1021.004 SSH (evidence: 1)

Establishing SSH connections to remote servers... VileRAT starts a new process of itself, which connects to a remote SSH server... This connection is leveraged as a tunnel to forward ports from the target computer to the remote server.

Collection

2 techniques
T1005 Data from Local System (evidence: 1)

The functionality of VileRAT is consistent with traditional remote access tools, providing attackers with the ability to ... harvest information.

T1056.001 Keylogging (evidence: 2)

The functionality of VileRAT is consistent with traditional remote access tools, providing attackers with the ability to remotely capture keystrokes...

Command and Control

5 techniques
T1071 Application Layer Protocol (evidence: 1)

Within the decoded output is a JSON configuration for the implant, that contains the time VileRAT was started, control servers, and the encryption key for C2 communication.

T1071.001 Web Protocols (evidence: 1)

VileDropper sends data to a C2 server using an HTTP GET request... VileLoader’s second stage builds an HTTP GET request... VileRAT tries to send an HTTP POST request to each of the C2 servers that exist in its configuration.

T1090 Proxy (evidence: 1)

Establishing SSH connections to remote servers, possibly leveraging them to forward ports of the targeted computer to the remote server... SSH-tunneled local port forward.

T1105 Ingress Tool Transfer (evidence: 1)

VileLoader’s main goal is to download and execute an additional payload from a C2 server... If the C2 server answers with an implant package, it sends a Type D XORed blob... contains one or several “files”... Finally, the last dropped file is also immediately executed.

T1132.001 Standard Encoding (evidence: 1)

The useful information is stored as a JSON document, which is then XOR-encoded, base64-encoded, URL-encoded... The encrypted blob (cookie value) is initially a JSON dictionary, encrypted with the RC4 algorithm, XORed, base64-encoded and URL-encoded.

INDICATORS OF COMPROMISE

IOCs tracked for this family

449 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
299 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
145 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
5 tracked

Other indicator types observed in public reporting.

Type        | Value                            | Latest sighting
domain      | (masked; full value in Mallory)  | 6 months ago
hash.sha256 | (masked; full value in Mallory)  | 6 months ago
hash.sha256 | (masked; full value in Mallory)  | 6 months ago
domain      | (masked; full value in Mallory)  | 6 months ago
domain      | (masked; full value in Mallory)  | 6 months ago
hash.sha256 | (masked; full value in Mallory)  | 6 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (449)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (21)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.