grep -rl "RAT" ./posts

#RAT

2 matches

FUD .url, WebDAV Delivery, and a NetSupport RAT Phoning Home on Telegram

A Windows URL shortcut disguised as a PDF had 1/75 detections at submission time. It used the WebDAV-over-HTTP UNC trick to silently execute an EXE off a Hong Kong opendir. Two stages later: a silent NetSupport Manager install beaconing to a 16-day-old C2 domain while Telegram told the operator their new victim was live.

2026-07-01 · 11 min

One Tweet, Sixteen Servers: Pivoting the Chopi RAT Vishing Operation

A WsgiDAV opendir gave me staging payloads and a leaked debug log. AES config RE confirmed all six C2 IPs and the full encrypted capability set. PE build timestamp forensics revealed two back-to-back build sessions; the operator's dropper cluster leaked their build-system path on VirusTotal. Neo4j graph of 70 nodes across 3 cloud providers. YARA rules included.

2026-06-30 · 32 min

← back to listing