Neptune RAT is a remote access trojan with at least two major versions, V1 and V2. High-confidence reporting indicates Neptune RAT V1 has substantial technical overlap with XWORM and is most likely derived from it rather than independently developed. Researchers observed Neptune RAT samples triggering detections originally written for XWORM, and reverse engineering found closely matching initialization flow, configuration handling, and persistence logic.
Neptune RAT V1 loads configuration at the start of execution and stores configuration values in a single class of static strings. Its configuration strings, except the mutex, are AES-encrypted and Base64-encoded. Neptune RAT V1 and XWORM share a distinctive crypto routine in which the mutex is MD5-hashed and duplicated to form a 32-byte AES key, with AES used in ECB mode. This overlap reportedly caused Neptune RAT V1 configurations to be conflated with XWORM configurations in tracking systems.
Reported persistence mechanisms for Neptune RAT V1 include Task Scheduler, registry entries, and the startup folder. The malware also includes clipper-related logic: Neptune RAT V1 and XWORM reportedly use identical regular expressions targeting BTC, ETH, and TRC cryptocurrency wallets. Neptune RAT V1 specifically targets legacy Bitcoin addresses and largely ignores Bech32 addresses.
Open-source analysis cited in the content identified GitHub repositories that partially reconstruct Neptune RAT development history. A repository referenced as MasonGroup/NeptuneRatV1 is described as a fork of the V1 builder, with activity concentrated in early December 2024 and references to a Discord server named FreemasonryTM. A separate NeptuneRatV2 repository, first committed on February 22, 2025, is described as a trial version of a newer builder. Neptune RAT V2 appears to be a major rewrite or extensive refactor: its builder is described as more polished, its code flow differs from V1, variable names are not obfuscated, and configuration data is stored as plaintext strings in a Settings class rather than encrypted.
The content does not provide a confirmed threat actor attribution for Neptune RAT itself, but it does state that Neptune RAT V1 was linked to the investigated campaign and that ongoing development of the original Neptune RAT repository continued after the public forks, with the original repository later made private. The content also notes that SHA-256 hashes exist for samples labeled Neptune V1 RAT and Neptune V2 RAT, but the specific hashes are not reproduced in the provided material.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
NEPTUNE RAT1
Remote Access Trojan; new versions reported by Gen Digital, identified within historic XWorm-related data.
A .NET remote access trojan with at least two major versions. V1 strongly overlaps with XWORM in configuration initialization, AES(Base64) config handling (ECB mode with MD5-derived key from mutex), and persistence (scheduled tasks, registry, startup folder). It also includes clipper-style cryptocurrency wallet targeting (BTC/ETH/TRC). V2 appears to be a substantial rewrite/refactor with different code flow and plaintext configuration strings (no AES-encrypted settings).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.