SombRAT
SombRAT is a modular backdoor written in C++ that has been used since at least 2019. It has been described as a 64-bit Windows executable and, in Mandiant reporting, as a plugin-based backdoor whose primary purpose is to download and execute plugins delivered by its command-and-control (C2) server. Reported plugin components include core, network, storage, taskman, and debug/debuglog.
Observed capabilities include collecting data and files from compromised hosts, storing harvested data in a custom database under the %TEMP% directory, and uploading collected data and files to its C2 server. It can enumerate services on a victim machine and execute a getinfo command to discover the current time on a compromised host. For communications, SombRAT can SSL/TLS-encrypt C2 traffic, use TCP sockets and ICMP to ping its C2 server, use an embedded SOCKS proxy in C2 communications, and use a custom domain generation algorithm (DGA) to generate subdomains/domains for C2. Mandiant additionally reported C2 via DNS, TLS-encrypted TCP, and potentially WebSockets.
SombRAT has been associated with multiple threat clusters and campaigns. Mandiant observed UNC2447 exploiting the SonicWall SMA 100 Series zero-day CVE-2021-20016 before a patch was available and deploying SOMBRAT; UNC2447 activity was described as based on SOMBRAT and Cobalt Strike BEACON infrastructure, and Mandiant later observed SOMBRAT alongside FIVEHANDS ransomware intrusions. BlackBerry Cylance previously reported SOMBRAT in the CostaRicto campaign, where CostaRicto used custom malware including PS1, CostaBricks, and SombRAT. MS-ISAC also described SombRAT as a modular backdoor used primarily after initial compromise to collect and exfiltrate information and to deliver additional payloads, and noted malspam as an observed infection vector in Q4 2025.
Mandiant reported a hardened SOMBRAT variant with additional obfuscation and armoring intended to evade detection and hinder analysis. In that variant, compiler metadata was stripped and strings were inlined and XOR-encoded. Deployment involved multiple launcher resources typically installed under C:\ProgramData\Microsoft, with observed paths including C:\programdata\Microsoft\WwanSvc.bat, WwanSvc.txt, WwanSvc.c, WwanSvc.a, and WwanSvc.b. Encrypted storage/configuration files were observed in %TEMP% and C:\ProgramData, sometimes with random names; other filename variations included ntuser and wapsvc.
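An added defender-side example, not code from Mandiant or from the page's own tooling: a small Python triage helper that flags file-creation paths matching the launcher resource names and storage filename variants reported above. The event records and the user's temp directory are constructed for the demonstration.

```python
from pathlib import PureWindowsPath

# Launcher resources reported under C:\ProgramData\Microsoft (names taken from the write-up).
LAUNCHER_DIR = PureWindowsPath(r"C:\ProgramData\Microsoft")
LAUNCHER_NAMES = frozenset(
    n.lower() for n in ("WwanSvc.bat", "WwanSvc.txt", "WwanSvc.c", "WwanSvc.a", "WwanSvc.b")
)
# Filename stems reported as variations for the encrypted storage/configuration files.
STORAGE_STEMS = frozenset({"ntuser", "wapsvc"})


def classify_path(path, temp_dir=r"C:\Users\alice\AppData\Local\Temp"):
    """Return an artifact label if the path matches a reported pattern, else None.

    PureWindowsPath compares case-insensitively, so C:\programdata and C:\ProgramData
    match. temp_dir is the %TEMP% of the user under investigation (assumed value here).
    """
    p = PureWindowsPath(path)
    if p.parent == LAUNCHER_DIR and p.name.lower() in LAUNCHER_NAMES:
        return "launcher-resource"
    storage_dirs = (PureWindowsPath(r"C:\ProgramData"), PureWindowsPath(temp_dir))
    if p.parent in storage_dirs and p.stem.lower() in STORAGE_STEMS:
        return "storage-name-variant"
    # Randomly named storage files are reported too; they cannot be matched by name alone.
    return None


def triage(events, temp_dir=r"C:\Users\alice\AppData\Local\Temp"):
    """Run classify_path over file-creation events; return (timestamp, label, path) hits."""
    hits = []
    for ev in events:
        label = classify_path(ev["path"], temp_dir)
        if label:
            hits.append((ev["ts"], label, ev["path"]))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2021-04-01T10:02:11Z", "path": r"C:\programdata\Microsoft\WwanSvc.bat"},
    {"ts": "2021-04-01T10:02:12Z", "path": r"C:\ProgramData\Microsoft\WwanSvc.a"},
    {"ts": "2021-04-01T10:02:13Z", "path": r"C:\ProgramData\Microsoft\WwanSvc.xml"},  # not reported
    {"ts": "2021-04-01T10:05:00Z", "path": r"C:\ProgramData\wapsvc.dat"},
    {"ts": "2021-04-01T10:05:01Z", "path": r"C:\Users\alice\AppData\Local\Temp\ntuser.bin"},
    {"ts": "2021-04-01T10:06:00Z", "path": r"C:\Users\alice\ntuser.dat"},  # legitimate hive location
    {"ts": "2021-04-01T10:07:00Z", "path": r"C:\Windows\System32\drivers\etc\hosts"},
]

if __name__ == "__main__":
    for ts, label, path in triage(SAMPLE_EVENTS):
        print(ts, label, path)
```

Treat a hit as a pivot for investigation rather than a verdict: the names are shared with legitimate-looking Windows service names, so confirm with the creating process and the file contents.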
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
“CVE-2021-20016 is a critical SQL injection vulnerability that exploits unpatched SonicWall Secure Mobile Access SMA 100 series remote access products… Successful exploitation would grant an attacker the ability to access login credentials (username, password) as well as session information… This vulnerability only impacted the SMA 100 series and was patched by SonicWall in February 2021.”
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Stealth
4 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Discovery
6 techniques
"actors used the following command ... to obtain information about services: net start"; "APT1 used the commands net start and tasklist to get a listing of the services on the system"; "OilRig has used sc query on a victim to gather information about services"; "Indrik Spider has used the win32_service WMI class to retrieve a list of services"
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."
Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").
Collection
4 techniques
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Command and Control
8 techniques
"Aria-body has the ability to use a reverse SOCKS proxy module." / "BADHATCH can use SOCKS4 and SOCKS5 proxies..." / "Neo-reGeorg... establish a SOCKS5 proxy" / "Remcos uses the infected hosts as SOCKS5 proxies"
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
"Anchor has used ICMP in C2 communications." / "COATHANGER uses ICMP for transmitting configuration information..." / "PHOREAL communicates via ICMP for C2." / "Regin ... can use ICMP to communicate between infected computers." / "Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications."
APT41 has used DGAs to change their C2 servers monthly. Aria-body has the ability to use a DGA for C2 communications. Astaroth has used a DGA in C2 communications. Bazar can implement DGA using the current date as a seed variable.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Enterprise New Software: ... SombRAT
64-bit Windows backdoor with a plugin-based architecture; communicates with configurable C2 over DNS and TLS-encrypted TCP (and potentially WebSockets). Primary purpose is to download/execute additional plugins delivered via C2, with added obfuscation/anti-analysis and forensic evasion (e.g., patching process command-line arguments).
Remote access malware that uses a custom domain generation algorithm to generate subdomains for command-and-control.
Remote access trojan that can encrypt command-and-control traffic with SSL.