CrossRAT
CrossRAT is a Java-based, cross-platform remote access trojan/backdoor associated in reporting by Lookout and the Electronic Frontier Foundation (EFF) with the Dark Caracal cyber-espionage campaign. It targets Windows, macOS, and Linux and has been described as providing persistent remote command-and-control of infected systems in a global surveillance operation that targeted individuals and institutions across more than 21 countries, including governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors. Reported infection vectors for the broader Dark Caracal activity included social media, phishing, and in some cases physical access.
CrossRAT performs OS detection and host profiling, collecting the OS name and version, username, and hostname. Its capabilities include filesystem enumeration and manipulation (creating, copying, moving, reading, and writing files), screenshot capture, and execution of files or payloads. Screenshots are taken with java.awt.Robot's createScreenCapture, saved as randomly named .jpg files, and exfiltrated to the command-and-control server. On Windows, execution of a specified file has been reported to go through rundll32 with url.dll,FileProtocolHandler, which hands the path to its registered handler so a document, script, or executable can all be launched the same way; on non-Windows systems it uses Desktop.getDesktop().open(), the Java equivalent.
Persistence is platform-specific. On macOS, CrossRAT creates a LaunchAgent, writing mediamgrs.plist to /Library/LaunchAgents/ when running as root and to ~/Library/LaunchAgents/ otherwise, configured to run java -jar on a persisted copy of itself named mediamgrs.jar. On Linux, it creates an XDG autostart entry, mediamgrs.desktop, under ~/.config/autostart/; the cited analysis gives /usr/var/mediamgrs.jar as the install path. On Windows, it persists through HKCU\Software\Microsoft\Windows\CurrentVersion\Run, adding the value with reg add so that javaw.exe (or java) is launched with -jar on the persisted JAR at logon. The user-level locations on all three platforms are writable without elevation, so persistence does not depend on root or administrator rights.
The malware's main logic has been described as residing in crossrat/client.class. A hardcoded C2 endpoint of flexberry.com on TCP port 2223 was reported. Additional indicators from the cited analysis include the sample name hmar6.jar, the persisted filename mediamgrs.jar, the LaunchAgent name mediamgrs.plist, the Linux autostart file mediamgrs.desktop, and MD5 hash 85b794e080d83a91e904b97769e1e770 for the referenced sample/persisted JAR. When hunting, treat the filenames and the domain as the weakest of these (a rebuilt sample changes either without touching the code) and the hash as specific to this one sample; the persistence shape itself, a LaunchAgent, autostart entry, or Run key whose command line runs java -jar on a JAR in a user-writable location, is the more durable signal. The analysis also notes that CrossRAT requires a Java runtime on the host, which limits exposure on systems where Java is absent.
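The persistence paths, command lines and hash above can be turned into an offline hunt. The script below is an added example written for this page, not code from Lookout, EFF, the cited analysis, or Mallory: it walks a filesystem tree for LaunchAgent plists and XDG autostart entries that launch a JAR named mediamgrs.jar, hashes any .jar against the reported MD5, and checks process-creation events for the reg add Run-key command and for rundll32 url.dll,FileProtocolHandler spawned under a Java parent. The sample tree, the plist label, the Windows path under C:\Users\bob, the PIDs and every log line are constructed for the demo; requiring a java/javaw parent on the rundll32 check is an assumption made in this example, because that command is also used by legitimate software.

```python
"""Offline hunt for CrossRAT persistence artifacts and Windows command lines.
Added example for this page; indicator values are the reported ones, everything
built in build_sample_tree() and SAMPLE_EVENTS is constructed."""
import hashlib
import json
import os
import plistlib
import re
import tempfile

JAR_NAME = "mediamgrs.jar"
MEDIAMGRS_MD5 = "85b794e080d83a91e904b97769e1e770"  # reported MD5 of the persisted JAR

# Windows telemetry shapes: Run-key persistence via reg add, and file execution
# via rundll32 url.dll,FileProtocolHandler.
RUN_KEY_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b.*\bjavaw?(?:\.exe)?\s+-jar\b", re.I)
FPH_RE = re.compile(r"\brundll32(?:\.exe)?\s+url\.dll,\s*FileProtocolHandler\b", re.I)


def check_launch_agent(path):
    """macOS: a LaunchAgent whose ProgramArguments run `java -jar ... mediamgrs.jar`."""
    try:
        with open(path, "rb") as fh:
            args = [str(a) for a in plistlib.load(fh).get("ProgramArguments", [])]
    except (plistlib.InvalidFileException, ValueError, AttributeError, OSError):
        return None  # unreadable or not a dict-rooted plist: nothing to judge
    if "-jar" in args and any(a.endswith(JAR_NAME) for a in args):
        return {"type": "launch_agent", "path": path, "args": args}
    return None


def check_xdg_autostart(path):
    """Linux: an XDG autostart .desktop entry whose Exec= line runs the JAR."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.startswith("Exec=") and "-jar" in line and JAR_NAME in line:
                return {"type": "xdg_autostart", "path": path, "exec": line.strip()[5:]}
    return None


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_jar_hash(path):
    """Any .jar: match the reported MD5 (a renamed copy hashes the same)."""
    digest = md5_file(path)
    return {"type": "known_hash", "path": path, "md5": digest} if digest == MEDIAMGRS_MD5 else None


def scan_tree(root):
    """Walk a mounted image or live filesystem rooted at `root`; collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        parent = os.path.basename(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            if parent == "LaunchAgents" and name.endswith(".plist"):
                hit = check_launch_agent(path)
            elif parent == "autostart" and name.endswith(".desktop"):
                hit = check_xdg_autostart(path)
            elif name.endswith(".jar"):
                hit = check_jar_hash(path)
            else:
                hit = None
            if hit:
                findings.append(hit)
    return findings


def scan_process_events(lines):
    """Flag JSON process-creation events (one per line): the Run-key reg add, or
    rundll32 FileProtocolHandler whose parent is java/javaw. The parent condition is
    an assumption of this example: the JAR runs inside a Java process, and the bare
    rundll32 command is also used by legitimate software."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "").lower()
        if RUN_KEY_RE.search(cmd):
            hits.append(("run_key_persistence", ev["ProcessId"]))
        elif FPH_RE.search(cmd) and parent.endswith(("\\java.exe", "\\javaw.exe")):
            hits.append(("rundll32_fileprotocolhandler_from_java", ev["ProcessId"]))
    return hits


# Constructed telemetry: the paths, PIDs and the OneDrive entry are made up.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ProcessId": 1001, "ParentImage": "C:\\Program Files\\Java\\bin\\javaw.exe",
     "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                    "/v mediamgrs /t REG_SZ /d \"javaw.exe -jar C:\\Users\\bob\\mediamgrs.jar\" /f"},
    {"ProcessId": 1002, "ParentImage": "C:\\Program Files\\Java\\bin\\javaw.exe",
     "CommandLine": "rundll32.exe url.dll,FileProtocolHandler C:\\Users\\bob\\Downloads\\report.exe"},
    {"ProcessId": 1003, "ParentImage": "C:\\Windows\\explorer.exe",  # benign: no Java parent
     "CommandLine": "rundll32.exe url.dll,FileProtocolHandler https://example.com/"},
    {"ProcessId": 1004, "ParentImage": "C:\\Windows\\System32\\cmd.exe",  # benign Run value
     "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                    "/v OneDrive /d \"C:\\Users\\bob\\AppData\\Local\\OneDrive.exe\" /f"},
]]


def build_sample_tree():
    """Construct a throwaway tree with the three persistence locations, a benign
    LaunchAgent, and a dummy JAR that does not match the reported hash."""
    root = tempfile.mkdtemp(prefix="crossrat_hunt_")
    la = os.path.join(root, "Library", "LaunchAgents")
    xdg = os.path.join(root, ".config", "autostart")
    for d in (la, xdg, os.path.join(root, "usr", "var")):
        os.makedirs(d)
    with open(os.path.join(la, "mediamgrs.plist"), "wb") as fh:  # label and JAR path constructed
        plistlib.dump({"Label": "mediamgrs", "RunAtLoad": True,
                       "ProgramArguments": ["java", "-jar", "/Users/bob/Library/mediamgrs.jar"]}, fh)
    with open(os.path.join(la, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.updater", "ProgramArguments": ["/usr/bin/true"]}, fh)
    with open(os.path.join(xdg, "mediamgrs.desktop"), "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=mediamgrs\n"
                 "Exec=java -jar /usr/var/mediamgrs.jar\n")
    with open(os.path.join(root, "usr", "var", "mediamgrs.jar"), "wb") as fh:
        fh.write(b"PK\x03\x04 not the real sample")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
    print(scan_process_events(SAMPLE_EVENTS))
```

Point scan_tree() at a mounted evidence image (for example scan_tree("/mnt/evidence")) or at / on a live host, and feed scan_process_events() Sysmon or EDR process-creation records exported one JSON object per line with CommandLine, ParentImage and ProcessId fields. The plist and .desktop checks key on the java -jar launch shape rather than on the file name, so a renamed entry still fires; the hash check is exact-match only and will miss any rebuilt sample.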
Groups observed using it
1 distinct threat actor (Dark Caracal) attributed by public researchers:
"Dark Caracal also uses a previously unknown, multiplatform tool that Lookout and EFF have named CrossRAT, which is able to target Windows, OSX, and Linux."
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence
3 techniques: Launch Agent (ATT&CK T1543.001), Registry Run Keys / Startup Folder (T1547.001), and XDG Autostart Entries (T1547.013). The text attached to these entries is ATT&CK's general technique description and procedure examples from other families, not CrossRAT-specific reporting:
Launch Agent: "Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence."
Registry Run Keys / Startup Folder: malware and threat actors establish persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
3 techniques: the same three as under Persistence. ATT&CK maps Launch Agent, Registry Run Keys / Startup Folder, and XDG Autostart Entries to both tactics, and the technique text is the same as quoted above.
Discovery
1 technique: File and Directory Discovery (ATT&CK T1083). ATT&CK procedure examples quoted for the technique (other families, not CrossRAT): "...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."
Collection
1 technique: Screen Capture (ATT&CK T1113). ATT&CK procedure examples quoted for the technique (other families, not CrossRAT): "Agent Tesla can capture screenshots of the victim's desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in two categories:
IPs, domains, and DNS infrastructure linked to this family (the C2 domain flexberry.com, TCP 2223, is the value given above).
File hashes (MD5, SHA-1, SHA-256) from samples and reports (the MD5 85b794e080d83a91e904b97769e1e770 is the value given above).
Recent activity
9 sources tracked across advisories, community write-ups, and news. Summaries of how each describes the family:
Cross-platform remote access trojan referenced as an example of a multi-OS RAT; also noted as using XDG Autostart Entries for persistence on Linux-like desktops.
Cross-platform remote access trojan (RAT) used for cyber-espionage, providing persistent remote access and supporting file operations, screen capture, and command execution.
Java-based, cross-platform cyber-espionage implant/RAT. It copies itself to an OS-specific install path as mediamgrs.jar, establishes persistence (macOS LaunchAgent plist, Linux ~/.config/autostart .desktop entry, Windows HKCU Run key), then connects to a hardcoded C2 (flexberry.com:2223) to receive tasking. Capabilities described include filesystem manipulation (enumerate roots/files, create/copy/move/write/read files), screenshot capture and exfiltration, and executing files (Windows via rundll32 url.dll,FileProtocolHandler; non-Windows via Desktop.open()). It also collects host profiling data (OS name/version, username, hostname) and stores a generated UID in Java Preferences.
Remote access trojan that creates a Launch Agent on macOS for persistence.