GravityRAT

It is safe to assume that the current GravityRAT campaign uses similar infection methods — targeted individuals are sent links pointing to malicious apps.

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

The Mac version has a similar functionality and adds a cron job.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

The Mac version has a similar functionality and adds a cron job.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The Mac version has a similar functionality and adds a cron job.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

The attackers used a version of the app published on Github in October 2018, adding malicious code and changing the name to Travel Mate Pro.

the Trojan checks if it is running on a virtual machine

The cybercriminals also started using digital signatures to make the apps look more legitimate.

The spyware receives commands from the server, including to: ... intercept keystrokes

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The spyware receives commands from the server, including to: ... scan ports

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Examples include 'TrickBot can identify the user and groups the user belongs to on a compromised host' and multiple entries checking whether the current user is an administrator or has elevated privileges.

Examples include 'Action RAT can use WMI to gather AV products installed on an infected host,' 'Bumblebee can use WMI to gather system information,' and 'Volt Typhoon has leveraged WMIC for execution, remote system discovery.'

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Examples include 'Caterpillar WebShell can obtain a list of user accounts from a victim's machine,' 'DRATzarus can obtain a list of users from an infected machine,' 'Woody RAT can retrieve a list of user accounts and usernames from an infected machine,' and 'TrickBot can identify the user and groups the user belongs to on a compromised host.'

Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").

the Trojan checks if it is running on a virtual machine

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

AppleSeed can find and collect data from removable media devices. APT28 backdoor may collect the entire contents of an inserted USB device. Aria-body has the ability to collect data from USB devices. BADNEWS copies files with certain extensions from USB devices to a predefined directory.

The spyware receives commands from the server, including to: ... intercept keystrokes

The spyware receives commands from the server, including to: ... take screenshots

record audio (not implemented in this version)

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

We focused on port 46769, used by the above Trojans. The same port was used by the GravityRAT family.

the Trojan checks if it is running on a virtual machine, collects information about the computer, downloads the payload from the server, and adds a scheduled task.

The spyware’s functions are fairly standard: it sends device data, contact lists, e-mail addresses, and call and text logs to the C&C server.