RIPTIDE
RIPTIDE is a remote access trojan (RAT) associated with APT12. According to the provided content, it communicates with command-and-control infrastructure over HTTP, and at least some payloads are encrypted with RC4. The content specifically attributes use of RIPTIDE to APT12 and identifies HTTP-based C2 as a core characteristic. No additional high-confidence details on infection vector, targeted industries, platforms, or indicators of compromise are provided in the source content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniquePersistence
1 techniquePrivilege Escalation
1 techniqueStealth
1 techniqueCredential Access
1 techniqueOne had appeared in password spraying activity, and pivoting from it had uncovered additional servers.
Command and Control
3 techniquesThe content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
The architecture is a proxy chain: customer traffic arrives at Riptide, which forwards it through upstream SOCKS5 or HTTP proxies -- likely residential or compromised endpoints. The upstreamselector package handles rotation and load balancing across the upstream pool.
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
RAT that uses HTTP for C2 communications.
Remote access trojan that communicates over HTTP with RC4-encrypted payloads.
RAT that communicates over HTTP and encrypts payloads using RC4.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.