MagicRAT
MagicRAT is a Lazarus Group/Andariel-associated remote access trojan first publicly reported by Cisco Talos in 2022. It was observed deployed after exploitation of publicly exposed VMware Horizon servers, and later reporting links related Lazarus activity using ManageEngine ServiceDesk exploitation and broader DPRK intrusion operations.

The malware is written in C++ and statically links the Qt framework despite having no GUI, a design choice reported to complicate reverse engineering and reduce the reliability of heuristic or ML-based detection. MagicRAT is a relatively simple RAT that performs host reconnaissance, including commands such as whoami, systeminfo, and ipconfig /all, and can exfiltrate data over its existing HTTP command-and-control channel. Reported capabilities include arbitrary command execution via a remote shell, file operations such as renaming, moving, and deleting files, downloading additional executable payloads, changing C2 URLs, configurable sleep timing, and self-deletion in some variants.

MagicRAT stores configuration data on disk using Qt QSettings, in files and paths made to resemble legitimate operating system resources. Talos reported a configuration file named "visual.1991-06.com.microsoft_sd.kit" under "\ProgramData\WindowsSoftwareToolkit," while other reporting noted paths such as AppData\Roaming\MagicMon with an initialization file named "MagicSystem.ini." Persistence has been observed via Windows Scheduled Tasks, and Talos also reported use of a Startup folder link. Additional payloads delivered from the same infrastructure included executables masquerading as GIF files, including a simple port scanner hosted as "pct.gif."
MagicRAT activity overlapped with Lazarus infrastructure previously associated with DTrack, and Talos observed infections where MagicRAT was later removed and replaced with other Lazarus implants such as VSingle; related reporting also links it with TigerRAT, YamaBot, and QuiteRAT, the latter assessed as belonging to the MagicRAT family. The malware has been associated with DPRK operations targeting sectors including energy providers and, in later Lazarus/Andariel reporting, internet backbone infrastructure, healthcare, defense, aerospace, nuclear, engineering, cryptocurrency, and fintech organizations. Reported network and host indicators include C2 infrastructure such as 64[.]188[.]27[.]73 and encoded C2 values prefixed with "LR02DPt22R," as well as the upload artifact name "zero_dump.mix."
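A host-side hunt for the configuration paths, upload artifact name and encoded-C2 prefix listed above, as an added example (not code from Talos, from the Mallory page or from the malware itself); the paths and the "LR02DPt22R" prefix come from the reporting above, while the sample file tree and the config values in it are constructed for the demo.

```python
"""Host-artifact hunt for the MagicRAT traits described above (added example, not Talos code)."""
import configparser
import ntpath
from dataclasses import dataclass

# Configuration paths reported for MagicRAT; matched case-insensitively on the path tail
# so any drive letter or user-profile root is accepted.
KNOWN_CONFIG_TAILS = (
    r"programdata\windowssoftwaretoolkit\visual.1991-06.com.microsoft_sd.kit",
    r"appdata\roaming\magicmon\magicsystem.ini",
)
C2_VALUE_PREFIX = "LR02DPt22R"      # reported prefix of the encoded C2 values
UPLOAD_ARTIFACT = "zero_dump.mix"    # reported upload artifact name


@dataclass
class Finding:
    path: str
    reason: str


def hunt(files):
    """files: dict mapping a Windows path to its text content. Returns a list of Findings."""
    findings = []
    for path, content in files.items():
        low = path.replace("/", "\\").lower()
        if low.endswith(KNOWN_CONFIG_TAILS):
            findings.append(Finding(path, "known MagicRAT QSettings config path"))
        if ntpath.basename(low) == UPLOAD_ARTIFACT:
            findings.append(Finding(path, "MagicRAT upload artifact name"))
        # QSettings IniFormat is ordinary INI text; inspect every value for the C2 prefix.
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        try:
            parser.read_string(content)
        except configparser.Error:
            continue  # not INI-shaped (binary, hosts file, etc.)
        for section in parser.sections():
            for key, value in parser.items(section):
                if value.strip().strip('"').startswith(C2_VALUE_PREFIX):
                    findings.append(Finding(path, f"encoded C2 value in [{section}] {key}"))
    return findings


# Constructed sample tree for the demo; the config values are placeholders, not real captures.
SAMPLE_FILES = {
    r"C:\ProgramData\WindowsSoftwareToolkit\visual.1991-06.com.microsoft_sd.kit":
        "[General]\nurl1=LR02DPt22RPLACEHOLDERVALUE\nsleep=300\n",
    r"C:\Users\alice\AppData\Roaming\MagicMon\MagicSystem.ini": "[General]\nnote=benign-looking\n",
    r"C:\Windows\System32\drivers\etc\hosts": "# comment\n127.0.0.1 localhost\n",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_FILES):
        print(f"{f.reason}: {f.path}")
```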
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Over the last 15 years, the group has developed RATs, including the following... ▪ MagicRAT
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
MagicRAT, a new C++ malware delivered after exploitation of publicly exposed VMware Horizon platforms
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
1 technique
Execution
3 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence
4 techniques
Multiple entries describe creating .lnk shortcuts in Startup folders, such as BACKSPACE creating a shortcut to itself in the CSIDL_STARTUP directory and DarkGate creating an LNK object in the victim startup folder.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
The content repeatedly notes creation of '.lnk shortcut' files in the Startup folder, such as BACKSPACE creating a shortcut in CSIDL_STARTUP, DarkGate creating an LNK object in the victim startup folder, and Operation Dream Job placing LNK files into victims' startup folder.
Privilege Escalation
4 techniques
Stealth
8 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Kapeka masquerades as a Microsoft Word Add-In file, with the extension .wll, but is a malicious DLL file.
Many entries explicitly describe deleting artifacts 'to cover tracks,' 'evade detection,' 'remove evidence,' 'reduce their footprint,' or as part of 'post-intrusion cleanup process.' Examples include APT28 deleting files to cover tracks, FIN5 using SDelete to clean up the environment, and Dragonfly deleting operational files as part of cleanup.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Discovery
2 techniques
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Command and Control
3 techniques
The actors disguise their malware within HTTP packets to appear as benign network traffic... [T1090, T1071].
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Recent activity
16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced for shared/overlapping implementation artifacts (a hardcoded session ID) with DLRAT; described as part of Lazarus’ shift toward non-traditional development frameworks (e.g., Qt).
Qt-based remote access trojan/implant used by Lazarus Group, observed in campaigns including those leveraging Log4j; described as similar to QuiteRAT (with QuiteRAT likely a compacted variant).
Qt-framework-based Lazarus Group RAT family described as larger/bulkier than QuiteRAT and including built-in persistence (e.g., scheduled tasks). Shares core capabilities with QuiteRAT such as arbitrary command execution, obfuscated strings (base64 plus additional measures like XOR), and C2-controlled dormancy/sleep behavior.
Remote access trojan used by Andariel; described as limited-functionality and written using the Qt framework; compared to EarlyRat for similarities.