FatalRAT is a Windows remote access trojan used in campaigns targeting Chinese-language users in Southeast Asia, East Asia, and the broader Asia-Pacific region. Reported targeting has included government and corporate networks, and activity has been associated in multiple reports with Chinese state-sponsored or China-nexus intrusion activity. FatalRAT has also been linked to the broader Chinese-speaking crimeware ecosystem alongside families such as Gh0st RAT, Simay RAT, Winos4.0, and ValleyRAT.
Observed delivery and execution chains have relied on social engineering and search-engine poisoning, including malicious search results for popular software and messaging applications that lead victims to trojanized installers. FatalRAT has also been deployed through DLL sideloading, including abuse of legitimate software components to load the malware while blending into normal application execution. Some reported samples were protected with commercial packers to hinder analysis.
Once installed, FatalRAT provides remote access and post-compromise control over infected systems through command-and-control communications using both a custom protocol and traffic designed to resemble normal encrypted web activity. Its use in targeted campaigns indicates a role in sustained intrusion operations rather than opportunistic nuisance activity. The malware has been observed as part of multi-tool intrusion sets, suggesting operators use it in conjunction with other remote access tools depending on victim environment and operational goals.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
45.192.219.135 — a Hong Kong VPS on Antbox Networks Limited (AS138995) that plays double duty as: FatalRAT C2 backend — tied to a live campaign deploying FatalRAT, Winos4.0, and QQHong sideloaded via Sogou Input Method DLL sideloading (ManualNewWord.dll), VMProtect-packed, beaconing on port 1080 + HTTPS cover on 443...
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Chinese-language speakers in Southeast and East Asia were targeted with poisoned Google search results for popular applications such as the Firefox web browser, and popular messaging apps Telegram and WhatsApp, to install trojanized versions containing the FatalRAT remote access trojan.
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Related coverage Cryptocurrency Users Targeted in Sophisticated ‘FatalRAT’ Phishing Campaign
FatalRAT1
Remote access trojan/backdoor used in a live campaign with DLL sideloading via Sogou Input Method, VMProtect packing, C2 over port 1080 with HTTPS cover on 443, and persistence via registry Run keys and scheduled tasks.
Known RAT delivered via phishing against APAC industrial organizations; uses legitimate Chinese cloud services as part of infrastructure.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.