BitRAT
BitRAT is a Windows remote access trojan (RAT) observed as a commodity malware family used in multiple criminal intrusion and malware-delivery campaigns. The content places it among commodity/open-source RATs alongside AsyncRAT, DcRAT, njRAT, LimeRAT, QuasarRAT, Remcos, NanoCore RAT, DarkComet, XWorm, and others. BitRAT has been tracked in command-and-control infrastructure collections, including C2 Tracker, and there is a Nuclei template specifically for detecting BitRAT C2 servers (ssl/c2/bitrat-c2.yaml), indicating identifiable C2 infrastructure in the wild.
BitRAT has been observed delivered or referenced in several campaign contexts. Elastic Security reported a 2021 Blister malware-loader campaign that dropped Cobalt Strike and BitRAT. Proofpoint reported Rhadamanthys campaigns in which Rhadamanthys was delivered as a companion to other malware including BitRAT, Remcos, zgRAT, XWorm, Lumma, and XLoader. Check Point Research also listed BitRAT among malware families delivered by the dotRunpeX .NET process-hollowing injector. The content further links BitRAT to TAG-144 / Blind Eagle activity, where it was one of several RATs used in campaigns primarily targeting Colombian government entities and other organizations in South America. Kaspersky likewise reported BlindEagle cycling through open-source RATs such as AsyncRAT, Lime-RAT, and BitRAT in phishing-led attacks in Colombia.
Associated threat activity in the content includes TAG-144 / Blind Eagle (also known as AguilaCiega, APT-C-36, and APT-Q-98), which has targeted Colombian government entities at local, municipal, and federal levels, as well as sectors including finance, petroleum and energy, education, healthcare, manufacturing, and professional services. Infection vectors mentioned in related Blind Eagle reporting include spearphishing impersonating government agencies, debt-collection and judicial-notification lures, password-protected archives delivered via links, and staged malware loaders. More broadly, BitRAT appears in underground malware sales/distribution contexts, including a forum post advertising it as an "advanced Windows RAT." High-confidence IOC-related information in the content is limited to the existence of BitRAT C2 detections/templates and historical tracking of BitRAT-associated infrastructure; no specific hashes, mutexes, registry keys, or file paths for BitRAT itself are provided.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
TAG-144 leverages a range of commodity remote access trojans (RATs), including AsyncRAT, REMCOS RAT, DcRAT, njRAT, LimeRAT, QuasarRAT, BitRAT, and a Quasar variant known as BlotchyQuasar.
TAG-144 leverages a range of commodity remote access trojans (RATs), including AsyncRAT, REMCOS RAT, DcRAT, njRAT, LimeRAT, QuasarRAT, BitRAT, and a Quasar variant known as BlotchyQuasar.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control
2 techniquesC2 Tracker is a free-to-use-community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.
The post promoted “EagleSpy v5” as a lifetime-activated Android RAT... additional threads associated with the same user across DarkForums, including posts promoting other tools such as Craxs RAT, XWorm HVNC RAT... On DarkForums itself, the same user was found promoting a range of tools, including: Craxs RAT, XWorm HVNC RAT...
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Windows remote access trojan promoted as an advanced, fully activated RAT.
BitRAT is a remote access trojan (RAT) that provides attackers with persistent remote control over infected systems, often used for data theft, surveillance, and further malware deployment.
Observed as a companion payload delivered alongside Rhadamanthys.
Commodity remote access trojan used by TAG-144.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.