Skip to main content
Mallory
Back to malware
MalwareUsed by 5 actors

MASOL RAT

MASOL RAT is an HTTP-based remote access trojan/backdoor, also referred to as Backdr-NQ, observed in China-linked cyberespionage activity. It has been documented on Windows and was also reported as deployed on Linux devices, making it a cross-platform backdoor. High-confidence capabilities mentioned in the source material include backdoor access, arbitrary command execution, file download and upload, keylogging, configuration updates, and in-memory payload execution. One reported Windows sample communicated with command-and-control servers over HTTP POST using AES encryption and contained the PDB path E:\Masol_https190228\x64\Release\Masol.pdb. In the 2025 Southeast Asian government intrusion investigated by Palo Alto Networks Unit 42, MASOL RAT was used by cluster CL-STA-1048 alongside EggStremeFuel, EggStreme Loader/Gorem RAT, and TrackBak Stealer to support long-term persistence and data theft. Unit 42 detected a MASOL RAT sample at C:\Windows\System32\AxInstSVs.dll with SHA256 05995284b59ad0066350f43517382228f7eee63cd297e787b2a271f69ecf2dfc. The malware has been publicly associated with activity overlapping Earth Estries and Crimson Palace, and reporting states Earth Estries deployed MASOL RAT against Southeast Asian government networks, including Linux devices. The broader targeting described in the content centers on government networks in Southeast Asia, with Earth Estries also linked more broadly to telecommunications and government targeting.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Mustang Panda

Attackers deployed numerous malware families, including HIUPAN, PUBLOAD, EggStremeFuel, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st.

via scworldscworld.com
CL-STA-1048

Attackers deployed numerous malware families, including HIUPAN, PUBLOAD, EggStremeFuel, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st.

via scworldscworld.com
CL-STA-1049

Attackers deployed numerous malware families, including HIUPAN, PUBLOAD, EggStremeFuel, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st.

via scworldscworld.com
Salt Typhoon

Masol RAT and EggStreme Loader provided backdoor access, keylogging, and in-memory payload execution, while TrackBak stole keystrokes, clipboard data, and network info.

via security affairssecurityaffairs.com
Crimson Palace

Masol RAT and EggStreme Loader provided backdoor access, keylogging, and in-memory payload execution, while TrackBak stole keystrokes, clipboard data, and network info.

via security affairssecurityaffairs.com
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059Command and Scripting InterpreterEvidence2
TacticExecution

MASOL RAT (aka Backdr-NQ), a remote access trojan with file download/upload and arbitrary command execution features.

Stealth

1 technique
T1620Reflective Code LoadingEvidence1
TacticStealth

using ClaimLoader to decrypt and execute shellcode in memory... Masol RAT and EggStreme Loader provided backdoor access, keylogging, and in-memory payload execution

Credential Access

1 technique
T1056.001KeyloggingEvidence1
TacticsCredential AccessCollection

CoolClient could... record keystrokes... Masol RAT and EggStreme Loader provided backdoor access, keylogging... TrackBak stole keystrokes

Collection

1 technique
T1056.001KeyloggingEvidence1
TacticsCredential AccessCollection

CoolClient could... record keystrokes... Masol RAT and EggStreme Loader provided backdoor access, keylogging... TrackBak stole keystrokes

Command and Control

3 techniques
T1071Application Layer ProtocolEvidence1
TacticCommand and Control

Variants of PUBLOAD use either HTTP or TCP for command-and-control (C2) communications. The sample we observed is a variant that uses TCP... Masol RAT... communicates with its C2 servers over HTTP POST... This malware uses Google Remote Procedure Call (gRPC) for C2 communication.

T1105Ingress Tool TransferEvidence2
TacticCommand and Control

EggStremeFuel, a lightweight backdoor that's equipped to download/upload files... EggStremeLoader... supports 59 backdoor commands... This includes a variant that facilitates file download/upload over Dropbox. MASOL RAT... with file download/upload... COOLCLIENT... supports file download/upload.

T1219Remote Access ToolsEvidence1
TacticCommand and Control

Masol RAT and EggStreme Loader provided backdoor access... FluffyGh0st... enables remote control and plugin-based functionality

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in app2 months ago
ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
scworldNews
Mar 31, 2026
China-linked groups conduct sophisticated cyber espionage against Southeast Asian government | brief | SC Media

Remote access trojan used in the campaign to provide persistent access to compromised systems.

Read more
security affairsNews
Mar 30, 2026
China-Linked groups target Southeast Asian government with advanced malware in 2025

A remote access trojan that provides backdoor access, keylogging, and in-memory payload execution.

Read more
the hacker newsNews
Mar 30, 2026
Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign

Remote access trojan with file download/upload and arbitrary command execution capabilities.

Read more
palo alto networks unit 42 blogNews
Mar 26, 2026
Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

HTTP-based Windows backdoor designed to run as a service DLL. It communicates with C2 over AES-encrypted HTTP POST and supports arbitrary command execution, C2 configuration management, and file upload/download.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution5

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.