Mallory
Malware | Ransomware | Used by 1 actor

VioletRAT

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

The Quarry

VioletRAT – A RAT promoted in the channel. Its relationship to the primary kit has not been confirmed, but the modular service model allows affiliates to integrate it into their own attack chains.

via malware.news
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 – Phishing (evidence: 1)

What looks like a wave of disconnected phishing incidents – some impersonating the IRS, others mimicking the Social Security Administration or DocuSign – can trace back to a single developer selling a Phishing-as-a-Service (PhaaS) toolkit to nearly 200 operators.

T1566.001 – Spearphishing Attachment (evidence: 1)

Unlike the web-based kit – which requires the victim to navigate through the lure and click the download – the VBS chain executes autonomously the moment the victim opens the attached file.

Execution

1 technique
T1059.001 – PowerShell (evidence: 1)

Post-exploitation tools include PowerShell scripts for browser history extraction and W-2 document discovery, with exfiltration routed through Telegram.

Stealth

1 technique
T1027 – Obfuscated Files or Information (evidence: 1)

Three VBS variants were identified, ranging from fragmented Base64 concatenation to hexadecimal string encoding to a PS1 second-stage loader implementing AES decryption.

Credential Access

1 technique
T1555 – Credentials from Password Stores (evidence: 1)

VioletRAT – A RAT promoted regularly in the channel as an alternative or complement to the ScreenConnect approach, with features including cookie recovery, credential dumping, and background control.

Discovery

2 techniques
T1012 – Query Registry (evidence: 1)

Browser History Stealer (PS1) – Forcibly closes Chrome or Edge to unlock SQLite database files, exports six months of history to CSV... and sends the complete file to Telegram.

T1083 – File and Directory Discovery (evidence: 1)

W-2 Document Finder (PS1) – Recursively searches the user profile directory (C:\Users\{username}) for files with “w2” in the name.

Command and Control

1 technique
T1071.001 – Web Protocols (evidence: 1)

Telegram serves as C2 infrastructure, with each affiliate receiving victim notifications in real time through dedicated bots.

Exfiltration

1 technique
T1567 – Exfiltration Over Web Service (evidence: 1)

Post-exploitation tools include PowerShell scripts for browser history extraction and W-2 document discovery, with exfiltration routed through Telegram.
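A detection sketch for the chain quoted under Discovery, Command and Control and Exfiltration above: it correlates the collection stages (a PowerShell process terminating Chrome or Edge to unlock the History SQLite file, access to that file, or a recursive search for “w2” filenames) with a follow-on connection from the same process to the Telegram Bot API. This is an added example, not Mallory's code or the researchers' tooling; the event schema, the command-line and path patterns, and the sample telemetry are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators modelled on the behaviour described above (assumed patterns;
# real command lines and paths will vary by operator and browser).
BROWSER_KILL = re.compile(r"(taskkill|stop-process).*\b(chrome|msedge)\b", re.I)
HISTORY_DB = re.compile(r"\\User Data\\[^\\]+\\History$", re.I)
W2_SEARCH = re.compile(r"get-childitem.*-recurse.*w2", re.I)
TELEGRAM_API = re.compile(r"(^|\.)api\.telegram\.org$", re.I)

# Constructed sample telemetry, loosely modelled on Sysmon process-create,
# file-access and network-connect events (the schema is an assumption).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": "powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass Stop-Process -Name chrome -Force"},
    {"type": "file", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"type": "network", "pid": 4120, "dest": "api.telegram.org"},
    {"type": "process", "pid": 5210, "image": "powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users\\bob -Recurse -Filter *w2*"},
    {"type": "network", "pid": 5210, "dest": "api.telegram.org"},
    {"type": "process", "pid": 6001, "image": "powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\logs -Recurse"},  # benign: no collection stage
    {"type": "network", "pid": 6001, "dest": "update.example.org"},
]


def detect_telegram_exfil_chain(events):
    """Return {pid: [stages]} for PowerShell processes that performed at least
    one collection stage (browser kill, History DB access, W-2 search) and
    afterwards connected to the Telegram Bot API. Order matters: a Telegram
    connection with no prior collection stage is not reported."""
    stages = defaultdict(set)
    hits = {}
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
            if BROWSER_KILL.search(ev["cmdline"]):
                stages[pid].add("kill_browser")
            if W2_SEARCH.search(ev["cmdline"]):
                stages[pid].add("w2_search")
        elif ev["type"] == "file" and HISTORY_DB.search(ev["path"]):
            stages[pid].add("history_db")
        elif ev["type"] == "network" and TELEGRAM_API.search(ev["dest"]):
            if stages[pid]:  # collection already seen for this process
                hits[pid] = sorted(stages[pid] | {"telegram_c2"})
    return hits
```

Tune the patterns to your own telemetry fields; the value of the rule is the per-process sequencing, since each of the three stages alone is common in legitimate administration.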

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (9)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.