Black RAT
Black RAT is a remote access trojan associated with North Korean threat activity, specifically the Andariel group, a subordinate element within Lazarus and publicly tracked as Onyx Sleet. Reporting states Andariel has developed Black RAT as part of its broader custom RAT and implant arsenal. Black RAT was mentioned in connection with an attack campaign in which Andariel delivered Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers and through supply chain attacks involving South Korean asset management software. The broader Andariel activity is assessed as cyber espionage and ransomware-enabled operations targeting defense, aerospace, nuclear, and engineering organizations for sensitive military and technical information, with additional targeting of medical and energy sectors. The provided content does not include specific technical capabilities, persistence mechanisms, or indicators of compromise unique to Black RAT itself.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Over the last 15 years, the group has developed RATs, including the following... ▪ Black RAT
Groups observed using it
2 distinct threat actors attributed by public researchers.
It also follows a new attack campaign orchestrated by the North Korea-linked Andariel group – another subordinate element within Lazarus – to deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers as well as via supply chain attacks using a South Korean asset management software.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A remote access trojan reportedly delivered by the North Korea-linked Andariel group via compromised MS-SQL servers and supply chain attacks involving South Korean asset management software.
RAT used for remote access and lateral movement.