TeviRAT is a Windows backdoor used in TookPS-linked intrusion chains observed in 2025. It was delivered as a later-stage payload after initial compromise by the TookPS downloader and associated PowerShell scripts, and in some cases was deployed through DLL sideloading alongside a modified TeamViewer installation to provide covert remote access while concealing the remote administration software from the victim. Reporting on the broader campaign indicates that TeviRAT was one of multiple payloads used by operators who also established SSH-based access and delivered additional backdoors and tooling. The malware has been described as a well-known backdoor and was later removed from newer 2026 OkoBot rebuilds, apparently after its functions were absorbed by other framework components. Observed activity ties its delivery to fake software download lures and trojanized software distribution targeting Windows systems, including both individual users and organizations.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 distinct techniques documented for this family, organized by ATT&CK tactic.
...establish persistent remote access using SSH reverse tunnels and RATs like MineBridge RAT (aka TeviRAT).
21 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A RAT mentioned only to note that it was removed from the March 2026 rebuild of the malware chain.
A backdoor/RAT delivered in earlier TookPS/OkoBot chains to provide remote access and fetch additional TookPS content; later removed from newer OkoBot variants.
A backdoor/RAT previously delivered by TookPS and used in an earlier OkoBot chain before later being removed from newer variants.
A backdoor delivered by TookPS. In the observed sample, it used DLL sideloading to modify and deploy TeamViewer so it was hidden from the user while providing covert remote access to attackers.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.