{"id":18719,"date":"2026-02-24T10:49:03","date_gmt":"2026-02-24T10:49:03","guid":{"rendered":"\/cybersecurity-blog\/?p=18719"},"modified":"2026-02-24T10:49:05","modified_gmt":"2026-02-24T10:49:05","slug":"moonrise-rat-detected","status":"publish","type":"post","link":"\/cybersecurity-blog\/moonrise-rat-detected\/","title":{"rendered":"Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences"},"content":{"rendered":"\n<p>Security professionals rely on early detection signals to prioritize and&nbsp;contain&nbsp;incidents. But what happens when a fully capable RAT generates none?&nbsp;<\/p>\n\n\n\n<p>In a recent investigation, the&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;experts&nbsp;uncovered a new Go-based remote access trojan we named&nbsp;<a href=\"https:\/\/x.com\/anyrun_app\/status\/2024124064311222489\/\" target=\"_blank\" rel=\"noreferrer noopener\">Moonrise<\/a>. At&nbsp;the time of analysis, it&nbsp;wasn\u2019t&nbsp;detected on&nbsp;VirusTotal&nbsp;and had no vendor signatures tied to it.&nbsp;<\/p>\n\n\n\n<p>That\u2019s&nbsp;the problem teams&nbsp;can\u2019t&nbsp;ignore:&nbsp;credential theft, remote command execution, and persistence can be active while static checks stay silent. 
The result is slower triage,&nbsp;and&nbsp;more escalations.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s&nbsp;break down Moonrise\u2019s full attack chain and show how you can detect similar threats&nbsp;earlier, before&nbsp;they turn into longer investigations and&nbsp;real business&nbsp;impact.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Moonrise\u00a0operated\u00a0without early static detection<\/strong>,\u00a0establishing\u00a0active C2 communication before any vendor alerts were triggered.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The RAT supports\u00a0<strong>credential theft, remote command execution, persistence, and user monitoring<\/strong>, enabling full remote control of an infected endpoint.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Silent C2 activity increases business exposure<\/strong>, extending dwell time and raising the risk of data loss, operational disruption, and\u00a0financial impact.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Static reputation checks alone are not enough.\u00a0<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Behavior-based analysis<\/a>\u00a0is critical\u00a0to confirm real attacker activity quickly.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What Moonrise Means for Organizations&nbsp;<\/h2>\n\n\n\n<p>Moonrise&nbsp;isn\u2019t&nbsp;just a remote access tool. 
Its command set shows how an attacker can move from access to impact.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credential theft and\u00a0clipboard monitoring<\/strong>\u00a0can expose passwords, session tokens, and sensitive data copied between systems.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Remote command execution and process control<\/strong>\u00a0let operators run\u00a0scripts, interfere with\u00a0defenses, and manipulate business applications.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>File upload and execution<\/strong>\u00a0creates\u00a0a clean path to drop\u00a0additional\u00a0payloads, including stealers or ransomware.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Screen\u00a0capture,\u00a0webcam, and microphone access<\/strong>\u00a0can reveal\u00a0what\u2019s\u00a0happening inside finance workflows, admin panels, and internal communications.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Persistence and privilege-related functions<\/strong>\u00a0increase dwell time and make removal harder.\u00a0<\/li>\n<\/ul>\n\n\n\n<p>One compromised endpoint can disrupt operations and<strong>&nbsp;lead to financial and reputational damage<\/strong>, especially when the malware stays below static detection thresholds long enough to expand access.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Reduce escalation\n<\/span>and investigation costs <br>Detect\u00a0threats earlier with <span class=\"highlight\">behavior-first<\/span> clarity\n&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=Moonrise-rat-analysis&#038;utm_term=240226&#038;utm_content=linktoenterprise#contact-sales\" 
rel=\"noopener\" target=\"_blank\">\nIntegrate in your SOC\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Attack&nbsp;Details&nbsp;Exposed: What We Observed in Execution&nbsp;<\/h2>\n\n\n\n<p>You can&nbsp;follow the full Moonrise chain in real time,&nbsp;from execution to C2 control, and note the&nbsp;behaviors&nbsp;you can use for&nbsp;detection and triage.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d3e5e733-3b0d-4cf7-a7a8-ea1553cd16b9?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check analysis session with Moonrise<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-RAT-detected-inside-ANY.RUN-sandbox-1024x569.png\" alt=\"\" class=\"wp-image-18735\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-RAT-detected-inside-ANY.RUN-sandbox-1024x569.png 1024w, 
\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-RAT-detected-inside-ANY.RUN-sandbox-300x167.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-RAT-detected-inside-ANY.RUN-sandbox-768x427.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-RAT-detected-inside-ANY.RUN-sandbox-1536x854.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-RAT-detected-inside-ANY.RUN-sandbox-2048x1138.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-RAT-detected-inside-ANY.RUN-sandbox-370x206.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-RAT-detected-inside-ANY.RUN-sandbox-270x150.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-RAT-detected-inside-ANY.RUN-sandbox-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Moonrise\u00a0RAT detected inside ANY.RUN\u00a0sandbox, revealing its full attack chain<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Within minutes of execution, Moonrise&nbsp;established&nbsp;outbound communication and began responding to operator-driven commands. 
What&nbsp;looked harmless in static checks&nbsp;immediately&nbsp;revealed interactive control once&nbsp;behavior&nbsp;was&nbsp;observed.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Session Registration and Persistent Communication&nbsp;<\/h3>\n\n\n\n<p>The communication begins with:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>client_hello\u00a0<\/li>\n\n\n\n<li>connected\u00a0<\/li>\n\n\n\n<li>ping\/pong\u00a0<\/li>\n<\/ul>\n\n\n\n<p>These commands handle&nbsp;client&nbsp;identification and keep the&nbsp;WebSocket&nbsp;session alive. This confirms that the infected system is actively connected and ready to receive instructions.&nbsp;<\/p>\n\n\n\n<p>At this stage, traditional static checks still show nothing suspicious. But&nbsp;behaviorally, the endpoint is already under remote control.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/C2-overview-of-Moonrise-768x1024.jpeg\" alt=\"C2 communication overview of Moonrise RAT\u00a0\" class=\"wp-image-18736\" style=\"width:418px;height:auto\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/C2-overview-of-Moonrise-768x1024.jpeg 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/C2-overview-of-Moonrise-225x300.jpeg 225w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/C2-overview-of-Moonrise-1152x1536.jpeg 1152w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/C2-overview-of-Moonrise-1536x2048.jpeg 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/C2-overview-of-Moonrise-370x493.jpeg 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/C2-overview-of-Moonrise-270x360.jpeg 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/C2-overview-of-Moonrise-740x987.jpeg 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/C2-overview-of-Moonrise-scaled.jpeg 1920w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>C2 communication overview of Moonrise RAT<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<h3 
class=\"wp-block-heading\">2. Visibility Into the Host Environment&nbsp;<\/h3>\n\n\n\n<p>Once the session is&nbsp;established, the operator starts requesting information about the system.&nbsp;<\/p>\n\n\n\n<p>Observed commands include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>process_list\u00a0<\/li>\n\n\n\n<li>file_list\u00a0<\/li>\n\n\n\n<li>webcam_list\u00a0<\/li>\n\n\n\n<li>monitors_list<\/li>\n\n\n\n<li>screenshot\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n<p>This allows the attacker to inspect running processes, review directory structures,&nbsp;identify&nbsp;connected displays, and check for available multimedia devices. Even when&nbsp;screen&nbsp;capture fails in a headless environment, the attempt itself signals active operator-driven interaction.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"454\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/screenshot-functionality-1024x454.png\" alt=\"\" class=\"wp-image-18739\" style=\"width:576px;height:auto\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/screenshot-functionality-1024x454.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/screenshot-functionality-300x133.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/screenshot-functionality-768x340.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/screenshot-functionality-370x164.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/screenshot-functionality-270x120.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/screenshot-functionality-740x328.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/screenshot-functionality.png 1196w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>YARA rule match confirming screenshot functionality inside the Moonrise 
process<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>This stage provides the attacker with enough context to&nbsp;determine&nbsp;what data is accessible and which actions to take next.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Direct System Interaction and Control&nbsp;<\/h3>\n\n\n\n<p>Moonrise supports active command execution and process manipulation:&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-1 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list wp-container-content-1\">\n<li>cmd\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list wp-container-content-2\">\n<li>process_kill\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list wp-container-content-3\">\n<li>file_upload\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list wp-container-content-4\">\n<li>file_run\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list wp-container-content-5\">\n<li>file_execute\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list wp-container-content-6\">\n<li>file_delete\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>mkdir\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>explorer_restart\u00a0<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p>Through these commands, the operator can run system commands remotely,&nbsp;terminate&nbsp;selected processes, upload&nbsp;additional&nbsp;payloads, execute them,&nbsp;modify&nbsp;directories, and restart system components.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"436\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/svchost.exe-spawning-cmd.exe--1024x436.png\" alt=\"svchost.exe spawning cmd.exe to execute system commands\" class=\"wp-image-18741\" style=\"width:594px;height:auto\" 
srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/svchost.exe-spawning-cmd.exe--1024x436.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/svchost.exe-spawning-cmd.exe--300x128.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/svchost.exe-spawning-cmd.exe--768x327.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/svchost.exe-spawning-cmd.exe--370x158.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/svchost.exe-spawning-cmd.exe--270x115.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/svchost.exe-spawning-cmd.exe--740x315.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/svchost.exe-spawning-cmd.exe-.png 1192w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>svchost.exe spawning cmd.exe to execute system commands inside the ANY.RUN\u00a0sandbox<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>This shifts the attack from observation to full control. At this point, the endpoint is no longer just compromised. It&nbsp;can be used to deploy further tools or prepare deeper access.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Credential Access and Data Extraction&nbsp;<\/h3>\n\n\n\n<p>The sample includes commands associated with data theft and credential harvesting:&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-2 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li>stealer\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>steam\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>file_download\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>keylogger_logs\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>clipboard_history\u00a0<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p>These functions enable collection of stored credentials, extracted files, logged keystrokes, and&nbsp;clipboard content. If sensitive data is copied between&nbsp;applications, such&nbsp;as passwords or financial details,&nbsp;it becomes accessible to the operator.&nbsp;<\/p>\n\n\n\n<p>This is where technical compromise transitions into business exposure.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Active User Monitoring&nbsp;<\/h3>\n\n\n\n<p>Moonrise includes extensive user interaction&nbsp;monitoring&nbsp;capabilities:&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-3 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li>keylogger_start\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>keylogger_stop\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>keylogger_logs\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>input\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>clipboard_monitor_start\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>clipboard_monitor_stop\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>clipboard_history\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>clipper_get_addresses\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>clipper_set_address\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>screenshot\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>screen_stream_start\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>screen_stream_stop\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>webcam_capture\u00a0<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>microphone_record\u00a0<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p>These commands allow the operator to&nbsp;monitor&nbsp;user input, track&nbsp;clipboard changes, capture&nbsp;screen&nbsp;content, and access audio or video devices.&nbsp;<\/p>\n\n\n\n<p>The infected endpoint effectively becomes a live surveillance point.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"244\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/checks-for-available-and-operational-camera-1024x244.png\" alt=\"Checks for available and operational camera hardware\" class=\"wp-image-18742\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/checks-for-available-and-operational-camera-1024x244.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/checks-for-available-and-operational-camera-300x71.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/checks-for-available-and-operational-camera-768x183.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/checks-for-available-and-operational-camera-1536x366.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/checks-for-available-and-operational-camera-2048x488.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/checks-for-available-and-operational-camera-370x88.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/checks-for-available-and-operational-camera-270x64.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/checks-for-available-and-operational-camera-740x176.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Moonrise RAT actively checks for available and operational camera hardware before\u00a0attempting\u00a0capture<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">6. 
Privilege and System-Level Capabilities&nbsp;<\/h3>\n\n\n\n<p>Moonrise also&nbsp;contains&nbsp;commands related to privilege handling and system configuration:&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-4 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li>uac_bypass\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>rootkit_enable\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>rootkit_disable\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>watchdog_status\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>protection_config\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>uxlocker_trigger\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>voltage_drop\u00a0<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p>These suggest support for privilege manipulation, system configuration changes, and persistence-related&nbsp;behavior. While not all commands may be triggered in every session, their presence&nbsp;indicates extended control options.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7. Lifecycle Management and Disruption&nbsp;<\/h3>\n\n\n\n<p>Moonrise includes lifecycle management functions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>update\u00a0<\/li>\n\n\n\n<li>uninstall\u00a0<\/li>\n<\/ul>\n\n\n\n<p>These allow the operator to&nbsp;modify&nbsp;or remove the deployed version of the malware. 
This&nbsp;indicates&nbsp;support for&nbsp;maintaining&nbsp;or adjusting the infection over time.&nbsp;<\/p>\n\n\n\n<p>The command set also&nbsp;contains&nbsp;user-facing system interaction functions:&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-5 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li>fun\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fun_message\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fun_wallpaper\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fun_openurl\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fun_shake\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fun_sound\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fun_restart\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fun_shutdown\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fun_bsod\u00a0<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p>These commands suggest the ability to trigger visible system actions, including restarts or shutdown events, depending on operator intent.&nbsp;<\/p>\n\n\n\n<p>Their presence reinforces that Moonrise&nbsp;provides&nbsp;broad remote interaction capabilities beyond silent monitoring.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Early Detection: 3-Step&nbsp;Loop That Works for Stealth RATs&nbsp;<\/h2>\n\n\n\n<p>Moonrise is a good example of an annoying reality: sometimes a RAT shows up with no clean static verdict, no reputation you can trust, and nothing obvious to latch onto.&nbsp;In those cases, early detection comes down to how quickly your team can move from unclear signals to evidence-based containment.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Monitoring: Catch the First Weak Signal Early\u00a0<\/h3>\n\n\n\n<p>A lot of RAT incidents start with infrastructure:&nbsp;a fresh IP, a new domain, traffic that&nbsp;doesn\u2019t&nbsp;match your baseline.&nbsp;<\/p>\n\n\n\n<p>This is where&nbsp;ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Feeds<\/a>&nbsp;help. They continuously surface newly observed indicators and patterns based on telemetry and submissions from&nbsp;<strong>15,000+ organizations and 600,000+ security professionals<\/strong>.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"435\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-1024x435.png\" alt=\"Ti feeds\" class=\"wp-image-18550\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-1024x435.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-300x127.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-768x326.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-1536x652.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-2048x870.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-370x157.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-270x115.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Ti-feeds-740x314.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>100% actionable IOCs delivered by TI\u00a0Feeds\u00a0to your existing stack<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>For SOC managers, that means fewer blind spots in day-to-day monitoring and earlier 
detection of suspicious infrastructure before it becomes a bigger incident.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Triage: Enrich Fast, Then Confirm with\u00a0Behavior\u00a0<\/h3>\n\n\n\n<p>When static checks&nbsp;don\u2019t&nbsp;help, teams often lose time debating severity.&nbsp;That\u2019s&nbsp;where MTTR grows and escalation pressure builds.&nbsp;<\/p>\n\n\n\n<p>A cleaner path is&nbsp;enrich&nbsp;\u2192 execute \u2192 decide. 
Use&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Lookup<\/a>&nbsp;to pull immediate context around a hash, URL, domain, or IP (relationships, related samples, historical sightings). Then run the artifact in the&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN Sandbox<\/a>&nbsp;to confirm what it&nbsp;actually does&nbsp;in a safe environment.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"676\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-ttps-1024x676.png\" alt=\"\" class=\"wp-image-18746\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-ttps-1024x676.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-ttps-300x198.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-ttps-768x507.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-ttps-1536x1015.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-ttps-2048x1353.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-ttps-370x244.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-ttps-270x178.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moonrise-ttps-740x489.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s sandbox detected the full attack chain of Moonrise, including the implemented TTPs, in a few minutes instead of 
hours<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>This is how teams replace uncertainty with evidence, reduce unnecessary Tier-1 escalations, and&nbsp;contain&nbsp;earlier,&nbsp;before a RAT turns into credential loss or broader access.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Threat Hunting: Turn One Confirmed Case into Wider Coverage\u00a0<\/h3>\n\n\n\n<p>Once you confirm a RAT-like incident, the next step is making sure it&nbsp;doesn\u2019t&nbsp;repeat under a slightly different wrapper.&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Lookup<\/a>&nbsp;helps you pivot from confirmed indicators to related infrastructure and nearby samples, so hunting stays tied to&nbsp;what\u2019s&nbsp;active now.&nbsp;<\/p>\n\n\n\n<p>From there, you can pivot into related IPs\/domains, cluster similar samples, and&nbsp;validate&nbsp;behavior&nbsp;in the&nbsp;sandbox&nbsp;to decide whether&nbsp;it\u2019s&nbsp;the same activity or a&nbsp;lookalike.&nbsp;<\/p>\n\n\n\n<p>Below is an example of a TI Lookup query for the Moonrise C2 IP&nbsp;observed&nbsp;in the attack:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktotilookup#{%22query%22:%22destinationIP:%5C%22193.23.199.88%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">destinationIP:\"193.23.199.88\"<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"552\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/TI-lookup-Moonrise-analyses-1024x552.png\" alt=\"TI Lookup displays sandbox analyses related to the IP address used in the Moonrise attack\u00a0\" class=\"wp-image-18747\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/TI-lookup-Moonrise-analyses-1024x552.png 1024w, 
\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/TI-lookup-Moonrise-analyses-300x162.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/TI-lookup-Moonrise-analyses-768x414.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/TI-lookup-Moonrise-analyses-1536x828.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/TI-lookup-Moonrise-analyses-2048x1104.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/TI-lookup-Moonrise-analyses-370x199.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/TI-lookup-Moonrise-analyses-270x146.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/TI-lookup-Moonrise-analyses-740x399.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup displays sandbox analyses related to the IP address used in the Moonrise attack<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>When these three motions (monitoring, fast triage, and targeted hunting) run as a loop, stealth RATs stop being \u201clate discoveries\u201d and become manageable security events with lower response cost and less business exposure.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion: Reducing Exposure Starts&nbsp;with&nbsp;Faster Clarity&nbsp;<\/h2>\n\n\n\n<p>Moonrise is a reminder that the biggest risk&nbsp;isn\u2019t&nbsp;the RAT itself but the time lost before&nbsp;it\u2019s&nbsp;clearly identified. 
When static checks stay silent, attackers can steal credentials, stage more payloads, and lock in persistence while teams are still debating severity.&nbsp;<\/p>\n\n\n\n<p>Reducing exposure comes down to one thing: faster clarity.&nbsp;Feed&nbsp;fresh infrastructure signals into monitoring, enrich quickly with TI&nbsp;Lookup, and confirm&nbsp;behavior&nbsp;in the&nbsp;sandbox&nbsp;before the case grows into a costly incident.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Bring speed and clarity to your SOC with ANY.RUN<\/strong>\u00a0\u279c<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, a leading provider of interactive&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">malware analysis<\/a>&nbsp;and threat intelligence solutions, fits naturally into modern SOC workflows and supports investigations from&nbsp;initial&nbsp;alert to final containment.&nbsp;<\/p>\n\n\n\n<p>It allows teams to safely execute suspicious files and URLs to&nbsp;observe&nbsp;real&nbsp;behavior, enrich indicators with immediate context through&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, and 
continuously&nbsp;monitor&nbsp;emerging&nbsp;infrastructure using&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=Moonrise-rat-analysis&amp;utm_term=240226&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>. Together, these capabilities help reduce uncertainty, accelerate triage, and limit unnecessary escalations.&nbsp;<\/p>\n\n\n\n<p>Today, more than 600,000 security professionals across 15,000+ organizations rely on ANY.RUN to make faster decisions, strengthen detection coverage, and stay ahead of evolving phishing and malware campaigns.&nbsp;<\/p>\n\n\n\n<p><em>To stay informed about newly discovered threats&nbsp;and real-world attack&nbsp;analysis, follow&nbsp;ANY.RUN\u2019s team on&nbsp;<\/em><a href=\"https:\/\/www.linkedin.com\/company\/any-run\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>LinkedIn<\/em><\/a><em>&nbsp;and&nbsp;<\/em><a href=\"https:\/\/x.com\/anyrun_app\" target=\"_blank\" rel=\"noreferrer noopener\"><em>X<\/em><\/a><em>, where weekly updates highlight the latest research, detections,&nbsp;and investigation insights.<\/em>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators&nbsp;of&nbsp;Compromise&nbsp;(IOCs)&nbsp;&nbsp;<\/h2>\n
","protected":false},"excerpt":{"rendered":"<p>Security professionals rely on early detection signals to prioritize and&nbsp;contain&nbsp;incidents. But what happens when a fully capable RAT generates none?&nbsp; In a recent investigation, the&nbsp;ANY.RUN&nbsp;experts&nbsp;uncovered a new Go-based remote access trojan we named&nbsp;Moonrise. At&nbsp;the time of analysis, it&nbsp;wasn\u2019t&nbsp;detected on&nbsp;VirusTotal&nbsp;and had no vendor signatures tied to it.&nbsp; That\u2019s&nbsp;the problem teams&nbsp;can\u2019t&nbsp;ignore:&nbsp;credential theft, remote command execution, and persistence [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":18754,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-18719","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Moonrise RAT: Low-Detection Threat with High Business Impact<\/title>\n<meta name=\"description\" content=\"Moonrise RAT is a Go-based remote trojan that maintains active C2 without early detection. 
Learn how to detect it before costly consequences.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\n\t    \"@context\": \"https:\/\/schema.org\",\n\t    \"@graph\": [\n\t        {\n\t            \"@type\": \"Article\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/#article\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/\"\n\t            },\n\t            \"author\": {\n\t                \"name\": \"ANY.RUN\",\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"headline\": \"Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences\",\n\t            \"datePublished\": \"2026-02-24T10:49:03+00:00\",\n\t            \"dateModified\": \"2026-02-24T10:49:05+00:00\",\n\t            \"mainEntityOfPage\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/\"\n\t            },\n\t            \"wordCount\": 2029,\n\t            \"commentCount\": 0,\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"keywords\": [\n\t                \"ANYRUN\",\n\t                \"cybersecurity\",\n\t                \"malware analysis\"\n\t            ],\n\t            \"articleSection\": [\n\t                \"Malware Analysis\"\n\t            ],\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                
{\n\t                    \"@type\": \"CommentAction\",\n\t                    \"name\": \"Comment\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/#respond\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebPage\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/\",\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/\",\n\t            \"name\": \"Moonrise RAT: Low-Detection Threat with High Business Impact\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"datePublished\": \"2026-02-24T10:49:03+00:00\",\n\t            \"dateModified\": \"2026-02-24T10:49:05+00:00\",\n\t            \"description\": \"Moonrise RAT is a Go-based remote trojan that maintains active C2 without early detection. Learn how to detect it before costly consequences.\",\n\t            \"breadcrumb\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/#breadcrumb\"\n\t            },\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"ReadAction\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"BreadcrumbList\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/#breadcrumb\",\n\t            \"itemListElement\": [\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 1,\n\t                    \"name\": \"Home\",\n\t                    \"item\": 
\"https:\/\/any.run\/cybersecurity-blog\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 2,\n\t                    \"name\": \"Malware Analysis\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 3,\n\t                    \"name\": \"Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences\"\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebSite\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN&#039;s Cybersecurity Blog\",\n\t            \"description\": \"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"SearchAction\",\n\t                    \"target\": {\n\t                        \"@type\": \"EntryPoint\",\n\t                        \"urlTemplate\": \"https:\/\/any.run\/?s={search_term_string}\"\n\t                    },\n\t                    \"query-input\": \"required name=search_term_string\"\n\t                }\n\t            ],\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Organization\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"logo\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": 
\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"contentUrl\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"width\": 1,\n\t                \"height\": 1,\n\t                \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"image\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"sameAs\": [\n\t                \"https:\/\/www.facebook.com\/www.any.run\/\",\n\t                \"https:\/\/twitter.com\/anyrun_app\",\n\t                \"https:\/\/www.linkedin.com\/company\/30692044\",\n\t                \"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"Person\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"image\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\n\t                \"contentUrl\": \"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\n\t                \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"\n\t        }\n\t    ]\n\t}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Moonrise RAT: Low-Detection Threat with High Business Impact","description":"Moonrise RAT is a Go-based remote trojan that maintains active C2 without early detection. 
Learn how to detect it before costly consequences.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/","twitter_misc":{"Written by":"ANY.RUN","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences","datePublished":"2026-02-24T10:49:03+00:00","dateModified":"2026-02-24T10:49:05+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/"},"wordCount":2029,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/","url":"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/","name":"Moonrise RAT: Low-Detection Threat with High Business Impact","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2026-02-24T10:49:03+00:00","dateModified":"2026-02-24T10:49:05+00:00","description":"Moonrise RAT is a Go-based remote trojan that maintains active C2 without early detection. 
Learn how to detect it before costly consequences.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18719"}],"collection":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=18719"}],"version-history":[{"count":44,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18719\/revisions"}],"predecessor-version":[{"id":18784,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/18719\/revisions\/18784"}],"wp:featuredmedia":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/18754"}],"wp:attachment":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=18719"}],"wp:term":[{"taxonomy":"category","embedda
ble":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=18719"},{"taxonomy":"post_tag","embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=18719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}