
FatalRAT


FatalRAT is a remote access trojan (RAT) that gives attackers remote access to and control of a compromised system and lets them steal sensitive information such as login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly those targeting organizations in the Asia-Pacific (APAC) region.

RAT
Type
Unknown
Origin
1 August, 2021
First seen
17 September, 2025
Last seen


IOCs

IP addresses
156.238.238.111
154.44.30.27
103.199.101.3
8.217.237.123
128.241.225.24
38.14.248.187
156.247.40.47
154.82.76.10
156.247.40.136
121.54.190.122
206.238.196.50
182.16.77.186
206.233.130.82
43.248.173.156
43.132.231.144
43.250.173.179
192.238.177.48
156.245.198.81
206.238.196.239
45.204.217.102
Hashes
210990e36122e0facc7c74373569f052fa0651ab06644330fe00b685793ee0fd
b9e51899e816d3085df4d4f4e7d1f34e18c378ad1332de16997db86f60e8c095
876e6c3f6d3f7ae1d6ca08e6745ccdbf0ae2e99dbeec81b3eb994d78c88b7ecf
af7ba44606b943ddb885c2a225e5e91c17cd15c8ca7f26ac90e7331c3f4094d2
85456510e9cea2ddd6b1396c43e64f8e4eb930c28310bef22036e654c3a5b354
5ffd8ad531fd8351be4ded332a44133e7ac8470afa08fb1fa13b3a46b10e69c1
cdedd426c5b4c57a4bb27c397da543fbfb382b2a8e72cf48c4b11c8770cf3154
275e5b578be6f7e0ce4b7bbe0f2b7cfdef9058508b9ac8cac82ed324f0ae7646
89716752c9cf49eb40cdecd25ce3771d62cc3a75aad86d1ace3a7f5420d576b1
3b79bc26d722162b14619636e96efe06f9586da5fad9d7673555be99bf194e82
b970c327c2e8914749e73713d4dd743ae3907f0a66bd5c34806c6e5f23cf9aa3
187e065265bf2cb0fb0b819e8ba1911e68532c449797799d7a325838974fcc66
10727c8a05b32d9699788a90a684c446f5ec85310949197c7eaa7a666571d69a
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df
de2cc795c6349d7059a14ad27ebfd3d797f2429a8ef23349caa962161c41e38a
6059ebad38e2b1a24c8d0e3f476746f82426a33a8ad0fbfa2cb4c59e34ac840e
e9be44b199d99d7175280ec398cd59b636584226469cb9b87e2507cdddaf0ce2
dc026cd76891d1f84f44f6789ac0145a458e2c704a7bc50590ec08966578edb3
759cacb2a6079db007c039f35b9eea7d52cc3b05f434cadc6731c3d88f46f621
Domains
a1.nbdsnb2.top
a7.nbdsnb2.top
longlq.cl
kmhhla.top
youdaoselw.icu
file.seek
a6.nbdsnb2.top
mechctmall.com
a19.nbdsnb2.top
a26.nbdsnb2.top
a19.yydsnb1.top
a17.yydsnb1.top
note.youdao.com
svp7.net
a1.yydsnb1.top
1-27.qq-weixin.org
gerhgvrg.work
k2337787769.e1.luyouxia.net
yuankong12.e3.luyouxia.net
wo878717748.e1.luyouxia.net


What is FatalRat malware?

A Remote Access Trojan first detected in August 2021, FatalRAT became known for targeting an array of industries in the Asia-Pacific region. It has hit government agencies as well as manufacturing, construction, IT, telecom, healthcare, energy, logistics, and transportation companies, particularly in countries such as Taiwan, Malaysia, Japan, and South Korea.

It specializes in unauthorized information access: it captures input with a keylogger, takes screenshots, and finds, encrypts, corrupts, and deletes user data. It does not always demand a ransom; it is more often used for espionage, sabotage, stable persistent access to a compromised network, and as a vehicle for further attacks.

It employs a number of attack vectors to infiltrate networks, mostly phishing and social engineering. FatalRAT is also known to abuse legitimate services, such as the Chinese myqcloud CDN and Youdao Cloud Notes, to host and deliver its payloads. The malware also relies on DLL side-loading, where a legitimate executable is used to load a malicious DLL, starting the infection chain without raising immediate suspicion.

Once inside the network, FatalRAT gathers extensive system information, including the external IP address, usernames, and details of installed security products, and exfiltrates it to a command-and-control (C2) server over an encrypted channel. It also manipulates system settings, for example by disabling the CTRL+ALT+DELETE lock function or changing the screen resolution.

FatalRAT is sophisticated in evading detection and maintaining access. It performs up to 17 checks to detect virtual machines or sandbox environments and halts execution if any of them indicate an analysis environment.


FatalRAT Malware’s Prominent Features

  • Broad Industry Targeting: Its operators are versatile in choosing victims across important industries and do not limit themselves by the Asia-Pacific region.
  • Data Theft and Disruption: Unlike traditional ransomware, FatalRAT goes beyond encryption and focuses on espionage and sabotage: stealing sensitive data, logging keystrokes, and potentially destroying systems via MBR corruption.
  • Sophisticated Infrastructure: Its use of legitimate cloud services and encrypted C2 channels makes attribution and blocking challenging.
  • Persistence and Adaptability: Its ability to maintain access and adapt via remote commands increases the likelihood of prolonged compromise.

FatalRAT Execution Process and Technical Details

In spite of FatalRAT’s anti-detection and sandbox evasion proficiency, there is quite a selection of FatalRAT analysis sessions in ANY.RUN’s Interactive Sandbox — including fresh samples added by the community just recently.


The attack begins with phishing emails or messages distributed through platforms like WeChat and Telegram. These communications often masquerade as legitimate tax documents or invoices, containing ZIP archives packed with loaders protected by tools such as AsProtect or UPX. Once executed, these loaders retrieve dynamically updated command-and-control (C2) configurations from legitimate cloud services, initiating the infection.

The loader sends HTTP requests to specific URLs, which respond with encrypted JSON containing links to additional modules. To evade detection, the malware often abuses legitimate software, such as GoogleUpdate.exe, as a host for its DLL, allowing it to operate surreptitiously on the infected system. It may also add itself to an autorun value in the registry so that it starts automatically after a reboot.

FatalRAT is only deployed after extensive anti-analysis checks, including registry scans for virtual environment artifacts and verification of locale settings to match predefined criteria. Once active, FatalRAT logs keystrokes, exfiltrates sensitive data through encrypted C2 channels, and enables remote control of the victim’s machine. Its capabilities include stealing credentials, capturing screenshots, recording audio and video, and manipulating files and processes on the infected system. This robust feature set makes FatalRAT a potent tool for espionage and data theft across targeted industries.

[Screenshot: FatalRAT sample detonated inside ANY.RUN's Interactive Sandbox]

Once inside a network, FatalRAT exhibits a wide range of capabilities designed to maximize damage and maintain control:

  • Besides anti-VM and anti-sandbox checks, it evades detection by obfuscating network traffic; strings and configurations are encrypted using custom routines.
  • FatalRAT scans the system for security apps and is able to terminate security-related processes (e.g., rundll32.exe) or disable antivirus features.
  • By leveraging trusted platforms like Youdao Cloud Notes and myqcloud, FatalRAT disguises its C2 communications as normal cloud traffic.
  • The phased deployment (loader → configurator → payload) complicates detection, as each stage can appear benign until the final RAT is activated.
  • FatalRAT achieves persistence by modifying the Windows Registry (e.g., creating entries like Software\Microsoft\Windows\CurrentVersion\Run\SVP7) or setting up new services to ensure it runs at system startup.
  • It activates a keylogger to capture user inputs and can manipulate system settings, such as disabling the CTRL+ALT+DELETE lock function or changing screen resolution.
  • The malware can search for, delete, or corrupt user data (e.g., targeting browser data from Chrome or Internet Explorer) and even overwrite the Master Boot Record (MBR) to render systems inoperable.
  • It downloads additional tools like AnyDesk or UltraViewer for remote access, executes shell commands, and can start or stop proxies.
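Two of the behaviours listed above (and in the execution-chain description before it) are easy to express as host-based detection logic: a Run-key value written under Software\Microsoft\Windows\CurrentVersion\Run (the page names the value SVP7) and a copy of GoogleUpdate.exe loading an unsigned DLL from a user-writable folder. The following is an added example, not ANY.RUN code and not FatalRAT code; it runs over constructed records shaped like Sysmon Event ID 13 (registry value set) and Event ID 7 (image loaded), and the file paths in those records are assumptions for the example.

```python
"""Detection logic for FatalRAT-style Run-key persistence and GoogleUpdate.exe DLL
side-loading. Added example; events are constructed, not real telemetry."""
import json
import re

# Constructed sample events, one JSON object per line, in the shape of Sysmon
# Event ID 13 (registry value set) and Event ID 7 (image loaded). Paths are assumed.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SVP7", "Details": "C:\\Users\\bob\\AppData\\Roaming\\svp7\\GoogleUpdate.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray", "Details": "C:\\Program Files\\Vendor\\tray.exe"}
{"EventID": 7, "Image": "C:\\Users\\bob\\AppData\\Roaming\\svp7\\GoogleUpdate.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Roaming\\svp7\\goopdate.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", "ImageLoaded": "C:\\Program Files (x86)\\Google\\Update\\1.3.36.0\\goopdate.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

# Matches any value name written directly under the per-user or machine Run key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Directories a standard user can write to; legitimate autostart binaries rarely live there.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)
# Run value name the page reports as a FatalRAT persistence artifact.
KNOWN_RUN_VALUE = "SVP7"


def check_run_key(ev):
    """Return a list of reasons if a registry event looks like suspicious Run-key persistence."""
    m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    name = m.group("name")
    reasons = []
    if name.lower() == KNOWN_RUN_VALUE.lower():
        reasons.append(f"Run value name '{name}' matches the FatalRAT persistence artifact")
    if USER_WRITABLE_RE.match(ev.get("Details", "")):
        reasons.append("Run value points into a user-writable directory")
    if USER_WRITABLE_RE.match(ev.get("Image", "")):
        reasons.append("Run value written by a process running from a user-writable directory")
    return reasons or None


def check_sideload(ev):
    """Return reasons if GoogleUpdate.exe is hosting a DLL it should not be loading."""
    image = ev.get("Image", "")
    loaded = ev.get("ImageLoaded", "")
    if not image.lower().endswith("\\googleupdate.exe"):
        return None
    reasons = []
    if USER_WRITABLE_RE.match(image):
        reasons.append("GoogleUpdate.exe running from a user-writable directory")
    if ev.get("Signed", "true").lower() != "true":
        reasons.append(f"unsigned DLL {loaded} loaded into GoogleUpdate.exe")
    return reasons or None


def scan_events(text):
    """Run both checks over newline-delimited JSON events and collect alerts."""
    alerts = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 13:
            rule, reasons = "fatalrat_run_key_persistence", check_run_key(ev)
        elif ev["EventID"] == 7:
            rule, reasons = "fatalrat_dll_sideload", check_sideload(ev)
        else:
            continue
        if reasons:
            alerts.append({"rule": rule, "image": ev["Image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["rule"], alert["image"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The legitimate Google updater in Program Files loading its signed goopdate.dll produces no alert, while the copy dropped under AppData fires on both the location and the unsigned DLL; the Run-key rule fires on the SVP7 name alone, so it still catches the artifact when the dropped path differs from the constructed one.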


What are some examples of the best-known FatalRAT attacks?

FatalRAT is relatively new compared to legacy RATs like SubSeven or Poison Ivy, and its attacks are often part of broader, less publicized campaigns attributed to Chinese-speaking groups. FatalRAT’s operations prioritize stealth and long-term access over immediate, headline-grabbing disruption. As a result, specific "named" attacks are scarce.

  • Exploitation of Router Vulnerabilities (August 2021): FatalRAT was distributed by exploiting a critical path traversal vulnerability (CVE-2021-20090) in routers with Arcadyan firmware. This vulnerability allowed unauthenticated remote attackers to bypass authentication on millions of routers, facilitating the spread of FatalRAT and compromising numerous devices.
  • Cryptocurrency Phishing Campaign (April 2024): A phishing campaign specifically targeting cryptocurrency users, particularly those using the Exodus crypto wallet. Attackers created deceptive websites mimicking legitimate cryptocurrency applications to lure victims into downloading malicious installers. These installers deployed FatalRAT alongside additional malware components such as clippers and keyloggers. The campaign employed DLL side-loading to evade detection, allowing attackers to steal sensitive information and manipulate cryptocurrency transactions.
  • Operation SalmonSlalom (February 2025): A sophisticated cyber campaign targeted industrial organizations across the APAC region. Attackers employed a multi-stage payload delivery system, utilizing Chinese myqcloud and Youdao Cloud Notes for hosting and command-and-control operations. The campaign delivered FatalRAT through phishing emails disguised as tax documents or invoices, aiming to compromise various sectors, including manufacturing, construction, IT, telecommunications, healthcare, energy, and logistics.

Gathering threat intelligence on FatalRAT malware

Threat intelligence helps build proactive defense against threats even as intricate as FatalRAT. Leverage tools like ANY.RUN’s Threat Intelligence Lookup to gather indicators like C2 domains and file hashes and update firewalls and IDS/IPS. Track emerging patterns in APAC-focused campaigns to anticipate new variants.

Via TI Lookup you can find freshly analyzed samples, obtain current IOCs, and stay on top of the new tactics and methods of FatalRAT's operators.

threatName:"fatalrat"

[Screenshot: new FatalRAT samples found via TI Lookup]
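Once indicators have been pulled from TI Lookup, the practical step is matching them against your own telemetry. The following added example (not ANY.RUN code) takes a subset of the domains, IP addresses and SHA-256 hashes from the IOC section of this page and runs them over constructed DNS query log lines and a constructed hash list. It goes slightly beyond exact matching in two ways that are assumptions, not claims from the page: hosts in the nbdsnb2.top, yydsnb1.top and qq-weixin.org zones are flagged as a whole, since the IOC list contains many numbered subdomains of them, and note.youdao.com is marked for review rather than as a match, because the page describes Youdao Cloud Notes as a legitimate service that FatalRAT abuses.

```python
"""Match FatalRAT IOCs from the page against DNS query logs and file hashes.
Added example; the log lines and the hash list are constructed for illustration."""
import re

# Indicators copied from the IOC section of the page (subset).
FATALRAT_DOMAINS = {
    "a1.nbdsnb2.top", "a7.nbdsnb2.top", "kmhhla.top", "svp7.net",
    "1-27.qq-weixin.org", "k2337787769.e1.luyouxia.net", "gerhgvrg.work",
}
FATALRAT_IPS = {"156.238.238.111", "154.44.30.27", "45.204.217.102"}
FATALRAT_SHA256 = {
    "210990e36122e0facc7c74373569f052fa0651ab06644330fe00b685793ee0fd",
    "b9e51899e816d3085df4d4f4e7d1f34e18c378ad1332de16997db86f60e8c095",
}
# Legitimate service the page says FatalRAT abuses for hosting and C2: surface it for
# review instead of treating a hit as a confirmed match.
ABUSED_LEGIT_SERVICES = {"note.youdao.com"}
# Assumption for this example: the whole zone behind the numbered aN.* hosts is attacker-run.
SUSPECT_ZONES = {"nbdsnb2.top", "yydsnb1.top", "qq-weixin.org"}


def classify_host(host):
    """Return 'review', 'match', 'zone' or None for a queried hostname."""
    host = host.lower().rstrip(".")
    if host in ABUSED_LEGIT_SERVICES:
        return "review"
    if host in FATALRAT_DOMAINS:
        return "match"
    for zone in SUSPECT_ZONES:
        if host == zone or host.endswith("." + zone):
            return "zone"
    return None


# Constructed DNS query log: "<timestamp> <client_ip> <qname> <answer_ip>".
# a99.nbdsnb2.top is a made-up host in a listed zone; www.example.com is benign noise.
SAMPLE_DNS_LOG = """\
2025-09-17T08:01:02Z 10.0.0.14 a7.nbdsnb2.top 156.238.238.111
2025-09-17T08:01:05Z 10.0.0.14 note.youdao.com 203.0.113.9
2025-09-17T08:02:11Z 10.0.0.27 a99.nbdsnb2.top 198.51.100.4
2025-09-17T08:03:40Z 10.0.0.31 www.example.com 93.184.216.34
2025-09-17T08:04:00Z 10.0.0.31 update.example.org 45.204.217.102
"""

DNS_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def match_dns_log(text):
    """Flag DNS log lines by queried name or, failing that, by the resolved address."""
    hits = []
    for line in text.splitlines():
        m = DNS_LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname, answer = m.groups()
        verdict = classify_host(qname)
        if verdict is None and answer in FATALRAT_IPS:
            verdict = "ip"  # unknown name resolving to a listed C2 address
        if verdict:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "answer": answer, "verdict": verdict})
    return hits


def match_hashes(hashes):
    """Return the subset of SHA-256 hashes (any case) that appear in the IOC list."""
    return sorted(h.lower() for h in hashes if h.lower() in FATALRAT_SHA256)


if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['verdict']:6} {hit['client']} -> {hit['qname']} ({hit['answer']})")
    # Constructed hash list: one page IOC (upper-cased) and one unrelated value.
    print(match_hashes(["210990E36122E0FACC7C74373569F052FA0651AB06644330FE00B685793EE0FD",
                        "0" * 64]))
```

The resolved-address check matters because the page's "Last seen" date is recent and the numbered hostnames rotate: a new name resolving to a listed IP is still worth an alert. Conversely, blocking note.youdao.com outright will break legitimate use in APAC offices, which is why the example separates "review" from "match".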


Conclusion

FatalRAT stands out as a stealthy, multi-faceted threat that blends espionage, disruption, and persistence. Its reliance on legitimate services, advanced evasion tactics, and broad targeting make it a formidable adversary.

By combining robust endpoint monitoring, network analysis, and real-time threat intelligence, organizations can detect and neutralize FatalRAT before it inflicts irreparable damage. Staying vigilant in high-risk regions like APAC and adapting defenses to its evolving tactics are key to staying ahead of this RAT.

