
FatalRAT


FatalRAT is malware that gives attackers remote access to and control of a system and lets them steal sensitive information such as login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly ones targeting organizations in the Asia-Pacific (APAC) region.

Type: RAT
Origin: Unknown
First seen: 1 August, 2021
Last seen: 28 March, 2025

How to analyze FatalRAT with ANY.RUN


IOCs


What is FatalRat malware?

A Remote Access Trojan first detected in August 2021, FatalRAT became known for targeting an array of industries in the Asia-Pacific region. It has hit government agencies as well as manufacturing, construction, IT, telecom, healthcare, energy, logistics, and transportation companies, particularly in countries such as Taiwan, Malaysia, Japan, and South Korea.

It specializes in unauthorized access to information: it captures input with a keylogger and takes screenshots, and it finds, encrypts, corrupts, and deletes user data. It does not always demand a ransom; it is often used for espionage, sabotage, stable persistent access to a compromised network, and as a vehicle for further attacks.

It employs a number of attack vectors to infiltrate networks, mostly phishing and social engineering tactics. FatalRAT is also known to abuse legitimate services such as the Chinese myqcloud CDN and Youdao Cloud Notes to host and deliver its payloads. The malware also leverages DLL side-loading, where a legitimate executable is used to load a malicious DLL, initiating the infection chain without raising immediate suspicion.

Once inside the network, FatalRAT gathers extensive system information, including external IP addresses, usernames, and details about installed security products, which it exfiltrates to a command-and-control (C2) server over an encrypted channel. It manipulates system settings, for example disabling the CTRL+ALT+DELETE lock function or changing the screen resolution.

FatalRAT is sophisticated in evading detection and maintaining access. It performs up to 17 checks to detect virtual machines or sandbox environments and halts execution to avoid analysis if any of them succeeds.


FatalRAT Malware’s Prominent Features

  • Broad Industry Targeting: Its operators are versatile in choosing victims across important industries and do not limit themselves to the Asia-Pacific region.
  • Data Theft and Disruption: Unlike traditional ransomware, FatalRAT is not limited to encryption; it focuses on espionage and sabotage, stealing sensitive data, logging keystrokes, and potentially destroying systems via MBR corruption.
  • Sophisticated Infrastructure: Its use of legitimate cloud services and encrypted C2 channels makes attribution and blocking challenging.
  • Persistence and Adaptability: Its ability to maintain access and adapt via remote commands increases the likelihood of prolonged compromise.

FatalRAT Execution Process and Technical Details

In spite of FatalRAT’s anti-detection and sandbox evasion proficiency, there is quite a selection of FatalRAT analysis sessions in ANY.RUN’s Interactive Sandbox — including fresh samples added by the community just recently.


The attack begins with phishing emails or messages distributed through platforms like WeChat and Telegram. These communications often masquerade as legitimate tax documents or invoices, containing ZIP archives packed with loaders protected by tools such as AsProtect or UPX. Once executed, these loaders retrieve dynamically updated command-and-control (C2) configurations from legitimate cloud services, initiating the infection.

The loader sends HTTP requests to specific URLs, which respond with encrypted JSON containing links to additional modules. To evade detection, the malware abuses legitimate software, such as GoogleUpdate.exe, allowing it to operate surreptitiously within the infected system. It may also add itself to the registry's autorun value, ensuring it starts automatically upon system reboot.

FatalRAT is only deployed after extensive anti-analysis checks, including registry scans for virtual environment artifacts and verification of locale settings to match predefined criteria. Once active, FatalRAT logs keystrokes, exfiltrates sensitive data through encrypted C2 channels, and enables remote control of the victim’s machine. Its capabilities include stealing credentials, capturing screenshots, recording audio and video, and manipulating files and processes on the infected system. This robust feature set makes FatalRAT a potent tool for espionage and data theft across targeted industries.

FatalRAT sample detonated inside ANY.RUN's Interactive Sandbox

Once inside a network, FatalRAT exhibits a wide range of capabilities designed to maximize damage and maintain control:

  • Besides anti-VM and anti-sandbox checks, it evades detection by obfuscating network traffic; strings and configurations are encrypted using custom routines.
  • FatalRAT scans the system for security software and can terminate security-related processes (e.g., rundll32.exe) or disable antivirus features.
  • By leveraging trusted platforms like Youdao Cloud Notes and myqcloud, FatalRAT disguises its C2 communications as normal cloud traffic.
  • The phased deployment (loader → configurator → payload) complicates detection, as each stage can appear benign until the final RAT is activated.
  • FatalRAT achieves persistence by modifying the Windows Registry (e.g., creating entries like Software\Microsoft\Windows\CurrentVersion\Run\SVP7) or setting up new services to ensure it runs at system startup.
  • It activates a keylogger to capture user inputs and can manipulate system settings, such as disabling the CTRL+ALT+DELETE lock function or changing screen resolution.
  • The malware can search for, delete, or corrupt user data (e.g., targeting browser data from Chrome or Internet Explorer) and even overwrite the Master Boot Record (MBR) to render systems inoperable.
  • It downloads additional tools like AnyDesk or UltraViewer for remote access, executes shell commands, and can start or stop proxies.
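The execution description and the capability list above name three observable behaviours a defender can alert on: the Run\SVP7 autorun value, a trusted host binary such as GoogleUpdate.exe loading a DLL from its own directory, and DNS lookups to the cloud services FatalRAT abuses for staging and C2. The detection logic below is an added example, not ANY.RUN's or the page's own code; it assumes Sysmon-style events with the field names shown, constructed sample events, and myqcloud.com as the CDN's domain, and the sample paths and DLL name are made up.

```python
import ntpath  # Windows path handling regardless of the analyst's host OS

# Persistence value quoted on the page (lower-cased suffix of a registry path).
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run\svp7"
# Legitimate services the page says FatalRAT abuses; myqcloud.com is assumed.
SUSPECT_C2_DOMAINS = ("note.youdao.com", "myqcloud.com", "svp7.net")
# Signed host binaries the page names as DLL side-loading vehicles.
SIDELOAD_HOSTS = ("googleupdate.exe",)


def check_event(ev):
    """Return alert strings for one Sysmon-style event; empty if benign."""
    alerts = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        if ev["TargetObject"].lower().endswith(RUN_KEY_SUFFIX):
            alerts.append(f"persistence: Run\\SVP7 set to {ev['Details']}")
    elif eid == 7:  # image loaded
        host = ntpath.basename(ev["Image"]).lower()
        loaded = ev["ImageLoaded"]
        # Side-loading pattern: trusted EXE loads an unsigned DLL from the
        # same non-system directory instead of from System32.
        same_dir = ntpath.dirname(ev["Image"]).lower() == ntpath.dirname(loaded).lower()
        in_system = "\\windows\\system32" in loaded.lower()
        if host in SIDELOAD_HOSTS and same_dir and not in_system and not ev.get("Signed"):
            alerts.append(f"sideload: {host} loaded {loaded}")
    elif eid == 22:  # DNS query
        q = ev["QueryName"].lower()
        if any(q == d or q.endswith("." + d) for d in SUSPECT_C2_DOMAINS):
            alerts.append(f"c2-staging: DNS query for {q} by {ev['Image']}")
    return alerts


def scan(events):
    """Run every event through check_event and flatten the alerts."""
    return [a for ev in events for a in check_event(ev)]


# Constructed sample events; not taken from a real FatalRAT detonation.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\Public\update\loader.dll", "Signed": False},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    {"EventID": 13, "Details": r"C:\Users\Public\update\GoogleUpdate.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SVP7"},
    {"EventID": 22, "Image": r"C:\Users\Public\update\GoogleUpdate.exe",
     "QueryName": "note.youdao.com"},
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "example.com"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Each rule alone produces benign matches (a Run value, a DNS query to a popular cloud note service), so in practice the three alerts should be correlated by process or host rather than acted on individually.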


What are the examples of the best-known FatalRAT attacks?

FatalRAT is relatively new compared to legacy RATs like SubSeven or Poison Ivy, and its attacks are often part of broader, less publicized campaigns attributed to Chinese-speaking groups. FatalRAT’s operations prioritize stealth and long-term access over immediate, headline-grabbing disruption. As a result, specific "named" attacks are scarce.

  • Exploitation of Router Vulnerabilities (August 2021): FatalRAT was distributed by exploiting a critical path traversal vulnerability (CVE-2021-20090) in routers with Arcadyan firmware. This vulnerability allowed unauthenticated remote attackers to bypass authentication on millions of routers, facilitating the spread of FatalRAT and compromising numerous devices.
  • Cryptocurrency Phishing Campaign (April 2024): Phishing campaign specifically targeting cryptocurrency users, particularly those using the Exodus crypto wallet. Attackers created deceptive websites mimicking legitimate cryptocurrency applications to lure victims into downloading malicious installers. These installers deployed FatalRAT alongside additional malware components like clippers and keyloggers. The campaign employed DLL side-loading techniques to evade detection, allowing attackers to steal sensitive information and manipulate cryptocurrency transactions.
  • Operation SalmonSlalom (February 2025): A sophisticated cyber campaign targeted industrial organizations across the APAC region. Attackers employed a multi-stage payload delivery system, utilizing Chinese myqcloud and Youdao Cloud Notes for hosting and command-and-control operations. The campaign delivered FatalRAT through phishing emails disguised as tax documents or invoices, aiming to compromise various sectors, including manufacturing, construction, IT, telecommunications, healthcare, energy, and logistics.

Gathering threat intelligence on FatalRAT malware

Threat intelligence helps build a proactive defense even against threats as intricate as FatalRAT. Leverage tools like ANY.RUN's Threat Intelligence Lookup to gather indicators such as C2 domains and file hashes and update firewalls and IDS/IPS accordingly. Track emerging patterns in APAC-focused campaigns to anticipate new variants.

Via TI Lookup, you can find fresh, recently analyzed samples, obtain current IOCs, and stay on top of the new tactics and methods of FatalRAT's operators.

threatName:"fatalrat"

FatalRAT samples found via TI Lookup


Conclusion

FatalRAT stands out as a stealthy, multi-faceted threat that blends espionage, disruption, and persistence. Its reliance on legitimate services, advanced evasion tactics, and broad targeting make it a formidable adversary.

By combining robust endpoint monitoring, network analysis, and real-time threat intelligence, organizations can detect and neutralize FatalRAT before it inflicts irreparable damage. Staying vigilant in high-risk regions like APAC and adapting defenses to its evolving tactics are key to staying ahead of this RAT.

