BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Parallax RAT

Global rank
Month rank
Week rank

Parallax RAT is a versatile malware capable of stealing credentials, recording keystrokes, capturing screenshots, and exfiltrating sensitive data. It hides under legitimate processes like Notepad, uses diverse communication channels, and establishes persistence to maintain control over infected machines.

1 December, 2019
First seen
7 February, 2024
Last seen

How to analyze Parallax RAT with ANY.RUN

1 December, 2019
First seen
7 February, 2024
Last seen


Last Seen at
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 171
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 190
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 341
comments 0

What is Parallax RAT malware?

Parallax RAT, a remote access Trojan (RAT) active since December 2019. It has gained notoriety for its evasion techniques, such as process hollowing, and extensive data exfiltration capabilities.

The malware has been widely used by various APTs around the world, including in attacks during the COVID-19 pandemic. ParallaxRAT has also been linked to the activity of the advanced persistent threat (APT) named TA2541 that has been targeting aviation and defense industry actors since 2017.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Parallax RAT malicious software

Parallax RAT’s architecture enables attackers to engage in diverse malicious activities. The most common of them are:

  • Credential theft: Steals login credentials from various sources, including cached passwords, browser cookies, and Windows credential stores.
  • Keystroke logging: Captures every keystroke typed on the infected machine, including passwords, messages, and other sensitive data.
  • Screen capture: Periodically or on-demand captures screenshots of the infected machine's desktop, providing the attacker with visual information about the user's activity.
  • Uploading and downloading of files: Allows the attacker to upload and download files to/from the infected machine.
  • Information gathering: Beyond basic system information (name, OS), Parallax RAT uses various techniques for extensive data exfiltration. This includes scraping clipboard content.

Similar to other malware families, such as WarzoneRAT and DarkGate, Parallax RAT utilizes a sophisticated process-hollowing technique. It injects its malicious payload into a legitimate Windows process (e.g., pipanel.exe), leveraging the process's existing privileges to bypass security checks and remain undetected.

The malware usually establishes persistence by adding itself to the startup folder and creating scheduled tasks. Afterwards, Parallax RAT opens communication channels with the attacker's command-and-control (C2) server. One of the standout features of the malware is the use of Windows Notepad for communication with the victim. In many instances, attackers used this way of connecting with the victims to instruct them to visit the criminals’ Telegram channel.

Parallax RAT often employs a multi-stage delivery chain to evade detection. Initial stages might involve seemingly harmless files like weaponized Microsoft Word documents with embedded macros. Triggering these macros can download and execute the next stage payload, often a malicious DLL.

Execution process of Parallax RAT

To see how Parallax RAT infection takes place and collect its indicators of compromise, we can use ANY.RUN. Let’s submit a PrallaxRAT sample for analysis.

Parallax utilizes various techniques to infect targeted systems and establish persistence within them. In our analysis, it's evident that this malware generates a child process that promptly initiates malicious activities, including the theft of personal data, execution of injected code in a separate process, and the creation of files in the startup directory. Parallax employs injection techniques to conceal itself within legitimate processes, rendering detection challenging. In this instance, it is injected into the Explorer.exe system process. Furthermore, the Remote Access Trojan (RAT) also establishes connections to a Command and Control (C2) server to receive additional instructions.

ParallaxRAT process graph shown in ANY.RUN ParallaxRAT's process graph demonstrated in ANY.RUN

Distribution methods of the Parallax RAT malware

Attackers that engage in the distribution of Parallax RAT typically leverage phishing campaigns. They use emails impersonating trusted entities (e.g., banks) with malicious attachments or links. For instance, during the COVID-19 pandemic, many ParallaxRAT campaigns involved sending victims messages with attached archives that contained files responsible for further infection of the victim’s device.


Parallax RAT's reliance on email-based social engineering makes it crucial for organizations to ensure that there are appropriate mechanisms in place to prevent infection. One of the essential elements of a layered defense strategy is a malware analysis sandbox. It offers an isolated environment for safely executing any file or opening a link to determine if it poses a danger.

ANY.RUN is a malware analysis sandbox that provides an effortless cloud-based experience for analyzing files and links. The service swiftly identifies ParallaxRAT and dozens of other malware families and provides users with conclusive reports on the threat, featuring the malware’s TTPs and IOCs.

Try ANY.RUN for free – request a demo!


Adwind screenshot
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy