Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Parallax RAT

149
Global rank
155 infographic chevron month
Month rank
148 infographic chevron week
Week rank
0
IOCs

Parallax RAT is a versatile malware capable of stealing credentials, recording keystrokes, capturing screenshots, and exfiltrating sensitive data. It hides under legitimate processes like Notepad, uses diverse communication channels, and establishes persistence to maintain control over infected machines.

RAT
Type
Unknown
Origin
1 December, 2019
First seen
18 June, 2025
Last seen

How to analyze Parallax RAT with ANY.RUN

RAT
Type
Unknown
Origin
1 December, 2019
First seen
18 June, 2025
Last seen

IOCs

Last Seen at
Last Seen at

Recent blog posts

post image
MSSP Growth Guide: Scaling Threat Detection f...
watchers 748
comments 0
post image
Major Cyber Attacks in August 2025: 7-Stage T...
watchers 1864
comments 0
post image
How to Enrich IOCs with Actionable Threat Con...
watchers 1196
comments 0

What is Parallax RAT malware?

Parallax RAT, a remote access Trojan (RAT) active since December 2019. It has gained notoriety for its evasion techniques, such as process hollowing, and extensive data exfiltration capabilities.

The malware has been widely used by various APTs around the world, including in attacks during the COVID-19 pandemic. ParallaxRAT has also been linked to the activity of the advanced persistent threat (APT) named TA2541 that has been targeting aviation and defense industry actors since 2017.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Parallax RAT malicious software

Parallax RAT’s architecture enables attackers to engage in diverse malicious activities. The most common of them are:

  • Credential theft: Steals login credentials from various sources, including cached passwords, browser cookies, and Windows credential stores.
  • Keystroke logging: Captures every keystroke typed on the infected machine, including passwords, messages, and other sensitive data.
  • Screen capture: Periodically or on-demand captures screenshots of the infected machine's desktop, providing the attacker with visual information about the user's activity.
  • Uploading and downloading of files: Allows the attacker to upload and download files to/from the infected machine.
  • Information gathering: Beyond basic system information (name, OS), Parallax RAT uses various techniques for extensive data exfiltration. This includes scraping clipboard content.

Similar to other malware families, such as WarzoneRAT and DarkGate, Parallax RAT utilizes a sophisticated process-hollowing technique. It injects its malicious payload into a legitimate Windows process (e.g., pipanel.exe), leveraging the process's existing privileges to bypass security checks and remain undetected.

The malware usually establishes persistence by adding itself to the startup folder and creating scheduled tasks. Afterwards, Parallax RAT opens communication channels with the attacker's command-and-control (C2) server. One of the standout features of the malware is the use of Windows Notepad for communication with the victim. In many instances, attackers used this way of connecting with the victims to instruct them to visit the criminals’ Telegram channel.

Parallax RAT often employs a multi-stage delivery chain to evade detection. Initial stages might involve seemingly harmless files like weaponized Microsoft Word documents with embedded macros. Triggering these macros can download and execute the next stage payload, often a malicious DLL.

Execution process of Parallax RAT

To see how Parallax RAT infection takes place and collect its indicators of compromise, we can use ANY.RUN. Let’s submit a PrallaxRAT sample for analysis.

Parallax utilizes various techniques to infect targeted systems and establish persistence within them. In our analysis, it's evident that this malware generates a child process that promptly initiates malicious activities, including the theft of personal data, execution of injected code in a separate process, and the creation of files in the startup directory. Parallax employs injection techniques to conceal itself within legitimate processes, rendering detection challenging. In this instance, it is injected into the Explorer.exe system process. Furthermore, the Remote Access Trojan (RAT) also establishes connections to a Command and Control (C2) server to receive additional instructions.

ParallaxRAT process graph shown in ANY.RUN ParallaxRAT's process graph demonstrated in ANY.RUN

Distribution methods of the Parallax RAT malware

Attackers that engage in the distribution of Parallax RAT typically leverage phishing campaigns. They use emails impersonating trusted entities (e.g., banks) with malicious attachments or links. For instance, during the COVID-19 pandemic, many ParallaxRAT campaigns involved sending victims messages with attached archives that contained files responsible for further infection of the victim’s device.

Conclusion

Parallax RAT's reliance on email-based social engineering makes it crucial for organizations to ensure that there are appropriate mechanisms in place to prevent infection. One of the essential elements of a layered defense strategy is a malware analysis sandbox. It offers an isolated environment for safely executing any file or opening a link to determine if it poses a danger.

ANY.RUN is a malware analysis sandbox that provides an effortless cloud-based experience for analyzing files and links. The service swiftly identifies ParallaxRAT and dozens of other malware families and provides users with conclusive reports on the threat, featuring the malware’s TTPs and IOCs.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

ValleyRAT screenshot
ValleyRAT
valleyrat
ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group.
Read More
Cactus Ransomware screenshot
Cactus ransomware-as-a-service (RaaS) was first caught in March 2023 targeting corporate networks. It became known for its self-encrypting payload and double extortion tactics. Cactus primarily targets large enterprises across industries in finance, manufacturing, IT, and healthcare. It is known for using custom encryption techniques, remote access tools, and penetration testing frameworks to maximize damage.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
Spynote screenshot
Spynote
spynote
SpyNote, also known as SpyMax and CypherRat, is a powerful Android malware family designed primarily for surveillance and data theft, often categorized as a Remote Access Trojan (RAT). Originally emerged in 2016, SpyNote has evolved significantly, with new variants continuing to appear as recently as 2023–2025.
Read More
Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More