Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Xeno RAT

84
Global rank
62 infographic chevron month
Month rank
77 infographic chevron week
Week rank
0
IOCs

Xeno RAT is an open-source malware mainly distributed through drive-by downloads. The core capabilities of this threat include remote control, keystroke logging, webcam and microphone access. Equipped with advanced utilities, such as Hidden Virtual Network Computing and Socks5 reverse proxy, Xeno RAT is most frequently used in attacks against individual users.

RAT
Type
Unknown
Origin
1 October, 2023
First seen
3 February, 2025
Last seen

How to analyze Xeno RAT with ANY.RUN

RAT
Type
Unknown
Origin
1 October, 2023
First seen
3 February, 2025
Last seen

IOCs

IP addresses
193.161.193.99
147.185.221.19
147.185.221.24
147.185.221.22
31.220.90.137
148.113.165.11
86.68.222.14
64.52.80.67
213.152.186.168
194.59.30.69
147.45.69.75
94.156.64.213
87.120.121.160
87.120.120.27
172.93.222.33
159.100.29.122
45.87.153.79
167.88.173.173
194.113.106.81
34.229.235.165
Domains
dns.stipamana.com
nanoshield.pro
zenofs.zapto.org
busyestinglsv.site
nanoshd.pro
roollingstonen.sytes.net
wealthyman.ddnsfree.com
swiftwealth.ddns.net
wealthxeno.ddnsfree.com
fusionmelonate.duckdns.org
jctestwindows.airdns.org
dentiste.ddns.net
grand-merchants.gl.at.ply.gg
david-login.gl.at.ply.gg
performance-ha.gl.at.ply.gg
related-directed.gl.at.ply.gg
taking-headquarters.gl.at.ply.gg
people-weekend.gl.at.ply.gg
Last Seen at

Recent blog posts

post image
Release Notes: System Updates, New YARA and S...
watchers 197
comments 0
post image
3 Major Cyber Attacks in January 2025
watchers 1401
comments 0
post image
Interlock Ransomware: Analysis of Attacks on...
watchers 1190
comments 0

What is Xeno RAT malware?

Xeno RAT is an open-source remote access trojan (RAT) distributed openly through GitHub. The creator behind this malicious software states that it was created for educational purposes only. This, however, does not prevent threat actors from leveraging it in their attacks to steal sensitive data and spy on their victims.

Since Xeno RAT is available free-of-charge, there are many amateur and experienced attackers that employ it. Since 2023, the malware has been involved in several campaigns primarily targeting individual users through drive-by downloads.

Xeno RAT is written in C# and is intended to operate on Windows systems. Since the malware is being continuously updated, it poses a serious threat to organizations and users around the world.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Xeno RAT malware technical details

Xeno RAT’s range of capabilities is similar to that of other RATs, such as Asyncrat and njRAT. Some of the malicious activities that can be performed using Xeno RAT include:

  • Xeno RAT allows attackers to remotely control a victim's computer, including accessing and modifying files, installing and uninstalling software, and executing commands.
  • The malware can record every keystroke made on the infected computer, including in the offline mode.
  • One of the standout features of Xeno RAT is the ability to access the webcam and microphone of the infected computer, allowing them to spy on the victim and their surroundings.
  • The malware can be used to steal files from the device, as well as passwords stored in web browsers, email clients, and other software.
  • Attackers using Xeno RAT can also reboot the infected computer, turn off its display, and edit the registry.

Out of all features available to the attackers using the Xeno RAT malware, Hidden Virtual Network Computing offers the most extensive functionality for conducting malicious activities. This utility lets criminals not only take full control of the victim’s computer but also do it stealthily and completely without their notice.

The Socks5 reverse proxy feature of Xeno RAT allows attackers to route their network traffic through a compromised computer, effectively hiding it.

Xeno RAT usually achieves persistence on the compromised system using Scheduled Tasks. It has also been observed to leverage process injection to evade detection.

Xeno RAT execution process

To see how Xeno RAT operates, let’s upload its sample to the ANY.RUN sandbox.

The execution chain of Xeno RAT may be relatively simple, involving only one or two processes, but it can also become complex with the utilization of multiple processes, including built-in OS tools.

XenoRAT scripts in ANY.RUN Xeno RAT script analysis in ANY.RUN

The main malicious activities are carried out by the injected RegAsm process.

In our example, the execution involves multiple processes such as WScript.exe, regsvr32.exe, and RegAsm.exe. The malware creates files in the Startup directory to achieve persistence and loads the dynwrapx.dll (DynamicWrapperX) file. These activities can be monitored using Script Tracer.

For persistence and stealth, XenoRAT can bypass User Account Control (UAC) and maintain its presence even after system reboots using startup functions. It spreads primarily through phishing, exploiting software vulnerabilities, and other typical methods such as downloading from compromised websites or deceptive advertisements.

XenoRAT metadata in ANY.RUN Xeno RAT metadata in ANY.RUN

Sometimes, Xeno RAT builds may inadvertently reveal themselves by naming directories after the malware, such as "xeno rat client" or "XenoManager," or by embedding its name in PE metadata, for instance, as the company name or product name.

Xeno RAT malware distribution methods

As for the most common delivery methods, drive-by downloads constitute the main vector of Xeno RAT attacks. Individual users are the primary target of these. As a result, to trick their victims into downloading and running the malicious software, threat actors may disguise it as video games or software updates.

Conclusion

Xeno RAT’s wide range of features and capabilities, including HVNC, make it a versatile tool for conducting cyber attacks. The open-source nature of this threat highlights the importance of having proper security measures in place to prevent potential attacks.

Using a sandbox like ANY.RUN to analyze suspicious files and URLs should one of such measures. The cloud-based service allows you to detonate any malicious file in a safe and secure environment, while also having the ability to interact with the system just like on your own computer. Use ANY.RUN to study the behavior of malware, understand its TTPs, and collect indicators of compromise.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
Phorpiex screenshot
Phorpiex
phorpiex
Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More