- 1.- Main technical compromise vectors
- 2.- Anatomy of a remote-control attack
- 3.- Common RAT tools and families
- 4.- Indicators
- 5.- Mandatory
Introduction: Gaining remote control of a system—without the owner’s knowledge or consent—has become more feasible with the rise of hybrid work and the popularity of remote-access tools. At Detective Hacker we track the surge in Remote Access Trojans (RATs), and the direct exploitation of protocols such as RDP or VNC has dramatically expanded the attack surface.
1.- Main technical compromise vectors
| Vector | Practical description |
|---|---|
| Exploitation of vulnerabilities in RDP / Remote Desktop Gateway | Buffer overflows, heap errors, or default credentials. |
| Brute force & credential stuffing | Use of leaked combinations from the dark web against RDP, SSH, or VNC. |
| Remote Access Trojans (RAT) | Malicious software that opens a persistent channel (HTTP, WebSocket, DNS-tunnel). |
| Abuse of legitimate software (RMM as malware) | Misconfigured or pirated AnyDesk, Atera, ConnectWise Control. |
| Advanced social engineering | “Tech-support” emails that lure users into installing remote binaries or sharing an OTP code. |
2.- Anatomy of a remote-control attack
- Reconnaissance: port scanning and service fingerprinting; searching for leaked credentials.
- Initial access: exploitation of a recent CVE or phishing with a malicious attachment (e.g., XWorm).
- Persistence: creation of a scheduled task, an obfuscated Windows Service Host, or a
runkey in the registry. - Privilege escalation: abuse of the
SYSTEMtoken or an LPE vulnerability. - Command and control: encrypted channel (HTTPS, DNS-over-HTTPS, TryCloudflare tunnels) as seen in AsyncRAT campaigns.
- Actions on objective: exfiltration, encryption (ransomware), pivoting to OT/ICS networks.
3.- Common RAT tools and families
- AsyncRAT: popular in mass-phishing campaigns; C2 via HTTPS and WebSockets.
- QuasarRAT / xRAT: heavily modified open-source in underground forums; plugins for keylogging and credential dumping.
- Remcos: commercial “dual-use” version capable of recording audio, video, and stealing the clipboard.
- Gh0stRAT (reloaded): still present in APT campaigns against government bodies in LATAM.
- Malicious RustDesk: unofficial forks that add a persistent backdoor.
4.- Indicators
- Unexpected creation of persistent services with names that mimic system processes (
svchost32.exe). - Continuous outbound traffic to DDNS domains such as
.duckdns.org,.ngrok.io, or*.trycloudflare.com. - Inbound RDP connections outside business hours or from anomalous IP ranges.
- Registry key modification in
HKCU\Software\Microsoft\Windows\CurrentVersion\Run. - Use of obfuscators like
ConfuserEx,Obsidium, or YARA signatures of modified UPX packers.
5.- Mandatory
Review the disclaimer on our website.