A new remote access trojan (RAT) dubbed Atroposia has been discovered by security researchers at Varonis.
The RAT uses encrypted command channels, hidden remote access, credential and wallet theft and persistence. It forms part of a growing market of criminal toolkits.
It was first identified by the cybersecurity firm on October 15 and has been observed being promoted on underground forums as a modular RAT with a full complement of offensive capabilities.
The package includes hidden remote desktop takeover (branded HRDP Connect), credential and cryptocurrency wallet theft, DNS hijacking and local vulnerability scanning.
Atroposia was seen priced at roughly $200 per month, $500 every three months or $900 for six months.
Varonis noted that the RAT could be combined with tools such as SpamGPT and MatrixPDF and used as a plug-and-play criminal toolkit.
SpamGPT is an AI-driven spam-as-a-service platform that automates phishing campaign creation, SMTP/IMAP cracking and deliverability tooling, effectively packaging marketing-grade campaign features for criminals.
MatrixPDF is a malicious PDF builder that weaponizes ordinary PDF files by adding overlays, redirects and embedded actions that help attackers bypass email filters and deliver phishing or malware lures.
Each package wraps advanced attack capabilities in easy-to-use interfaces that automate phishing, delivery and data theft, the company noted in a recent blog where full technical details about the RAT can be found.
The Atroposia RAT uses techniques like an encrypted command and control (C2) server to foil traffic inspection. The malware also automatically escalates privileges via UAC bypass to gain admin rights and install multiple persistence mechanisms to survive reboots.
These techniques mean Atroposia can bypass antivirus software and maintain long-term access without tipping off users or IT staff.
Daniel Kelley, a senior security researcher who works with Varonis, told Infosecurity, “Defending against Atroposia starts with reducing initial access through strong phishing defenses, regular patching, user training and multifactor authentication (MFA) enforcement. The next step is detecting post-compromise activity by monitoring authentication patterns and data flows to spot when legitimate accounts are used for lateral movement or data theft.”
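As an added illustration of the post-compromise monitoring Kelley describes (this is example code written for this article, not Varonis's detection logic), the script below scans successful-logon events and flags any account that reaches an unusually large number of distinct hosts within a short sliding window, a common signature of a legitimate account being used for lateral movement. The log tuple format, the ten-minute window, the three-host threshold and the sample events are all constructed assumptions.

```python
"""Flag accounts whose logons fan out to many distinct hosts in a short window.

Added example for the detection advice quoted above; not Varonis's code.
The record format, thresholds and sample events are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (ISO timestamp, user, destination host) for successful logons.
# "bob" logs on to five different hosts in four minutes, which is the pattern we want to catch.
SAMPLE_LOGONS = [
    ("2025-10-15T09:00:00", "alice", "ws-101"),
    ("2025-10-15T09:05:00", "alice", "ws-101"),
    ("2025-10-15T09:07:00", "bob", "ws-207"),
    ("2025-10-15T13:00:00", "bob", "ws-207"),
    ("2025-10-15T13:01:00", "bob", "fs-01"),
    ("2025-10-15T13:02:00", "bob", "db-02"),
    ("2025-10-15T13:03:00", "bob", "ws-310"),
    ("2025-10-15T13:04:00", "bob", "ws-311"),
    ("2025-10-15T15:00:00", "alice", "fs-01"),
]


def parse_logon(record):
    """Turn a (timestamp, user, host) tuple into (datetime, user, host)."""
    ts, user, host = record
    return datetime.fromisoformat(ts), user, host


def detect_lateral_fanout(records, window=timedelta(minutes=10), max_hosts=3):
    """Return {user: (sorted distinct hosts, time of first trip)} for every user
    who authenticates to more than `max_hosts` distinct hosts inside any
    sliding window of length `window`. Only the first trip per user is kept."""
    events = sorted(parse_logon(r) for r in records)
    per_user = defaultdict(deque)  # user -> deque of (ts, host) still inside the window
    alerts = {}
    for ts, user, host in events:
        q = per_user[user]
        q.append((ts, host))
        # Drop events older than the window relative to the newest event.
        while q and ts - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) > max_hosts and user not in alerts:
            alerts[user] = (sorted(hosts), ts)
    return alerts


if __name__ == "__main__":
    for user, (hosts, when) in detect_lateral_fanout(SAMPLE_LOGONS).items():
        print(f"{when.isoformat()} {user}: {len(hosts)} hosts in window -> {hosts}")
```

Tune `window` and `max_hosts` against a baseline of normal fan-out for the account class (helpdesk and backup accounts legitimately touch many hosts); the point is to alert on a change in an account's own pattern rather than on a fixed number.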
