Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-06 02:01:47 UTC
Home > List all groups > List all tools > List all groups using tool 9002 RAT
 Tool: 9002 RAT
Names
9002 RAT
McRAT
MdmBot
Homux
Hydraq
HidraQ
HOMEUNIX
Aurora
Roarur
Category Malware
Type Backdoor, Info stealer
Description
9002 RAT is a Remote Access Tool typically observed to be used by an APT to control a
victim's machine. It has been spread over via zero day exploits (e.g. targeting Internet
Explorer) as well as via email attachments. The infection chain starts by opening a .LNK
(an OLE packager shell object) that executes a Powershell command.
Information

with-a-new-exploit.html>
MITRE ATT&CK Malpedia AlienVault OTX Last change to this tool card: 30 December 2022
Download this tool card in JSON format
All groups using tool 9002 RAT
Changed Name Country Observed
APT groups
 APT 17, Deputy Dog, Elderwood, Sneaky Panda 2009-Jun 2024
 APT 31, Judgment Panda, Zirconium 2016-Mar 2024
 APT 41 2012-Jul 2025
 Axiom, Group 72 2008-2008/2014
 Bronze Butler, Tick, RedBaldNight, Stalker Panda 2006-Apr 2021
 Mustang Panda, Bronze President 2012-Jun 2025
 Nightshade Panda, APT 9, Group 27 2013-Sep 2016
 Operation Red Signature 2018
 Space Pirates 2017-Nov 2024
9 groups listed (9 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f3993a74-3133-4926-aeab-2b93ef6ed81d
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f3993a74-3133-4926-aeab-2b93ef6ed81d
Page 2 of 2