{
	"id": "c794e5c2-c15d-4366-aa34-21f2ec3d1f97",
	"created_at": "2026-04-06T00:15:17.857852Z",
	"updated_at": "2026-04-10T03:36:48.091657Z",
	"deleted_at": null,
	"sha1_hash": "225447e28af4dc3fd5272a5a7d5696736252b32b",
	"title": "Deep Dive Analysis – Borat RAT | Cyble",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1999218,
	"plain_text": "Deep Dive Analysis – Borat RAT | Cyble\r\nPublished: 2022-03-31 · Archived: 2026-04-05 18:32:32 UTC\r\nCyble Research Labs analyzes Borat, a sophisticated RAT variant that combines Remote Access Trojan, Spyware, Ransomware and DDoS capabilities.\r\nRemote Access Trojan Capable of Conducting Ransomware \u0026 DDoS Activities\r\nA Remote Access Trojan (RAT) is a tool used by Threat Actors (TAs) to gain full access to and remote control of a user’s system, including mouse and keyboard control, file access, and access to network resources.\r\nDuring our regular OSINT research, Cyble Research Labs came across a new Remote Access Trojan (RAT) named Borat. Unlike other RATs, Borat provides Ransomware and DDoS services to Threat Actors along with the usual RAT features, further expanding the malware’s capabilities.\r\nhttps://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/\r\nPage 1 of 12\r\nThe developer named this RAT ‘Borat’ after a black comedy mockumentary film, and the photo used in the RAT is of actor Sacha Baron Cohen, who played the main role in the film Borat. The features claimed by the Borat RAT author are given in Figures 1 \u0026 2 below.\r\nFigure 1: List of Features provided by the Borat RAT\r\nFigure 2: Additional Features provided by Borat RAT\r\nThe Borat RAT provides a dashboard to Threat Actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim’s machine, as shown in Figure 3.\r\nFigure 3: Borat RAT Dashboard\r\nTechnical Analysis\r\nIn this analysis, we will take a look at Borat RAT and its features in detail. The Borat RAT comes as a package which includes the builder binary, supporting modules, server certificate, etc., as shown in Figure 4.\r\nFigure 4: Borat Package\r\nFigure 5 shows the supporting modules responsible for executing the RAT features.\r\nFigure 5: DLLs used to execute Features\r\nKeylogger\r\nThe module “keylogger.exe” is responsible for monitoring and storing the keystrokes on the victim’s machine. The image below shows the keyboard-related APIs used by the RAT for keylogging. The captured keystrokes are saved in a file called “Sa8XOfH1BudXLog.txt” for exfiltration.\r\nFigure 6: Keyboard APIs\r\nRansomware\r\nInterestingly, the RAT has an option to deliver a ransomware payload to the victim’s machine for encrypting users’ files as well as for demanding a ransom. Like other ransomware, this RAT also has the capability to create a ransom note on the victim’s machine.\r\nFigure 7: Code to generate Ransom Note\r\nThe RAT has code to decrypt files on the victim’s machine once the ransom is paid, as shown below.\r\nFigure 8: Decryption Method\r\nDDoS\r\nThis RAT can also disrupt the normal traffic of a targeted server by performing a DDoS attack. The figure below shows the code used by the RAT for the DDoS attack.\r\nFigure 9: Code for DDoS Attack\r\nAudio Recording\r\nBorat RAT can record audio from the computer. Initially, it checks whether a microphone is present on the victim’s machine. If it finds a connected microphone, the RAT records all audio and saves it in a file named micaudio.wav.\r\nFigure 10: Code for Mic Recording\r\nWebcam Recording\r\nBorat RAT can capture video through any webcam present on the victim’s machine. First, it identifies whether a webcam is present, and then it starts recording video if one is available.\r\nFigure 11: Webcam Recording\r\nRemote Desktop\r\nThis malware takes over the remote desktop of the infected machine. It then gives the Threat Actor (TA) the necessary rights to perform activities such as controlling the victim’s machine, mouse, and keyboard, and capturing the screen. Controlling the victim’s machine can allow TAs to perform several activities such as deleting critical files, executing ransomware on the compromised machine, etc. The figure below shows the functions used by the RAT for performing Remote Desktop activities.\r\nFigure 12: Functions used for performing Remote Desktop Activities\r\nReverse Proxy\r\nThe RAT has code to enable a reverse proxy for performing RAT activities anonymously. The TAs can hide their identity using this option while communicating with the compromised servers.\r\nFigure 13: Reverse Proxy Code\r\nDevice Information\r\nThe RAT collects information from the victim’s machine, including OS Name, OS Version, System Model, etc. The figure below shows the command used for collecting the information.\r\nFigure 14: Command used for Capturing Device Info\r\nProcess Hollowing\r\nUsing the RAT, the TAs can inject malicious code into legitimate processes using the process hollowing technique. The figure below shows the APIs used by the RAT for process hollowing.\r\nFigure 15: Process Hollowing\r\nBrowser Credential Stealing\r\nBorat RAT can steal cookies, history, bookmarks, and saved login credentials from Chromium-based browsers like Google Chrome, Edge, etc. The figure below shows the functions used by the RAT for stealing browser credentials.\r\nFigure 16: Functions used for Stealing Browser Credentials\r\nDiscord Token Stealing\r\nThe RAT also steals Discord tokens and sends the stolen token information to the attacker.\r\nRemote Activities\r\nThe RAT performs the following activities to disturb the victims: Play Audio, Swap Mouse Buttons, Show/hide the Desktop, Show/hide the taskbar, Hold Mouse, Enable/Disable webcam light, Hang System, Monitor Off, Blank screen, etc.\r\nConclusion\r\nThe Borat RAT is a potent and unique combination of Remote Access Trojan, Spyware, and Ransomware, making it a triple threat to any machine it compromises. With the capability to record audio, control the webcam, and conduct traditional info-stealing behavior, Borat is clearly a threat to keep an eye on. The added functionality to carry out DDoS attacks makes this an even more dangerous threat that organizations and individuals need to look out for. The Cyble Research Team is closely monitoring the RAT’s actions and will keep informing our clients and people worldwide.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:\r\nDon’t keep important files in common locations such as the Desktop, My Documents, etc.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nConduct regular backups and keep those backups offline or on a separate network.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDiscovery | T1518 | Security Software Discovery\r\nDiscovery | T1087 | Account Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nCollection | T1123 | Audio Capture\r\nCollection | T1005 | Data from Local System\r\nCollection | T1056.001 | Keylogging\r\nCollection | T1113 | Screen Capture\r\nCollection | T1125 | Video Capture\r\nCommand and Control | T1132 | Data Encoding\r\nCommand and Control | T1219 | Remote Access Software\r\nExfiltration | T1020 | Automated Exfiltration\r\nImpact | T1485 | Data Destruction\r\nImpact | T1486 | Data Encrypted for Impact\r\nImpact | T1565 | Data Manipulation\r\nImpact | T1499 | Endpoint Denial of Service\r\nIndicators Of Compromise (IoCs)\r\nSource: https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/"
	],
	"report_names": [
		"deep-dive-analysis-borat-rat"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434517,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/225447e28af4dc3fd5272a5a7d5696736252b32b.pdf",
		"text": "https://archive.orkl.eu/225447e28af4dc3fd5272a5a7d5696736252b32b.txt",
		"img": "https://archive.orkl.eu/225447e28af4dc3fd5272a5a7d5696736252b32b.jpg"
	}
}