{
	"id": "947240d4-457e-4a8b-856e-dc33bae502db",
	"created_at": "2026-04-06T00:22:34.992429Z",
	"updated_at": "2026-04-10T03:20:30.369314Z",
	"deleted_at": null,
	"sha1_hash": "2771dc109670da89d494794dd4ec6c148d629bfa",
	"title": "PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192602,
	"plain_text": "PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan\r\npublic and private sectors\r\nBy Warren Mercer\r\nPublished: 2020-04-16 · Archived: 2026-04-05 17:10:07 UTC\r\nThursday, April 16, 2020 13:52\r\nBy Warren Mercer, Paul Rascagneres and Vitor Ventura.\r\nNews summary\r\nAzerbaijan government and energy sector likely targeted by an unknown actor.\r\nFrom the energy sector, the actor demonstrates interest in SCADA systems related to wind turbines.\r\nThe actor uses Word documents to drop malware that allows remote control over the victims.\r\nThe new remote access trojan, dubbed PoetRAT, is written in Python and is split into multiple parts.\r\nThe actor collects files, passwords and even images from the webcam, using other tools that it deploys as\r\nneeded.\r\nExecutive summary\r\nCisco Talos has discovered a new malware campaign based on a previously\r\nunknown family we're calling \"PoetRAT.\" At this time, we do not believe this\r\nattack is associated with an already known threat actor. Our research shows the\r\nmalware was distributed using URLs that mimic some Azerbaijan government\r\ndomains, thus we believe the adversaries in this case want to target citizens of the\r\nhttps://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html\r\nPage 1 of 16\n\ncountry Azerbaijan, including private companies in the SCADA sector like wind\r\nturbine systems. The droppers are Microsoft Word documents that deploy a\r\nPython-based remote access trojan (RAT). We named this malware PoetRAT due\r\nto the various references to William Shakespeare, an English poet and playwright.\r\nThe RAT has all the standard features of this kind of malware, providing full\r\ncontrol of the compromised system to the operation. For exfiltration, it uses FTP,\r\nwhich denotes an intention to transfer large amounts of data.\r\nThe campaign shows us that the operators manually pushed additional tools when they needed them on the\r\ncompromised systems. 
We will describe a couple of these tools. The most interesting is a tool used to monitor the\r\nhard disk and exfiltrate data automatically. Besides these, there are keyloggers, browser-focused password\r\nstealers, camera control applications, and other generic password stealers.\r\nIn addition to the malware campaigns, the attacker ran a phishing campaign on the same infrastructure.\r\nThis phishing website mimics the webmail infrastructure of the Azerbaijan government.\r\nWhat's new?\r\nThis was a previously undiscovered RAT. It is split into two components so that no single\r\ncomponent is detected on its own. The dropper uses an old trick in a new way: It appends the RAT to a Word\r\ndocument. Upon opening the document, a macro is executed that will extract the malware and\r\nexecute it. The operation seems to be manual, but it's streamlined to deploy additional tools as\r\nneeded and to avoid unnecessary steps.\r\nSo what?\r\nThis threat actor is highly motivated and focused on the victims it targets. They target the public\r\nand the private sectors as well as SCADA systems. The quantity and diversification of tools\r\navailable in its toolkit denote a carefully planned attack.\r\nMalware campaigns\r\nWe identified multiple campaigns we believe target the Azerbaijan public and\r\nprivate sectors, especially the energy sector. During our investigation, Talos\r\nidentified the interest of this threat actor in SCADA systems — mainly wind\r\nturbines.\r\nCampaign No. 1: February 2020\r\nDecoy document\r\nOnce opened in Microsoft Office, the document is blurred. This can't be fixed — the document is composed of\r\nblurred pictures with no real text. The logo seems to be the logo of the DRDO, the Defence R\u0026D Organisation of\r\nthe Ministry of Defence of India. 
We have no evidence that India is targeted by this actor.\r\nDRDO Logo\r\nThe file was located on hxxp://govaz[.]herokuapp[.]com/content/section_policies.docx\r\nCampaign No. 2: April 2020 — C19.docx\r\nDocument image\r\nThe file, in this case, was named \"C19.docx,\" probably a reference to the COVID-19 pandemic, but without\r\nreadable content.\r\nCampaign No. 3: April 2020 — Coronavirus theme\r\nThe decoy document evolved to look more realistic. The initial stage is a Word document written\r\nin Russian posing as an Azerbaijan government document.\r\nDocument image\r\nDocument image\r\nBoth original file names are \"Azerbaijan_special[.]doc,\" which is a dropper that can be found at hxxps://gov-az[.]herokuapp[.]com/content/Azerbaijan_special[.]doc.\r\nPhishing campaign\r\nOn the same server, we identified a phishing campaign against the webmail of the\r\nAzerbaijan government:\r\nPhishing page image\r\nThis phishing website was available on \"hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=\" during the\r\nmalware campaigns. The purpose was obviously to steal credentials.\r\nMalware\r\nWe will present the infection vector of the most recent document. The other\r\ndocuments are not exactly the same (they use DDE), but the final goal is the same.\r\nDropper\r\nThe Word document is a dropper. As happens so many times, it contains a Visual Basic script that\r\nwill execute the malicious activities. This one, however, appears to be more innovative. It starts by\r\nloading its own document into memory. 
Afterward, it copies the last 7,074,638 bytes of the\r\nfile and writes those bytes back to the disk.\r\nRAT extraction\r\nThe file written to the disk is actually a ZIP file. The actors appended the ZIP, \"smile.zip,\" to the end of the Word\r\ndocument.\r\nThis ZIP file contains a Python interpreter and the Python scripts that make up the RAT. The Word macro will unzip\r\nand execute the main script called \"launcher.py.\" The launcher script is responsible for checking the environment\r\nthat the doc is currently being opened in. It assumes that all sandboxes will have hard drives smaller than 62GB. If\r\nit's in a sandbox environment, it will overwrite the malware scripts with the contents of the file \"License.txt\" and\r\nexit, thus deleting itself.\r\nAnti-sandbox code\r\nIf it determines that it is not running in a sandbox environment, it will generate a unique ID, which it then substitutes\r\ndirectly into the Python source code of the main scripts before executing them.\r\nRAT\r\nThe RAT is composed of two main scripts that need to work together. One, called \"frown.py,\" is\r\nresponsible for the communications with the command and control (C2). It uses TLS to encrypt\r\nthe communication, which occurs on port 143. After a successful connection, it will send the word\r\n\"almond.\" The server should reply either with \"who\" or \"ice.\" The RAT will answer the \"who\"\r\ncommand with a string that contains the username, computer name and the previously generated\r\nUUID. 
The \"ice\" command simply makes the RAT finish the connection procedure.\r\nThe other script is called \"smile.py.\" This is responsible for the interpretation and execution of the C2 commands.\r\nThe available commands are:\r\nls - lists files\r\ncd - changes the current directory\r\nsysinfo - gets information about the system\r\ndownload - uploads a file from the victim to the C2 using FTP\r\nupload - downloads a file from the C2 onto the victim\r\nshot - takes a screenshot and uploads it to the C2 using FTP\r\ncp - copies files\r\nmv - moves files\r\nlink - creates links between files\r\nregister - makes changes in the registry\r\nhide - hides a file or unhides it depending on its current state\r\ncompress - compresses files using the zip function\r\njobs - performs actions on processes, such as kill, clear and terminate. By default it lists all processes.\r\n\u003cos command to be executed\u003e - executed if none of the above commands matches.\r\nSome features need additional credentials (shot, upload, download). These credentials are not hardcoded in the\r\nsample. For each FTP usage, the credentials are provided by the C2 server during the request.\r\nThe RAT uses the Windows registry for persistence in the usual way, adding a registry key in the Run hive which\r\nexecutes the Python script \"launcher.py.\" During our investigation, we\r\nwitnessed several registry modifications that resulted in the malware skipping the sandbox evasion checks and\r\ncarrying out the execution by using a \"police\" keyword.\r\n\"C:\\Users\\Public\\Python37\\pythonw.exe\" \"C:\\Users\\Public\\Python37\\launcher.py\" \"police\"s\\0\r\nIn launcher.py, the police keyword will skip the sandbox checks and initialization process. 
This could be used for\r\nhosts already infected to ensure they do not re-check this environment.\r\nStart routine\r\nThe communication between the scripts is done via a file called \"Abibliophobia23.\" Commands and results are\r\nwritten into the file using a custom encryption scheme. The \"23\" at the end of the file name differs depending on the\r\nvariant of the RAT.\r\nObfuscation algorithm\r\nIt uses a character substitution cipher where the new character code is obtained by performing mathematical operations on\r\nthe character code to be encrypted, using the key parameters.\r\nPost-exploitation tools\r\nDuring the campaign, the operator deployed additional tools on the targeted\r\nsystems. In this section, we will describe a few of these tools.\r\nDog\r\nQuickly after the initial compromise, the operator deploys a tool named \"dog.exe.\" This malware\r\nis written in .NET and its purpose is to monitor hard drive paths and to exfiltrate the information\r\nvia an email account or an FTP server, depending on the configuration.\r\nThe configuration file is named dconf.json. It is pushed by the operator with the binary. 
Here is the format:\r\n{\r\n\"FileSize\": 50,\r\n\"BasePath\": \"C:/ProgramData/\",\r\n\"MyPath\": \"TARGET_Dog/\",\r\n\"UploadType\": \"ftp\",\r\n\"FtpUsername\": \"username1\",\r\n\"FtpPassword\": \"password1\",\r\n\"FtpUri\": \"ftp://ftp.ftpserver/repo/\",\r\n\"SmtpHost\": \"smtp.servermail.com\",\r\n\"EmailUser\": \"username2@servermail.com\",\r\n\"EmailPass\": \"password2\",\r\n\"Paths\": \"C:/Users/User/Desktop/,C:/Users/User/Downloads/,C:/Users/User/Documents/\"\r\n}\r\nFileSize defines the maximum size of a file to be exfiltrated (50MB in our example).\r\nThe working directory is defined by the concatenation of BasePath and MyPath (\"C:/ProgramData/\r\nTARGET_Dog/\" in our example).\r\nUploadType is the exfiltration method. It can be \"ftp\" or \"email.\"\r\nFtpUsername, FtpPassword and FtpUri define the FTP parameters for exfiltration.\r\nSmtpHost, EmailUser and EmailPass define the email parameters for exfiltration.\r\nPaths defines the paths to monitor on the compromised system.\r\nThe binary uses a file system watcher in order to generate an event each time a file is modified in one of the\r\ndirectories in the \"Paths\" variable of the configuration file.\r\nFilesystem monitoring routine\r\nOnce a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration.\r\nBewmac\r\nThe attacker has a short Python script to record the victim's webcam.\r\nCamera image capturing routine\r\nThe script uses the OpenCV library, taking a sequence of 10 captures each time it is executed. 
The images are\r\nstored on the filesystem and there is no automatic exfiltration.\r\nAdditional tools\r\nDuring our investigation, we identified a couple of additional tools, mainly written in Python and compiled\r\nfor Windows:\r\nKlog.exe: A keylogger using an output file called \"System32.Log.\"\r\nKeylogger special key map\r\n\"Browdec.exe\": A browser credential-stealer.\r\n\"voStro.exe\": A compiled pypykatz, a full Python implementation of Mimikatz, the well-known\r\ncredential-stealer.\r\n\"Tre.py\": A script used to create a file containing the files/directories tree.\r\nWinPwnage: An open-source privilege escalation framework.\r\nNmap: An open-source pentesting and network-scanning tool.\r\nThe actor monitored specific directories, signaling they wanted to exfiltrate certain information from the victims.\r\nThe attacker wanted to gain a full picture of the victim by using a keylogger, browser credential stealers and\r\nMimikatz and pypykatz for further credential harvesting. Based on our research, the adversaries may have wanted\r\nto obtain important credentials from officials in Azerbaijan's government. The malware attempts to obtain pictures\r\nof the victim and utilizes a mail platform targeting the Azerbaijan government. The attacker wanted not only\r\nspecific information obtained from the victims but also a full cache of information relating to their victim. They\r\nwould have been able to gain potentially very important credentials and information using these techniques given\r\ntheir victimology. 
By using Python and other Python-based tools during their campaign, the actor may have\r\navoided detection by traditional tools that have whitelisted Python and Python execution techniques.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat as SIDs\r\n53689-53691.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nOSQuery\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected\r\nwith this specific threat.\r\nSpecific OSqueries for this threat:\r\nPoetRAT filepath\r\nPoetRAT registry\r\nHosts\r\nC2\r\ndellgenius[.]hopto[.]org\r\nPhishing\r\ngov-az[.]herokuapp[.]com\r\ngovaz[.]herokuapp[.]com\r\nUrls\r\nhxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=\r\nSamples\r\nSource: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html"
	],
	"report_names": [
		"poetrat-covid-19-lures.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434954,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2771dc109670da89d494794dd4ec6c148d629bfa.pdf",
		"text": "https://archive.orkl.eu/2771dc109670da89d494794dd4ec6c148d629bfa.txt",
		"img": "https://archive.orkl.eu/2771dc109670da89d494794dd4ec6c148d629bfa.jpg"
	}
}