{
	"id": "949cad36-c603-4a71-baea-904f325f83af",
	"created_at": "2026-04-06T00:17:54.855148Z",
	"updated_at": "2026-04-10T03:30:41.216574Z",
	"deleted_at": null,
	"sha1_hash": "33d56385d9aaf9d6692724ce8e253b771e294ae6",
	"title": "How to Remove Lilith RAT: Complete Removal Guide | Trojan Killer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 231974,
	"plain_text": "How to Remove Lilith RAT: Complete Removal Guide | Trojan\r\nKiller\r\nBy Gridinsoft Team\r\nPublished: 2025-04-06 · Archived: 2026-04-02 12:05:33 UTC\r\nLilith RAT is an advanced remote access trojan written in C++ programming language that provides attackers with\r\ncomplete control over an infected computer. This malicious tool allows hackers to remotely execute commands,\r\nsteal sensitive data, and install additional malware. In this guide, we’ll examine how Lilith RAT works, its\r\ndistribution methods, infection symptoms, and provide step-by-step instructions for completely removing this\r\nthreat.\r\nKey Facts\r\nThreat Type: Remote Access Trojan (RAT), Trojan\r\nAffected Platforms: Windows 7, 8, 8.1, 10, 11\r\nDistribution Methods: Phishing emails, malicious attachments, vulnerability exploits\r\nMain Symptoms: Hidden command execution, data theft, system performance issues\r\nDanger Level: High\r\nPotential Damage: Password and banking information theft, identity theft, additional malware installation\r\nDetection Method: Antivirus scanning, process analysis, network traffic monitoring\r\nYear Discovered: 2022\r\nWhat is Lilith RAT?\r\nLilith RAT is a remote access trojan designed to give attackers full control over infected systems. Written in C++,\r\nthis lightweight yet powerful RAT offers a wide range of features for remote control, data theft, and conducting\r\nfurther attacks.\r\nUnlike less sophisticated trojans, Lilith RAT allows attackers to execute commands remotely using CMD\r\n(Command Prompt), PowerShell, or other console-based applications. 
This gives cybercriminals significant\r\ncontrol over the system, allowing them to run scripts, control system functions, or make changes to the infected\r\ncomputer.\r\nName: Lilith remote access trojan\r\nThreat Type: Remote Access Trojan (RAT)\r\nDetection Names: Avast (LNK:Agent-HN [Trj]), ESET-NOD32 (LNK/Agent.AHE), Kaspersky (HEUR:Trojan.Multi.Agent.gen), Sophos (Troj/LnkDrop-M)\r\nhttps://trojan-killer.net/how-to-remove-lilith-rat-complete-removal-guide/\r\nPage 1 of 16\n\nSymptoms: Remote Access Trojans are designed to stealthily infiltrate the victim’s computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.\r\nDistribution Methods: Deceptive emails containing malicious files or links, malicious online advertisements, social engineering, pirated software, technical support scam.\r\nDamage: Stolen passwords and banking information, identity theft, possible additional infections, monetary loss.\r\nLilith RAT Capabilities\r\nLilith RAT features a wide range of functions that make it a dangerous threat to users:\r\nRemote Command Execution: Ability to execute commands through CMD, PowerShell, and other console applications\r\nKeylogger: Records everything the victim types, including passwords, messages, and bank card data\r\nMass Control: Sending a single command to all infected devices simultaneously\r\nAuto-start: Installation without additional input from attackers and automatic execution at every computer startup\r\nSelf-destruction: Ability to delete its own files to cover tracks\r\nError Analysis: Finding and logging errors to track functionality issues\r\nArchitecture and Technical Characteristics of Lilith RAT\r\n[Figure: Lilith RAT Architecture]\r\nOriginal C++ implementation: Core Module (Control and Management), Keylogger (Keystroke Recording), Command Module (Command Execution), Persistence (Autostart Capabilities), C\u0026C Communication (Server Connection), Self-Protection (Anti-Analysis Features), Data Exfiltration (Stealing Information)\r\nAutoIt variant: CURKON (LNK File) (Initial Infection Vector), AutoIt Script (Ported Lilith RAT), Mutex Check (Anti-Duplication), Persistence (Scheduled Tasks), Remote Control (Command Execution)\r\nModular architecture of Lilith RAT, showing the original C++ implementation and the AutoIt variant used by the\r\npuNK-003 group from North Korea\r\n
How is Lilith RAT Distributed?\r\nCybercriminals distribute Lilith RAT primarily through targeted phishing attacks. A typical scenario involves\r\nsending emails with malicious attachments or links. These attacks usually use an LNK file (shortcut) disguised as\r\na document. When the LNK file is opened, it displays a fake document and downloads files from an attacker’s\r\nserver. These files include a malicious AutoIt script that launches the Lilith RAT malware.\r\nIn 2024, security researchers identified a North Korean threat actor group dubbed “puNK-003” using Windows\r\nshortcut (LNK) files to distribute a variant of Lilith RAT. This distribution method, named “CURKON” by\r\nresearchers, acts as a downloader that retrieves AutoIt scripts from the attacker’s server. 
The original C++\r\nimplementation of Lilith RAT has been ported to the AutoIt scripting language, allowing attackers to maintain the same\r\nfunctionality while evading traditional detection methods.\r\nLilith RAT Infection Process\r\nStep 1: Phishing email with malicious link/file\r\nStep 2: User opens malicious LNK file\r\nStep 3: Downloading malicious AutoIt script\r\nStep 4: Installation and launch of Lilith RAT\r\nStep 5: Connection to command and control server (C\u0026C)\r\nStep 6: Execution of attacker’s commands\r\nStep 7: Data theft and keylogging\r\nStep 8: Additional malicious actions\r\nStep 9: Installation of additional malware\r\nStep 10: Potential Consequences: Financial losses, identity theft, additional infections, data encryption, complete system control\r\nNorth Korean Threat Actor: puNK-003\r\nIn 2024, security researchers identified a specific variant of Lilith RAT being distributed by a North Korean APT\r\n(Advanced Persistent Threat) group named puNK-003. This group has shown connections to the well-known\r\nKONNI threat actor, though with some distinct operational differences.\r\nThe puNK-003 attack chain works as follows:\r\n1. Distribution of malicious LNK files (named “CURKON” by researchers) disguised as tax-related\r\ndocuments\r\n2. When executed, the LNK file drops a decoy document while downloading additional files\r\n3. The malware creates a hidden folder on the C drive and copies the legitimate curl.exe utility\r\n4. Using curl, it downloads both AutoIt3.exe (a legitimate interpreter) and a malicious AutoIt script\r\n5. The downloaded script is a recreation of Lilith RAT, ported from C++ to AutoIt\r\n6. 
For persistence, the malware creates scheduled tasks to ensure it runs every few minutes\r\nTechnical Details of AutoIt Implementation\r\nThe AutoIt implementation of Lilith RAT created by puNK-003 differs from the original C++ version in several\r\nways:\r\nIt maintains primary functionalities but with a simpler structure\r\nIt uses a mutex named “Global\\RT3AN7C9QS-7UYE-9K6G-A8F1-HY8IT3CNMEQP” to prevent\r\nmultiple instances\r\nIt checks for specific antivirus products (particularly Avast) and adjusts its behavior accordingly\r\nIt implements a simplified reverse shell functionality for command execution\r\nIt communicates with hardcoded C2 servers on non-standard ports (e.g., 57860)\r\nTechnical Indicators of Compromise (IoCs)\r\nIndicator Type | Value | Notes\r\nFile | LNK files with random names | Usually disguised as Office documents or PDFs\r\nProcess | Random process names, autostart | Often uses code injection into legitimate processes\r\nRegistry | Autostart entries in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | Used for persistence\r\nNetwork Activity | Unusual outbound traffic to unknown domains | Communication with command and control (C\u0026C) servers\r\nFile Hashes (CURKON) | 9d6c79c0b395cceb83662aa3f7ed0123, 2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e, 3334d2605c0df26536058f73a43cb074 | LNK files used in puNK-003 campaigns\r\nFile Hashes (AutoIt Script) | 5613ba2032bc1528991b583e17bad59a, 808425bc599cd60989c90978d179af1d4c72dd7abfe5e0518aca44b48af15725, d5809e5f848f228634aa45ffe4a5ece0 | AutoIt script implementation of Lilith RAT\r\nC2 Servers | 93.183.93[.]185:57860, 185.231.154[.]22:52720, 62.113.118[.]157:57860 | Command and control servers used by puNK-003\r\nSymantec Detections | ACM.Ps-Rd32!g1, ACM.Ps-RgPst!g1, ACM.Ps-Schtsk!g1, ACM.Ps-SvcReg!g1, CL.Downloader!gen20, CL.Downloader!gen204, Scr.Mallnk!gen13, Trojan.Gen.NPE | Detection signatures for the puNK-003 variant\r\n
Signs of Lilith RAT Infection\r\nSince Lilith RAT is designed for stealthy operation, determining its presence in a system can be difficult.\r\nNevertheless, there are certain signs that may indicate infection:\r\nUnexplained system activity: High processor or network usage when no programs are running\r\nUnusual network activity: Outbound connections to unknown IP addresses or domains\r\nStrange computer behavior: Programs or windows opening/closing spontaneously\r\nDisabled protection mechanisms: Antivirus software or firewall shutting down without your knowledge\r\nUnexpected privilege elevation requests: System notifications about access requests from unknown\r\nprograms\r\nAccount issues: Unexplained logins to your online accounts or changes to them\r\nStrange processes in Task Manager: Unusual or suspicious processes with random names\r\nThreats and Potential Damage from Lilith RAT\r\nLilith RAT poses a serious security threat that can lead to significant damage:\r\nTheft of confidential information: Passwords, financial data, personal information\r\nFinancial losses: Access to bank accounts and credit cards\r\nIdentity theft: Use of personal data for fraud or other crimes\r\nEspionage: Monitoring all user activities, including correspondence and communication\r\nAdditional infections: Installation of ransomware or other malware\r\nRemote control: Complete control over the computer without the owner’s knowledge\r\nCorporate espionage: In case of infection of work computers – access to corporate information\r\nHow to Remove Lilith RAT\r\nThe process of removing Lilith RAT requires a comprehensive approach due to the complexity and stealth of this\r\nthreat. 
Below are methods for removing the malware.\r\nMethod 1: Removal Using Trojan Killer\r\nFor effective removal of Lilith RAT, it is recommended to use specialized antivirus software, such as Trojan\r\nKiller:\r\n1. Download and install Trojan Killer from the official website\r\n2. Run a full system scan:\r\nLaunch the program with administrator privileges\r\nSelect the full scan option\r\nWait for the process to complete (may take 20-40 minutes depending on the system)\r\n3. Review scan results:\r\nThe program will display a list of detected threats\r\nMake sure all Lilith RAT components are selected for removal\r\n4. Remove detected threats:\r\nClick the “Remove Selected” button\r\nFollow the program instructions to complete the removal process\r\n5. Restart your computer to complete the removal process\r\n6. Perform a second scan to verify complete removal of the threat\r\nMethod 2: Manual Removal (for Advanced Users)\r\nWarning: Manual removal of Lilith RAT requires technical knowledge and experience. Incorrect actions may\r\ndamage the operating system. This method is recommended only for experienced users.\r\n1. Boot the computer in Safe Mode with Networking:\r\nRestart the computer\r\nDuring startup, press F8 (or Shift+F8 in Windows 10)\r\nSelect “Safe Mode with Networking”\r\n2. Open Task Manager and terminate suspicious processes:\r\nPress Ctrl+Shift+Esc to open Task Manager\r\nLook for processes with unusual or random names\r\nFor each suspicious process: select it and click “End Process”\r\n3. Check startup items and remove suspicious elements:\r\nPress Win+R, type “msconfig” and press Enter\r\nGo to the “Startup” tab (depending on Windows version)\r\nDisable all suspicious items\r\n4. 
Check the Task Scheduler:\r\nPress Win+R, type “taskschd.msc” and press Enter\r\nReview scheduled tasks and delete suspicious ones\r\n5. Clean the registry:\r\nPress Win+R, type “regedit” and press Enter\r\nCheck the following registry sections:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nDelete suspicious entries\r\n6. Remove malicious files:\r\nCheck the following folders:\r\nC:\\Windows\\Temp\\\r\nC:\\Users\\[username]\\AppData\\Local\\Temp\\\r\nC:\\Users\\[username]\\AppData\\Roaming\\\r\nC:\\ProgramData\\\r\nDelete suspicious files and folders\r\n7. Restart the computer in normal mode\r\n8. Change all passwords for important accounts from another, uninfected device\r\nMethod 3: System Restore\r\nIf the Lilith RAT infection occurred recently, you can try restoring the system to a point before the infection:\r\n1. Open System Restore:\r\nPress Win+R\r\nType “rstrui.exe” and press Enter\r\n2. Select a restore point:\r\nChoose a restore point created before the infection\r\nFollow the wizard instructions to complete the process\r\n3. After system restoration, it is still recommended to perform a full antivirus scan\r\nAdvanced Technical Analysis For Security Researchers\r\nThe puNK-003 variant of Lilith RAT represents a significant evolution in the threat landscape, showing how\r\nNorth Korean APT actors are adapting and repurposing existing malware tools. 
This section provides a detailed\r\nanalysis specifically for security professionals and threat hunters.\r\nNorth Korean puNK-003 Implementation\r\nIn 2024, researchers identified a previously unknown North Korean threat actor group (dubbed “puNK-003”)\r\nusing Windows shortcut (LNK) files to distribute a variant of Lilith RAT. Unlike the original C++ implementation,\r\nthis variant has been completely ported to AutoIt scripting language, providing several advantages:\r\nBypass of signature-based detection that targets the original C++ binary\r\nExecution through a legitimate interpreter (AutoIt3.exe), which appears less suspicious\r\nEasier modification and customization of functionality\r\nSimplified evasion of memory scanning techniques that target C/C++ patterns\r\nAutoIt Script Analysis\r\nThe AutoIt implementation shows evidence of careful manual conversion rather than automated translation, with\r\nseveral functions recreated to achieve similar results through different means:\r\n; Example from AutoIt implementation of Lilith RAT\r\nFunc ISMULTIPLE()\r\n    Local $mutex = \"Global\\RT3AN7C9QS-7UYE-9K6G-A8F1-HY8IT3CNMEQP\"\r\n    Local $handle = DllCall(\"kernel32.dll\", \"handle\", \"CreateMutexA\", \"ptr\", 0, \"bool\", True, \"str\", $mutex)\r\n    If @error Then Return False\r\n    Local $lastError = DllCall(\"kernel32.dll\", \"dword\", \"GetLastError\")\r\n    If $lastError[0] = 183 Then ; ERROR_ALREADY_EXISTS\r\n        Return True\r\n    EndIf\r\n    Return False\r\nEndFunc\r\nInitial Infection Vector (CURKON)\r\nThe initial infection vector, named CURKON, is a specially crafted LNK file that executes PowerShell commands\r\nwhen opened. 
Analysis of these LNK files reveals sophisticated techniques including:\r\nObfuscation of PowerShell commands using string manipulation and logical operators\r\nXOR operations with a hardcoded one-byte key (0xD8) for decryption\r\nDropping and executing decoy documents to maintain the illusion of legitimacy\r\nCreating hidden directories with specific naming patterns (e.g., “GSlLzFnTov”)\r\nUsing legitimate Windows utilities (curl.exe) for secondary payload download\r\nCURKON Infection Chain (puNK-003)\r\nStep 1: LNK File Execution; Obfuscated PowerShell Command\r\nStep 2: XOR Decryption and Display of Decoy Document\r\nStep 3: Hidden Directory Creation and curl.exe Copy\r\nStep 4: Download of AutoIt3.exe and Malicious Script\r\nStep 5: Scheduled Task Creation for Persistence\r\nStep 6: Execution of AutoIt Lilith RAT Implementation\r\nStep 7: Connection to Command \u0026 Control Server (57860)\r\nFull infection chain for CURKON/Lilith RAT deployment by puNK-003\r\nCommand and Control Infrastructure\r\nThe C2 infrastructure used by puNK-003 shows several distinctive characteristics:\r\nPrimary use of compromised WordPress websites as first-stage C2 servers\r\nSecondary communication with dedicated IP addresses on non-standard ports\r\nSpecific URL patterns in WordPress sites, typically using paths like “/wp-admin/css/temp/”\r\nQuery string parameters that follow predictable patterns (e.g., “?rv=papago\u0026za=honey0”)\r\nTechnical Comparison: Original vs AutoIt Implementation\r\nThe table below compares key features between the original C++ Lilith RAT and the AutoIt implementation used\r\nby puNK-003:\r\nFeature | Original C++ Implementation | puNK-003 AutoIt Implementation\r\nFile Size | ~300KB compiled binary | ~40KB script + ~800KB AutoIt3.exe interpreter\r\nKeylogging | Full implementation with keystroke recording | Limited implementation, focused on specific inputs\r\nRemote Command Execution | Comprehensive with multiple shell options | Limited to cmd.exe and powershell.exe\r\nAnti-Analysis | Multiple checks for VMs, debuggers | Limited to security software checks (Avast)\r\nPersistence | Registry and startup folder | Primarily scheduled tasks\r\nC2 Protocol | Custom binary protocol | Simplified text-based communication\r\n
MITRE ATT\u0026CK Mapping\r\nThe puNK-003 implementation of Lilith RAT employs the following key MITRE ATT\u0026CK techniques:\r\nT1566.001: Phishing: Spearphishing Attachment – Distribution of LNK files disguised as documents\r\nT1059.001: Command and Scripting Interpreter: PowerShell – Execution of obfuscated commands\r\nT1059.005: Command and Scripting Interpreter: Visual Basic – Use of AutoIt scripting\r\nT1053.005: Scheduled Task/Job: Scheduled Task – Creation of tasks running every 1-10 minutes\r\nT1564.001: Hide Artifacts: Hidden Files and Directories – Creation of hidden folders\r\nT1140: Deobfuscate/Decode Files or Information – XOR decryption of embedded payloads\r\nT1571: Non-Standard Port – Use of uncommon ports like 57860 for C2 communication\r\nT1518.001: Software Discovery: Security Software Discovery – Checks for Avast products\r\nAttribution Evidence\r\nEvidence linking the puNK-003 group to North Korean threat actors includes:\r\nCode similarities with KONNI group implementations, particularly in the ISMULTIPLE() function\r\nInfrastructure patterns consistent with other North Korean operations\r\nSimilar LNK file obfuscation techniques to those used by other North Korean threat actors\r\nTargeting patterns aligned with North Korean strategic interests\r\nHowever, distinct differences from the KONNI group include:\r\npuNK-003 uses CURKON primarily as a downloader, while KONNI’s LINKON acts as a dropper\r\npuNK-003 
campaigns lack the VBS and BAT scripts commonly used in KONNI operations\r\nDifferent approaches to persistence and system manipulation\r\nDetection Strategies\r\nKey strategies for detecting this variant include:\r\n1. LNK File Analysis: Monitor for LNK files with obfuscated PowerShell commands\r\n2. PowerShell Command Detection: Look for scripts with encoding bypass parameters and XOR operations\r\n3. Filesystem Monitoring: Watch for hidden directories and copied system utilities (curl.exe)\r\n4. Network Traffic Analysis: Monitor for connections to WordPress sites with specific patterns and non-standard ports\r\n5. Behavioral Analysis: Detection of scheduled tasks with short intervals and mutex creation\r\nYARA Rule for Detection\r\nThe following YARA rule (in YAML syntax) can help detect the AutoIt implementation of Lilith RAT:\r\n---\r\nrule: LilithRAT_AutoIt_puNK003\r\nmeta:\r\ndescription: \"Detects puNK-003's AutoIt implementation of Lilith RAT\"\r\nauthor: \"Trojan Killer Research Team\"\r\ndate: \"2025-04\"\r\nhash1: \"5613ba2032bc1528991b583e17bad59a\"\r\nseverity: \"high\"\r\nstrings:\r\nmutex: \"Global\\\\RT3AN7C9QS-7UYE-9K6G-A8F1-HY8IT3CNMEQP ascii wide\"\r\nautoit1: \"#include \u003c ascii\"\r\nautoit2: \"Func ascii\"\r\nautoit3: \"EndFunc ascii\"\r\nfunc1: \"ISMULTIPLE ascii nocase\"\r\nfunc2: \"CheckAV ascii nocase\"\r\nav1: \"AvastUI.exe ascii wide\"\r\nav2: \"AvastSvc.exe ascii wide\"\r\nnet1: \"TCPConnect ascii\"\r\nnet2: \":57860 ascii wide\"\r\ncondition: \u003e\r\n(2 of ($autoit*)) and\r\n(\r\n$mutex or\r\n(1 of ($func*) and 1 of ($av*)) or\r\n(1 of ($av*) and 1 of ($net*))\r\n)\r\nConclusion\r\nLilith RAT represents a serious cybersecurity threat, providing attackers with extensive capabilities to control\r\ninfected systems, steal confidential information, and conduct further attacks. Its stealthy nature and advanced\r\nfeatures make it particularly dangerous for both regular users and organizations.\r\nEffective protection against Lilith RAT and similar threats requires a comprehensive approach to security,\r\nincluding the use of antivirus software, regular software updates, caution when working with email, and general\r\ncyber hygiene. 
When infection is detected, it’s important to act quickly, using reliable tools to remove the threat\r\nand minimize potential damage.\r\nFor the most effective removal of Lilith RAT, it is recommended to use specialized antivirus software such as\r\nTrojan Killer, which can detect and remove this complex threat, even when it tries to hide from standard security\r\nsolutions.\r\nSource: https://trojan-killer.net/how-to-remove-lilith-rat-complete-removal-guide/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://trojan-killer.net/how-to-remove-lilith-rat-complete-removal-guide/"
	],
	"report_names": [
		"how-to-remove-lilith-rat-complete-removal-guide"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e525bbd2-d1a5-4f35-bd4a-927ad0517723",
			"created_at": "2025-05-29T02:00:03.206997Z",
			"updated_at": "2026-04-10T02:00:03.86216Z",
			"deleted_at": null,
			"main_name": "puNK-003",
			"aliases": [],
			"source_name": "MISPGALAXY:puNK-003",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434674,
	"ts_updated_at": 1775791841,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33d56385d9aaf9d6692724ce8e253b771e294ae6.pdf",
		"text": "https://archive.orkl.eu/33d56385d9aaf9d6692724ce8e253b771e294ae6.txt",
		"img": "https://archive.orkl.eu/33d56385d9aaf9d6692724ce8e253b771e294ae6.jpg"
	}
}