{
	"id": "afd724a1-edd3-4037-a6d9-46c4cae8bd0b",
	"created_at": "2026-04-06T00:13:02.825272Z",
	"updated_at": "2026-04-10T03:23:51.363371Z",
	"deleted_at": null,
	"sha1_hash": "35d9dfc5d837e380845e60099df4874d18ba5c7e",
	"title": "Revenge RAT Targeting Users in South America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2848560,
	"plain_text": "Revenge RAT Targeting Users in South America\r\nBy Abhijit Mohanta\r\nPublished: 2020-12-29 · Archived: 2026-04-05 20:56:52 UTC\r\nThe Uptycs threat research team recently came across multiple document samples that download Revenge RAT.\r\nThe campaign currently seems to be active in Brazil. All of the malware samples we received have the same\r\nproperties. One of the samples we received has the name “Rooming List Reservas para 3 Familias.docx” (SHA-256: 91611ac2268d9bf7b7cb2e71976c630f6b4bfdbb68774420bf01fd1493ed28c7). The document has only a few\r\ndetections in VirusTotal.\r\nFigure 1: VirusTotal detections for the document. (Image via VirusTotal.)\r\nUpon opening the document, a series of events happen that lead to the download of Revenge RAT malware hosted\r\non a Brazilian website (hxxp://azulviagens[.]online). Azul Viagens is a legitimate hotel chain in Brazil and the\r\nofficial website of the hotel can be found here.\r\nAttackers registered the fake domain name and used a room reservation document file to infect the end user. The\r\nattack is multi-stage with the components used in the attack spread across multiple files on the attacker’s server.\r\nThe WHOIS records for hxxp://azulviagens[.]online seems to have been registered on December 10, 2020 with\r\nthe email ID mmpereiramm30@gmail.com.\r\nThe Attack Flow\r\nThe components of the attack span multiple stages. 
Figure 2 (below) shows the steps involved in the attack.\r\nhttps://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america\r\nPage 1 of 13\n\nFigure 2: The attack flow.\r\nStep 1: The DOCX file (“Rooming List Reservas para 3 Familias.docx”) used in the attack vector downloads the “1.docx” (template) from the CnC server.\r\nSteps 2 and 3: The embedded “Microsoft_Excel_Macro-Enabled_Worksheet1.xlsm” file in \"1.docx\" (template) downloads the PowerShell code “A.txt” from the CnC server and executes it in memory.\r\nStep 4: The PowerShell code in “A.txt” downloads “index.mp3” from the CnC server and saves it as “index.vbs.”\r\nStep 5: Upon execution, “index.vbs” creates “opera.vbs,” which contains code to execute “opera.ps1,” created in the next step.\r\nStep 6: “index.vbs” downloads “1.txt” and saves it as “opera.ps1,” which contains the obfuscated Revenge RAT.\r\nStep 7: “opera.vbs” executes “opera.ps1.”\r\nA detailed analysis of the files used during the various stages of the attack is provided below.\r\nThe Initial Document\r\nThe initial document, “Rooming List Reservas para 3 Familias.docx,” used as the attack vector is a DOCX file. The document uses a technique known as Dynamic Office Template Injection to bypass security products. This allows the attacker to store the malicious file on a remote server. This technique can evade anti-malware solutions that rely on static detection.\r\nThe document has the structure shown in Figure 3 (below). The structure contains a file named “footer.xml.rels.” The “target” fields in the file point to the templates hosted on the CnC server. There are several URLs in the “target” fields that point to files “1.docx” all the way to “9.docx” hosted on the CnC server. 
Each of the files has the same content (the same SHA-256: 338b2d8d76f4028bfbd177127371b2509971606553d606c534316dc40cfa8fb9).\r\nFigure 3: Structure of the DOCX and footer.xml.rels pointing to the malicious template.\r\nWhen the victim opens the document, one of the templates is downloaded and executed.\r\nThe Template File\r\nThe template files (\"1.docx\" ... \"9.docx\") follow the structure shown in Figure 4 (below). The settings.xml in the structure has “target” fields that point to XLSM files, which are present in the “embeddings” directory in the structure of the DOCX file.\r\nThe XLSM files “Microsoft_Excel_Macro-Enabled_Worksheet.xlsm” to “Microsoft_Excel_Macro-Enabled_Worksheet9.xlsm” have the same contents (same SHA-256: 32f1a502126b1932e1def04b98d8be235c8d25ef7268f8cb35d460cd073a88b2). When a template file (\"1.docx\" ... \"9.docx\") is executed by Microsoft Word, it executes one of the XLSM files (“Microsoft_Excel_Macro-Enabled_Worksheet.xlsm” to “Microsoft_Excel_Macro-Enabled_Worksheet9.xlsm”).\r\nFigure 4: XLSM files inside the 1.docx template.\r\nThe XLSM File\r\nThe XLSM file follows the structure shown in Figure 5 (below). The structure contains macros in the “VBAProject.bin” file. 
The following screenshot shows the stream containing the macros.\r\nFigure 5: Macros in XLSM.\r\nThere are two important macros present in the BIN file: “Macro 1” kills the Microsoft Word process “winword.exe” and “Macro 2” downloads and executes the PowerShell code present at the URL “hxxp://azulviagens[.]online/A.txt” in memory.\r\nFigure 6 (below) shows the contents of “A.txt.”\r\nFigure 6: PowerShell script in hxxp://azulviagens[.]online/A.txt.\r\nWhen the PowerShell code in “A.txt” is executed, it downloads the contents of “index.mp3,” saves it to the file “index.vbs,” and executes it.\r\nIndex.vbs\r\nFigure 7 (below) shows the code in “index.vbs.” When “index.vbs” is executed, it creates another two files, “opera.vbs” and “opera.ps1,” in the “C:\\Users\\Public\\” directory. “Index.vbs” downloads the contents of hxxp://azulviagens[.]online/1.txt and saves it to “opera.ps1.” The “index.vbs” file places the following command in “opera.vbs”:\r\nl.exe -nologo -ExecutionPolicy Unrestricted -File C:\\Users\\Public\\Opera.ps1\r\nThe command is then executed. When executed, “opera.vbs” runs the file “opera.ps1.”\r\nFigure 7: Code in index.mp3 (index.vbs).\r\nOpera.ps1\r\n“Opera.ps1” is a highly obfuscated PowerShell script (see Figure 8, below). One thing that catches our eye is the string “4D 5A,” which is the magic header of a Windows executable.\r\nFigure 8: 4D5A in opera.ps1.\r\nAfter de-obfuscating the PowerShell code, we were able to retrieve the Windows executable, which is the Revenge RAT. 
Below is the description of the Revenge RAT we extracted.\r\nSimilar PowerShell code was also found hosted on x-root.net, which was also registered in recent months.\r\nUptycs’ EDR capabilities can decode the obfuscated PowerShell code, as shown in the screenshot below (Figure 9).\r\nFigure 9: Deobfuscated PowerShell code.\r\nRevenge RAT was first seen in mid-2016. The RAT is coded in .NET. The Revenge RAT we extracted is not a packed binary, and the code is clearly visible. Below is a description of the various classes and methods present in the decompiled code.\r\nProgram\r\nThe “Program” class shown in Figure 10 (below) contains the main function of the program. The main() function creates a mutex and then executes the rest of the code.\r\nFigure 10: Program class.\r\nRAT Configuration\r\nFigure 11 (below) contains the configuration for the RAT, which is used during execution.\r\nFigure 11: RAT configuration.\r\nBelow are some members of the config class and their functionality:\r\nhost : CnC server\r\nport : CnC port\r\nid : Unique identity of the installed RAT on the victim machine\r\ncurrentMutex : Mutex placed by the RAT on the system\r\nstopwatch() : A member function that can be used to reset the stopwatch\r\nIdGenerator\r\nThe IdGenerator class shown in Figure 12 (below) is used for creating a unique ID for the victim machine, which the RAT sends to the CnC server. A unique string ID is generated by retrieving various system attributes using the methods in the class. 
Below are some of the methods:\r\nGetActiveWindow : Get the active window (the window of the application the user is currently using)\r\nGetAV : Get the antivirus products installed on the system\r\nGetCamera : Get information about the camera\r\nGetCpu : Get CPU information\r\nGetHardDiskSerialNumber : Get the hard disk serial number\r\nGetIp : Get the IP address\r\nGetSystem : Get processor information\r\nSendInfo : Concatenate the information collected by the previous methods into the string “id”\r\nFigure 12: Components of the IdGenerator class.\r\nClient\r\nThe Client class implements the network client of the RAT. It has the following methods:\r\nPing : Pings the CnC server\r\nTCPReceive : Receive data from the server\r\nTCPSend : Send data to the server\r\nHandler\r\nThe Handler class shown in Figure 13 (below) is used to process the CnC commands received from the attacker.\r\nFigure 13: CnC commands.\r\nBelow is the list of commands:\r\nPNC : Reset the stopwatch\r\nP : Send the active windows to the CnC\r\nIE : Check for installed plugins\r\nLP : Invoke plugin\r\nUNV : Uninstall, restart the RAT\r\nVariants of Revenge RAT are known to have many other capabilities, as listed below:\r\nScreen capture\r\nKeylogging\r\nVideo capture\r\nCredential dumping\r\nAudio capture\r\nUptycs EDR Detections\r\nThe following images show Uptycs EDR detection for the threat.\r\nFigure 14: Uptycs EDR detections.\r\nFigure 15: Process graph in Uptycs EDR.\r\nFigure 16: Process graph continued. 
Indicators of Compromise\r\nBelow is the list of IOCs seen in the Revenge RAT attack.\r\nHashes\r\nInitial attack document\r\n91611ac2268d9bf7b7cb2e71976c630f6b4bfdbb68774420bf01fd1493ed28c7\r\nInitial attack document\r\n77d6651de47bff4c24fc26fa018ea648b0e14e276e8240fae6b1724b8638c46a\r\n1.docx (template)\r\n338b2d8d76f4028bfbd177127371b2509971606553d606c534316dc40cfa8fb9\r\nMicrosoft_Excel_Macro-Enabled_Worksheet.xlsm\r\n32f1a502126b1932e1def04b98d8be235c8d25ef7268f8cb35d460cd073a88b2\r\nA.txt\r\n4b65e5785692950f8100b22f2827d65ba93e99dd717eb444af035e96fcd84763\r\nopera.ps1\r\n03f5ff9b6a6b24f76799cc15fe3f1fbf1ca9d6dda30a4154125ed5dd5834290c\r\nRevenge RAT\r\n73f113a6146224c4a1f92f89055922a28322787c108e30000a0a420fa46ed9e2\r\nURLs\r\nhxxp://azulviagens[.]online\r\nCdtpitbull[.]hopto[.]org\r\nYARA Rule\r\nrule upt_Revenge_RAT {\r\n    meta:\r\n        description = \"Revenge-RAT\"\r\n        sha256 = \"73f113a6146224c4a1f92f89055922a28322787c108e30000a0a420fa46ed9e2\"\r\n        author = \"abhijit mohanta\"\r\n        date = \"20 Dec 2020\"\r\n    strings:\r\n        $upt_Revenge_RAT0 = \"Revenge-RAT\" ascii wide nocase\r\n        $upt_Revenge_RAT1 = \"mscoree.dll\" ascii wide nocase\r\n        $upt_Revenge_RAT2 = \"REVEGERRRRR.exe\" ascii wide nocase\r\n        $upt_Revenge_RAT3 = \"keepAlivePing!\" ascii wide nocase\r\n        $upt_Revenge_RAT4 = \"AntiVirusProduct\" ascii wide nocase\r\n        $upt_Revenge_RAT5 = \"FirewallProduct\" ascii wide nocase\r\n    condition:\r\n        all of ($upt_Revenge_RAT*)\r\n}\r\nSource: https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america"
	],
	"report_names": [
		"revenge-rat-targeting-users-in-south-america"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35d9dfc5d837e380845e60099df4874d18ba5c7e.pdf",
		"text": "https://archive.orkl.eu/35d9dfc5d837e380845e60099df4874d18ba5c7e.txt",
		"img": "https://archive.orkl.eu/35d9dfc5d837e380845e60099df4874d18ba5c7e.jpg"
	}
}