{
	"id": "14ebfce1-016f-4013-8372-9d90018bc1ae",
	"created_at": "2026-04-06T00:10:56.643724Z",
	"updated_at": "2026-04-10T13:11:56.696823Z",
	"deleted_at": null,
	"sha1_hash": "4366fc8d7612d560ec800ffb5b13fda164fa6f58",
	"title": "Parasite HTTP RAT cooks up a stew of stealthy tricks | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1018302,
	"plain_text": "Parasite HTTP RAT cooks up a stew of stealthy tricks | Proofpoint US\r\nBy Proofpoint Staff, July 25, 2018\r\nPublished: 2018-07-25 · Archived: 2026-04-05 20:32:54 UTC\r\nOverview\r\nProofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground\r\nmarkets. The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it\r\nincorporates for sandbox detection, anti-debugging, anti-emulation, and other protections. The malware is also\r\nmodular in nature, allowing actors to add new capabilities as they become available or download additional\r\nmodules post infection.\r\nTo date, we have only observed Parasite HTTP in a single small email campaign with intended recipients\r\nprimarily in the information technology, healthcare, and retail industries.\r\nCampaign Analysis\r\nOn July 16, 2018, Proofpoint observed a small campaign that appeared to leverage human resources distribution\r\nlists as well as some individual recipients at a range of organizations. Specifically, the campaign targeted the\r\nfollowing distribution lists, among others:\r\nhr@[organization domain]\r\nrecruiting@\r\naccessibility@\r\nresumes@\r\nThe messages purported to be resumes or CV submissions and used subjects including:\r\nadvertised position\r\nwould like to apply\r\napplication\r\nThe messages contained Microsoft Word attachments with names such as (Figure 1):\r\nmy_cv.doc\r\nresume_.doc\r\ncvnew.doc\r\ncv.doc\r\nnew_resume.doc\r\nThe documents contained macros that, if enabled, would download Parasite HTTP from a remote site.\r\nhttps://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks\r\nPage 1 of 10\n\nFigure 1: Document attachment\r\nParasite HTTP Forum Advertisement\r\nThe first insight into the new malware observed in the campaign above came from an advertisement on an\r\nunderground forum. 
The Parasite HTTP ad details a long list of sophisticated features, many of which focus on\r\nevading detection and analysis. The full text of the advertisement appears below:\r\n*********************\r\nParasite HTTP Remote Administration Tool\r\nWhat is Parasite HTTP?\r\nParasite HTTP is a professionally coded modular remote administration tool for windows written in C that has no\r\ndependencies except the OS itself.\r\nWith the stub size of ~49kb and plugin support it presents perfect solution for controlling large amount of\r\ncomputers from a remote location.\r\nFeatures\r\nNo dependencies (Coded in C)\r\nSmall stub size (~49kb uncompressed, ~23kb compressed)\r\nDynamic API calls (No IAT)\r\nEncrypted strings\r\nBypass Ring3 hooks\r\nSecure C\u0026C panel written in PHP\r\nFirewall bypass\r\nSupports both x86 and x64 Windows OS (from XP to 10)\r\nFull unicode support\r\nhttps://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks\r\nPage 2 of 10\n\nOnline builder tied to your domain/s (Build bot bin anytime with any settings you wish)\r\nEncrypted communication with C\u0026C panel (Optional - SSL using self signed certificate)\r\nPlugin system\r\nMultiple backup domains\r\nSystem wide persistence (x86 processes only) (Optional)\r\nInjection to whitelisted system process (Optional)\r\nInstall \u0026 Melt (Optional)\r\nHidden startup (Optional)\r\nAnti-Emulation (Optional)\r\nAnti-Debug\r\nExtended statistics and informations in the panel\r\nAdvanced task management system\r\nOn Connect task (New clients will execute task/s)\r\nLow resource usage\r\nSpecial login page security code\r\nCaptcha on login page to prevent brute force attacks\r\nDownload \u0026 Execute (Supports both HTTP and HTTPS links)\r\nUpdate\r\nUninstall\r\nAvailable Plugins (Some are created by me)\r\nUser management\r\nBrowser password recovery\r\nFTP password recovery\r\nIM password recovery\r\nEmail password recovery\r\nWindows licence keys 
recovery\r\nHidden VNC\r\nReverse Socks5 proxy\r\nSystem Req\r\nPHP 5.6 or greater (Gd \u0026 OpenSSL)\r\nIonCube Loader\r\nSQL Database\r\n*********************\r\nMalware Analysis\r\nParasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion\r\ntechniques. In this section we examine the more sophisticated components.\r\nString Obfuscation\r\nParasite HTTP uses the following encoding for its obfuscated strings:\r\n4-byte XOR key\r\n2-byte string length in characters\r\nN-byte obfuscated ASCII/Unicode string\r\nThis 6-byte header immediately precedes the string data that the code references. Parasite HTTP contains four routines for\r\noperating on strings preceded by such a header. For each type of string, ASCII or Unicode, one variant leaves\r\nthe obfuscated string in place and returns a dynamically-allocated, deobfuscated version of the string. The other\r\nvariant uses VirtualProtect to make the string writable and deobfuscates it in place, setting the XOR key to 0 once the deobfuscation has\r\nbeen performed; since XOR with a zero key is a no-op, future accesses to the string effectively skip deobfuscation.\r\nSandbox Detection via Sleep Manipulation\r\nParasite HTTP uses a sleep routine to delay execution and check for sandboxes or emulation. 
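Stepping back to the string encoding described in the previous section: the following Python is an added example written for this page, not code from Parasite HTTP or from Proofpoint. It builds a header-plus-payload blob in the documented layout (4-byte XOR key, 2-byte character count, then the obfuscated ASCII or UTF-16LE string) and implements both decoding variants, the copy-out one and the in-place one that zeroes the key afterwards. Little-endian fields and a cyclic byte-wise application of the 4-byte key are assumptions; the article gives the field sizes but not the byte order or the exact XOR schedule, so a real deobfuscator has to be adjusted to what the decompiled routines actually do.

```python
import struct

# Assumed layout: little-endian 4-byte XOR key followed by a 2-byte length in
# characters (the article gives the sizes, not the byte order).
HEADER = struct.Struct('<IH')


def _xor(data, key):
    # Assumption for the example: the 4-byte key is applied cyclically, byte by
    # byte, over the string bytes.
    kb = key.to_bytes(4, 'little')
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def obfuscate(text, key, wide=False):
    # Build one header + payload blob the way a builder for the malware might.
    raw = text.encode('utf-16-le' if wide else 'ascii')
    return HEADER.pack(key, len(text)) + _xor(raw, key)


def _span(blob, off, wide):
    # Locate the string bytes that follow the header at offset off.
    key, n = HEADER.unpack_from(blob, off)
    start = off + HEADER.size
    return key, start, start + n * (2 if wide else 1)


def decode_copy(blob, off=0, wide=False):
    # Variant 1: leave the blob untouched and return a fresh decoded string.
    key, start, end = _span(blob, off, wide)
    return _xor(blob[start:end], key).decode('utf-16-le' if wide else 'ascii')


def decode_in_place(blob, off=0, wide=False):
    # Variant 2: decode into the (writable) image, then zero the key in the
    # header so a later call XORs the plaintext with 0 and changes nothing.
    # blob must be a bytearray, standing in for the VirtualProtect-ed image.
    key, start, end = _span(blob, off, wide)
    blob[start:end] = _xor(blob[start:end], key)
    _, n = HEADER.unpack_from(blob, off)
    HEADER.pack_into(blob, off, 0, n)
    return blob[start:end].decode('utf-16-le' if wide else 'ascii')


if __name__ == '__main__':
    # Constructed sample: an ASCII string and a UTF-16LE string.
    image = bytearray(obfuscate('kernel32.dll', 0x4F11A9C3))
    print(decode_copy(image), decode_in_place(image), decode_in_place(image))
    wide = bytearray(obfuscate('ntdll.dll', 0x13579BDF, wide=True))
    print(decode_in_place(wide, wide=True))
```

Zeroing the key is what makes the in-place variant idempotent: a second pass XORs the now-plaintext bytes with 0, so the routine can be called from every use site without tracking which strings are already decoded. When writing an IDA or Ghidra script for a sample like this, the same two functions apply, with the image bytes in place of the constructed blob.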
Specifically, it\r\nemploys the following code to perform its sleeps:\r\nFigure 2: Routine that Parasite HTTP uses to perform sleeps in 10ms increments (decompiled and with functions\r\nrenamed for readability)\r\nThe above function is called by a routine that performs a sandbox check for the expected passage of time as well\r\nas non-interference with its own handling of breakpoint instructions it has placed in the checking routine\r\n(removed from the display below for readability):\r\nFigure 3: Function that detects sandbox environments by checking for the passage of time and non-interference\r\nwith its own handling of breakpoint instructions\r\nDuring the interval between the installation and removal of the vectored exception handler, several breakpoint\r\ninstructions are executed in the function, which triggers execution of this vectored exception handler, shown\r\nbelow. That handler sets the global flag which notifies the parent function that the handler has run and skips over\r\nthe breakpoint instruction. This code has been copied verbatim from an example of anti-debugging code posted in\r\na public repository [1].\r\nFigure 4: Exception handler\r\nThe sandbox checking routine first checks to ensure that the exception handler in Figure 4 has run. It then checks\r\nwhether between 900ms and two seconds elapsed in response to the routine’s 1 second sleep split into 10ms\r\nincrements. Sandboxes using code like that available in [1], for example, would run afoul of this particular\r\nsandbox check.\r\nObfuscation of Sandbox Detection via Skipping of Allocation of Critical Buffers\r\nWhen Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. 
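Before looking at how detection is hidden, the timing half of the sleep check above as an added model in Python (not the malware's code and not from the original post): one second of sleep requested as one hundred 10 ms slices through an injectable sleep function, accepted only if the clock moved by 900 ms to 2 s. The vectored-exception-handler flag from Figure 3 and Figure 4 is not modelled. The three simulated environments (an honest host, a hook that skips the sleep without advancing the clock, and a slow emulator) are constructed for the example.

```python
import time

SLICE_MS = 10        # sleep granularity used by the malware (Figure 2)
TOTAL_MS = 1000      # the routine sleeps for one second in total
MIN_OK_MS = 900      # accepted window for the measured elapsed time ...
MAX_OK_MS = 2000     # ... as described for Figure 3


def sliced_sleep(sleep_ms, total_ms=TOTAL_MS, slice_ms=SLICE_MS):
    # Sleep total_ms as a loop of short slices through the supplied sleep
    # function (the real code calls the Win32 API; here it is injectable).
    for _ in range(total_ms // slice_ms):
        sleep_ms(slice_ms)


def timing_check(sleep_ms, now_ms, total_ms=TOTAL_MS):
    # Returns (passed, elapsed_ms). passed is False when the clock advanced
    # too little (sleeps were skipped) or too much (heavy instrumentation).
    start = now_ms()
    sliced_sleep(sleep_ms, total_ms)
    elapsed = now_ms() - start
    return MIN_OK_MS <= elapsed <= MAX_OK_MS, elapsed


class SimClock:
    # Simulated monotonic clock so the three environments are deterministic.
    def __init__(self):
        self.t = 0

    def now(self):
        return self.t

    def honest_sleep(self, ms):
        # Normal host: each slice takes the requested time plus a little overhead.
        self.t += ms + 1

    def skipping_sleep(self, ms):
        # Sandbox hook that returns immediately and leaves the clock alone.
        pass

    def stretched_sleep(self, ms):
        # Slow emulator: every slice takes several times longer than requested.
        self.t += ms * 3


def run_scenario(kind):
    # kind is one of 'honest', 'skipping', 'stretched'; returns (passed, elapsed).
    clock = SimClock()
    sleep_fn = {'honest': clock.honest_sleep,
                'skipping': clock.skipping_sleep,
                'stretched': clock.stretched_sleep}[kind]
    return timing_check(sleep_fn, clock.now)


if __name__ == '__main__':
    # Real run on this host: time.sleep in 10 ms slices against time.monotonic.
    passed, elapsed = timing_check(lambda ms: time.sleep(ms / 1000.0),
                                   lambda: time.monotonic() * 1000.0)
    print(passed, round(elapsed))
    for kind in ('honest', 'skipping', 'stretched'):
        print(kind, run_scenario(kind))
```

Run as a script it performs the real check with time.sleep against time.monotonic. The skipping case is the one the article attributes to sandboxes built on code like [1]: returning from the sleep hook immediately, without also moving the clock the malware reads, leaves the elapsed time near zero, well outside the accepted window.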
It does not\r\nsimply exit or throw an error, instead making it difficult for researchers to determine why the malware did not run\r\nproperly and crashed. In the screenshot below, we can see how Parasite HTTP uses its sandbox detection in a\r\nclever way to result in a later crash on attempting to use a buffer whose allocation was skipped:\r\nFigure 5: Code snippet showing mechanism by which critical buffers required for malware functioning are not\r\nallocated if a sandbox is detected\r\nHeap Clearing Bug\r\nParasite HTTP also contains a bug in its manual reimplementation of GetProcAddress that results in\r\nits heap-clearing code never executing. This can be seen in the following commented decompilation:\r\nFigure 6: Commented decompilation showing a bug in Parasite HTTP\r\nThe malware attempts to resolve a function named HeapSize to its associated address within kernel32.dll.\r\nHowever, its manual GetProcAddress function lacks support for resolving forwarded exports. In this case, since\r\nHeapSize is in fact a forwarded export to NTDLL’s RtlSizeHeap function, the function will return NULL and\r\nHeapSize and the associated clearing will never be called. This is easily confirmed by monitoring calls to\r\nRtlFreeHeap.\r\nUse of Researcher Code from Github for Detecting Sandbox Hooking via Write Watches\r\nParasite HTTP adapts code from a public repository [3] for its own sandbox detection purposes. The code is\r\ncopied verbatim, with the API resolution replaced with its own internal code, the prints removed, and the file and\r\nenvironment variable names generated randomly. Of note is that the GetWriteWatch API in this case detects more\r\nthan just writes. 
Due to demand paging in Windows, the first access, whether read or write, to the allocation\r\ncreated will result in the page table entries being instantiated and counted as a “write” for the purposes of\r\nGetWriteWatch. Since the APIs being called with invalid arguments would never read or write to the allocated\r\nbuffer, hooks that read from the buffer prematurely, or even on failure of the API as in [2], would trip\r\nthis sandbox detection.\r\nRemapping of NTDLL via KnownDlls32\\ntdll.dll for Hook Evasion\r\nOn Windows 7 and newer, where KnownDlls functionality is available, Parasite HTTP resolves certain\r\ncritical APIs by using a DLL remapping technique that, while previously documented, has not, to our knowledge,\r\nbeen used recently in other major malware families. Malware behavior hidden by this technique includes process\r\ninjection and the Poweliks technique of including a NUL character in registry value names. The malware\r\npreserves support for older versions of Windows by falling back to using the existing copy of NTDLL loaded in\r\nmemory. This behavior can be seen in the following decompilation listing:\r\nFigure 7: Code snippet showing NTDLL remapping\r\nMapping the new copy of NTDLL effectively provides it with a copy free of any hooks placed on the initial\r\nNTDLL mapping, rendering its thread injection and registry modifications invisible to most userland hooking\r\nimplementations. Further, since this mapping is accomplished with NtOpenSection and NtMapViewOfSection, it\r\nwill not involve the typical calls to filesystem APIs used by other variants of the technique to achieve the same\r\ngoal.\r\nObfuscated Checking for Breakpoints within a Critical Function of the Malware\r\nParasite HTTP includes an obfuscated check for debugger breakpoints within a range of its own code. 
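The following Python is an added example (not the malware's code and not from the original post) of the naive byte-by-byte int3 scan that the check in this section performs, run over a constructed 13-byte x86 fragment whose encodings are annotated inline. A 0xCC inside the immediate of mov eax, 0xCC and inside the disp8 of mov eax, [ebp-0x34] is reported exactly like the 0xCC a debugger writes for a software breakpoint. The second function shows the decoder-free alternative an author could have used instead: compare the range against a pristine copy of the same bytes, so only bytes that actually changed are reported.

```python
# Constructed 13 bytes of 32-bit x86 code with the encodings written out; it
# is an example fragment, not bytes from Parasite HTTP. Two 0xCC bytes occur
# legitimately inside operands.
CLEAN_CODE = bytes([
    0x55,                           # push ebp
    0x89, 0xE5,                     # mov ebp, esp
    0xB8, 0xCC, 0x00, 0x00, 0x00,   # mov eax, 0xCC        0xCC is an imm32 byte
    0x8B, 0x45, 0xCC,               # mov eax, [ebp-0x34]  0xCC is the disp8
    0x5D,                           # pop ebp
    0xC3,                           # ret
])

INT3 = 0xCC


def naive_int3_scan(code):
    # The byte-by-byte scan described in the article: every 0xCC is counted,
    # whether it is an int3 opcode or part of an immediate, displacement or address.
    return [i for i, b in enumerate(code) if b == INT3]


def modified_offsets(code, reference):
    # Decoder-free alternative: compare the mapped range with a pristine copy.
    # A software breakpoint replaces the first byte of an instruction with 0xCC,
    # so it shows up as a changed byte; operand bytes that were 0xCC all along do not.
    if len(code) != len(reference):
        raise ValueError('ranges differ in length')
    return [i for i, (a, b) in enumerate(zip(code, reference)) if a != b]


def set_software_breakpoint(code, offset):
    # Model of a debugger: save the original byte and write 0xCC in its place.
    patched = bytearray(code)
    patched[offset] = INT3
    return bytes(patched)


if __name__ == '__main__':
    with_bp = set_software_breakpoint(CLEAN_CODE, 0)
    print(naive_int3_scan(CLEAN_CODE), naive_int3_scan(with_bp))
    print(modified_offsets(CLEAN_CODE, CLEAN_CODE), modified_offsets(with_bp, CLEAN_CODE))
```

A pristine copy can come from the on-disk image or from a checksum taken at build time; either way the comparison is indifferent to what the bytes encode, which is exactly what the byte scan lacks.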
This\r\nfunctionality is only used in one location to check a single function in the malware that calls out to the sandbox\r\ndetection based on GetWriteWatch checks (Figure 8):\r\nFigure 8: Obfuscated check for debugger breakpoints\r\nThis code is also copied from [1] with the malware having implemented the added “level of indirection”\r\nmentioned in the code comment. It is worth noting that this technique is naive and unreliable long-term over\r\narbitrary code, as unintentional 0xcc bytes can be found in a simple byte-by-byte scan of code through certain\r\ninstruction encodings, local stack frame offsets, relative references, indirect addresses, or immediate constants.\r\nExtension of Themida/Formbook Technique for Unhooking APIs in NTDLL/Kernel32/Kernelbase\r\nIn its initial process, Parasite HTTP removes hooks on the aforementioned DLLs by reading them in from disk and\r\ncomparing the first 5 bytes of each exported function to those present in the currently mapped version in\r\nmemory. Though this technique is naive in its implementation, not making use of any instruction decoder and\r\nlimiting itself to 5 hardcoded bytes, it is effective in practice. Consider the case of a sandbox using an indirect\r\njump (6 bytes) for its hooks -- the malware will restore only the first 5 bytes to the original, leaving the final byte\r\nof the hook in place, most likely resulting in a crash upon its execution.\r\nConclusion\r\nThreat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection\r\nrates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in\r\nsandboxes and via automated anti-malware systems. 
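Returning to the unhooking routine described in the previous section, here is an added Python model (constructed ntdll-style stub bytes, not the malware's code and not from the original post) of the 5-byte restore. A 5-byte relative jmp hook is undone cleanly, while a 6-byte indirect jmp (FF 25 plus a 32-bit pointer address) leaves its final byte in place at offset 5, exactly the situation the article says most likely ends in a crash. The addresses used for the hooks are arbitrary values chosen for the example.

```python
# Constructed x86 (32-bit) ntdll-style syscall stub standing in for one exported
# function as read from disk; the bytes are chosen for the example, not taken
# from a real ntdll.dll.
ON_DISK = bytes([
    0xB8, 0xC6, 0x00, 0x00, 0x00,   # mov eax, 0xC6         service number
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   # mov edx, 0x7FFE0300   system call stub pointer
    0xFF, 0x12,                     # call [edx]
    0xC2, 0x2C, 0x00,               # ret 0x2C
])


def jmp_rel32(hook_target, function_addr):
    # 5-byte hook: E9 rel32, with rel32 taken from the end of the jmp itself.
    rel = (hook_target - (function_addr + 5)) & 0xFFFFFFFF
    return bytes([0xE9]) + rel.to_bytes(4, 'little')


def jmp_indirect(pointer_addr):
    # 6-byte hook: FF 25 abs32, jumps through the pointer stored at abs32.
    return bytes([0xFF, 0x25]) + pointer_addr.to_bytes(4, 'little')


def install_hook(mapped, trampoline):
    # What a userland hooking engine does: overwrite the start of the function.
    patched = bytearray(mapped)
    patched[:len(trampoline)] = trampoline
    return bytes(patched)


def restore_prefix(mapped, on_disk, n=5):
    # The unhooking step from the article: compare the first n bytes of the
    # mapped function with the on-disk copy and, if they differ, copy those
    # n bytes back. Returns (new bytes, whether anything was restored).
    if mapped[:n] == on_disk[:n]:
        return mapped, False
    return on_disk[:n] + mapped[n:], True


def leftover_hook_bytes(mapped, on_disk):
    # Offsets still differing after the restore; anything here means the
    # function is now a mix of original and hook bytes.
    return [i for i, (a, b) in enumerate(zip(mapped, on_disk)) if a != b]


def demo(n=5):
    # Leftover offsets after an n-byte restore for a 5-byte and a 6-byte hook.
    five = install_hook(ON_DISK, jmp_rel32(0x10002000, 0x77E01000))
    six = install_hook(ON_DISK, jmp_indirect(0x10005000))
    r5, _ = restore_prefix(five, ON_DISK, n)
    r6, _ = restore_prefix(six, ON_DISK, n)
    return leftover_hook_bytes(r5, ON_DISK), leftover_hook_bytes(r6, ON_DISK)


if __name__ == '__main__':
    print(demo(5), demo(16))
```

Restoring a longer window is the cheap fix (the example also shows n=16), but any fixed length is still a guess; the robust approach is to compare and restore whole function bodies, or to decode instruction lengths so the restore ends on an instruction boundary.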
For consumers, organizations, and defenders, Parasite HTTP represents\r\nthe latest escalation in an ongoing malware arms race that extends even to commodity malware like Parasite.\r\nWhile we have currently only observed Parasite HTTP in a small campaign, we expect to see features like those\r\nused in Parasite continue to propagate across other malware variants.\r\nReferences\r\n[1] https://github.com/spender-sandbox/cuckoomon-modified/blob/MSVC/hook_sleep.c#L122\r\n[2] https://github.com/spender-sandbox/cuckoomon-modified/blob/MSVC/hook_thread.c#L232\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\n6479a901a17830de31153cb0c9f0f7e8bb9a6c00747423adc4d5ca1b347268dc | SHA256 | Macro Document\r\nhxxp://dboxhost[.]tk/moz/bza.exe | URL | Document Payload (Parasite HTTP)\r\nb52706530d7b56599834615357e8bbc1f5bed669001c06830029784eb4669518 | SHA256 | Parasite HTTP\r\nxetrodep[.]top | Domain | Parasite HTTP C\u0026C\r\njekoslo[.]space | Domain | Parasite HTTP C\u0026C\r\nbefrodet[.]top | Domain | Parasite HTTP C\u0026C\r\nET and ETPRO Suricata/Snort/ClamAV Signatures\r\n2831834 || ETPRO TROJAN Parasite HTTP Checkin\r\nSource: https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks"
	],
	"report_names": [
		"parasite-http-rat-cooks-stew-stealthy-tricks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4366fc8d7612d560ec800ffb5b13fda164fa6f58.pdf",
		"text": "https://archive.orkl.eu/4366fc8d7612d560ec800ffb5b13fda164fa6f58.txt",
		"img": "https://archive.orkl.eu/4366fc8d7612d560ec800ffb5b13fda164fa6f58.jpg"
	}
}