{
	"id": "116adb5c-325f-46e6-a833-f8da6cc9da78",
	"created_at": "2026-04-06T00:09:34.714279Z",
	"updated_at": "2026-04-10T03:34:16.01649Z",
	"deleted_at": null,
	"sha1_hash": "447aafc9072088a52f0349353d7649a05b6f79d7",
	"title": "Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 388665,
	"plain_text": "Beware! Undetectable CrossRAT malware targets Windows,\r\nmacOS, and Linux systems\r\nBy The Hacker News\r\nPublished: 2018-01-25 · Archived: 2026-04-05 18:50:22 UTC\r\nAre you using Linux or macOS? If you think your system is not prone to viruses, then you should read this.\r\nCybercriminals are now using a new piece of 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems.\r\nJust last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in global mobile espionage campaigns.\r\nAlthough the report focused on the group's successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to have been developed by, or for, the Dark Caracal group.\r\nCrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on infected systems.\r\nhttps://thehackernews.com/2018/01/crossrat-malware.html\r\nPage 1 of 4\r\nAccording to researchers, Dark Caracal does not rely on any \"zero-day exploits\" to distribute its malware; instead, it uses basic social engineering via posts in Facebook groups and WhatsApp messages, encouraging users to visit attacker-controlled fake websites and download malicious applications.\r\nCrossRAT is written in the Java programming language, making it easy for reverse engineers and researchers to decompile.\r\nSince at the time of writing only two out of 58 popular antivirus solutions (according to VirusTotal) detect CrossRAT, ex-NSA hacker Patrick Wardle decided to analyse the malware and provide a comprehensive technical overview covering its persistence mechanism, its command and control communication, and its capabilities.\r\nCrossRAT 0.1 — Cross-Platform Persistent Surveillance Malware\r\nOnce executed on the targeted system, the implant (hmar6.jar) first checks which operating system it is running on and then installs itself accordingly.\r\nThe CrossRAT implant also attempts to gather information about the infected system, including the installed OS version, kernel build and architecture.\r\nOn Linux systems, the malware additionally attempts to query systemd files to determine the distribution, such as Arch Linux, CentOS, Debian, Kali Linux, Fedora, and Linux Mint, among many others.\r\nCrossRAT then implements OS-specific persistence mechanisms so that it is automatically re-executed whenever the infected system reboots, and registers itself with the C\u0026C server, allowing remote attackers to send commands and exfiltrate data.\r\nAs reported by Lookout researchers, the CrossRAT variant distributed by the Dark Caracal hacking group connects to 'flexberry(dot)com' on port 2223; this information is hardcoded in the 'crossrat/k.class' file.\r\nCrossRAT Includes Inactive Keylogger Module\r\nThe malware has been designed with some basic surveillance capabilities, which are triggered only when the corresponding predefined commands are received from the C\u0026C server.\r\nInterestingly, Patrick noticed that CrossRAT also bundles 'jnativehook,' an open-source Java library for listening to keyboard and mouse events, but the malware has no predefined command to activate this keylogger.\r\n\"However, I didn’t see any code within that implant that referenced the jnativehook package—so at this point it appears that this functionality is not leveraged? There may be a good explanation for this. As noted in the report, the malware identifies its version as 0.1, perhaps indicating it’s still a work in progress and thus not feature complete,\" Patrick said.\r\nHow to Check If You're Infected with CrossRAT?\r\nSince CrossRAT persists in an OS-specific manner, detecting the malware depends on which operating system you are running.\r\nFor Windows:\r\nCheck the 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\' registry key.\r\nIf infected, it will contain a command that includes java, -jar and mediamgrs.jar.\r\nFor macOS:\r\nCheck for the jar file mediamgrs.jar in ~/Library.\r\nAlso look for a launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.\r\nFor Linux:\r\nCheck for the jar file mediamgrs.jar in /usr/var.\r\nAlso look for an 'autostart' file in ~/.config/autostart, likely named mediamgrs.desktop.\r\nHow to Protect Against CrossRAT Trojan?\r\nOnly 2 out of 58 antivirus products detect CrossRAT at the time of writing, which means your AV is unlikely to protect you from this threat.\r\n\"As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java,\" Patrick said.\r\n\"Thus, most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra).\"\r\nUsers are advised to install behaviour-based threat detection software. Mac users can use BlockBlock, a simple utility developed by Patrick that alerts users whenever anything is persistently installed.\r\n
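The detection guidance above is a manual checklist. As an added example (not code from the article or from Patrick Wardle's analysis), the following Python script turns it into an offline check: it reads the HKCU Run key on Windows, looks for the exact macOS and Linux file names the article lists, and, going one step further than the article, parses every launch agent plist and autostart .desktop entry for the 'java -jar ... mediamgrs.jar' launch signature so that a renamed persistence entry is still caught. The function names, the home and root parameters, and the treatment of these indicator names as the only signal are my own assumptions; a clean result means only that these particular artifacts are absent.

```python
import os
import plistlib
import sys
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Indicator names taken from the article's detection guidance.
JAR_NAME = 'mediamgrs.jar'
PLIST_NAME = 'mediamgrs.plist'
DESKTOP_NAME = 'mediamgrs.desktop'
BACKSLASH = chr(92)  # a literal backslash, assembled so this listing contains none
REG_RUN_PATH = BACKSLASH.join(('Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Run'))


def is_crossrat_command(command: str) -> bool:
    '''True when a launch command matches the signature the article gives for the
    Windows Run key: it invokes java with -jar and references mediamgrs.jar.'''
    low = command.lower()
    return 'java' in low and '-jar' in low and JAR_NAME in low


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    '''Return the names of Run-key values whose command matches the signature.
    run_values maps value name to command string, as read_run_key() returns.'''
    return sorted(name for name, cmd in run_values.items() if is_crossrat_command(cmd))


def read_run_key() -> Dict[str, str]:
    '''Read the HKCU Run key on Windows; returns an empty dict on other platforms.'''
    if sys.platform != 'win32':
        return {}
    import winreg  # standard library, Windows only
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_RUN_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def desktop_exec_matches(path: str) -> bool:
    '''Parse a freedesktop .desktop autostart entry and check its Exec= line.'''
    try:
        with open(path, encoding='utf-8', errors='replace') as fh:
            for line in fh:
                if line.strip().lower().startswith('exec='):
                    return is_crossrat_command(line.split('=', 1)[1])
    except OSError:
        pass
    return False


def plist_matches(path: str) -> bool:
    '''Parse a launchd agent plist and check Program / ProgramArguments.'''
    try:
        with open(path, 'rb') as fh:
            plist = plistlib.load(fh)
    except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
        return False  # unreadable or malformed plist: not a match, not an error
    if not isinstance(plist, dict):
        return False
    args = [str(a) for a in (plist.get('ProgramArguments') or [])]
    return is_crossrat_command(' '.join([str(plist.get('Program') or '')] + args))


def scan_unix(home: str, root: str = '/') -> List[str]:
    '''Check the macOS and Linux artifacts named in the article, then inspect every
    launch agent and autostart entry for the launch signature regardless of file
    name. home and root are parameters so the scan can run against a test tree.'''
    hits = []
    # Exact paths from the article (macOS first, then Linux).
    for candidate in (
        os.path.join(home, 'Library', JAR_NAME),
        os.path.join(root, 'Library', 'LaunchAgents', PLIST_NAME),
        os.path.join(home, 'Library', 'LaunchAgents', PLIST_NAME),
        os.path.join(root, 'usr', 'var', JAR_NAME),
        os.path.join(home, '.config', 'autostart', DESKTOP_NAME),
    ):
        if os.path.isfile(candidate):
            hits.append(candidate)
    # Content-based checks, so a renamed persistence entry is still found.
    for agent_dir in (os.path.join(root, 'Library', 'LaunchAgents'),
                      os.path.join(home, 'Library', 'LaunchAgents')):
        if os.path.isdir(agent_dir):
            for name in os.listdir(agent_dir):
                full = os.path.join(agent_dir, name)
                if name.endswith('.plist') and full not in hits and plist_matches(full):
                    hits.append(full)
    autostart = os.path.join(home, '.config', 'autostart')
    if os.path.isdir(autostart):
        for name in os.listdir(autostart):
            full = os.path.join(autostart, name)
            if name.endswith('.desktop') and full not in hits and desktop_exec_matches(full):
                hits.append(full)
    return sorted(hits)


if __name__ == '__main__':
    found = scan_unix(os.path.expanduser('~')) + suspicious_run_values(read_run_key())
    print('CrossRAT persistence indicators found:' if found else 'no CrossRAT persistence indicators found')
    for item in found:
        print('  ' + item)
```

Run it as the user whose profile you want to inspect; per-user persistence lives under that user's home, so a scan run as root covers /Library/LaunchAgents and /usr/var but not another user's ~/Library or ~/.config.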
Source: https://thehackernews.com/2018/01/crossrat-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2018/01/crossrat-malware.html"
	],
	"report_names": [
		"crossrat-malware.html"
	],
	"threat_actors": [
		{
			"id": "8de10e16-817c-4907-bd98-b64cf4a3e77b",
			"created_at": "2022-10-25T15:50:23.552766Z",
			"updated_at": "2026-04-10T02:00:05.362919Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"Dark Caracal"
			],
			"source_name": "MITRE:Dark Caracal",
			"tools": [
				"FinFisher",
				"CrossRAT",
				"Bandook"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6",
			"created_at": "2023-01-06T13:46:38.73639Z",
			"updated_at": "2026-04-10T02:00:03.083265Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"G0070"
			],
			"source_name": "MISPGALAXY:Dark Caracal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af704c54-a580-4c29-95f2-82db06fbb6f9",
			"created_at": "2022-10-25T16:07:23.525064Z",
			"updated_at": "2026-04-10T02:00:04.64019Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"ATK 27",
				"G0070",
				"Operation Dark Caracal",
				"TAG-CT3"
			],
			"source_name": "ETDA:Dark Caracal",
			"tools": [
				"Bandok",
				"Bandook",
				"CrossRAT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Pallas",
				"Trupto"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434174,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/447aafc9072088a52f0349353d7649a05b6f79d7.pdf",
		"text": "https://archive.orkl.eu/447aafc9072088a52f0349353d7649a05b6f79d7.txt",
		"img": "https://archive.orkl.eu/447aafc9072088a52f0349353d7649a05b6f79d7.jpg"
	}
}