{
	"id": "f64e4817-2dfa-493f-8893-fed9f171fb9f",
	"created_at": "2026-04-06T00:11:10.307285Z",
	"updated_at": "2026-04-10T13:11:30.585796Z",
	"deleted_at": null,
	"sha1_hash": "45436ee1735632c4ae2fd8245f80c5d7ba23188a",
	"title": "Threat actor abuses Gophish to deliver new PowerRAT and DCRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4257607,
	"plain_text": "Threat actor abuses Gophish to deliver new PowerRAT and\r\nDCRAT\r\nBy Chetan Raghuprasad\r\nPublished: 2024-10-22 · Archived: 2026-04-05 17:54:38 UTC\r\nCisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish\r\nby an unknown threat actor.  \r\nThe campaign involves modular infection chains that are either Maldoc or HTML-based infections and\r\nrequire the victim’s intervention to trigger the infection chain.  \r\nTalos discovered an undocumented PowerShell RAT we’re calling PowerRAT, as one of the payloads and\r\nanother infamous Remote Access Tool (RAT) DCRAT. \r\nWe found a few placeholders for base64 encoded PowerShell scripts in the PowerRAT, indicating that the\r\nthreat actor is actively developing their tools.  \r\nVictimology \r\nTalos assesses with high confidence that the threat actor is targeting Russian-speaking users based on the language\r\nused in the phishing emails, the lure contents of the malicious documents, and a masqueraded HTML webpage of VKontakte\r\n(VK), a popular social media application amongst Russian speakers, especially in Russia, Ukraine, Belarus,\r\nKazakhstan, Uzbekistan, and Azerbaijan.  \r\n   \r\nActor uses Gophish to send phishing emails \r\nOur analysis of the malicious hyperlinks embedded in the phishing emails showed that the attacker-controlled\r\nhosting domain disk-yanbex[.]ru delivered the malicious Microsoft Word document and an HTML file\r\nembedded with the malicious JavaScript.   \r\nThe domain disk-yanbex[.]ru resolves to the IP address 34[.]236[.]234[.]165, an AWS EC2 instance with the fully\r\nqualified domain name ec2-34-236-234-165[.]compute-1[.]amazonaws[.]com, during our analysis. We also\r\nhttps://blog.talosintelligence.com/gophish-powerrat-dcrat/\r\nPage 1 of 18\n\nobserved that the same server 34[.]236[.]234[.]165 was reverse resolving to another domain e-connection[.]ru,\r\nwhich also delivered malicious JavaScript-embedded HTML files. 
Our further analysis of the server\r\n34[.]236[.]234[.]165 disclosed to us that the actor hosted the Gophish toolkit on the server running at port number\r\n3333. Gophish is an Open-Source easy-to-deploy phishing toolkit that is developed to conduct security awareness\r\ntraining according to the tool’s developer.  \r\nAttacker hosting Gophish.\r\nTalos analysis of the phishing email sample’s header showed us that the email was first delivered from server\r\n34[.]236[.]234[.]165, indicating that the threat actor is misusing the Gophish framework in this campaign to\r\ndeliver phishing emails to their targets.   \r\nSample Phishing email header. \r\nMulti-modular Campaign delivers PowerRAT and DCRAT \r\nThe campaign has two initial attack vectors, one based on malicious Word documents and another based on\r\nHTML files containing malicious JavaScript. Upon activation, these would lead to the download and activation of\r\nPowerRAT or DCRAT depending on the initial vector. Both the attack chains require user intervention to trigger\r\nthe infections on the compromised machines. \r\nMaldoc-based infection delivers PowerRAT \r\nWhen a victim opens the Microsoft Word document and enables the view contents button displayed in the\r\ndocument banner, the malicious VB macro program executes.  \r\nThe macro program initially executes a function that decodes or translates specific encoded symbols in the lure\r\ncontents of the Word document into their corresponding characters from another alphabet in Cyrillic, transforming\r\nthe lure contents into readable form. 
\r\nWe spotted a base64 encoded data blob on the third page of the Word document and the actor used the text color\r\nthe same as that of the document's default background color, hiding them from the victim’s view.  \r\nTo identify the hidden encoded data, the macro executes a function that searches for specific strings such as\r\n“DigitalRSASignature:” and “CHECKSUM” in the content section of the Word document, and when found, it\r\ncopies the data following the search strings to an array.  \r\nTo decode the base64 encoded data blob, the actor uses a custom function called CheckContent() in the macro. It\r\nremoves any “=” characters which are the padding characters in the encoded data blob and decodes them into two\r\nparts in a byte array. The first part is the contents of a malicious HTML application (HTA) file and the second is a\r\nPowerShell loader.  \r\nThe macro drops the decoded contents of the malicious HTA file to “UserCache.ini.hta” and the PowerShell\r\nloader into “UserCache.ini” in the victim machine's current user profile folder.   \r\nThe actor has abused the Windows NT current version autorun registry key called “LOAD”. The registry key\r\n“HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” is used by Windows\r\nto automatically launch applications or processes when a user logs into their account. Specifically, this key stores\r\ninformation about programs that are set to load upon user login. It works similarly to other startup mechanisms in\r\nWindows (such as the Startup folder or the Run registry keys), but this specific key is less commonly used. 
After\r\ndropping the malicious HTA and the PowerShell loader script in the victim machine user profile\r\nfolder, the macro configures the registry key “HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion\\LOAD” with the value “C:\\Users\\\u003cUsername\u003e\\UserCache.ini.hta”. \r\nFinally, the macro checks if there are any headers in the Word documents and deletes the contents of the headers\r\nfrom all sections of the Word document.  \r\nThe malicious HTA “UserCache.ini.hta” is executed through the LOAD registry key when a victim logs into the\r\nmachine. It drops a JavaScript called “UserCacheHelper.lnk.js” in the victim machine user profile folder and\r\nwrites a single line of code embedding a PowerShell command to execute the dropped PowerShell Loader\r\nmasquerading as “UserCache.ini” file. The HTA file executes the JavaScript “UserCacheHelper.lnk.js” using the\r\nLOLbin “cscript.exe”. \r\nSample of malicious HTA file.\r\nThe dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” and executes it using\r\nthe Invoke-Expression PowerShell command. The PowerShell Loader script masquerading as the INI file contains a\r\nbase64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine\r\nmemory.   \r\nSample PowerShell Loader script embedded with PowerRAT.\r\nPowerRAT expands the attack vector for further infections  \r\nTalos discovered a new PowerShell remote access tool as one of the payloads in this campaign we are calling\r\nPowerRAT that executes in the victim’s machine memory. It has the functionality of executing other PowerShell\r\nscripts or commands as directed by the C2 server, enabling the attack vector for further infections on the victim\r\nmachine.   
\r\nThe PowerRAT that executes in the victim machine memory initially checks if the JavaScript\r\n“UserCacheHelper.lnk.js” exists in the user profile folder and if not found, it will reinfect the victim machine by\r\nperforming the actions of the PowerShell loader script described in the previous section. Then it hides the\r\n“UserCache.ini” by modifying the file attributes to “Hidden”. \r\nThe PowerRAT performs reconnaissance on the victim’s machine by executing a function GetID() which collects\r\nthe username, computer name, and the system drive letter through the PowerShell command Get-CimInstance. It\r\nalso collects the drive serial number through the win32_volume class of WMIobject.  The collected data is written\r\nto memory in the format \u003cComputername_Username_drive serial number\u003e. \r\nAfter performing the reconnaissance, the PowerRAT attempts to connect to the C2 server by sending the collected\r\ndata of the victim’s machine using a hardcoded URL through the HTTP GET method.  The C2 servers identified\r\nin this campaign are 94[.]103[.]85[.]47 located in Russia with the ASN 48282 of Hosting Technology LTD and\r\n5[.]252[.]176[.]55 also geographically located in Russia with the ASN 39798 of MivoCloud SRL.  \r\nWhen there is no response from the C2 server, the PowerRAT has a placeholder function called offlineworker()\r\nthat has the functionality to decode an embedded base64 encoded string of a PowerShell script and execute it\r\nusing the Invoke-Expression command. The actor has built this functionality to keep the infection alive in the\r\nvictim machine even if the victim's environment detects the malicious C2 traffic and blocks the connection. We\r\ndidn’t see any embedded base64 encoded strings in the PowerRAT sample that we analyzed, and the function is likely a\r\nplaceholder, indicating that the actor is actively developing and updating their tools.  
\r\nThe PowerRAT generates a random number between 7 - 23 and pauses its execution for (300 + random number)\r\nseconds and re-attempts to connect to the C2 server continuously waiting for a response. During our analysis, the\r\nC2 servers were not responding, and still, our further analysis of the PowerRAT showed us that the C2 server will\r\nlikely respond with an XML configuration file having multiple modules with embedded base64 encoded\r\nPowerShell commands or scripts.   \r\nThe PowerRAT has the functionality to parse the received XML file and search for the sections called config.  It\r\nperiodically executes the embedded encoded PowerShell commands or scripts, according to their defined intervals\r\nand run limits. The PowerRAT continues to run until all commands or scripts in the config sections are executed\r\nthe required number of times.   \r\nHTML-based infection delivers DCRAT \r\nTalos discovered that the threat actor is also using HTML files embedded with malicious JavaScript in this\r\ncampaign that are delivered to the victims through the malicious links in the phishing email, leading to the\r\ninfection of the DCRAT payload.  \r\nWhen a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the\r\nmalicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript. The\r\nJavaScript has a base64 encoded data blob of a 7-ZIP archive of a malicious SFXRAR executable. It decodes the\r\nembedded base64 encoded data blob into binary data blob with the type “application/octet-stream” in the memory.\r\nA download URL for the binary data blob is created using the URL.createObjectURL() method and assigned to a\r\nvariable in memory. 
It calls the click() method on the URL of the binary data blob which triggers the download of\r\nthe binary data to a 7-Zip archive file. The malicious 7-Zip archive masquerades as the VK messenger application\r\narchive file in one of the malicious HTML files and another with a Russian name. The actor is using this technique\r\nin the JavaScript function to masquerade as the actual download activity of a file over the internet through a\r\nbrowser.  \r\nA victim must inflate the 7-Zip archive manually to run the SFXRAR executable which is masquerading as the\r\nlegitimate VK application executable which leads to DCRAT infection. The SFX RAR executable is packaged\r\nwith the malicious loader or dropper executables, batch file, and a decoy document in some samples.  \r\nWhen a victim runs the SFX executable, the SFX script drops the packaged files into a folder and executes the\r\nbatch file which runs another password-protected SFXRAR with the hardcoded password “riverdD” and runs the\r\nDCRAT.   \r\nIn another sample, we observed that the SFXRAR drops the GOLoader and the decoy document Excel\r\nspreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with\r\nopening the decoy document.   \r\nTalos observed an overlap of the technique used by the threat actor in this campaign with an earlier SparkRAT\r\nattack reported by Hunt researchers in April 2024, indicating that SparkRAT is another payload in the threat\r\nactor’s arsenal. \r\nGOLoader downloads and runs the DCRAT \r\nIn DCRAT infection, the SFX script runs a malicious Loader executable and simultaneously opens a decoy\r\ndocument. The malicious loader executable we are calling “GOLoader” is compiled in Golang. 
It modifies the\r\nconfiguration settings for Microsoft Defender Antivirus, specifically by excluding the root directory “C:\\” and the\r\nfolder “C:\\Users\\$user\\Desktop” in the victim machine by executing the PowerShell commands.  \r\npowershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\$user\\Desktop'\r\npowershell -Command Add-MpPreference -ExclusionPath 'C:\\'\r\nAfter configuring the exclusion paths, the GOLoader downloads the DCRAT binary data stream from a remote\r\nlocation through a hardcoded URL and writes it into a dropped executable with the file name “file.exe” in the\r\ndesktop folder on the victim’s machine. During our analysis, we found that the remote location URL hardcoded in\r\nthe GOLoader was pointing to a GitHub repository, which was not accessible. However, we found that the hosted\r\npayload binary in the GitHub repository is the Dark Crystal RAT (DCRAT) binary based on open-source\r\nintelligence data.   \r\nThreat actor delivers DCRAT \r\nThe payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated\r\nwith plugins to perform the DLL injection and information stealing tasks.  \r\nKey features of the DCRAT sample of this campaign include: \r\nProvides remote control access to the victim machine to the actor who can execute arbitrary commands,\r\nmanage files, and monitor user activities.  \r\nIt has the capability of downloading and executing other files on the victim's machine. \r\nWith its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and\r\nfinancial information from the victim's machine.  \r\nThe RAT can take screenshots and capture the keystrokes on the victim's machine. 
\r\nWe found that the RAT creates multiple copies of its binary masquerading as legitimate Windows\r\nexecutables including csrss.exe, dllhost.exe, taskhostw.exe, and winlogon.exe in the folders such as\r\nProgramData, Pictures, Saved Games, and Windows start menu. It drops the embedded modules in the\r\nadministrator user desktop folder using random file names and with the “.log” file extension.  \r\nC:\\Users\\admin\\Desktop\\zaHrebVC.log\r\nC:\\Users\\admin\\Desktop\\HQLYdHol.log\r\nC:\\Users\\admin\\Desktop\\qJutJUJW.log\r\nC:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\taskhostw.exe\r\nC:\\ProgramData\\dllhost.exe\r\nC:\\Users\\Default\\Pictures\\csrss.exe\r\nC:\\Users\\Default\\Saved Games\\winlogon.exe\r\nIt establishes persistence on the victim machine by creating several Windows tasks to run at different\r\nintervals or during the Windows login process. \r\nschtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 11 /tr \"'C:\\Users\\Default\\Saved Games\\winlogon.exe'\"\r\n/f\r\nschtasks.exe /create /tn \"winlogon\" /sc ONLOGON /tr \"'C:\\Users\\Default\\Saved Games\\winlogon.exe'\" /rl\r\nHIGHEST /f\r\nschtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 5 /tr \"'C:\\Users\\Default\\Saved Games\\winlogon.exe'\"\r\n/rl HIGHEST /f\r\nschtasks.exe /create /tn \"csrssc\" /sc MINUTE /mo 12 /tr \"'C:\\Users\\Default\\Pictures\\csrss.exe'\" /f\r\nschtasks.exe /create /tn \"csrss\" /sc ONLOGON /tr \"'C:\\Users\\Default\\Pictures\\csrss.exe'\" /rl HIGHEST /f\r\nschtasks.exe /create /tn \"csrssc\" /sc MINUTE /mo 7 /tr \"'C:\\Users\\Default\\Pictures\\csrss.exe'\" /rl HIGHEST /f\r\nschtasks.exe /create /tn \"dllhostd\" /sc MINUTE /mo 11 /tr \"'C:\\Users\\Public\\dllhost.exe'\" /f\r\nschtasks.exe /create /tn \"dllhost\" /sc ONLOGON /tr \"'C:\\Users\\Public\\dllhost.exe'\" /rl HIGHEST /f\r\nschtasks.exe /create /tn \"dllhostd\" /sc MINUTE /mo 12 /tr \"'C:\\Users\\Public\\dllhost.exe'\" /rl HIGHEST /f\r\nschtasks.exe /create /tn \"dllhostd\" /sc 
MINUTE /mo 8 /tr \"'C:\\Users\\All Users\\dllhost.exe'\" /f\r\nschtasks.exe /create /tn \"dllhost\" /sc ONLOGON /tr \"'C:\\Users\\All Users\\dllhost.exe'\" /rl HIGHEST /f\r\nschtasks.exe /create /tn \"dllhostd\" /sc MINUTE /mo 11 /tr \"'C:\\Users\\All Users\\dllhost.exe'\" /rl HIGHEST /f\r\nschtasks.exe /create /tn \"taskhostwt\" /sc MINUTE /mo 6 /tr \"'C:\\Users\\Default\\Start Menu\\taskhostw.exe'\" /f\r\nschtasks.exe /create /tn \"taskhostw\" /sc ONLOGON /tr \"'C:\\Users\\Default\\Start Menu\\taskhostw.exe'\" /rl\r\nHIGHEST /f\r\nschtasks.exe /create /tn \"taskhostwt\" /sc MINUTE /mo 10 /tr \"'C:\\Users\\Default\\Start Menu\\taskhostw.exe'\" /rl\r\nHIGHEST /f\r\nschtasks.exe /create /tn \"filef\" /sc MINUTE /mo 13 /tr \"'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'\" /f\r\nschtasks.exe /create /tn \"file\" /sc ONLOGON /tr \"'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'\" /rl\r\nHIGHEST /f\r\nschtasks.exe /create /tn \"filef\" /sc MINUTE /mo 9 /tr \"'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'\" /rl\r\nHIGHEST /f\r\nThe RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file as shown\r\nin the picture and exfiltrates the sensitive data collected from the victim machine. From other DCRAT\r\nsamples identified in this campaign, we found another C2\r\nURL “hxxp[://]cr87986[.]tw1[.]ru/L1nc0In[.]php”.  \r\nSample of DCRAT configuration file. \r\nCoverage \r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here. \r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks. 
\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here. \r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat. \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products. \r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them. \r\nAdditional protection with context to your specific environment and threat data are available from the Firewall\r\nManagement Center. \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. Snort SIDs for this threat are 63963 – 63970, 63971 and 301004. 
\r\nClamAV detections are also available for this threat: \r\nWin.Downloader.RustAgent-10036537-0 \r\nWin.Downloader.RustAgent-10036538-0 \r\nWin.Downloader.RustAgent-10036539-0 \r\nWin.Downloader.GoAgent-10036540-0 \r\nWin.Backdoor.PowershellRAT-10036541-0 \r\nWin.Phishing.VbsAgent-10036542-0 \r\nWin.Phishing.JsAgent-10036543-0 \r\nWin.Loader.PowershellLoader-10036544-0 \r\nWin.Loader.HtaAgent-10036545-0 \r\nWin.Loader.DonutLoader-10036546-0\r\nIOCs \r\nIOCs for this research can be found in our GitHub repository here. \r\nSource: https://blog.talosintelligence.com/gophish-powerrat-dcrat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/gophish-powerrat-dcrat/"
	],
	"report_names": [
		"gophish-powerrat-dcrat"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45436ee1735632c4ae2fd8245f80c5d7ba23188a.pdf",
		"text": "https://archive.orkl.eu/45436ee1735632c4ae2fd8245f80c5d7ba23188a.txt",
		"img": "https://archive.orkl.eu/45436ee1735632c4ae2fd8245f80c5d7ba23188a.jpg"
	}
}