{ "id": "45b8b79f-ac24-40af-98cb-1a29ebccd866", "created_at": "2026-04-06T00:07:37.13919Z", "updated_at": "2026-04-10T03:34:54.252347Z", "deleted_at": null, "sha1_hash": "4c61ffc79acb3f842c8a0d64c6d005b75452939f", "title": "TigerRAT – Advanced Adversaries on the Prowl", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 893766, "plain_text": "TigerRAT – Advanced Adversaries on the Prowl\r\nBy Threat Analysis Unit\r\nPublished: 2021-12-03 · Archived: 2026-04-05 21:52:09 UTC\r\nThis article was written by Scott Knight\r\nSummary\r\nOn September 5th, 2021, the Korea Internet \u0026 Security Agency (KISA) released a report on a new threat they\r\ndubbed TigerRAT. The newly found malware shares similarities with malware previously reported by Kaspersky\r\nand Malwarebytes. Kaspersky has previously attributed those malware samples to Andariel, a threat actor group\r\nthe Korean Financial Security Institute has identified as being a sub-group of Lazarus. TigerRAT appears to have\r\nbeen used from late 2020 onwards.\r\nVMware’s Threat Analysis Unit identifies TigerRAT as a payload associated with broader campaign of attacks\r\nagainst target enterprises. The TigerRAT payload capability includes the ability to manipulate files, execute\r\nremote commands, log keystrokes and remotely view and control the screen. TigerRAT may be blocked by\r\nVMware Carbon Black (see Figure 8).\r\nNotably this malware, and the overall attack, originates from a loader application that utilizes a unique approach\r\nto storing the payload. Within the TigerRAT sample, configuration data for Command and Control (C2)\r\ncommunications is stored encrypted within the malware, and communications with the C2 server are customized\r\nto appear like HTTP web traffic.\r\nVMware’s Threat Analysis Unit performed a deep analysis of the TigerRAT malware to document its internal\r\noperations for comparison to other malware families in the wild.\r\nWhen considering how TigerRAT may be used in the wild, defenders should recognize that the TigerRAT malware\r\nwill be used by attackers as part of a broader campaign of attacks and that along the kill-chain, a wide variety of\r\nother malware types and attack techniques are also likely to be used. This is a key point when evaluating how such\r\ncampaigns can be detected and disrupted.\r\nLoader\r\nLoader structure\r\nIn the case of sample , the TigerRAT payload data is stored in a section named “data”. The payload structure is a\r\n4-byte size, a 16-byte key, and then base64 encoded data. The size is the total length of the base64 data.\r\n4 bytes 16 bytes NN bytes\r\nSize of base64 encoded data (NN) Decryption key base64 encoded data\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 1 of 12\n\nThe screenshot below (Figure 1) shows the size in red, the decryption key in green, and the base64 data in blue.\r\nFigure 1: Loader\r\nLoader function\r\nThe Loader’s purpose is to decrypt the final TigerRAT payload and execute it in memory. The data is loaded,\r\nbase64 decoded and then the 16-byte key is used to decrypt the data with a simple XOR. The decoded payload is a\r\nPE file and after decrypting the loader will jump to the entry point.\r\nVariance of loaders in the wild\r\nThe loader sample Malwarebytes reported on had almost identical code to that analyzed here, with the notable\r\ndifference being that the base64 data was stored as overlay data after all the regular PE data. The embedded\r\npayload in the Malware bytes sample also differed. Refer to the Malwarebytes post for additional detail.\r\nTigerRAT\r\nThe embedded PE is referred to as TigerRAT by the KISA report. A handful of different samples were found with\r\ncompilation dates ranging from the end of 2020 to the beginning of 2021, with the only notable differences\r\nbetween different samples being the encrypted C2 information, and the DES/RC4 keys used for encryption and\r\ndecryption.\r\nThe malware is written in C++ and makes use of only a handful of classes. At startup, a main class is created with\r\nreferences to the classes below.\r\nClass name Description\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 2 of 12\n\nProtocolTcpPure Performs all the communication with the C2 server.\r\nCryptorDES Used to decrypt encrypted strings and data in the program.\r\nCryptorRC4 Used to encrypt information sent to the C2 server and decrypt received commands.\r\nIDGeneratorAdapter\r\nCreates a unique ID for the victim machine used during C2 communication\r\ninitialization.\r\nModuleUpdate Handles C2 commands related to shutting down and self-deletion.\r\nModuleInformation Handles C2 commands related to gathering victim machine information.\r\nModuleShell Handles C2 commands related to executing commands.\r\nModuleFileManager\r\nHandles C2 commands related to file manipulation and upload and download of\r\nfiles from the victim machine.\r\nModuleKeyLogger Handles C2 commands related to starting and stopping keylogging functionality.\r\nModuleSocksTunnel Handles C2 commands related to starting and stopping a socks tunnel.\r\nModuleScreenCapture\r\nHandles C2 commands related to remote screen capturing and keyboard event\r\ninjection.\r\nModulePortForwarder Handles C2 commands related to starting and stopping port forwarding.\r\nTable 1: TigerRAT classes\r\nAll of the Module classes inherit from a common base class and the main class stores an array of Module\r\ninstances that are used during C2 communication. The code makes heavy use of threading when running actions\r\nbased on C2 commands.\r\nC2 Communication\r\nDuring the main class initialization, the C2 IP addresses are decrypted using the CryptorDES class and stored in\r\nthe main class. When that initialization is finished, the malware then attempts to initiate the network connection to\r\nthe C2 server. The malware first tries to connect to one of the decrypted C2 IP addresses on port 443 and then\r\nperforms a handshake with the C2 server. The malware starts by sending HTTP 1.1 /index.php?member=sbi2009\r\nSSL3.3.7\\x00 and then the C2 server responds with HTTP 1.1 200 OK SSL2.1\\x00.\r\nFollowing a successful initial handshake, the malware sends a 16-byte hash of the RC4 key being used and\r\nexpects to get back a hardcoded 7-byte value. In the case of all currently found samples, the malware expects the\r\n7-byte value “xPPygOn”.\r\nThe handshake process can be seen from the perspective of the C2 server by running a mockc2 TigerRAT server\r\n(Figure 2).\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 3 of 12\n\nmockc2\u003e debug on\r\n[+] Debug output on\r\nmockc2\u003e listener start tigerrat 443\r\n[DEBUG] Server listening\r\n[i] connection from x.x.x.x:55067\r\n[DEBUG] received00000000  48 54 54 50 20 31 2e 31  20 2f 69 6e 64 65 78 2e  |HTTP 1.1 /index.|\r\n00000010  70 68 70 3f 6d 65 6d 62  65 72 3d 73 62 69 32 30  |php?member=sbi20|\r\n00000020  30 39 20 53 53 4c 33 2e  33 2e 37 00              |09 SSL3.3.7.|\r\n[DEBUG] sent\r\n00000000  48 54 54 50 20 31 2e 31  20 32 30 30 20 4f 4b 20  |HTTP 1.1 200 OK |\r\n00000010  53 53 4c 32 2e 31 00                              |SSL2.1.|\r\n[DEBUG] received\r\n00000000  f2 7c 29 1f a5 75 fa 20  23 f7 7b 5b fa 5b e1 4a  |.|)..u. #.{[.[.J|\r\n00000010  00                                                |.|\r\n[DEBUG] sent\r\n00000000  78 50 50 79 67 4f 6e 00                           |xPPygOn.|\r\nFigure 2: TigerRAT handshake\r\nAfter the handshake process has been completed successfully, the malware will proceed to send all further data in\r\na standard command format and encrypted using the CryptorRC4 class. A single 32-byte RC4 key is used to\r\ninitialize two separate running RC4 ciphers. One is used to decrypt incoming traffic and the other is used to\r\nencrypt outgoing traffic. The encrypted traffic has the following format (Figure 3):\r\nstruct packet {\r\nuint32 size;\r\nuint8 *data;\r\n};\r\nFigure 3: Encrypted traffic structure\r\nOnce decrypted the command format is as follows (Figure 4):\r\nstruct command {\r\nuint32 module;\r\nuint32 opcode;\r\nuint32 size;\r\nuint8 *data;\r\n};\r\nFigure 4: Command structure\r\nAfter the handshake, the malware sends to the C2 server a unique victim machine identifier previously generated\r\nby the IDGeneratorAdapter class. The unique ID is generated by calling the GetAdaptersInfo API and getting the\r\nhardware address for one of the network devices on the victim machine (Figure 5).\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 4 of 12\n\n[DEBUG] received\r\n00000000  18 00 00 00 9d c6 28 3a  a8 14 21 6c 4f 27 81 0a  |……(:..!lO’..|\r\n00000010  5c 4d 4d 42 cd 2e 65 fa  fd 50 b0 29              |\\MMB..e..P.)|\r\n[DEBUG] TigerRAT Command\r\n[DEBUG] Module: 0x0\r\n[DEBUG] Opcode: 0x1\r\n[DEBUG]   Size: 0xc\r\n[DEBUG]   Data:\r\n00000000  f0 18 98 80 95 32 00 00  00 00 00 00              |…..2……|\r\nFigure 5: TigerRAT victim ID\r\nAfter the handshake process and upload of the victim ID, the malware initiates  a heartbeat thread to send periodic\r\npackets to the C2 server, as well as a receive thread to read and process commands sent back from the C2 server.\r\nThe subsequent actions of the malware will depend on the commands received from the C2 server; refer\r\n“Commands”. An example of a heartbeat command can be seen below (Figure 6):\r\n[DEBUG] received\r\n00000000  0c 00 00 00 a5 31 6d a7  8f cd d4 70 aa e1 d4 56  |…..1m….p…V|\r\n[DEBUG] TigerRAT Command\r\n[DEBUG] Module: 0x0\r\n[DEBUG] Opcode: 0x10\r\nDEBUG]   Size: 0x0\r\nFigure 6: TigerRAT heartbeat\r\nCommands\r\nEach Module class has a unique ID associated with it. This ID is set in the command structure sent from the C2\r\nserver down to the malware. The complete list of Module IDs can be seen below:\r\nModule ID Module Name\r\n0x1 ModuleUpdate\r\n0x2 ModuleInformation\r\n0x3 ModuleShell\r\n0x4 ModuleFileManager\r\n0x5 ModuleKeyLogger\r\n0x6 ModuleSocksTunnel\r\n0x7 ModuleScreenCapture\r\n0xa ModulePortForwarder\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 5 of 12\n\nTable 2: Module IDs\r\nThe following tables list the various opcodes used by the different Module classes and their function.\r\nModuleUpdate\r\nOpcode Description\r\n0x20 Calls ExitProcess\r\n0x30 Delete itself and exit\r\nTable 3: ModuleUpdate opcodes\r\nModuleInformation\r\nOpcode Description\r\n0x10 Retrieve victim’s computer name using GetComputerNameW\r\n0x20 Retrieve victim’s Windows version using RtlGetVersion\r\n0x30 Retrieve victiom’s adapter info using GetAdaptersInfo\r\n0x40 Retrieve victim’s username using GetUserNameW\r\nTable 4: ModuleInformation opcodes\r\nModuleShell\r\nOpcode Description\r\n0x10 Execute a command\r\n0x20 Set current directory\r\n0x30 Get current directory\r\n0x40 Test TCP connection\r\nTable 5: ModuleShell opcodes\r\nModuleFileManager\r\nOpcode Description\r\n0x10 Retrieve drive info\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 6 of 12\n\n0x20 List files\r\n0x30 Delete file\r\n0x40 Start file upload to victim machine\r\n0x42 Write data to uploaded file\r\n0x43 Finish file upload to victim machine\r\n0x50 Download file from victim machine\r\n0x57 Set offset in file to download\r\n0x5f Wait for file transfers to finish\r\n0x60 Call CreateProcessW\r\n0x63 Call CreateProcessAsUserW\r\n0x70 Download a directory from victim machine\r\n0x80 Find files\r\n0x90 Find files\r\nTable 6: ModuleFileManager opcodes\r\nModuleKeyLogger\r\nOpcode Description\r\n0x10 Initialize keylogger\r\n0x11 Set keylogger flag\r\n0x20 Stop keylogger\r\n0x21 Set keylogger flag\r\n0x25 Retrieve keylogger output\r\n0x32 Retrieve keylogger file\r\nTable 7: ModuleKeyLogger opcodes\r\nModuleSocksTunnel\r\nOpcode Description\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 7 of 12\n\n0x10 Start socks tunnel\r\n0x20 Forward data\r\n0x30 Stop socks tunnel\r\nTable 8: ModuleSocksTunnel opcodes\r\nModuleScreenCapture\r\nOpcode Description\r\n0x10 Start screen capture\r\n0x20 Stop screen capture\r\n0x50 Modify mouse\r\n0x52 Modify mouse\r\n0x53 Modify mouse\r\n0x60 Send VK_ESCAPE using keybd_event\r\n0x61 Send VK_MENU + VK_TAB using keybd_event\r\n0x62 Send VK_CONTROL + A using keybd_event\r\n0x63 Send VK_RSHIFT + VK_DELETE using keybd_event\r\n0x64 Send VK_MENU + VK_F4 using keybd_event\r\n0x65 Send VK_RETURN using keybd_event\r\n0x66 Send VK_SPACE using keybd_event\r\n0x67 Send VK_TAB using keybd_event\r\nTable 9: ModuleScreenCapture opcodes\r\nModulePortForwarder\r\nOpcode Description\r\n0x11 Retrieve port forwarding status\r\n0x20 Start port forwarding\r\n0x30 Stop port forwarding\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 8 of 12\n\nTable 10: ModulePortForwarder opcodes\r\nDetection and Blocking\r\nThe TigerRAT malware may be detected . Figure 7 below shows TigerRAT launching multiple command\r\ninterpreters in response to simulated commands sent from the mock C2 server. VMware Carbon Black Cloud can\r\nbe configured to block unknown software attempting to run command interpreters as seen in Figure 8 below.\r\nFigure 7: Process tree of TigerRAT executing remote commands\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 9 of 12\n\nFigure 8: VMware Carbon Black Cloud blocking execution on unknown application attempting to run a command\r\ninterpreter\r\nMITRE ATT\u0026CK TIDs\r\nTID Tactic Description\r\nT1059.003 Execution\r\nCommand and Scripting Interpreter: Windows Command\r\nShell\r\nT1134.002\r\nDefense Evasion, Privilege\r\nEscalation\r\nAccess Token Manipulation: Create Process with Token\r\nT1087.001 Discovery Account Discovery: Local Account\r\nT1083 Discovery File and Directory Discovery\r\nT1033 Discovery System Owner/User Discovery\r\nT1005 Collection Data from Local System\r\nT1056.001 Collection, Credential Access Input Capture: Keylogging\r\nT1113 Collection Screen Capture\r\nT1573.001 Command and Control Encrypted Channel: Symmetric Cryptography\r\nT1041 Exfiltration Exfiltration Over C2 Channel\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 10 of 12\n\nIndicators of Compromise (IOCs)\r\nIndicator Type Context\r\n1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392 SHA256\r\nTigerRAT\r\nLoader\r\n00331e5f972a98755811c02ec47301336a824a34 SHA1\r\nTigerRAT\r\nLoader\r\n4df757390adf71abdd084d3e9718c153 MD5\r\nTigerRAT\r\nLoader\r\nf32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c SHA256 TigerRAT\r\nb312dd587e8725edf782e0c176b902fbbfc01468 SHA1 TigerRAT\r\n505262547f8879249794fc31eea41fc6 MD5 TigerRAT\r\n29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3 SHA256 TigerRAT\r\n3d8bdbdc08b6cefc7a44c18fafe7e4032c3b68bf SHA1 TigerRAT\r\na35a8c64870b9a3fe45348b4f2a93e75 MD5 TigerRAT\r\nfed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32 SHA256 TigerRAT\r\ne2f78ec89d80ed5c0299856fee84cc78c5d7f7ba SHA1 TigerRAT\r\nd6121d74dcef566a5e2f9aba179b8cca MD5 TigerRAT\r\n6dcfb2f52521672743f4888e992229896b98ab0e6bd979311ebdb4dcccc2b2e6 SHA256 TigerRAT\r\n4a698b176e34d1c24c4fa13e9a773f90c6ce5413 SHA1 TigerRAT\r\n2961c465a07bc80d206a09a6f5723a34 MD5 TigerRAT\r\ned11e94fd9aa3c7d4dd0b4345c106631fe52929c6e26a0daec2ed7d22e47ada0 SHA256 TigerRAT\r\n0bced0f20ef12fbab59593dcd02e4c75d852b671 SHA1 TigerRAT\r\n525cc10803d9858fca5dc4010925ba68 MD5 TigerRAT\r\n52.202.193.124 TCP/443 TigerRAT C2\r\n185.208.158.204 TCP/443 TigerRAT C2\r\n185.208.158.208 TCP/443 TigerRAT C2\r\nLinks\r\nhttps://twitter.com/heavyrain_89/status/1434696945268756481\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 11 of 12\n\nhttps://www.boho.or.kr/filedownload.do?attach_file_seq=3277\u0026attach_file_id=EpF3277.pdf\r\nhttps://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/\r\nSource: https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nhttps://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nPage 12 of 12", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html" ], "report_names": [ "tigerrat-advanced-adversaries-on-the-prowl.html" ], "threat_actors": [ { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434057, "ts_updated_at": 1775792094, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4c61ffc79acb3f842c8a0d64c6d005b75452939f.pdf", "text": "https://archive.orkl.eu/4c61ffc79acb3f842c8a0d64c6d005b75452939f.txt", "img": "https://archive.orkl.eu/4c61ffc79acb3f842c8a0d64c6d005b75452939f.jpg" } }