{
	"id": "c2b6fd75-7a1b-4220-8181-0002367e610c",
	"created_at": "2026-04-06T00:21:02.44389Z",
	"updated_at": "2026-04-10T03:29:38.436465Z",
	"deleted_at": null,
	"sha1_hash": "4f13d213b76574f359cc6f4e63f1360ff84958f9",
	"title": "Imminent Monitor – a RAT Down Under",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3424912,
	"plain_text": "Imminent Monitor – a RAT Down Under\r\nBy Unit 42\r\nPublished: 2019-12-02 · Archived: 2026-04-05 13:01:50 UTC\r\nOverview\r\nThe availability of “commodity malware” – malware offered for sale – empowers a large population of criminals,\r\nwho make up for their lack of technical sophistication with an abundance of malicious intent.\r\nRather than looking just at the malware samples and functionality themselves, we’ve taken an interest in the\r\ncommodity malware ecosystem; especially in the malware authors who fundamentally empower and profit from\r\nit.\r\nOur previous research into commodity Remote Access Tools (RATs) has assisted law enforcement efforts in\r\nprosecuting the authors and customers of malware including Orcus, LuminosityLink and Adwind. Our\r\n“SilverTerrier” research into the immensely prevalent West-African financial cybercrime has shown the\r\ntremendous popularity of commodity malware empowering the largest financial cybercrime threat at this time, and\r\nespecially their evolution towards using commodity RATs in their attacks.\r\nOne example is the actors behind the Orcus RAT, who are the subject of recent and ongoing legal action in\r\nCanada. This case continues to be prosecuted with vigor. Palo Alto Networks has collected more than 16,000\r\ndistinct samples of Orcus RAT since April 2016 through to publishing, and we have observed more than 46,000\r\nunique attacks using this RAT against Palo Alto Networks customers.\r\nWe next focused on “Imminent Monitor,” a RAT offered for sale since 2012. In comparison to Orcus RAT, we\r\nhave more than 65,000 samples of Imminent Monitor, and observed its use in more than 115,000 unique attacks\r\nagainst Palo Alto Networks customers. This total number of samples includes those shared between antivirus\r\nvendors, not just those directly detected by Palo Alto Networks customers. However, the observed attacks figure\r\nonly reflects actual, in-the-wild samples from Palo Alto Networks customers. In most cases, repeated attacks using\r\nthe same samples and/or blocked by signature detection will not be reflected in this figure, and so the actual total\r\nnumber of attack attempts will be much higher than reflected in this metric. With such prevalence, we had to\r\nwonder why the author of this malware has been allowed to continue to profit from this for almost seven years,\r\nunchecked.\r\nIn order to evaluate the potential for success of legal action against a malware author, some of the first questions\r\nwe ask are who are they, and where are they? This fundamental intelligence will drive the interest and ability of\r\nlaw enforcement to prosecute and inform researchers as to which agency they might refer this case. In the case of\r\nImminent Monitor, Unit 42’s referral and subsequent, ongoing cooperation helped initiate and drive international\r\nlaw enforcement action to proceed with charging those responsible for the development and management of this\r\nmalware, their customers, and the disabling of access to their victims.\r\nhttps://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/\r\nPage 1 of 11\n\nShockwave™’s RAT\r\nIn 2012, a developer, “Shockwave™”, registered the domain imminentmethods[.]info, and in April 2013 started\r\nselling his “Imminent Monitor” RAT on online forums and at his site, which later changed to\r\nimminentmethods[.]net. Earlier in 2012, he had offered a Distributed Denial of Service (DDoS) tool,\r\n“Shockwave™Booter,” but seemed to drop that project in favor of his new RAT.\r\nHe proudly claimed “the fastest remote administration tool ever created using new socket technology that has\r\nnever been used before.”\r\nFigure 1. Imminent Monitor 1.0 Client Control Panel\r\nThe ImminentMonitor Client Control Panel offers a clean, easy-to-use interface to build (Figure 1) and control\r\n(Figure 2) ImminentMonitor client malware. As well as the full Remote Desktop access of any RAT, features less\r\nnoticeable by the victim include:\r\nFile manager\r\nProcess manager\r\nWindow manager\r\nClipboard manager\r\nRegistry manager\r\nStartup manager\r\nCommand prompt\r\nTCP connection\r\nRemote webcam monitoring\r\nRemote microphone monitoring\r\nPassword recovery\r\nShockwave™ claimed: “We use new methods not used in any rat, the remote desktop has the potential to get\r\naround 60 fps, and the cam I have personally gotten 130 with this.”\r\nIn 2014, Imminent Monitor started supporting third-party plugins. The first of these offered the ability to turn the\r\nwebcam light off while monitoring. Shockwave™ wrote: “Hey, good job on being the first to release a plugin for\r\nImminent Monitor.” – a plugin with an obviously illegitimate intent.\r\nFigure 2. Client control\r\nThe features of a(n il)legitimate Remote Access Tool\r\nAs is very typical with commodity RATs, the authors attempt to profess innocence and distance themselves from the\r\nillegitimate features and intent of their malware:\r\n“We at Imminent Methods are not responsible for the nature in which you use our services. The services sold on\r\nthis website are for personal, not distributed, use and should only be used on your own machines or the machines\r\nof those who have given you expressed consent for remote management. Remember that our tools are made for\r\neducational purpose, so we do not take any responsiblity for any damage caused by any of or tools or services.\r\nMisuse of our tools or services can be very illegal. Certain misuse could cause possible jail time or fines, which\r\ndiffer depending on your local laws.” … “You agree that you will NOT distribute malicious files created with any\r\nof our services over the internet with the intent of harming/using machines of innocent people. You agree that if\r\nyou do by some sort of means connect to a computer without authorization, by means of accident or other ways,\r\nthat you will use the uninstall feature to completely remove the connection between the two of you and remove the\r\nsoftware from their computer.” [Sic]\r\nHowever, Shockwave™’s first-party comments online belie this claim:\r\n“The keylogger: The logs are hidden, and encrypted, fast transfer of the logs aswell, with progress indicating how\r\nmuch of the log is downloaded”…\r\n“The crypter: The crypter is really just a bonus feature, not always FUD but I try and do my best to keep it FUD.”\r\n[Sic]\r\nLegitimate remote access tools don’t need to hide and encrypt their logs. A crypter, allowing a “Fully\r\nUnDetectable” (FUD) client, only has one purpose: to attempt to evade antivirus detection.\r\nLater versions include “protection” to help avoid detection/removal, also not a feature expected of a legitimate,\r\npermissible remote access client (Figure 3).\r\nFigure 3. \"Protection\" features\r\nThe most recent sales page for Imminent Monitor continued to profess legitimacy (Figure 4).\r\nFigure 4. Imminent Monitor \"About\"\r\nHowever, features remain that lend utility to illegitimate use rather than legitimate use, hiding the client and maintaining persistence\r\n(Figure 5).\r\nFigure 5. \"Protection\" features\r\nShockwave™ promotes the RAT’s “protection” features:\r\n“File Integration\r\nThe File Integration feature will delete the Imminent Monitor Client from it’s execution directory and move it into\r\nit’s “Client Startup” directory.\r\nSet File Properties to “Hidden”\r\nDoes what it says, marks the Client as hidden.\r\nDisable Taskmanager\r\nDisables Windows Task Manager/\r\nProcess Security Flag \u0026 Critical Process Flag\r\nBoth of these functions are currently deprecated as the “Process Watcher” feature replaces them/\r\nProcess Watcher\r\nThe Process Watcher feature spawns a separate daemon to watch the main Imminent Monitor Client in case the\r\nclient ever crashes or gets closed.”\r\nMore recent versions offer what the author terms “HRDP” – Hidden Remote Desktop Protocol – offering a non-interactive remote desktop connection, hidden from the victim.\r\nFigure 6. Features\r\nVersion 3 of Imminent Monitor introduced the ability to run a cryptocurrency miner on the victim machine –\r\nhardly the feature of a legitimate remote access tool (Figure 7).\r\nFigure 7. Imminent Monitor Client Cryptocurrency Miner\r\nBut, in the end, it will be the courts who will determine the legitimacy and intent of the malware author, and also their\r\ncustomers.\r\nImminent Monitor was originally licensed to each customer for a $25 fee. Six years later, the price has remained\r\nstatic, though new multi-license options are also offered (Figure 8).\r\nFigure 8. Purchase\r\nWho is Shockwave?\r\nIn order to identify actors behind such operations as Imminent Monitor, it’s important to be thorough with analysis\r\nand intelligence collection. The actor will typically attempt to hide or obfuscate their identity. The research will\r\nnot only aim to directly identify a specific individual but also help to build a corroborative identity picture,\r\nincreasing confidence in any analysis.\r\nInfrastructure research did not lead us to any identifying information, though we did notice a definite preference\r\nfor Australian hosting early on.\r\nForum profiles for Shockwave™ and Imminentmethods included a common profile photo, a panda-headed\r\nbusiness-suited avatar (Figure 9).\r\nFigure 9. Shockwave™/ ImminentMethods' avatar\r\nThe Twitter account “imminentmethods” includes a location of “Queensland, Australia”. A Google+ account for\r\nimminentmethods[at]gmail.com had the same Panda avatar, and the name (redacted here for publication)\r\n“J████”.\r\nA deviantart.com profile for user “ViridianX” had the same panda avatar, a link to imminentmethods[.]info,\r\nlocation Australia, and the same name “J████” again. This handle was corroborated in a forum post:\r\n“Also, I have noticed I have been getting imitated on various websites lately my only Accounts are:\r\nshockwave.hf\r\nhttp://www.twitch.tv/imminentmethods [twitch]\r\nViridianX [Justin.tv]”\r\nA Paypal purchase from imminentmethods[.]net gave a merchant name “DictumFox” (Figure 10).\r\nFigure 10. Paypal\r\nThis appears to be a unique handle. The site, dictumfox[.]com, previously had the site title “Imminent\r\nMethods” (Figure 11).\r\nFigure 11. DictumFox-Imminent Methods\r\nThe imminentmethods[.]net “Contact us” page has an Australian phone number and time zone, and a New South\r\nWales, Australia address which comes back to a small-business services address.\r\nA search of the Australian business registry finds a “DictumFox”, with a registered agent at the same address of\r\nconvenience, with a different, female first name J██████ K███. She was also previously linked to another\r\nAustralian business, “Imminent Methods”. That business record has a current agent with the same first name as\r\nseen in the profiles - J████ - and the same surname as the female associated with the other business registration:\r\nK███.\r\nFurther research with name and location corroboration seems to possibly explain the relationship between\r\nShockwave™-J████ and the “J██████” of the corporate registration, beyond the same surname K███\r\n(Figure 12).\r\nFigure 12. J█████ and J████\r\nProsecution\r\nUnit 42 referred the identity and activity of Shockwave™ to the Australian Federal Police (AFP) Cybercrime\r\nOperations teams. We have subsequently continued to assist the AFP’s “Operation Cepheus” (Figure 13), together\r\nwith the United States Federal Bureau of Investigation (FBI), and Canadian Radio-television and\r\nTelecommunications Commission, Electronic Commerce Enforcement / Conseil de la radiodiffusion et des\r\ntélécommunications canadiennes, Mise en application du commerce électronique (CRTC ECE). The Australian-led investigation, targeting not only those responsible for the development and management of this malware, but\r\nalso their customers using the malware illicitly, has yielded evidence suggesting in excess of 14,500 customers of\r\nthis RAT. We most often observe RATs employed illicitly by financially-motivated actors, or for data theft.\r\nInterestingly, the AFP’s investigation noted a significant number of Australian users of the software were also\r\nrespondents to Domestic Violence Orders. It’s unlikely a coincidence that such a tool might be employed against\r\nIntimate Partner Violence victims. AFP’s operation also disabled the licensing system of Imminent Monitor,\r\nremoving users’ access to victims of the software. Unit 42’s research into the infrastructure and customers of\r\nImminent Monitor and other RATs continues to assist law enforcement internationally in prosecuting the\r\nindividuals behind such illicit activity, demonstrating the effectiveness and potential of international public/private\r\ncooperation in combating cybercrime.\r\nFigure 13. AFP execute an Operation Cepheus search warrant (source: AFP)\r\nConclusion\r\nWe’ve collected more than 65,000 samples of Imminent Monitor, and seen more than 115,000 attacks against Palo\r\nAlto Networks’ customers alone. Not only did the availability of this commodity malware enable each of those\r\nattacks, the author has profited from the sale of it since 2013.\r\nThis Remote Access Tool, promoted first-party on hacking forums, includes features that have no purpose in a\r\nlegitimate tool but rather are designed to hide attacks using it.\r\nWith the successful execution of the AFP’s operation, licensed Imminent Monitor builders will no longer be able\r\nto produce new client malware, nor can the controllers access their victims. Although cracked versions already\r\nexist and will continue to circulate, they can’t benefit from bug fixes, feature enhancements, support, or efforts to\r\nimprove their undetectability. Ironically, these versions often carry malicious payloads, acting as infection vectors\r\nagainst the criminals who would use them.\r\nOrganizations with decent spam filtering, proper system administration, and up-to-date Windows hosts have a\r\nmuch lower risk of infection. Palo Alto Networks customers are further protected from this threat. Our threat\r\nprevention platform detects Imminent Monitor malware with Wildfire and Traps. AutoFocus users can track this\r\nactivity using the ImminentMonitor tag.\r\nSource: https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/"
	],
	"report_names": [
		"imminent-monitor-a-rat-down-under"
	],
	"threat_actors": [
		{
			"id": "aa57c036-b3e5-4bc4-83b8-cac8498b6c24",
			"created_at": "2023-01-06T13:46:38.589041Z",
			"updated_at": "2026-04-10T02:00:03.03199Z",
			"deleted_at": null,
			"main_name": "SilverTerrier",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverTerrier",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ecff5c60-4f8b-4d7c-9784-f279eb056518",
			"created_at": "2022-10-25T15:50:23.49538Z",
			"updated_at": "2026-04-10T02:00:05.40672Z",
			"deleted_at": null,
			"main_name": "SilverTerrier",
			"aliases": [
				"SilverTerrier"
			],
			"source_name": "MITRE:SilverTerrier",
			"tools": [
				"NanoCore",
				"Agent Tesla",
				"NETWIRE",
				"DarkComet",
				"Lokibot"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775791778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f13d213b76574f359cc6f4e63f1360ff84958f9.pdf",
		"text": "https://archive.orkl.eu/4f13d213b76574f359cc6f4e63f1360ff84958f9.txt",
		"img": "https://archive.orkl.eu/4f13d213b76574f359cc6f4e63f1360ff84958f9.jpg"
	}
}