{
	"id": "ee040cfa-356c-46ee-9e90-25c558f81296",
	"created_at": "2026-04-06T00:09:55.769149Z",
	"updated_at": "2026-04-10T03:22:03.461926Z",
	"deleted_at": null,
	"sha1_hash": "4f8b51c059cbccf57f1de35cba224ce24aab2ecd",
	"title": "Xeno RAT: A New Remote Access Trojan with Advance Capabilities - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5936329,
	"plain_text": "Xeno RAT: A New Remote Access Trojan with Advance Capabilities -\r\nCYFIRMA\r\nArchived: 2026-04-05 14:17:10 UTC\r\nPublished On : 2024-02-23\r\nEXECUTIVE SUMMARY\r\nAt CYFIRMA, we are dedicated to providing current insights into prevalent threats and strategies utilized by malicious\r\nentities, targeting both organizations and individuals. This in-depth examination focuses on the proliferation of Xeno RAT,\r\nan intricately designed malware, crafted with advanced functionalities, conveniently accessible at no cost on GitHub. The\r\nresearch explores the array of evasion tactics employed by threat actors to evade detection, while also illuminating the\r\nprocedures involved in crafting resilient malware payloads. Significantly, the report underscores the adaptive characteristics\r\nof these threats, emphasizing the imperative for enhanced security protocols and user vigilance to effectively mitigate\r\nassociated risks.\r\nINTRODUCTION\r\nIn an era where cyber threats evolve at an unprecedented pace, understanding and combating sophisticated malware like\r\nXeno RAT is paramount. This study provides a concise overview of Xeno RAT, a potent malware written in C#, boasting\r\nadvanced capabilities. 
Delving into its dissemination, evasion techniques, and resilient payload generation processes, this\r\npaper aims to shed light on the dynamic nature of contemporary cyber threats, emphasizing the urgent need for heightened\r\nsecurity measures and user awareness in safeguarding against such malicious entities.\r\nhttps://www.cyfirma.com/research/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/\r\nPage 1 of 18\n\nKEY FINDINGS\r\nXeno RAT possesses sophisticated functionalities and characteristics of advanced malware.\r\nThe malware’s developer opted to maintain it as an open-source project and made it accessible via GitHub.\r\nA threat actor customized its settings and disseminated it via the Discord CDN.\r\nThe primary vector, a shortcut file disguised as a WhatsApp screenshot, acts as a downloader.\r\nThe downloader fetches a zip archive from the Discord CDN, extracts it, and executes the next-stage payload.\r\nA multi-step process is employed to generate the ultimate payload of the malware.\r\nIt looks for debuggers, monitoring, and analysis tools before executing the final stage.\r\nUtilizes anti-debugging techniques and follows a stealth operation process.\r\nMalware adds itself as a scheduled task for persistence.\r\nLeverages the DLL search order functionality in Windows to load the malicious DLL into a trusted executable\r\nprocess.\r\nInjects the malicious code (process injection) into a legitimate Windows process.\r\nPerforms continuous monitoring of the compromised systems.\r\nEmploys extensive obfuscation techniques within files/code to evade detection effectively.\r\nUses obfuscated network traffic to receive instructions and updates.\r\nCommunicates with C2 with status updates and receives instructions at regular intervals.\r\nETLM ATTRIBUTION\r\nThe developer of the Xeno RAT opted to open-source the code and made it available for free on GitHub:\r\nThe developer also pledges to continuously provide updates over time, 
incorporating additional features into the malware.\r\nThe Xeno RAT Server includes a builder module that enables the creation of a customized version of the malware.\r\nA threat actor utilized this capability to develop and distribute their own version of the malware via the Discord CDN. They\r\nemployed a shortcut file acting as a downloader, responsible for fetching and executing subsequent payloads.\r\nThe analysis identified the domain internal-liveapps[.]online, which is linked to the threat actor and resolves to the IP\r\naddress 45[.]61[.]139[.]51. Both the domain and IP address have lower detection rates:\r\nNo known threat actor association has been identified with this domain/IP address.\r\nThreat Landscape: from an external threat landscape standpoint, the presence of freely available malware with advanced\r\ncapabilities, such as Xeno RAT, which undergoes active development to enhance its features, highlights a concerning trend.\r\nCyfirma’s research team highlights the evolving tactics of threat actors, who leverage open-source malware to craft\r\ncustomized creations to compromise their targets.\r\nThe developer of the original malware binaries showcases adaptability by employing diverse techniques to obfuscate the\r\nmalicious sample, with the goal of remaining undetected for an extended period. 
This underscores the necessity for\r\nongoing vigilance and the implementation of advanced detection measures to effectively combat these dynamic threats.\r\nANALYSIS OF Xeno-RAT\r\nFile Analysis\r\nFile Name: Screenshot_2024-01-30_w-69-06-18264122612_DCIM.png.lnk\r\nFile Size: 3.21 KB (3,293 bytes)\r\nSigned: Not signed\r\nMD5: 13b1d354ac2649b309b0d9229def8091\r\nSHA-256: 848020d2e8bacd35c71b78e1a81c669c9dc63c78dd3db5a97200fc87aeb44c3c\r\nDate Modified: 17-10-2022\r\nThe primary malware sample is delivered as a shortcut file (.lnk) labeled with the description\r\n“WhatsApp_2023-12-12_12-59-06-18264122612_DCIM.png”:\r\nThe file functions as a downloader, utilizing the Windows command shell to retrieve, extract, and execute the payload from\r\na zip archive, located at the Discord CDN URL. The target field of the file contains obfuscated command line arguments:\r\nBEHAVIORAL \u0026 CODE ANALYSIS\r\n1st Stage Execution:\r\nThe de-obfuscated command reveals downloads from two shortened URLs, both pointing to Discord CDN URLs. 
The first\r\nURL in the command downloads a non-malicious image, while the payload is retrieved from the second URL.\r\nAs indicated in the de-obfuscated argument, the zip archive is downloaded and extracted in the directory\r\n“C:\\Users\\user\\AppData\\Roaming\\Adobe\\Drivers”.\r\nThe zip archive:\r\nFile Name: Sys.zip\r\nFile Size: 2.13 MB (2232447 bytes)\r\nSigned: Not signed\r\nMD5: 6f9e84087cabbb9aaa7d8aba43a84dcf\r\nSHA-256: 4d0d8c2696588ff74fe7d9f8c2097fddd665308fccf16ffea23b9741a261b1c0\r\nDate Modified: 17-02-2024\r\nThe zip archive contains three files: two portable executable (exe and DLL) files and one unknown file named\r\n‘LICENSE’:\r\nThe Windows executable “ADExplorer64.exe” is the Active Directory Explorer provided by Windows Sysinternals, serving\r\nas an advanced Active Directory (AD) viewer and editor:\r\nFilename: ADExplorer64.exe\r\nMD5: 2661f8272ada236cf3aeb9ce9323626c\r\nSHA-256: e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb\r\nSignature: Signed file (valid signature)\r\nFile version: 1.52\r\nThe DLL file “samcli.dll” is the malicious payload. 
It mimics the name of the genuine DLL file “Security Accounts Manager\r\nClient DLL,” which is typically located in the C:\\Windows\\System32 directory on Microsoft Windows systems:\r\nFile Name: Samcli.dll\r\nFile Size: 292.92 KB (299952 bytes)\r\nSigned: Signed\r\nMD5: 7704241dd8770b11b50b1448647197a5\r\nSHA-256: 1762536a663879d5fb8a94c1d145331e1d001fb27f787d79691f9f8208fc68f2\r\nDate Modified: 12-02-2024\r\nWhile the file is signed, the certificate within the signature cannot be verified:\r\nThe LICENSE file contains obfuscated text with read/write permission:\r\nFile Name: LICENSE\r\nFile Size: 2.26 MB (2370164 bytes)\r\nSigned: No\r\nMD5: 0aa5930aa736636fd95907328d47ea45\r\nSHA-256: 96b091ce5d06afd11ee5ad911566645dbe32bfe1da2269a3d3ef8d3fa0014689\r\nDate Modified: 12-02-2024\r\n2nd Stage Execution:\r\nDuring the second stage of execution, the command from the .lnk file initiated the Active Directory Explorer\r\n(ADExplorer64.exe) without any prompts (command: ADExplorer64.exe /accepteula /snapshot 127.0.0.1 faa -noconnection).\r\nADExplorer64.exe relies on samcli.dll, typically found in the Windows\\System32 directory, for its functionality. In this\r\nscenario, the threat actor exploited the DLL search order functionality of the Windows operating system by positioning the\r\nmalicious DLL with the same name in the current working directory. 
Consequently, the malicious samcli.dll is loaded into\r\nthe process of ADExplorer64.exe.\r\nIn the subsequent operation, ADExplorer64.exe also reads the obfuscated file LICENSE:\r\nFurthermore, ADExplorer64 creates a suspended process named “hh.exe”, writes into its memory (process injection), and\r\nthen resumes the thread:\r\nADExplorer64.exe modifies (decodes for its own use) the content read from the LICENSE file and injects it\r\ninto the process memory of hh.exe:\r\nADExplorer64.exe also creates two shortcut files in the current working directory:\r\nThe Support.url file points to the Giude.lnk file, which runs the command that executed ADExplorer64.exe at the initial\r\nstage, as shown in the above screenshot.\r\n3rd Stage Execution:\r\nDuring the third stage of execution, the hh.exe process generates a suspended colorcpl.exe process and subsequently writes\r\ninto its memory (process injection):\r\nThe hh.exe process terminates and the colorcpl.exe process resumes under explorer.exe (parent process):\r\nThe injected process hh.exe employs defensive measures to evade analysis:\r\nFinal Stage Execution:\r\nIn the final stage, the execution of colorcpl.exe commences. 
It performs a check to ascertain whether there is any existing installation of\r\nXeno RAT on the victim machine:\r\nAfter confirming the absence of Xeno RAT (on an uninfected host), the process starts communicating with the domain\r\n“internal-liveapps[.]online”, which resolves to the IP address 45[.]61[.]139[.]51:\r\nIt sends and receives obfuscated content over the network continuously, exhibiting a pattern resembling Remote Access\r\nTrojan (RAT) activity:\r\nThe mapped memory of the colorcpl.exe process reveals its capabilities, including communication with a command-and-control (C2) server over a SOCKS proxy, receipt of commands, transmission of updates, addition to and removal from the\r\nstartup, and the ability to uninstall itself:\r\nXeno RAT also adds itself as a scheduled task for persistence:\r\nThe examination of the Xeno RAT yields valuable insights and unveils its operational characteristics. 
Drawing from this\r\nanalysis and the data extracted, the subsequent points outline the capabilities of this remote access trojan:\r\nMonitors the victim’s activity.\r\nOperates covertly.\r\nUses defensive measures to evade analysis.\r\nUses Hidden Virtual Network Computing to access the compromised systems.\r\nUses a SOCKS5 proxy to connect with the C2 server.\r\nEstablishes persistence using a scheduled task.\r\nUtilizes process injection to target legitimate Windows processes (hh.exe and colorcpl.exe).\r\nUses obfuscation in code and network traffic.\r\nReceives and executes commands from the C2.\r\nEmploys measures against debugging and actively avoids detection mechanisms.\r\nSends status updates to the C2 at regular intervals.\r\nIt can add itself to and remove itself from the system startup.\r\nIt can uninstall itself from the compromised system.\r\nCONCLUSION\r\nIn summary, Xeno RAT is a dynamically evolving malware, boasting advanced capabilities coded in C#. It is freely\r\naccessible on GitHub, where threat actors leverage it to infiltrate targets through diverse tactics, such as distributing free\r\ncontent and phishing emails. 
Additionally, the developer pledges ongoing updates to enhance its functionality.\r\nTo reduce the risks associated with Xeno RAT malware, users should exercise caution when opening files from\r\nuntrustworthy sources or clicking on unfamiliar links, particularly those offering questionable software or content.\r\nFurthermore, deploying robust cybersecurity measures, including utilizing reputable antivirus software, ensuring software is\r\nregularly updated, and staying vigilant against social engineering tactics, can significantly bolster protection against such\r\nthreats.\r\nIt’s imperative for both platform providers and users to stay vigilant in detecting and reporting suspicious activities.\r\nCollaboration between cybersecurity professionals and platform administrators is crucial for promptly identifying and\r\naddressing such threats, leading to a safer online environment. Education and awareness campaigns are also vital in\r\nequipping individuals with the knowledge to recognize and evade such malware, ultimately fostering a more resilient and\r\nsecure online ecosystem.\r\nINDICATORS OF COMPROMISE\r\nS/N Indicator Type Context\r\n1 13b1d354ac2649b309b0d9229def8091 File Screenshot_2024-01-30_w-69-06-18264122612_DCIM.png.lnk\r\n2 848020d2e8bacd35c71b78e1a81c669c9dc63c78dd3db5a97200fc87aeb44c3c File Screenshot_2024-01-30_w-69-06-18264122612_DCIM.png.lnk\r\n3 6f9e84087cabbb9aaa7d8aba43a84dcf File Sys.zip\r\n4 4d0d8c2696588ff74fe7d9f8c2097fddd665308fccf16ffea23b9741a261b1c0 File Sys.zip\r\n5 7704241dd8770b11b50b1448647197a5 File Samcli.dll\r\n6 1762536a663879d5fb8a94c1d145331e1d001fb27f787d79691f9f8208fc68f2 File Samcli.dll\r\n7 0aa5930aa736636fd95907328d47ea45 File LICENSE\r\n8 96b091ce5d06afd11ee5ad911566645dbe32bfe1da2269a3d3ef8d3fa0014689 File LICENSE\r\n9 45[.]61[.]139[.]51 IP address C2\r\n10 internal-liveapps[.]online Domain C2\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nNo. Tactic Technique\r\n1 Execution (TA0002) T1059.003: Windows Command Shell\r\n    T1053.005: Scheduled Task\r\n    T1204.001: Malicious Link\r\n    T1204.002: Malicious File\r\n2 Persistence (TA0003) T1053.005: Scheduled Task\r\n3 Defense Evasion (TA0005) T1622: Debugger Evasion\r\n    T1497: Virtualization/Sandbox Evasion\r\n    T1055: Process Injection\r\n4 Discovery (TA0007) T1622: Debugger Evasion\r\n    T1497: Virtualization/Sandbox Evasion\r\n5 Command and Control (TA0011) T1071.001: Web Protocols\r\nRecommendations\r\nImplement threat intelligence to proactively counter the threats associated with Xeno RAT malware.\r\nTo protect the endpoints, use robust endpoint security solutions for real-time monitoring and threat detection, such as an\r\nanti-malware security suite and a host-based intrusion prevention system.\r\nContinuous monitoring of network activity with NIDS/NIPS, and using a web application firewall to filter/block\r\nsuspicious activity, provides comprehensive protection from compromise, even when payloads are encrypted.\r\nConfigure firewalls to block outbound communication to known malicious IP addresses and domains associated with\r\nXeno RAT command and control servers.\r\nImplement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to\r\nmake unauthorized network connections.\r\nEmploy application whitelisting to allow only approved applications to run on endpoints, preventing the execution of\r\nunauthorized or malicious executables.\r\nConducting vulnerability assessment and penetration testing on the environment periodically helps in hardening the\r\nsecurity by finding the security loopholes, followed by a remediation 
process.\r\nUse of security benchmarks to create baseline security procedures and organizational security policies is also\r\nrecommended.\r\nDevelop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including\r\nisolating affected systems and notifying relevant stakeholders.\r\nSecurity awareness and training programs help to protect from security incidents, such as social engineering attacks.\r\nOrganizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by\r\nXeno-RAT malware.\r\nApply security patches, which can reduce the risk of potential compromise.\r\nSource: https://www.cyfirma.com/research/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/research/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/"
	],
	"report_names": [
		"xeno-rat-a-new-remote-access-trojan-with-advance-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f8b51c059cbccf57f1de35cba224ce24aab2ecd.pdf",
		"text": "https://archive.orkl.eu/4f8b51c059cbccf57f1de35cba224ce24aab2ecd.txt",
		"img": "https://archive.orkl.eu/4f8b51c059cbccf57f1de35cba224ce24aab2ecd.jpg"
	}
}