{
	"id": "57ff2e36-a493-492c-a7aa-178685aa4455",
	"created_at": "2026-04-06T00:19:43.581966Z",
	"updated_at": "2026-04-10T03:29:58.97679Z",
	"deleted_at": null,
	"sha1_hash": "50b49ed23fc287249ca2ef31ae22723bb678e6c0",
	"title": "Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 106102,
	"plain_text": "Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia\r\nBy Catalin Cimpanu\r\nPublished: 2016-01-12 · Archived: 2026-04-05 14:31:23 UTC\r\nA new type of RAT (Remote Access Trojan) has been discovered in use against governments and civil\r\nsociety organizations in South-East Asia, the Arbor Security Engineering \u0026 Response Team (ASERT) at\r\nArbor Networks reports.\r\nThis particular RAT has been linked to a previous campaign against the Myanmar government that was unmasked\r\nby both Arbor Networks' and Cisco's security teams at the end of August 2015.\r\nDuring that campaign, the threat actor identified as Group 27 used watering hole attacks on official Myanmar\r\ngovernment websites to infect unsuspecting users with the PlugX malware (a RAT) when accessing information\r\non the upcoming Myanmar elections.\r\nMyanmar cyber-espionage campaign continued, even after it was made public\r\nArbor's ASERT team is now reporting that, after looking deeper at that particular campaign and exposing a\r\nnew trail in the group's activities, they managed to identify a new RAT that was undetectable at that time by most\r\nantivirus vendors.\r\nNamed Trochilus, this new RAT was part of Group 27's malware portfolio, which included six other malware strains,\r\nall served together or in different combinations, based on the data that needed to be stolen from each victim.\r\nThis collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX\r\nversions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab\r\nRAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.\r\nAccording to the security experts, this collection of malware was discovered after their first report was\r\npublished, meaning that Group 27 ignored the fact that they were unmasked and continued to infect their targets\r\nregardless, through the same entry point, the Myanmar Union Election Commission (UEC) website. Trochilus\r\nRAT activity was discovered during both October and November 2015.\r\nTrochilus RAT source code available on GitHub\r\nAs for Trochilus itself, Arbor's team says that the RAT has mainly reverse shell features and executes in memory\r\nonly, making it very hard to detect by classic antivirus solutions. Nevertheless, some clues as to the intrusion are\r\nleft behind and can be picked up by antivirus engines later on.\r\nFurthermore, the researchers were even able to get hold of the malware's source code, and later linked it to a\r\nGitHub profile for a user named 5loyd.\r\nhttps://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml\r\nPage 1 of 2\n\nFrom Trochilus' GitHub project page, we see that this is \"a fast\u0026free Windows remote administration tool,\" coded\r\nin C++, which features support for various communications protocols, single-threaded operation, a file manager\r\nmodule, a remote shell, a non-UAC mode, the capability to uninstall itself, get system info from remote\r\ncomputers, and to download, upload, and execute files.\r\nWe doubt that 5loyd is actually part of Group 27. It may be possible that the group just hijacked his source code\r\nand used it for their malicious purposes.\r\nSeven Pointed Dagger campaign\r\nSource: https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml"
	],
	"report_names": [
		"trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml"
	],
	"threat_actors": [
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e79324a2-bdae-4dc5-9421-578a59045288",
			"created_at": "2022-10-25T16:07:23.906087Z",
			"updated_at": "2026-04-10T02:00:04.784657Z",
			"deleted_at": null,
			"main_name": "Nightshade Panda",
			"aliases": [
				"APT 9",
				"FlowerLady",
				"FlowerShow",
				"Group 27",
				"Nightshade Panda",
				"Operation Seven Pointed Dagger"
			],
			"source_name": "ETDA:Nightshade Panda",
			"tools": [
				"3102 RAT",
				"9002 RAT",
				"Agent.dhwf",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"EvilGrab",
				"EvilGrab RAT",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"MoonWind",
				"MoonWind RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Vidgrab",
				"Wmonder",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434783,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50b49ed23fc287249ca2ef31ae22723bb678e6c0.pdf",
		"text": "https://archive.orkl.eu/50b49ed23fc287249ca2ef31ae22723bb678e6c0.txt",
		"img": "https://archive.orkl.eu/50b49ed23fc287249ca2ef31ae22723bb678e6c0.jpg"
	}
}