{
	"id": "08d9f335-578a-4679-a5ad-8a25605bbd44",
	"created_at": "2026-04-06T00:09:15.327327Z",
	"updated_at": "2026-04-10T03:36:48.482205Z",
	"deleted_at": null,
	"sha1_hash": "633156ede6fe32efb7a0ddf3fd7b47af02ba3785",
	"title": "New Borat remote access malware is no laughing matter",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1141221,
	"plain_text": "New Borat remote access malware is no laughing matter\r\nBy Bill Toulas\r\nPublished: 2022-04-03 · Archived: 2026-04-05 23:15:48 UTC\r\nA new remote access trojan (RAT) named Borat has appeared on darknet markets, offering easy-to-use features to conduct DDoS attacks, UAC bypass, and ransomware deployment.\r\nAs a RAT, Borat enables remote threat actors to take complete control of their victim’s mouse and keyboard, access files and network points, and hide any signs of their presence.\r\nThe malware lets its operators choose their compilation options to create small payloads that feature precisely what they need for highly tailored attacks.\r\nhttps://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/\r\nPage 1 of 5\r\nBorat was analyzed by researchers at Cyble, who spotted it in the wild and sampled the malware for a technical study that revealed its functionality.\r\nSome of Borat's features (Cyble)\r\nExtensive features\r\nIt is unclear if the Borat RAT is sold or freely shared among cybercriminals, but Cyble says it comes in the form of a package that includes a builder, the malware’s modules, and a server certificate.\r\nFiles in the Borat RAT archive (Cyble)\r\nThe features of the trojan, each having its own dedicated module, include the following:\r\nKeylogging – monitor and log key presses and store them in a txt file\r\nRansomware – deploy ransomware payloads onto the victim’s machine and automatically generate a ransom note through Borat\r\nDDoS – direct garbage traffic to a target server by using the compromised machine’s resources\r\nAudio recording – record audio via the microphone, if available, and store it in a wav file\r\nWebcam recording – record video from the webcam, if available\r\nRemote desktop – start a hidden remote desktop to perform file operations, use input devices, execute code, launch apps, etc.\r\nReverse proxy – set up a reverse proxy to protect the remote operator from having their identity exposed\r\nDevice info – gather basic system information\r\nProcess hollowing – inject malware code into legitimate processes to evade detection\r\nCredential stealing – steal account credentials stored in Chromium-based web browsers\r\nDiscord token stealing – steal Discord tokens from the victim\r\nOther functions – disrupt and confuse the victim by playing audio, swapping the mouse buttons, hiding the desktop, hiding the taskbar, holding the mouse, turning off the monitor, showing a blank screen, or hanging the system\r\nMore of Borat's advertised features (Cyble)\r\nAs noted in Cyble’s analysis, the above features make Borat essentially a RAT, spyware, and ransomware, so it’s a potent threat that could conduct a variety of malicious activities on a device.\r\nAll in all, even though the RAT's developer decided to name it after the main character of the comedy movie Borat, incarnated by Sacha Baron Cohen, the malware is no joke at all.\r\nBy digging deeper trying to find the origin of this malware, Bleeping Computer found that the payload executable was recently identified as AsyncRAT, so it's likely that its author based his work on it.\r\nTypically, threat actors distribute these tools via laced executables or files that masquerade as cracks for games and applications, so be careful not to download anything from untrustworthy sources such as torrents or shady sites.\r\nSource: https://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/"
	],
	"report_names": [
		"new-borat-remote-access-malware-is-no-laughing-matter"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434155,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/633156ede6fe32efb7a0ddf3fd7b47af02ba3785.pdf",
		"text": "https://archive.orkl.eu/633156ede6fe32efb7a0ddf3fd7b47af02ba3785.txt",
		"img": "https://archive.orkl.eu/633156ede6fe32efb7a0ddf3fd7b47af02ba3785.jpg"
	}
}