{
	"id": "cfe3570a-cc8a-4ef2-9cb0-0c765e8afd38",
	"created_at": "2026-04-06T00:10:10.970227Z",
	"updated_at": "2026-04-10T13:12:52.641011Z",
	"deleted_at": null,
	"sha1_hash": "6e6eea24dd718fe0424a74e59b42de5127663d37",
	"title": "The Rise of RatOn: From NFC heists to remote control and ATS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1859748,
	"plain_text": "The Rise of RatOn: From NFC heists to remote control and ATS\r\nPublished: 2024-10-01 · Archived: 2026-04-05 15:12:24 UTC\r\nRemote Access Trojans (RATs) are a popular commodity on the dark web, particularly when they offer full remote control of infected devices. Key features typically sought after include visual access to the device’s screen (in other words: screen casting), as well as a text-based interface that presents a pseudo-screen with textual descriptions of on-screen elements. The latter method offers more responsive and efficient control, as transmitting text consumes significantly fewer resources than streaming graphical data.\r\nWhile the concept of combining a RAT with an NFC relay attack isn’t entirely new, documented cases are rare. Instances where a trojan evolves from a basic NFC relay tool into a sophisticated RAT with Automated Transfer System (ATS) capabilities are virtually unheard of. That’s why the discovery of the new trojan RatOn by ThreatFabric MTI analysts is particularly noteworthy. RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality, making it a uniquely powerful threat.\r\nDiscovery\r\nWhile monitoring the activity of the NFSkate threat actor group, we came across a quite unique sample. What separated this sample from previous ones was that it was not just a standalone APK file, but part of a campaign involving several more unique applications.\r\nOur analysis of the campaign revealed a new, fully functional banking trojan with device/account takeover capabilities, targeting cryptocurrency wallet applications. 
Besides that, the malware can perform automated money transfers abusing one specific bank application, as well as perform ransom attacks using custom overlay pages and device locking.\r\nIn this report we will uncover the details of this previously unreported trojan, which we dubbed RatOn, based on the name the threat actors used for the group chat where they discussed the malware. We guess that RAT in the group name refers to Remote Access Tool or Trojan.\r\nAccording to our telemetry, the first related sample was assembled on 5 July 2025 and the latest on 29 August 2025. This means that the threat actor group has been focusing on new malware development for at least two months already. Some of the related samples still have minor detections on VirusTotal.\r\nInitial access\r\nhttps://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats\r\nPage 1 of 18\r\nAttackers registered domains with adult themes to infect victims. Such domains contained TikTok18+ in their name and directly hosted the malicious dropper application. There is no certainty on how exactly the attackers lure victims to visit such web sites. So far, we know that those pages targeted a Czech- and Slovak-speaking audience.\r\nTechnical details\r\nWe believe that the RatOn trojan was written from scratch: no code similarities were found with existing malware families. The account takeover and automated transfer features show that the threat actor knows the internals of the targeted applications quite well.\r\nRatOn was designed, like many modern Android bankers, as a multi-stage process and is distributed by infecting the victim using a dropper. The dropper, which is designed as a third-party software installer, will request permission from the victim to install applications from third-party sources. 
This step is needed to overcome the Android restrictions that prevent applications installed from third-party sources from abusing Accessibility services.\r\nIf the victim grants the permission to install other applications, the dropper will create a WebView with a hardcoded URL, exporting the installApk function to that web page. The web page can call the installApk function if the victim presses the corresponding button.\r\nThe JavaScript code with the Install button which calls the function exported by the dropper.\r\nLeft: the web page which calls the installApk function. Right: the result of the installApk call.\r\nThe installApk function will create an install session which opens the second-stage payload APK file from the assets of the dropper and installs that application onto the system.\r\nWhen the installation is finished, the dropper will execute the payload using a hardcoded package name and activity name:\r\nAfter the successful installation, the second-stage payload will be executed, and it will immediately ask for two main permissions that are crucial for performing fraud on the device: Accessibility service access and Device Admin privilege. To ask for Accessibility, another WebView will be opened with a URL ending in the path “access”. The page at that URL consists of code with a button that triggers the function “ask Accessibility” exported from the payload, which will ask the victim to grant Accessibility service access. 
\r\nIn the final step, the trojan will ask for the permissions to read/write contacts and to manage system settings. RatOn will then automatically accept the corresponding permissions by abusing the previously obtained Accessibility access. The system settings management permission is needed for changing the ringtone.\r\nFrom this moment on, the trojan will work in the background, analyzing the current foreground state of the device using the Accessibility API and sending the screen state to the control server.\r\nAt the same time, the second-stage payload is not the final payload: there was another one, which could be either dropped by the second-stage payload or downloaded from the web. This third-stage payload is the NFSkate malware, which was originally designed to perform NFC relay attacks against the victim’s banking card.\r\nOverlay attacks\r\nUpon reception of the corresponding command from the operator, the trojan can show overlay pages. Two types of overlays are supported:\r\nOverlay using a specified URL which hosts an HTML page with JavaScript.\r\nOverlay using a specified HTML chunk.\r\nBoth types of overlays are hosted on the control server as templates. We were able to obtain one such template (Czech and English were supported) and it looked like a ransom note. 
We believe that such a note could be used in two ways: to force the victim to open the cryptocurrency apps so that the unlock PIN is captured by the trojan (and used in further fraud steps), or to force the victim to pay immediately.\r\nBoth types of overlays are created using a WebView, either by providing the URL or by providing the corresponding HTML code.\r\nAutomated money transfers\r\nRatOn is capable of automated money transfers (ATS) using the Accessibility services API. We have identified only one targeted financial institution: a bank in the Czech Republic. The threat actors demonstrated a deep understanding of how the financial application is designed from the graphical point of view. We will describe how the attack plays out step by step.\r\nThe command “transfer” is received. This command should contain a JSON object with the payment receiver details: receiver address, bank account number, payment amount and receiver name.\r\nThe trojan will launch the bank application and initiate a payment by auto-clicking on application interface elements one by one. In some cases the trojan will search for the interface element by name; in other cases it will perform a click using hardcoded coordinates. 
It will search for interface elements which have the following texts:\r\nElement text in Czech | Translation to English\r\nNová platba | New payment\r\nZadat platbu | Enter payment\r\nNový příjemce | New recipient\r\nDomácí číslo účtu | Domestic account number\r\nDalší | Next\r\nOdeslat | Send\r\nAno, pokračovat | Yes, continue\r\nZaplatit | Pay\r\nHotovo | Done\r\nIt’s important to note that in one of the last steps the trojan will automatically type in the digital PIN code to confirm the transaction. Such a PIN code is supposed to have been intercepted in earlier stages of the fraud.\r\nBefore the transfer, attackers can check the transaction limit, and adjust it if necessary, using two different commands: “check_limit” and “limit”. This is done the same way: by starting the bank application and searching for the limit-related interface elements.\r\nWe assume that “Domestic account number” means that the threat actor group has a mule network either residing in the Czech Republic or that a customer of this bank is involved.\r\nCryptocurrency wallet attacks\r\nRatOn has functionality that can help attackers perform account takeover attacks against cryptocurrency wallets. The following applications are supported:\r\nMetaMask (io.metamask)\r\nTrust (com.wallet.crypto.trustapp)\r\nBlockchain.com (piuk.blockchain.android)\r\nPhantom (app.phantom)\r\nUpon the corresponding command, RatOn can launch the targeted cryptocurrency wallet app, unlock it using the stolen PIN code, click on interface elements related to the security settings of the app and, in the final step, reveal the secret phrases. The keylogger component will record the revealed data and send it to the control server. 
The threat actor will then be able to use the wallet on their own device.\r\nIt is interesting to note that for wallet applications four languages were supported: English, Russian, Czech and Slovak.\r\nBot commands\r\nThe list of commands supported by RatOn is extensive. Each command comes as a JSON object and contains a command ID and command properties.\r\nCommand | Description\r\nsend_push | Show a fake push notification.\r\nscreen_live | Start sending the current screen state.\r\nfinish | Stop the dropper and show a clean URL (for example google.com).\r\nphantom | Open the Phantom crypto wallet app, auto-type the PIN code and extract recovery phrases.\r\ntxt_screen | Send the current screen state once.\r\nscreen_lock | Change the screen-off timeout to the specified value.\r\nsound_mode | Set ringer mode to normal.\r\nkeypad | Turn on Keypad mode, used for entering a PIN code; correction is also possible with the “del” subcommand.\r\nWhatsApp | Launch WhatsApp.\r\ntint | Increase/decrease screen brightness.\r\napp_inject | Change the list of targeted financial applications.\r\ninject | Change the overlays configuration.\r\nblockchain | Launch the Blockchain.com app, auto-type the PIN code and extract the recovery phrase.\r\ntrust | Launch the Trust: Crypto \u0026 Bitcoin Wallet app, auto-type the PIN code and extract the recovery phrase.\r\nreplace_buffer | Change the current clipboard text to the specified value.\r\nupdate_device | Send the list of installed apps with the device fingerprint.\r\nsend_sms | Send an SMS message using Accessibility.\r\nFacebook | Launch Facebook.\r\nsound | Download and play an mp3 file.\r\nset_sound | Download an mp3 file and set it as the ringtone.\r\nmetamask | Launch the MetaMask app, unlock it with the provided password and extract the recovery phrase.\r\nnfs | Drop/download, install and run the NFSkate APK 
file.\r\nnfs_inject | Launch the NFSkate malware, providing it the corresponding overlay HTML page.\r\ntransfer | Perform an automated money transfer using George Česko.\r\nhome | Simulate a Home button click.\r\ncheck_limit | Check the money transfer limit inside George Česko.\r\nlimit | Change the transfer limit inside George Česko to the specified value.\r\nblock_off | Turn off active overlays.\r\nblock | Turn on a WebView overlay with the specified URL.\r\noverlay | Turn on an overlay with the specified text.\r\naccess_tint | Check if the overlay permission was granted; if not, launch the permission request window.\r\nlock | Lock the device using Device administrator access.\r\nexpire_password | Set the current device unlock PIN/pattern/password to expired. The victim will have to change it immediately, so it can be intercepted by the attacker.\r\ndisable_keyguard | Force the victim to unlock the device using a PIN/pattern or password instead of biometric authentication.\r\nback | Simulate clicking the Back button.\r\nrecents | Simulate clicking the Recent apps button.\r\npower | Wake up the device.\r\ntouch | Perform a tap at the specified coordinates.\r\nget_name | Reveal the victim's name associated with the currently active Google account.\r\nadd_contact | Create a contact using the specified name and phone number.\r\nswipe | Perform a swipe using the specified coordinates.\r\ndisplay | Turn screen casting on/off.\r\nrecord | Launch the screen-casting permission window and start screen casting.\r\nConclusion\r\nWe are confident that the RatOn threat actor group has made significant progress in extending the functionality of the NFSkate malware by adding remote access and automated transfer capabilities. 
The RatOn malware already provides sufficient functionality to carry out various forms of mobile fraud as well as ransomware attacks. However, the addition of ransomware features seems somewhat redundant given the presence of automated transfer capabilities.\r\nOur analysis suggests that the threat actor group initially targeted the Czech Republic, with Slovakia likely being the next country of focus. The reason behind concentrating on a single banking application remains unclear. However, the fact that automated transfers require local bank account numbers suggests that the threat actors may be collaborating with local money mules.\r\nAt the same time, attacks targeting cryptocurrency wallets further enhance the effectiveness of this Trojan on a global scale.\r\nIndicators of Compromise\r\nControl server domains:\r\nmarvelcore[.]top\r\nevillab[.]world\r\nwww-core[.]top\r\ntiktok18[.]world\r\nSHA256 file 
hashes:\r\nSource: https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats"
	],
	"report_names": [
		"the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats"
	],
	"threat_actors": [],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e6eea24dd718fe0424a74e59b42de5127663d37.pdf",
		"text": "https://archive.orkl.eu/6e6eea24dd718fe0424a74e59b42de5127663d37.txt",
		"img": "https://archive.orkl.eu/6e6eea24dd718fe0424a74e59b42de5127663d37.jpg"
	}
}