{
	"id": "1b7ad036-0c8f-458e-9e74-73395da8702e",
	"created_at": "2026-04-06T00:13:01.058696Z",
	"updated_at": "2026-04-10T13:11:48.63153Z",
	"deleted_at": null,
	"sha1_hash": "6f74220d165f0e7a2d99706d65bacfc14b6d3a41",
	"title": "DynamicRAT — A full-fledged Java Rat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3685045,
	"plain_text": "DynamicRAT — A full-fledged Java Rat\r\nBy Gi7w0rm\r\nPublished: 2023-06-09 · Archived: 2026-04-05 15:08:50 UTC\r\nHello everyone, welcome back to one of my sporadic blog posts. Due to some fortunate circumstances, I finally\r\nhave the honor to name my very first malware family. Here is how it happened:\r\nOn Tuesday, 06.06.2023, I was notified by one of my infosec colleagues, Fate, about a strange “.jar” file he had\r\nfound in his network. While execution had been prevented by the AV, the file did stick out, because when\r\nlooking at its strings, Fate had noticed several substrings that contained the word “attack”:\r\nhttps://gi7w0rm.medium.com/dynamicrat-a-full-fledged-java-rat-1a2dabb11694\r\nPage 1 of 18\r\nFigure 1: String “attack” all over the binary\r\nCurious as to what was going on, he submitted the binary to the online sandbox Tria.ge: https://tria.ge/230605-21yt4sbb33\r\nFigure 2: Activity as seen in Triage\r\nOddly enough, despite receiving a rating of 7/10, there was not much activity going on. The binary only spawned\r\none additional process (netsh.exe) and there was only a single request to the IP address 178.18.255.246 on port\r\n24464. Compared to other malware we have observed in the last years, this is actually a pretty quiet execution.\r\nHowever, when Fate showed me this process tree, I immediately got intrigued. The command “netsh wlan show\r\nnetworks mode=bssid”, which this binary executed, is actually used to show all available Wifi networks which\r\nare received by the Windows device where the command is executed. I could only think of a few reasons why a\r\nbinary should execute such a command and none of them involved a random Java file from the internet. 
I,\r\ntherefore, decided to have a look at the binary myself.\r\nThe good thing about Java binaries (.jar) is that Java is an interpreted language. Contrary to compiled languages,\r\nsuch as C or C++, most binaries in interpreted languages can be decompiled into their original source code. So I\r\ndecided to use an online Java decompiler and have a first look at the insides of the strange binary:\r\nFigure 3: Main folder structure\r\nAs you can see, I was greeted by 6 different folders, all having pretty standard names. Nothing indicative of evil\r\ngoing on. I started to go through the folders one by one until I suddenly discovered a very interesting folder:\r\nFigure 4: RAT main\r\nThere is a lot to unpack here, but what caught my eye straight away is the folder “hvnc”. For those of you who\r\ndon’t know, HVNC is an abbreviation of Hidden Virtual Network Computing, a term well-known to the malware\r\ncommunity. In its essence, Hidden Virtual Network Computing is a way to implement the VNC protocol, a\r\nprotocol used for remotely accessing computer devices, in a way that does not get noticed by the remote-controlled device. Basically, if you are infected, it allows the attacker, who might be far away from your actual\r\ndevice, to see everything on your screen and fully control it as if sitting right in front of it themselves. To me, it\r\nwas evident from this point on that I was dealing with some sort of malware. 
This theory was also backed up by\r\nanother finding that Fate shared with me around this time: the infection vector.\r\nThe malware had entered his network via a .html e-mail attachment called “Mary1099-businesstax.html” which\r\nupon opening downloaded a .zip file named “W2_and_1095A.zip”. Inside the .zip file, there was a single\r\nexecutable called “W2_and_1095A_PDF.jar”. This attachment, once executed, had then reached out to\r\nhttp[:]//giulianilex[.]com/178.jar and downloaded the jar file we were currently looking at. This is definitely not a\r\nbenign way of installing software.\r\nFigure 5: the download functionality inside the .html attachment\r\nA full graph representation of the attack can be seen below:\r\nGraph 1: Execution Graph of this DynamicRAT campaign\r\nFrom this point on, we started to find out more about the malware’s capabilities, its functionality, and if it was\r\nrelated to any publicly known malware. Luckily, the RAT came without any kind of obfuscation, while the Loader\r\nbinary had been obfuscated with Allatori Obfuscator v5.3 DEMO. 
It is unclear why the threat actor decided\r\nagainst obfuscating the RAT too, but despite not being obfuscated, it only scored a detection of 5/61 AV solutions\r\nupon initial submission to VirusTotal.\r\nThrough further investigation of the different folders, class files, and Java files, I compiled a list of capabilities\r\nassociated with this malware (disclaimer, I might have missed something):\r\n## General Features:\r\n- Get OS details\r\n- detect if running in VM\r\n- get installed Java version\r\n- get system language, ping, processor info, totalMemory\r\n- HVNC\r\n- DDoS (with a focus on Minecraft servers)\r\n- use victim camera\r\n- use victim microphone\r\n- get victim geolocation\r\n- proxy capabilities (set proxy, get proxy list)\r\n- File Explorer (including upload, download, create, hide, destroy files)\r\n- screen recorder\r\n- keylogger\r\n- remote shell\r\n- get clipboard data\r\n- play sound on victim's device\r\n- create a custom message box on victim's device\r\n- download additional plugins and dependencies\r\n- kill running processes\r\n- eject CD\r\n- disable input\r\n- disconnect, reconnect and uninstall the RAT\r\n- browse any provided URL using victim's browser\r\n- tamper with network data using WinDivert\r\n## Windows-specific features\r\n- Registry Manager\r\n- cause a Bluescreen of Death\r\n- shutdown, reboot, crash device\r\n- batch file creator\r\n- steal account data (Chromium \u0026 Firefox based browsers, FileZilla, WinSCP,\r\n4 different Discord clients, several different Minecraft clients)\r\n- steal cookies\r\n- get Wifi data (local Wifi networks in range)\r\n- ask for Admin Privileges\r\n- minimize and close open application windows and get foreground window\r\n- disable Task Manager\r\n- disable Run window\r\n- disable Windows Defender (through registry)\r\n- bypass UAC on startup\r\n## Linux-specific features\r\n- destroy machine 
command (via rm -rf /*)\r\n## OSX-specific features\r\n- destroy machine command (via rm -rf /*)\r\nAs you can see, the malware has a thorough list of capabilities allowing for full control of the victim's device.\r\nHowever, there seems to be a heavy focus on functionalities targeting the Windows operating system, with some\r\nfunctionalities, such as the ones for stealing credentials, having explicit statements in the code that they are only\r\nsupported on Windows devices. I will not be able to go into full detail on every observed feature. However, I want\r\nto point out some of the features that stuck out to me in the following sections.\r\nFirst of all, DynamicRAT has a Windows-specific configuration class, which can be seen in the image below:\r\nFigure 6: Windows config class\r\nAs can be seen, there are a lot of different configurations which can be set by the malware operator. However, it is\r\nalso important to note the “autostartName”, “autostartPath” and “startupFolderName” variables, as they show that\r\nthe malware will try to take the cover of the legitimate Notepad++ application on the victim's device. Those\r\nindicators can be used to hunt for this specific malware binary. While many of the other configs are self-explanatory, let's have a look at the “vmDetect” capabilities:\r\nFigure 7: VM detection\r\nThe VM detection is done via a WMI command querying for the computer system model. If the returned string\r\ncontains the words “VirtualBox”, “DELL” or “VMWare Virtual Platform”, the function returns true. 
Depending\r\non the chosen configuration this can later lead to the malware stopping execution with a custom error message\r\nseen in the below code snippet:\r\nFigure 8: Custom error when executing in VM and the right config is set\r\nAnother feature that stuck out to me was the network tamper functionality. While I did not fully understand what\r\nthe intent of this functionality is, it stuck out for me because, to implement it, the malware actually includes\r\nseveral Windows drivers and DLLs inside its resources.\r\nFigure 9: Included libraries\r\nThe following screenshot gives an idea of how those libraries are used in the code:\r\nFigure 10: Network tamper class — booleans\r\nSidenote: I would be really happy if someone were to take up on this to explain what this capability is used for :)\r\nAnother interesting functionality of DynamicRAT is its capability to download and install dependencies. (I do\r\nthink there is a functionality to download new modules as well, but I could not fully prove it.) 
The following code\r\nis used to download and install dependencies:\r\nFigure 11: dynamically download and install dependencies\r\nThe ModuleUtils.class does also contain a downloading functionality, which is the main reason I think that\r\nadditional modules can be loaded by the malware:\r\nFigure 12: Download functionality with hardcoded UserAgent\r\nWhile further sifting through the different capabilities of the malware, I also found this particular file in the malware’s core\r\ndirectory:\r\nFigure 13: DynamicRAT Core\r\nThis is also the reason why I name this threat DynamicRAT, as it seems to be the name given by the author(s)\r\nthemselves.\r\nBut let's get back to the many “attack” strings noticed by Fate. Indeed, those strings are related to the vast DDoS\r\ncapabilities presented by the malware. Interestingly, there is a strong focus on game-related infrastructure here,\r\nwith Minecraft servers seeming to be the main target. There is also a TeamSpeak3 DDoS attack included.\r\nFigure 14: DDoS capabilities\r\nInterestingly enough, this focus on Minecraft and gaming-related targeting can also be observed in\r\nDynamicRAT’s stealer capabilities, with the stealer being able to target 7 different Minecraft clients and 4\r\ndifferent Discord clients in addition to the more common stealing capabilities as described in the list of\r\ncapabilities at the beginning of this post. At this point, it is also important to note that there are references in the\r\nmalware in regards to further stealing capabilities which are not yet implemented. 
It is therefore very likely that\r\nthe creator of the malware is still working on adding new features. Stolen information is saved into a .zip file and\r\nthen sent to the C2 server.\r\nWith this being said, there are only two more features I want to highlight right now. The first is the malware\r\nconfiguration file and how it is parsed in the malware.\r\nInside the resource section of the Java binary, there is a file called “assets.dat”. This file is AES encrypted with a\r\ndefault Java crypto implementation. Upon executing the malware, the Main class executes the following function:\r\nFigure 15: main load config\r\nThis function in turn calls the below code to decrypt and load the configuration:\r\nFigure 16: decrypt and load config\r\nSadly, despite trying to reimplement this algorithm myself, I was not able to decrypt the assets file. I continuously\r\ngot errors with Input Length and as I am not sure how extracting the asset file might have changed the bytes in it, I\r\ndecided to give up for now. I will update this article with a working decryptor if I should be able to create one\r\n(see Update 09.06.2023).\r\nLast but not least, there is only one further function of DynamicRAT I want to highlight. Remember the “netsh”\r\nexecution from Tria.ge which actually got me curious about this sample? Well, here it is:\r\nFigure 17: netsh wlan data extraction\r\nTurns out the malware indeed uses it to query for all Wifi networks around the target. 
Besides, the malware also\r\nseems to be able to do its own initiated Wifi queries via the native Windows “wlanapi”.\r\nConclusion:\r\nTogether with Fate I discovered a new Java-based RAT called DynamicRAT. The malware is currently delivered\r\nvia e-mail attachments using a tax-based scheme. Fate and I have observed at least one governmental agency as a\r\ntarget. With its vast array of functionalities, DynamicRAT allows for full control of infected devices. This includes\r\nfile and credential stealing, HVNC and proxy access, a self-made Registry Editor, DDoS capabilities, and the\r\npossibility of listening to and viewing the victim via their own webcam and microphone. C2 traffic is encrypted and\r\nfrom several source code snippets, it seems the malware is still being developed. A low detection rate of only 5/61\r\nAV engines despite not being obfuscated suggests the need for detection improvements. Luckily, in this case the\r\ndefender's deployed AV solution was able to prevent execution.\r\nIoC:\r\nHashes:\r\nMary1099-businesstax.html\r\n0b283193f0e2c3d9fe8e07ecb1716b869581d73fdf9b9fc18130fa15c244e48d\r\nW2_and_1095A.zip\r\nbf93e1ceb17206a742dd4f85700ef75f55ad76b04ca8a601c4d2a515151840aa\r\nW2_and_1095A_PDF.jar\r\n149599673311b49302568fcde7dc7ef95e0d37bba1316b88cafb5c68f56e7f1c\r\n178.jar\r\n41a037f09bf41b5cb1ca453289e6ca961d61cd96eeefb1b5bbf153612396d919\r\nassets.dat\r\n149599673311b49302568fcde7dc7ef95e0d37bba1316b88cafb5c68f56e7f1c\r\nWinDivert32.dll\r\n625ffdd95bfabff32d0e8a95beabcd303c01c8bba73b90402d4e84d6e15dd8e5\r\nWinDivert32.sys\r\n625ffdd95bfabff32d0e8a95beabcd303c01c8bba73b90402d4e84d6e15dd8e5\r\nWinDivert64.dll\r\n6110bfa44667405179c3e15e12af1b62037e447ed59b054b19042032995e6c7e\r\nWinDivert64.sys\r\n6110bfa44667405179c3e15e12af1b62037e447ed59b054b19042032995e6c7e\r\nNetwork Artifacts:\r\nInitial .zip 
download:\r\nhxxps[:]//smionsa.web[.]app/W2_and_1095A.zip\r\nSecond Stage (DynamicRAT)\r\nhttp[:]//giulianilex[.]com/178.jar\r\nC2 Server (DynamicRAT)\r\n178.18.255[.]246:24464\r\nArtifacts:\r\nautostartName = “Notepad++”;\r\nautostartPath = “Roaming\\\\Notepad++\\\\plugins\\\\npp-start-module.jar”;\r\nstartupFolderName = “jre-8-startup-manager.jar”;\r\n“User-Agent”, “Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2”\r\nAdditional IoC:\r\nPivoting on the different artifacts in this article has resulted in a list of further related IoCs. You can find them on\r\nmy Github:\r\nhttps://github.com/Gi7w0rm/MalwareConfigLists/blob/main/DynamicRAT/IoC.txt\r\nUpdate 09.06.2023:\r\nA working DynamicRAT configuration decryptor by my Twitter colleague RussianPanda can now be found here:\r\nhttps://github.com/RussianPanda95/Configuration_extractors/blob/main/DynamicRAT_config_decrypt.py\r\nThe reason I was unable to create this is that DynamicRAT's config decryptor skips the first 4 bytes of the\r\nextracted assets.dat file, probably because they only contain the length of the file. I did not consider this at the\r\ntime of writing but it does explain the “wrong Input size” errors.\r\nThank you for reading my post! If you like what you just read, consider sending me a tip for future CTI Projects:\r\nhttps://ko-fi.com/gi7w0rm.\r\nUntil next time. Cheers ❤\r\nSource: https://gi7w0rm.medium.com/dynamicrat-a-full-fledged-java-rat-1a2dabb11694",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gi7w0rm.medium.com/dynamicrat-a-full-fledged-java-rat-1a2dabb11694"
	],
	"report_names": [
		"dynamicrat-a-full-fledged-java-rat-1a2dabb11694"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f74220d165f0e7a2d99706d65bacfc14b6d3a41.pdf",
		"text": "https://archive.orkl.eu/6f74220d165f0e7a2d99706d65bacfc14b6d3a41.txt",
		"img": "https://archive.orkl.eu/6f74220d165f0e7a2d99706d65bacfc14b6d3a41.jpg"
	}
}