{
	"id": "7cd4b203-df7e-48a5-a801-aa4cb3165642",
	"created_at": "2026-04-06T00:09:33.384461Z",
	"updated_at": "2026-04-10T03:31:50.188984Z",
	"deleted_at": null,
	"sha1_hash": "70a331b9aa736310ae58ec1f3949e07c25f59729",
	"title": "Analyst’s Brief: Moonrise RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 546710,
	"plain_text": "Analyst’s Brief: Moonrise RAT\r\nBy Scarlet Shark\r\nPublished: 2026-03-12 · Archived: 2026-04-05 22:50:04 UTC\r\nMar 12, 2026\r\nBy Alec Dhuse\r\nMoonrise RAT is a 64-bit Windows binary compiled in Golang designed for stealthy persistence, information\r\ntheft, and comprehensive remote control of infected Windows systems.\r\nKey Capabilities\r\n● Persistent Surveillance: Real-time keylogging, clipboard monitoring, webcam capture, and microphone access.\r\nhttps://blog.scarletshark.com/analysts-brief-moonrise-rat-bfbea85ae62a\r\nPage 1 of 5\n\n● Victim Profiling: Detection of the operating system, hostname, external IP address, and user ID.\r\n● Crypto-Theft: Dedicated code designed to identify and manipulate cryptocurrency addresses, likely enabling\r\nthe malware to replace a victim’s wallet address with the attacker’s during a transaction.\r\n● Interactive Control: The malware maintains a persistent WebSocket connection, allowing attackers to push\r\ncommands instantly.\r\n● System Sabotage: In addition to surveillance capabilities, the malware includes disruptive functions such as\r\ntriggering a Blue Screen of Death, shutting down the infected machine, and an unidentified voltage drop function.\r\nOverview\r\nMoonrise RAT is particularly interesting because it differs from many other malware families that rely on multiple\r\nlayers of packing to evade antivirus software. 
Instead, it leverages the inherent complexity of the Go runtime to\r\nserve as a barrier against reverse engineering and static antivirus analysis.\r\nThe use of WebSockets for real-time, bidirectional communication is also noteworthy.\r\nAlthough Moonrise RAT initially avoided static detection, its persistent WebSocket connection to a hard-coded C2\r\nendpoint creates opportunities for network-level detection, even when the file itself may not trigger traditional\r\nantivirus alerts.\r\nMoonrise RAT also attempts to establish a permanent foothold on infected machines. It copies itself to a hidden or\r\nless scrutinized directory, such as the user’s %APPDATA% folder, often using a deceptive filename, and then\r\ncreates a Run key entry in the Windows Registry to maintain persistence.\r\nPotential Impacts\r\nMoonrise RAT’s information-stealing functionality is likely to lead to account compromises for services with\r\nactive sessions or stored credentials on the infected device. Cryptocurrency theft, through manipulation of\r\ntransaction destination addresses, is also a likely outcome.\r\nOutlook\r\nMoonrise RAT was initially detected in mid-February and had a very low detection rate. 
Shortly after, Any.Run\r\npublished its initial report on the malware, and security vendors updated their detection rules.\r\nThe creators of Moonrise RAT will likely modify the malware to evade current detection methods and establish a\r\nnew command-and-control infrastructure to bypass network-based threat intelligence feeds.\r\nDetection Resources\r\nMoonrise RAT Detection YARA Rule\r\nrule Moonrise_RAT_20260311 {\r\n meta:\r\n description = \"Detects Moonrise RAT malware based on unique functional and behavioral strings.\"\r\n author = \"Alec Dhuse\"\r\n date = \"2026-03-12\"\r\n hash = \"082fdd964976afa6f9c5d8239f74990b24df3dfa0c95329c6e9f75d33681b9f4\"\r\n malware = \"Moonrise RAT\"\r\n strings:\r\n // Function-name strings left in the unpacked Go binary\r\n $func1 = \"fun_bsod\"\r\n $func2 = \"fun_shutdown\"\r\n $func3 = \"voltage_drop\"\r\n $func4 = \"screenshot\"\r\n // WebSocket C2 library strings\r\n $ws1 = \"websocket\" ascii wide\r\n $ws2 = \"gorilla/websocket\" ascii\r\n condition:\r\n // MZ header: only consider PE files\r\n uint16(0) == 0x5A4D and\r\n (\r\n (3 of ($func*)) or\r\n (all of ($ws*) and 2 of ($func*))\r\n )\r\n}\r\nVictim Locations Based on VirusTotal Telemetry:\r\nCanada\r\nFrance\r\nGermany\r\nIndia\r\nIreland\r\nJapan\r\nNetherlands\r\nPhilippines\r\nRussia\r\nSingapore\r\nUnited Arab Emirates\r\nUnited Kingdom\r\nUnited States\r\nIndicators of Compromise (IoCs)\r\nCommand and Control Server IPs\r\n193.23.199[.]88\r\n108.165.164[.]57\r\nSHA-256 File Hashes\r\ned5471d42bef6b32253e9c1aba49b01b8282fd096ad0957abcf1a1e27e8f7551\r\n0a3343645c8c8cc4d83200ff351bb5a5d03e4ae6cfef902ea62963f0cf8d1849\r\n37889bef6df21a8f4df770aaf461e99e27e695908bb2cd0f8987dc202be075ed\r\nTactics, Techniques, and Procedures (TTPs)\r\nDefense Evasion\r\nT1027 — Obfuscated Files or Information\r\nDiscovery\r\nT1016 — System Network Configuration Discovery\r\nT1033 — System Owner/User Discovery\r\nT1057 — Process Discovery\r\nT1082 — System Information Discovery\r\nCollection\r\nT1056 — Input Capture\r\nT1115 — Clipboard Data\r\nT1123 — Audio Capture\r\nT1125 — Video Capture\r\nCredential Access\r\nT1056 — Input Capture\r\nCommand and Control\r\nT1071 — Application Layer Protocol\r\nImpact\r\nT1657 — Financial Theft\r\nAdditional Reporting on Moonrise RAT\r\nhttps://any.run/cybersecurity-blog/moonrise-rat-detected/\r\nhttps://evalian.co.uk/inside-a-new-malware-trojan-moonrise/\r\nSource: https://blog.scarletshark.com/analysts-brief-moonrise-rat-bfbea85ae62a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.scarletshark.com/analysts-brief-moonrise-rat-bfbea85ae62a"
	],
	"report_names": [
		"analysts-brief-moonrise-rat-bfbea85ae62a"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f87ef0bf-0574-492f-aebc-63e5953938e2",
			"created_at": "2024-11-23T02:00:04.116692Z",
			"updated_at": "2026-04-10T02:00:03.779803Z",
			"deleted_at": null,
			"main_name": "Gorilla",
			"aliases": [],
			"source_name": "MISPGALAXY:Gorilla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775791910,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70a331b9aa736310ae58ec1f3949e07c25f59729.pdf",
		"text": "https://archive.orkl.eu/70a331b9aa736310ae58ec1f3949e07c25f59729.txt",
		"img": "https://archive.orkl.eu/70a331b9aa736310ae58ec1f3949e07c25f59729.jpg"
	}
}