{
	"id": "f0dc6fd6-bad5-4cad-b82a-60c78c780c74",
	"created_at": "2026-04-06T00:14:30.550504Z",
	"updated_at": "2026-04-10T03:20:07.664601Z",
	"deleted_at": null,
	"sha1_hash": "76a34f6d5bf5af60d294ee1d0f367255943bd74c",
	"title": "Parallax: The New RAT on the Block",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1535473,
	"plain_text": "Parallax: The New RAT on the Block\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 18:19:30 UTC\r\nFollowing the increase in Parallax RAT campaigns (the new RAT on the block), Morphisec Labs decided to release more technical details on some of the latest campaigns that the Morphisec Preemptive Cyber Defense Platform intercepted and prevented on our customers’ sites.\r\nParallax is an advanced remote access trojan that supports all Windows OS versions. It is capable of bypassing advanced detection solutions, stealing credentials and executing remote commands, and it has also been linked to several coronavirus-themed malware campaigns.\r\nParallax is mostly delivered through malicious spam campaigns, with Microsoft Word documents as the delivery vehicle of choice, as described in the rest of this post.\r\nTechnical Details\r\nBefore we dive into the details, we would like to cover the general flow of one of the attack chains we investigated.\r\nGeneral Flow:\r\nThe first stage in this campaign is a Microsoft Word document with embedded macros. When macros are enabled, a DLL is dropped to the %Temp% directory. The export function of this DLL is then invoked, and it injects shellcode into the “Notepad.exe” process. That process is responsible for downloading the next stage, the Parallax RAT loader, from pastebin.\r\nThe Parallax RAT loader does similar things in order to execute the final Parallax RAT payload. It injects shellcode into the “mstsc.exe” process, which is responsible for downloading the next stage from “i.imgur.com” in the form of a picture. It then decrypts the picture and injects the result into the “cmd.exe” process.
As part of its persistence mechanism, scheduled tasks are created to launch the malware at various intervals.\r\nhttps://blog.morphisec.com/parallax-rat-active-status\r\nPage 1 of 8\n\nFigure 1 — The infection process tree\r\nFigure 2 — The Parallax working directory\r\nFigure 3 — A downloaded image from Imgur\r\nFirst Stage:\r\nDocument:\r\nBelow is one example of a Microsoft Word document that is used to deliver Parallax RAT. Note the low detection rate according to VirusTotal. Morphisec Labs has seen these documents delivered via phishing emails to targeted machines since January 2020.\r\nFigure 4 — The low detection rate in VirusTotal\r\nThe content of the document is designed to lure the victim into enabling macros. Once that is done, the dropper macro runs and the chain that delivers the RAT begins.\r\nFigure 5 — Document content seems unreadable.\r\nIf we look at the embedded macros, we can see that there are two interesting calls in between the garbage code.\r\nFigure 6 — Macro call to dropper function.\r\nThese calls are responsible for parsing the words in the document itself and converting them back into a DLL, the 64-bit and 32-bit versions respectively. The words (numbers) in the document are actually the DLL split into decimal values.
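The decimal-word trick is easy to reverse. The following is an added Python example, written for this page and not the macro from the document or Morphisec’s code, that does what the dropper function described here does: given the document’s words, a start and an end position and an output name, it rebuilds the bytes and writes them to %temp%. It goes one step beyond the macro with a helper that finds the encoded run on its own, which is what an analyst needs before the start and end arguments are known. Assumptions: the two markers are word indices (end exclusive), and the document text below is constructed and carries only a fake MZ header.

```python
import os
import re
import tempfile

# Constructed sample (not from a real document): a few words of lure text
# around a short run of byte values that begins with the 'MZ' PE signature.
SAMPLE_DOC_TEXT = (
    "invoice details 77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 "
    "184 0 0 0 0 0 0 0 64 0 0 0 thank you"
)

# Precompiled: a word is a candidate byte when it is 1..3 digits and <= 255.
_BYTE_WORD = re.compile(r"\d{1,3}")


def _is_byte_word(word):
    return bool(_BYTE_WORD.fullmatch(word)) and int(word) <= 255


def words_to_bytes(doc_text, start, end):
    """Rebuild bytes from words[start:end] (assumed: word indices, end exclusive).
    Every word in the range must be a value 0..255, exactly as the macro relies
    on; a non-byte word means the range is wrong, so fail loudly."""
    out = bytearray()
    for word in doc_text.split()[start:end]:
        if not _is_byte_word(word):
            raise ValueError(f"non-byte word inside range: {word!r}")
        out.append(int(word))
    return bytes(out)


def find_encoded_range(doc_text):
    """Analyst helper (not part of the macro): return (start, end) of the
    longest run of byte-valued words, which is where the embedded DLL sits."""
    words = doc_text.split()
    best = (0, 0)
    run_start = None
    for i, word in enumerate(words + [""]):  # sentinel closes a trailing run
        if _is_byte_word(word):
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best[1] - best[0]:
                best = (run_start, i)
            run_start = None
    return best


def drop_dll(doc_text, start, end, dll_name, _unused4=None, _unused5=None):
    """Same five-argument shape as the dropper call: two range markers, an
    output name, two ignored arguments. Writes to %TEMP% and returns the path."""
    data = words_to_bytes(doc_text, start, end)
    path = os.path.join(tempfile.gettempdir(), dll_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    start, end = find_encoded_range(SAMPLE_DOC_TEXT)
    blob = words_to_bytes(SAMPLE_DOC_TEXT, start, end)
    print(start, end, blob[:2], len(blob))
```

Feed it the body text extracted from a sample. If words_to_bytes raises ValueError the chosen range includes a non-numeric word, so the markers are off by at least one word; find_encoded_range gives the range to compare against.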
The first two arguments passed to the function mark the start and the end of the DLL within the document text, the third argument is the name under which the DLL is dropped in the %temp% folder, and the fourth and fifth are garbage and never used.\r\nWe found the same behavior in other documents with different names, as well as the same garbage code and the same number of unused arguments.\r\nFigure 7 — The export function is invoked\r\nThe DLL export function is invoked after parsing completes.\r\nSecond Stage:\r\nDLL:\r\nThe invoked DLL export function is responsible for decoding a shellcode that injects the next-stage shellcode into a Notepad.exe process.\r\nFigure 8 — The invoked DLL export function\r\nFirst Stage Shellcode\r\nIn order to hide its use of the low-level Nt* and Zw* functions for process hollowing injection, the shellcode uses direct syscalls. Attackers use this technique to escape debugger breakpoints as well as to evade userland hooks. Because the copy of ntdll already loaded in the process may carry such hooks, Parallax maps its own fresh copy of ntdll into memory and reads the syscall numbers from there.\r\nFigure 9 — Parallax maps its own ntdll copy to memory.\r\nAfter the new copy of ntdll is mapped, Parallax extracts each system call number by reading it at a fixed offset inside the function’s opcode bytes.\r\nFigure 10 — Syscall extraction from suspicious functions.\r\nFigure 11 — Direct syscall invocation.\r\nNote that direct syscalls only defeat userland hooks: the calls still pass through the kernel, and a syscall instruction executing from outside the ntdll image, or a second mapping of ntdll.dll inside one process, are both worth alerting on.\r\nInjected Shellcode\r\nThe injected shellcode (usually injected into Notepad.exe) is responsible for downloading and decoding Parallax RAT from pastebin.\r\nFigure 12 — Pastebin raw content\r\nThe pastebin content is decoded using base64 and then XORed with a key that is generated by running the CRC32 checksum function over the pastebin URL.\r\nFigure 13 — The decoding routine.\r\nThe decoded Parallax payload is then dumped and executed from the %temp% directory.
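To show what reading the syscall number “at a fixed offset inside the opcode” means in practice, here is an added Python example. It is not Parallax’s code and the stub bytes are constructed, not copied from any ntdll: they are laid out like the x64 Nt* prologue (mov r10, rcx; mov eax, imm32) and the 32-bit prologue (mov eax, imm32; mov edx, ...; call edx). The service numbers 0x55 and 0x3A and the WOW64 call address are made up. The extractor refuses a stub whose prologue has been overwritten by a jmp, which is what a userland hook leaves behind and the reason the malware reads a freshly mapped copy instead of the one already loaded.

```python
import struct

# Constructed x64 stub, byte layout of a Windows 10 Nt* function (SSN made up).
X64_CLEAN = bytes.fromhex(
    "4c8bd1"            # mov r10, rcx
    "b855000000"        # mov eax, 0x55      <- system service number
    "f604250803fe7f01"  # test byte ptr [7FFE0308h], 1
    "7503"              # jne +3
    "0f05"              # syscall
    "c3"                # ret
    "cd2e"              # int 2Eh
    "c3"                # ret
)

# Same stub after a userland hook: the first 5 bytes replaced by jmp rel32.
X64_HOOKED = bytes.fromhex("e911223344") + X64_CLEAN[5:]

# Constructed 32-bit (WOW64-style) stub; SSN and call target are made up.
X86_CLEAN = bytes.fromhex(
    "b83a000000"        # mov eax, 0x3A      <- system service number
    "ba0070d377"        # mov edx, <Wow64SystemServiceCall> (made-up address)
    "ffd2"              # call edx
    "c21000"            # ret 10h
)


def extract_ssn(stub):
    """Return the system service number encoded in an Nt*/Zw* stub, or None
    when the bytes do not look like an unhooked stub.

    x64: bytes 0..2 must be 4C 8B D1 (mov r10, rcx) and byte 3 must be B8,
         so the imm32 sits at offset 4.
    x86: byte 0 must be B8, so the imm32 sits at offset 1.
    Anything else, e.g. the E9 a hook plants, is rejected."""
    if len(stub) >= 8 and stub[:3] == b"\x4c\x8b\xd1" and stub[3] == 0xB8:
        return struct.unpack_from("<I", stub, 4)[0]
    if len(stub) >= 5 and stub[0] == 0xB8:
        return struct.unpack_from("<I", stub, 1)[0]
    return None


def syscall_table(exports):
    """Map Nt*/Zw* export names to SSNs, skipping exports whose stub cannot
    be parsed (hooked, or simply not a syscall stub)."""
    table = {}
    for name, stub in exports.items():
        if not name.startswith(("Nt", "Zw")):
            continue
        ssn = extract_ssn(stub)
        if ssn is not None:
            table[name] = ssn
    return table


# Constructed export maps standing in for a fresh ntdll mapping and for the
# already-loaded, hooked one. Export names are real; the stubs are not.
EXPORTS_FROM_FRESH_COPY = {
    "NtAllocateVirtualMemory": X64_CLEAN,
    "RtlInitUnicodeString": b"\x48\x83\xec\x28",  # not a syscall stub
}
EXPORTS_FROM_HOOKED_COPY = {"NtAllocateVirtualMemory": X64_HOOKED}

if __name__ == "__main__":
    print(syscall_table(EXPORTS_FROM_FRESH_COPY))   # fresh copy: number found
    print(syscall_table(EXPORTS_FROM_HOOKED_COPY))  # hooked copy: nothing
```

The same check works the other way round for a defender: walk the exports of the ntdll that is actually loaded in a process and any Nt* stub that does not parse has been patched by something.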
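The decoding routine, as an added Python example written for this page (it is neither the shellcode nor the gist linked below). The page gives the two steps, base64 and then XOR with a CRC32-derived key; the exact key layout is an assumption here: the 32-bit checksum of the URL bytes packed little-endian and repeated across the buffer. The paste body and URL below are constructed, so the block includes the encode direction to build them. The recover_payload helper goes beyond the page: it tries several candidate URL strings and accepts the first that yields an MZ header, which is the check an analyst wants when it is unclear whether the shellcode hashed the raw/ URL or some other variant.

```python
import base64
import binascii
import struct


def crc32_key(url):
    """XOR key derived from the paste URL.
    Assumption: CRC32 of the URL bytes, packed as 4 little-endian bytes (the
    page only says the key is generated with CRC32 over the pastebin URL)."""
    return struct.pack("<I", binascii.crc32(url.encode("ascii")) & 0xFFFFFFFF)


def xor_bytes(data, key):
    """Repeating-key XOR; it is its own inverse, so it serves both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_paste(raw_text, url):
    """Step 1: base64-decode the paste body. Step 2: XOR with the URL key."""
    return xor_bytes(base64.b64decode(raw_text), crc32_key(url))


def encode_paste(payload, url):
    """Inverse of decode_paste; used here only to build the constructed sample."""
    return base64.b64encode(xor_bytes(payload, crc32_key(url))).decode("ascii")


def recover_payload(raw_text, candidate_urls):
    """Analyst helper (goes beyond the page): the shellcode hashes one exact
    URL string, and from a memory dump it is not always obvious which variant
    (with or without raw/, trailing slash, ...). Try each candidate and keep
    the first whose output starts with the PE 'MZ' signature."""
    for url in candidate_urls:
        blob = decode_paste(raw_text, url)
        if blob[:2] == b"MZ":
            return url, blob
    return None, None


# Constructed sample (not a real paste): a fake PE header encrypted under a
# made-up paste URL.
SAMPLE_URL = "https://pastebin.com/raw/AAAAAAAA"
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 12 + b"PE\x00\x00"
SAMPLE_PASTE = encode_paste(SAMPLE_PAYLOAD, SAMPLE_URL)

if __name__ == "__main__":
    candidates = ["https://pastebin.com/AAAAAAAA", SAMPLE_URL]
    url, blob = recover_payload(SAMPLE_PASTE, candidates)
    print(url, blob[:4])
```

If none of the candidates produces an MZ header, the key layout assumption (endianness, or the checksum rendered as text rather than raw bytes) is the next thing to vary, not the URL.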
Vitali K covered the loader and image decoder that make up Parallax RAT, while the pastebin decoder is available on GitHub at https://gist.github.com/osipovar/a80e8b6b3caad209f17616761530302b\r\nConclusion\r\nThis new Parallax RAT campaign is indicative of the trend toward Malware-as-a-Service (MaaS), one of the most pernicious weapons in the arsenal of threat actors. It is also the trend that has largely driven the level of innovation in malware available to cybercriminals. Despite this, Morphisec customers can remain confident that they are protected against Parallax RAT and other remote access trojans through the power of Automated Moving Target Defense.\r\nAppendix\r\nIOCs:\r\nDoc (SHA1):\r\n2b2eaf94189d21b7a4418ff480fa332832aa0d98\r\ne793d2e0ac963357dc7895f62071c1036eba8284\r\ne440f67ca7d34be0f7346013d078072f64774e8c\r\n45df85b3fe8954099cd49fdc5d59863baf1e6b76\r\n40efa7e40846c5041e33ecd3396082a160f8d72c\r\nb4d8a4470ed1dc1dec7cf62c6d0bada7ca1fed21\r\n242c71fda9c05f89730204361ff6a21cdae025e7\r\n2ab5bae45055e0c18ac9f0ccc190f6f277dc806f\r\nff8c49fbfb3da3a8e84bc332e646e4df3f3f6760\r\n50c623fab59258300680f3dd0447cf3815498d89\r\n161820606da9b7949dd45b93fe39b07b01bd973e\r\n2fb1a63a3505427e42323bafef10349cc48b2a8b\r\n420d9ffc0a760c40ca2e8ea480b8e268225a07f2\r\n1dc94d5d49cd4ab215f291d188544a4996c05654\r\n8642f6bb8b1db4c3adaad1c90167430f28536362\r\nPastebin:\r\nhxxps://pastebin[.]com/raw/2spx5VGG\r\nhxxps://pastebin[.]com/raw/5PiLyRjs\r\nhxxps://pastebin[.]com/raw/5UNceFha\r\nhxxps://pastebin[.]com/raw/aKj2aqwc\r\nhxxps://pastebin[.]com/raw/AvEEMK9J\r\nhxxps://pastebin[.]com/raw/BTiRSV6C\r\nhxxps://pastebin[.]com/raw/BXBbPstB\r\nhxxps://pastebin[.]com/raw/cpfstw2k\r\nhxxps://pastebin[.]com/raw/CuUTrPX0\r\nhxxps://pastebin[.]com/raw/drvV1FPJ\r\nhxxps://pastebin[.]com/raw/EnTPcdwc\r\nhxxps://pastebin[.]com/raw/exs0tSC7\r\nhxxps://pastebin[.]com/raw/FAUCzPvi\r\nhxxps://pastebin[.]com/raw/eYRSb32g\r\nPNG:\r\nhxxps://i.imgur[.]com/02OZh3h.png\r\nhxxps://i.imgur[.]com/KPolbR1.png\r\nhxxps://i.imgur[.]com/s9Nu51u.png\r\nhxxps://i.imgur[.]com/bnFTfnL.png\r\nhxxps://i.imgur[.]com/B4MGZog.png\r\nhxxps://i.imgur[.]com/swnDCdS.png\r\nhxxps://i.imgur[.]com/H0RNHhb.png\r\nhxxps://i.imgur[.]com/4lQl9FZ.png\r\nhxxps://i.imgur[.]com/8kZ4rhJ.png\r\nhxxps://i.imgur[.]com/FGfZfCf.png\r\nhxxps://i.imgur[.]com/82WDYmV.png\r\nhxxps://i.imgur[.]com/aNQrMu1.png\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at Black Hat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/parallax-rat-active-status",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.morphisec.com/parallax-rat-active-status"
	],
	"report_names": [
		"parallax-rat-active-status"
	],
	"threat_actors": [],
	"ts_created_at": 1775434470,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76a34f6d5bf5af60d294ee1d0f367255943bd74c.pdf",
		"text": "https://archive.orkl.eu/76a34f6d5bf5af60d294ee1d0f367255943bd74c.txt",
		"img": "https://archive.orkl.eu/76a34f6d5bf5af60d294ee1d0f367255943bd74c.jpg"
	}
}