{
	"id": "ffed99de-8267-4571-8e81-350bfb834760",
	"created_at": "2026-04-06T00:12:58.119662Z",
	"updated_at": "2026-04-10T03:31:44.450036Z",
	"deleted_at": null,
	"sha1_hash": "7d3c80bf625ae71775ae48aa351b761d82e4c3d3",
	"title": "Woody RAT: A new feature-rich malware spotted in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1748467,
	"plain_text": "Woody RAT: A new feature-rich malware spotted in the wild\r\nBy Mark Stockley\r\nPublished: 2022-08-02 · Archived: 2026-04-05 14:19:42 UTC\r\nThis blog post was authored by Ankur Saini and Hossein Jazi\r\nThe Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.\r\nThis advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and, more recently, Office documents leveraging the Follina vulnerability.\r\nBased on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK.\r\nIn this blog post, we will analyze Woody Rat’s distribution methods, capabilities, and communication protocol.\r\nDistribution methods\r\nBased on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.\r\nThe earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.\r\nThe following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild\r\nPage 1 of 12\n\nArchive files\r\nIn this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. 
Here are some examples of these archive files:\r\nanketa_brozhik.doc.zip: It contains Woody Rat with the same name: Anketa_Brozhik.doc.exe.\r\nzayavka.zip: It contains Woody Rat pretending to be an application (application for participation in the selection.doc.exe).\r\nFollina vulnerability\r\nThe threat actor is using a Microsoft Office document (Памятка.docx) that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The lure, written in Russian, is called “Information security memo” and provides security practices for passwords, confidential information, etc.\r\nWoody Rat Analysis\r\nThe threat actor has left some debugging information, including a pdb path from which we derived and picked a name for this new Rat:\r\nA lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as the parameter.\r\nAs we will see later, the malware uses multiple threads, so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request.\r\nDeriving the Cookie\r\nThe malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine-specific values. 
The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid any possible cookie collisions.\r\nA combination of the GetAdaptersInfo, GetComputerNameA and GetVolumeInformationW functions is used to retrieve the data required to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.\r\nData encryption with HTTP requests\r\nTo evade network-based monitoring, the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary; the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the BCryptImportKeyPair function.\r\nThe malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and the C2 then use these same bytes to generate the AES-CBC key using BCryptGenerateSymmetricKey, which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses BCryptEncrypt and BCryptDecrypt respectively.\r\nC2 HTTP endpoint requests\r\nknock – This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. 
This is a POST request, and its body contains the 32 random bytes used to derive the AES-CBC key, RSA-4096 encrypted.\r\nThe data received in response to this request is decrypted; it contains the URL path (/submit) to which the malware submits the additional machine information it generates after this operation.\r\nsubmit – This endpoint is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. Data sent via the submit API includes:\r\nOS\r\nArchitecture\r\nAntivirus installed\r\nComputer Name\r\nOS Build Version\r\n.NET information\r\nPowerShell information\r\nPython information (Install path, version etc.)\r\nStorage drives – includes Drive path, Internal name etc.\r\nEnvironment Variables\r\nNetwork Interfaces\r\nAdministrator privileges\r\nList of running processes\r\nProxy information\r\nUsername\r\nList of all the User accounts\r\nThe malware currently detects 6 AVs through Registry Keys; these AVs are Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.\r\nping – The malware makes a ping GET HTTP request to the C2 at regular intervals. If the C2 responds with “_CRY” then the malware proceeds to send the knock request again, but if the C2 responds with “_ACK” the response contains additional information about which command should be executed by the malware.\r\nThe malware supports a wide variety of commands, which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all these commands below.\r\nC2 Commands\r\nThe malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and a mutex. 
To dispatch a command it modifies the state of the event linked to that object. We should note that all the communications involved in these commands are AES encrypted.\r\n_SET Commands\r\nPING – This command is used to set the sleep interval between every ping request to the C2.\r\nPURG – Unknown command\r\nEXIT – Exit the command execution thread.\r\n_REQ Commands\r\nEXEC (Execute) – Executes the command received from the C2 by creating a cmd.exe process; the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using ReadFile from the named pipe, and then “_DAT” is appended to this data before it is AES encrypted and sent to the C2.\r\nUPLD (Upload) – The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as a file.\r\nINFO (Submit Information) – The INFO command is similar to the “submit” request above; this command sends the exact same information to the C2 as sent by the “submit” request.\r\nUPEX (Upload and Execute) – This is a combination of the UPLD and EXEC commands. The command first writes a file received from the C2 and then executes that file.\r\nDNLD (Download) – The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.\r\nPROC (Execute Process) – The PROC command is similar to the EXEC command with slight differences: here the process is executed directly instead of through cmd.exe as in the EXEC command. 
The command uses the named pipes in a similar fashion to the EXEC command.\r\nUPPR (Upload and Execute Process) – This is a combination of the UPLD and PROC commands. The command receives the remote file using the upload command, then executes the file using the PROC command.\r\nSDEL (Delete File) – This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.\r\n_DIR (List directory) – This can list all the files and their attributes in a directory supplied as an argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are:\r\nFilename\r\nType (Directory, Unknown, File)\r\nOwner\r\nCreation time\r\nLast access time\r\nLast write time\r\nSize\r\nPermissions\r\nSTCK (Command Stack) – This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple child commands, which are executed in the same order they are received by the malware.\r\nSCRN (Screenshot) – This command leverages Windows GDI+ to take a screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.\r\nINJC (Process Injection) – The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.\r\nPSLS (Process List) – Calls NtQuerySystemInformation with SystemProcessInformation to retrieve an array containing all the running processes. Information sent about each process to the C2:\r\nPID\r\nParentPID\r\nImage Name\r\nOwner\r\nDMON (Creates Process) – The command seems similar to PROC, with the only difference being that the output of the process execution is not sent back to the C2. 
It receives the process name from the C2 and executes it using CreateProcess.\r\nUPDM (Upload and Create Process) – Allows the C2 to upload a file and then execute it using the DMON command.\r\nSharpExecutor and PowerSession Commands\r\nInterestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named WoodySharpExecutor and WoodyPowerSession respectively. WoodySharpExecutor provides the malware the ability to run .NET code received from the C2. WoodyPowerSession, on the other hand, allows the malware to execute PowerShell commands and scripts received from the C2.\r\nWoodyPowerSession makes use of pipelines to execute these PS commands. The .NET DLLs are loaded by the malware and commands are executed via the methods present in these DLLs:\r\nWe will look at the commands utilising these DLLs below:\r\nDN_B (DotNet Binary) – This command makes use of the RunBinaryStdout method to execute a .NET assembly with arguments received from the C2. The code is received as an array of Base64 strings separated by the 0x20 character.\r\nDN_D (DotNet DLL) – This method provides the attacker a lot more control over the execution. An attacker can choose whether or not to send the console output back to the C2. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. 
The DLL loads the code, then finds and executes the method based on the other arguments received from the C2.\r\nPSSC (PowerSession Shell Command) – Allows the malware to receive a Base64-encoded PowerShell command and execute it.\r\nPSSS (PowerSession Shell Script) – This command allows the malware to load and execute a Base64-encoded PowerShell script received from the C2.\r\nPSSM (PowerSession Shell Module) – This command receives an array of Base64-encoded strings, one of which contains the module contents and the other the module name. These strings are decoded, and the module is imported into the command pipeline and then invoked.\r\nMalware Cleanup\r\nAfter creating the command threads, the malware deletes itself from disk. It uses the commonly known process hollowing technique to do so. It creates a suspended notepad process and then writes shellcode that deletes a file into the suspended process using NtWriteVirtualMemory. The entry point of the thread is set using NtSetContextThread, and then the thread is resumed. This leads to the deletion of the malware from disk.\r\nUnknown threat actor\r\nThis very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto Team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor.\r\nMalwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. 
We also already detected the binary payloads via our heuristic malware engines.\r\nIOCs\r\nWoodyRat:\r\n982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0\r\n66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b\r\nb65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a\r\n43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce\r\n408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e\r\n0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834\r\n5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80\r\n3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3\r\n9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d\r\nC2s:\r\nkurmakata.duckdns[.]org\r\nmicrosoft-ru-data[.]ru\r\n194.36.189.179\r\nmicrosoft-telemetry[.]ru\r\noakrussia[.]ru\r\nFollina Doc:\r\nПамятка.docx\r\nffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb\r\nFollina html file:\r\ngarmandesar.duckdns[.]org:444/uoqiuwef.html\r\nWoody Rat url:\r\nfcloud.nciinform[.]ru/main.css\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild"
	],
	"report_names": [
		"woody-rat-a-new-feature-rich-malware-spotted-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775791904,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d3c80bf625ae71775ae48aa351b761d82e4c3d3.pdf",
		"text": "https://archive.orkl.eu/7d3c80bf625ae71775ae48aa351b761d82e4c3d3.txt",
		"img": "https://archive.orkl.eu/7d3c80bf625ae71775ae48aa351b761d82e4c3d3.jpg"
	}
}