{
	"id": "57e5b386-3219-422e-965e-e6af88597eb4",
	"created_at": "2026-04-06T00:17:38.721278Z",
	"updated_at": "2026-04-10T13:12:33.923886Z",
	"deleted_at": null,
	"sha1_hash": "8dec98ec2e98fb5f01211dd50686b86682625463",
	"title": "Cobian RAT – A backdoored RAT | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1541082,
	"plain_text": "Cobian RAT – A backdoored RAT | Zscaler\r\nBy Abhay Kant Yadav, Atinderpal Singh, Deepen Desai\r\nPublished: 2017-08-31 · Archived: 2026-04-05 17:03:34 UTC\r\nIntroduction\r\nThe Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT\r\nsince February 2017. The RAT builder for this family was first advertised on multiple underground forums where\r\ncybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for\r\nfree and had a lot of similarities to the njRAT/H-Worm family, which we analyzed in this report.\r\nFigure 1: Cobian RAT command-and-control server application\r\nAs shown in Figure 1, the Cobian RAT control panel and features are similar to those of njRAT and H-Worm. It is noteworthy\r\nthat the author identified njRAT as the “theme.”\r\nCrowdsourcing botnet model?\r\nAs we analyzed the builder, we noticed a particularly interesting function: the builder kit is injected with a backdoor\r\nmodule which retrieves C\u0026C information from a predetermined URL (pastebin) that is controlled by the original author.\r\nThis allows the original author to control the systems infected by the malware payloads that were generated using this\r\nbackdoored builder kit.\r\nhttps://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat\r\nPage 1 of 7\n\nFigure 2: Crowdsourced botnet model – Cobian RAT\r\nAs shown in Figure 2, the original author of the RAT builder kit is relying on second-level operators to build the RAT\r\npayload and spread infections. Then, thanks to the backdoor module, the original author can take full control of infected\r\nsystems across all the Cobian RAT botnets in which the operators used the backdoored builder kit. 
The original author can\r\nalso change the C\u0026C server information configured by the second-level operators.\r\nEvading detection by malware operator\r\nDuring our analysis, we observed that when the machine name and username of the systems running the Cobian RAT\r\npayload (bot client) and the control server (bot C\u0026C server) are the same, the backdoor module will not be activated and no\r\ncommunication will be sent to the backdoor C\u0026C server.\r\nThe original author of the RAT builder is assuming that there will be some testing performed by the second-level operators\r\nand that they will most likely use the same system for both bot client and server applications (C\u0026C server of 127.0.0.1).\r\nTo hide the presence of the backdoor module, there will be no traffic generated from the bot client to the backdoor C\u0026C\r\nserver in this case.\r\nRecent in-the-wild Cobian RAT payload analysis\r\nWe saw a unique Cobian RAT payload hit our Cloud Sandbox from a Pakistan-based defense and telecommunication\r\nsolution website (potentially compromised). The executable payload was served inside a ZIP archive and was masquerading\r\nas a Microsoft Excel spreadsheet using an embedded icon, as shown in Figure 3.\r\nFigure 3: Cobian RAT payload masquerading as Microsoft Excel spreadsheet file\r\nThe executable payload is signed with an invalid digital certificate pretending to be from VideoLAN (Figure 4), creator of\r\nthe well-known VLC media player.\r\nFigure 4: Invalid digital certificate pretending to be from VideoLAN\r\nThe executable file is packed using a .NET packer with the encrypted Cobian RAT payload embedded in the resource\r\nsection. There is a series of anti-debugging checks performed by this dropper payload before decrypting the RAT and\r\ninstalling it on the victim’s system. 
The decompiled version of the RAT payload can be seen in Figure 5 below:\r\nFigure 5: Cobian RAT — unpacked and decompiled\r\nThe bot’s configuration details are present in Class B’s constructor as shown below:\r\nFigure 6: Bot configuration details\r\nThe bot attempts to create a MUTEX using the value of variable “VL” to ensure that only one instance of the bot is running.\r\nThe bot will proceed to create a copy of itself as %TEMP%/svchost.exe, execute that file, and terminate itself. The newly\r\nexecuted copy will create an autostart registry key to ensure persistence upon system reboot.\r\nThe bot contains many features that are also present in the njRAT, such as:\r\nKeylogger\r\nScreen capture\r\nWebcam\r\nVoice recorder\r\nFile browser\r\nRemote command shell\r\nDynamic plugins\r\nInstall/Uninstall\r\nNetwork C\u0026C activity\r\nThe bot will spawn two threads in the background, one of which will be responsible for ensuring persistence and taking\r\nscreenshots. The second thread will perform a regular check-in with the remote C\u0026C server. The function “Data” is\r\nresponsible for parsing the C\u0026C server’s response and executing bot commands on the infected system, which can be seen\r\nbelow:\r\nFigure 7: Bot “Data” function for parsing C\u0026C response\r\nThe C\u0026C server address is stored in the configuration function (Figure 6) as a base64-encoded string. The C\u0026C server for\r\nthe payload that we analyzed pointed to a dynamic DNS domain, swez111.ddns[.]net:20000. 
Upon successful connection,\r\nthe bot sends the following request to the C\u0026C server to register the infected system and get further instructions.\r\nEncrypted Data Sent\r\nLOGIN|-|SGFja184MDUwMTY=|-|ODc4NDEyQHVzZXI=|-|TWljcm9zb2Z0IFdpbmRvd3MgWFAgUHJvZmVzc2lvbmFs|-|No|-|1.0.40.7|-|Tm90ZXBhZA==|-|U0dGamExODRNRFV3TVRZPSxzd2V6MTExLmRkbnMubmV0LDIwMDAwLHN2Y2hvc3QuZXhlLHtKRjJOTVJBTC00NjcxMzgtUU0yVVRZLVF\r\n|2017-07-13\r\nDecrypted data:\r\nLOGIN|-|Hack_805016|-|878412@user|-|Microsoft Windows XP Professional|-|No|-|1.0.40.7|-|Notepad|-|SGFja184MDUwMTY=,swez111.ddns.net,20000,svchost.exe,{JF2NMRAL-467138-QM2UTY-QM2UTYHS87},TEMP,True,True,|-|2017-07-13\r\nPacket Format\r\nLOGIN|-|BotID|-|Machinename@Username|-|OS|-|CAM|-|RAT Version|-|Installation Data|-|Infection Date\r\nThe check-in packet includes information about the infected system such as machine name, username, operating system,\r\nBotID and configuration data of the payload installed, and the infection date.\r\nBelow is a complete list of commands that the Cobian RAT supported in the payload we analyzed.\r\nCommand  Purpose\r\nLg Keylogger\r\nSvr|-|@ Rename Bot/Campaign ID\r\nSvr|-|! 
Terminate bot process\r\nSvr|-|# Uninstall Bot\r\nSvr|-|~ Restart Bot\r\nSvr|-|$ Update C\u0026C list\r\nFLD Stress Tester (Flood using UDP or TCP Traffic)\r\nExecute Used to run executable or script from local disk or remote URL\r\nAc Send Active Window Title\r\nSc Send Screenshot\r\nmore|-|FM File Manager\r\nmore|-|SM System Manager\r\nmore|-|CP Remote Desktop\r\nmore|-|CM Remote Webcam\r\nmore|-|MC Microphone\r\nmore|-|NF Information\r\nmore|-|CH Chat\r\nmore|-|PS Password Stealer\r\nmore|-|PT PassTime (Send message box to infected machine)\r\nC\u0026C’s packet format\r\nCommand|-|subcommand|-|subcommand arguments (optional based on command)|-|command data\r\nConclusion\r\nCobian RAT appears to be yet another RAT that is spawned from the leaked njRAT code. It is ironic to see that the second-level\r\noperators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the\r\noriginal author. The original author is essentially using a crowdsourced model for building a mega botnet that leverages the\r\nsecond-level operators’ botnets.\r\nZscaler ThreatLabZ is actively monitoring this threat and will continue to ensure coverage for Zscaler customers.\r\nIndicators of Compromise\r\nMD5: 94911666a61beb59d2988c4fc7003e5a\r\nZip File MD5: 7eede7047d3d785db248df0870783637\r\nSource URL: belkomsolutions[.]com/t/guangzhou%20sonicstar%20electronics%20co%20ltd.zip\r\nC\u0026C: swez111.ddns[.]net:20000 (173.254.223.81)\r\nFileName: GUANGZHOU SONICSTAR ELECTRONICS CO. 
LTD.exe\r\nCompilation timestamp: 2017-07-11 03:53:14\r\nDigitally Signed: Vendor /C=FR/L=Paris/O=VideoLAN/CN=VideoLAN\r\nSigning Date: 11:24 AM 7/14/2017\r\nZscaler Cloud Sandbox IOCs\r\nSource: https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
	],
	"report_names": [
		"cobian-rat-backdoored-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8dec98ec2e98fb5f01211dd50686b86682625463.pdf",
		"text": "https://archive.orkl.eu/8dec98ec2e98fb5f01211dd50686b86682625463.txt",
		"img": "https://archive.orkl.eu/8dec98ec2e98fb5f01211dd50686b86682625463.jpg"
	}
}