{
	"id": "8984e1b6-ae6f-4172-9e91-8ae1fc6bb218",
	"created_at": "2026-04-06T00:22:10.948823Z",
	"updated_at": "2026-04-10T03:21:06.420659Z",
	"deleted_at": null,
	"sha1_hash": "91bce8338de804b13fef7c6936b7ad14ea787acb",
	"title": "CinaRAT Resurfaces With New Evasive Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1079461,
	"plain_text": "CinaRAT Resurfaces With New Evasive Techniques\r\nBy Nadav Lorber\r\nArchived: 2026-04-05 18:56:32 UTC\r\nIn this post, we cover the CinaRAT loader’s evasive tactics, techniques, and procedures (TTPs), as identified and prevented\r\nby Morphisec’s zero-trust endpoint security solution powered by Moving Target Defense technology.\r\nWe review different versions of multi-staged loaders that attempt to inject and execute CinaRAT within a victim’s host\r\nmemory. CinaRAT code is available on GitHub for download; generally it’s just a rebranded QuasarRAT.\r\nWe focus on the evasive components that allowed attackers to sustain zero detection for such a long period of time\r\n(VirusTotal).\r\nTechnical Analysis\r\nFirst stage: ISO/VBS script\r\nOur investigation begins with a Visual Basic script identified in a customer environment. We observed its delivery through\r\nan ISO archive file.\r\nThe script implements reflective loading, persistence, and evasion functionality.\r\nThe first step is a reflective loading of a remote .NET DLL executable, usually from a GitHub user account represented by\r\nan image download.\r\nFigure 1:The image download\r\nAs soon as the image is downloaded and loaded into memory, it’s written into a startup folder using an advanced method:\r\nIn order to copy itself into the autoruns, the script calls “NameSpace(7).Self.Path” which retrieves the autoruns path. This is\r\na unique technique which isn’t often used for malware delivery.\r\nFigure 2: NameSpace(7) usage\r\nThe obfuscation method for each version is different. 
Within each version the attacker changes the comment in each code line so they can avoid hash detection.\r\nFigure 3: Comment as a dynamic artifact\r\nAn interesting note is that the string technique utilized in the “GMR” variable evades VirusTotal when it is parsed.\r\nhttps://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques\r\nPage 1 of 8\n\nFigure 4: VirusTotal content parsing\r\nThese are the main changes between Visual Basic script versions:\r\n- Obfuscation, mainly splitting strings:\r\nFigure 5: Part of a split string\r\n- An “If” condition within the PowerShell in order to validate that the payload was successfully downloaded\r\n- Different payloads with different URLs\r\nThe following table lists a few examples that correlate the download URL to the file path saved on the victim host, along with our internal version numbering.\r\nInternal version | Download URL | Local file path\r\nV1 | hxxps://raw.githubusercontent[.]com/githubaccountz/z/main/a.png | C:\\Users\\Public\\Music\\a.jpg\r\nV1.1 | hxxps://raw.githubusercontent[.]com/githubuser2x/x/master/New.jpg | C:\\Users\\Public\\Music\\xt.jpg\r\nV1.1 + V2 | hxxps://raw.githubusercontent[.]com/githubuser2x/aws/main/Img.jpg | C:\\Users\\Public\\Music\\xt.jpg\r\nV3 | hxxps://raw.githubusercontent[.]com/githubuser2x/x/blob/master/One.html | C:\\Users\\Public\\Documents\\One.htm\r\nSecond stage: .NET loader\r\nAs described in the previous stage, the Visual Basic script delivers a second .NET file.\r\nThe purpose of this .NET file is to decode the final stage .NET CinaRAT payload and inject it into a legitimate Windows process using process hollowing. This is done with several evasion techniques in order to avoid detection, including by AI-based engines.\r\nThe RAT payload resides in a base64 encoded string that, during execution, is decoded and XORed with a hard-coded string as the key. 
Once the .NET DLL decodes the RAT, it hollows a legitimate process image in memory and injects the RAT into it.\r\nbyte[] array = bxx.fhghjhhfgddg(Convert.FromBase64String(bxx.xxxz), \"!@#$%^\u0026*(gfgghgj)_)*gjgj^$#GJgjgjgjNHGH%^*(\u0026^$#$$%\u0026\");\r\nFigure 6: The XOR decoding routine in V2\r\nWe observed four different versions along with four subversions between December 8, 2020, and February 2, 2021. The attacker updated the evasion techniques from version to version in order to avoid detection.\r\nThe following table lists the different internal versions along with the first seen date, either from the attacker’s GitHub or from the VirusTotal submission.\r\nLoader internal version | GitHub date | VirusTotal date\r\nV1 | | December 8, 2020\r\nV1.1 | December 18, 2020 | December 20, 2020\r\nV2 | | December 24, 2020\r\nV2.1 | December 24, 2020 | December 31, 2020\r\nV2.2 | January 16, 2021 | Was not submitted\r\nV3 | January 23, 2021 | January 27, 2021\r\nV4 | January 22, 2021 | January 25, 2021\r\nV4.1 | February 1, 2021 | February 3, 2021\r\nCode Pattern\r\nIn each version the code pattern is different, but the execution flow stays the same except for minor changes. Here are a few examples:\r\n- The called method convention is the same in all of the versions (axx.bxx.cxx()) except V4 ([WorkArea.Work]::Exe()).\r\n- In V1 and V2, the base64 encoded string is loaded from a variable, while in V3 and V4 it’s loaded from a number of functions whose return values are joined together to form the string.\r\n- The XOR key is the same in all of the versions except in V4.\r\nVersion | Key\r\nV1 – V3 | !@#$%^\u0026*(gfgghgj)_)*gjgj^$#GJgjgjgjNHGH%^*(\u0026^$#$$%\u0026\r\nV4 | !@#$%%\u0026*(*))_D!@#DasHF\r\nFigure 7: Encoded payload chunk from V4.1\r\nCode Obfuscator\r\nThe attacker obfuscated the code using an unregistered version of 
Eziriz .NET Reactor, although in V2 and V3 it seems they either switched to a registered version or discarded the remnant code, as the fingerprint string shown below was not there anymore. In V4 the attacker did not implement any obfuscator, but in V4.1 the obfuscation was implemented again with the “unregistered” remnant code.\r\nFigure 8: Fingerprint string\r\nCode Masquerading\r\nFrom V1.1, the attacker added legitimate namespaces from popular .NET libraries to the loader. This evasion technique tries to disguise the loader as a legitimate .DLL in order to avoid analysis. It’s also possible this technique can bypass AV solutions that implement whitelist rules on chunks from those .NET libraries. The following table lists a few examples of libraries that were used.\r\nVersion | Libraries\r\nV1 | None\r\nV1.1 | Newtonsoft Json.NET\r\nV2.1 | RestSharp + DiscUtils\r\nFigure 9: Some of the namespaces in V2\r\nAnalyzing the submission dates and the first detection dates on all of the loaders in VirusTotal suggests the code masquerading technique succeeds in bypassing AV solutions.\r\nThird stage: RAT Payload\r\nWe have observed four different versions of RAT payloads. The first one used was QuasarRAT 1.4, while later on CinaRAT 1.0.1.1 was used instead with some modifications. 
For the C2 domain, the attacker mostly used a dynamic DNS service from myq-see[.]com.\r\nThe following table correlates the observed RAT version with the C2 domain and loader version.\r\nRAT version | Loader internal version | C2 domain\r\nQuasarRAT 1.4 | V1 | server.homesbill[.]com\r\nCinaRAT 1.0.1.1 variant A | V1.1 | aptzebi.myq-see[.]com\r\nCinaRAT 1.0.1.1 variant A | V1.1 + V2 | aptzebi.myq-see[.]com\r\nCinaRAT 1.0.1.1 variant A | V2.1 | aptzebi0.myq-see[.]com\r\nCinaRAT 1.0.1.1 variant A | V2.1 + V2.2 | mahost.myq-see[.]com\r\nCinaRAT 1.0.1.1 variant B | V3 | aptzebi3.myq-see[.]com\r\nCinaRAT 1.0.1.1 variant B | V4 | aptzebi3.myq-see[.]com\r\nCinaRAT 1.0.1.1 variant C | V4.1 | zebi4.myq-see[.]com\r\nFigure 10: RAT configuration example from V4.1\r\nConclusion\r\nMorphisec prevents CinaRAT attacks with a zero-trust default-deny approach to endpoint security, powered by Automated Moving Target Defense. Morphisec customers are thus protected from CinaRAT, regardless of the evasive techniques an attacker deploys to bypass EDR and NGAV solutions.\r\nIOCs\r\nVB Scripts (Stage 1)\r\nSHA256 | Internal version\r\n.NET Loader (Stage 2)\r\nSHA256 | Internal version\r\nAbout the author\r\nNadav Lorber\r\nSecurity Research Tech Lead\r\nNadav Lorber is a leader on Morphisec’s cutting-edge threat research team. He began his career in threat intelligence in 2013, where he was a SOC Specialist for the Israeli government’s military intelligence department. Since joining Morphisec, Nadav has helped uncover key insights on topics like Jupyter Infostealer, Log4j, and the Snip3 crypter.\r\nSource: https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques"
	],
	"report_names": [
		"cinarat-resurfaces-with-new-evasive-tactics-and-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91bce8338de804b13fef7c6936b7ad14ea787acb.pdf",
		"text": "https://archive.orkl.eu/91bce8338de804b13fef7c6936b7ad14ea787acb.txt",
		"img": "https://archive.orkl.eu/91bce8338de804b13fef7c6936b7ad14ea787acb.jpg"
	}
}