{
	"id": "a639d484-b6fe-493c-a393-8a2d33706b67",
	"created_at": "2026-04-06T00:10:13.846713Z",
	"updated_at": "2026-04-10T03:20:30.546761Z",
	"deleted_at": null,
	"sha1_hash": "9e55f5a3b3867da3b9ee0e90f3acebf47cc5c842",
	"title": "MagicRAT (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29540,
	"plain_text": "MagicRAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:32:21 UTC\r\nAccording to Talos, MagicRAT is programmed in C++ programming language and uses the Qt Framework by\r\nstatically linking it to the RAT on 32- and 64-bit versions. The Qt Framework is a programming library for\r\ndeveloping graphical user interfaces, of which this RAT has none. Talos thinks that the objective was to increase\r\nthe complexity of the code, thus making human analysis harder. On the other hand, since there are very few\r\nexamples (if any) of malware programmed with Qt Framework, this also makes machine learning and heuristic\r\nanalysis detection less reliable. The RAT uses the Qt classes throughout its entire code. The configuration is\r\ndynamically stored in a QSettings class eventually being saved to disk, a typical functionality provided by that\r\nclass.\r\nMagicRAT provides the operator with a remote shell on the victim's system for arbitrary command execution,\r\nalong with the ability to rename, move and delete files on the endpoint. The operator can determine the timing for\r\nthe implant to sleep, change the C2 URLs and delete the implant from the infected system.\r\n[TLP:WHITE] win_magic_rat_auto (20251219 | Detects win.magic_rat.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat"
	],
	"report_names": [
		"win.magic_rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434213,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e55f5a3b3867da3b9ee0e90f3acebf47cc5c842.pdf",
		"text": "https://archive.orkl.eu/9e55f5a3b3867da3b9ee0e90f3acebf47cc5c842.txt",
		"img": "https://archive.orkl.eu/9e55f5a3b3867da3b9ee0e90f3acebf47cc5c842.jpg"
	}
}