{
	"id": "da86e21f-b78f-40d8-a193-0cbe70544f9a",
	"created_at": "2026-04-06T00:07:17.88326Z",
	"updated_at": "2026-04-10T13:11:55.181169Z",
	"deleted_at": null,
	"sha1_hash": "a87540f01590683eb969fc695b653c69b5b9fd79",
	"title": "T-RAT 2.0: Controlling Malware via Telegram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37965,
	"plain_text": "T-RAT 2.0: Controlling Malware via Telegram\r\nBy Karsten Hahn\r\nPublished: 2021-04-22 · Archived: 2026-04-05 19:38:49 UTC\r\nT-RAT has 98 commands. Instead of describing every single command within the main article, I categorized them into groups, which are explained below. The full command listing is in Appendix B.\r\n1. Menu navigation\r\nThese are commands to enter or exit certain modules, such as the file manager. They make control via smartphone more convenient.\r\n2. File manager\r\nT-RAT can navigate the file system, show information about drives and available space, list folder contents, and modify files and folders. It can also send files to the attacker. Interestingly, it mixes in Unix command names; e.g., the file listing is done with ls.\r\n3. Stealer\r\nThis module obtains passwords, cookies and autofill data from browsers, as well as session or config data of Telegram, Discord, Steam, Nord, Viber, Skype and FileZilla. Most of the data is either saved in text files beside the T-RAT executable or written to a ZIP archive in %TEMP%/winsys/ before being sent to Telegram.\r\n4. Clipper\r\nThe clipper checks the clipboard for coin addresses and replaces them, so that any digital currency is sent to the attacker's wallet instead. It supports Qiwi, WMR, WMZ, WME, WMX, Yandex money, Payeer, CC, BTC, BTCG, Ripple, Doge and Tron. The attacker uses the clipper commands to store their own address for each supported currency and to start or stop the clipper.\r\n5. Monitoring and spying\r\nEnables the attacker to run a keylogger, create screenshots, record audio via the microphone, take pictures via the webcam and send clipboard contents.\r\n6. Evasion\r\nT-RAT has various methods to bypass UAC, including Fodhelper, Cmstp, Cleanup and Computerdefaults. It can disable Windows Defender and SmartScreen notifications. 
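The following PowerShell triage script is an added example; it is not T-RAT code and not part of the original G DATA article. It checks a Windows host for configuration artifacts that the capabilities described in this section, and in the Disruption and Remote control sections that follow, would leave behind: the HKCU ms-settings handler hijack used by the Fodhelper and ComputerDefaults UAC bypasses, Windows Defender and SmartScreen settings, the Attachment Manager policies that mark .exe as low-risk and stop the Zone.Identifier from being written, Image File Execution Options Debugger values (distinguishing a missing debugger, which blocks the program, from an existing one, which redirects it), fDenyTSConnections, Remote Desktop Users membership, hosts file entries and the DisableTaskMgr policy. The registry paths and value names are the standard locations for each technique and were chosen here; the article does not state exactly which keys or values T-RAT writes, so a hit is a lead to confirm against the sample, not proof of infection.

```powershell
# Added triage example: not T-RAT code and not from the G DATA article.
# Looks for artifacts consistent with the techniques described in the text.
# Registry locations are the standard ones for each technique (assumption:
# the article does not say which keys T-RAT writes). Run as Administrator
# so the HKLM and local-group checks succeed.

$findings = New-Object 'System.Collections.Generic.List[string]'

function Get-RegValue {
    # Returns a registry value, or $null if the key or the value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Fodhelper / ComputerDefaults UAC bypass: both auto-elevating binaries
#    resolve the ms-settings handler from HKCU, which any user can write.
$msSettings = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
if (Test-Path -LiteralPath $msSettings) {
    $cmd = Get-RegValue $msSettings '(default)'
    $findings.Add("UAC bypass hijack key present: $msSettings -> '$cmd'")
}

# 2. Windows Defender and SmartScreen turned off via policy / Explorer settings.
$defPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if ((Get-RegValue $defPol 'DisableAntiSpyware') -eq 1) {
    $findings.Add("Defender disabled by policy: $defPol\DisableAntiSpyware = 1")
}
if ((Get-RegValue "$defPol\Real-Time Protection" 'DisableRealtimeMonitoring') -eq 1) {
    $findings.Add('Defender real-time monitoring disabled by policy')
}
$ss = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
if ($ss -eq 'Off') { $findings.Add('SmartScreen set to Off in Explorer settings') }

# 3. Attachment Manager policies: .exe marked low-risk, mark-of-the-web not saved.
$assoc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$lowRisk = Get-RegValue $assoc 'LowRiskFileTypes'
if ($lowRisk -and ($lowRisk -match '\.exe')) {
    $findings.Add("LowRiskFileTypes includes .exe: '$lowRisk'")
}
$attach = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
if ((Get-RegValue $attach 'SaveZoneInformation') -eq 1) {
    $findings.Add('SaveZoneInformation = 1: Zone.Identifier (mark-of-the-web) no longer written')
}

# 4. IFEO debugger entries. A debugger path that does not exist blocks the
#    program outright; one that does exist redirects it.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg.Trim()) {
        # First token of the value is the debugger executable (strip quotes).
        $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { $dbg.Trim().Split(' ')[0] }
        $exists = (Test-Path -LiteralPath $exe) -or ($null -ne (Get-Command $exe -ErrorAction SilentlyContinue))
        $kind = if ($exists) { 'redirect' } else { 'block (debugger missing)' }
        $findings.Add("IFEO on $($_.PSChildName): Debugger='$dbg' -> $kind")
    }
}

# 5. Hidden RDP: fDenyTSConnections = 0 plus a fresh Remote Desktop Users member.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
    $findings.Add('Remote Desktop connections enabled (fDenyTSConnections = 0)')
}
try {
    Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop | ForEach-Object {
        $findings.Add("Remote Desktop Users member: $($_.Name)")
    }
} catch { $findings.Add("Could not enumerate Remote Desktop Users: $($_.Exception.Message)") }

# 6. hosts file blocks and Task Manager policy.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -LiteralPath $hostsFile -ErrorAction SilentlyContinue | ForEach-Object {
    $line = $_.Trim()
    if ($line -and -not $line.StartsWith('#')) { $findings.Add("hosts entry: $line") }
}
$sysPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $sysPol 'DisableTaskMgr') -eq 1) { $findings.Add('Task Manager disabled by policy') }

if ($findings.Count -eq 0) { 'No artifacts found.' } else { $findings | ForEach-Object { "[!] $_" } }
```

The HKCU checks only see the hive of the user running the script; to triage other profiles, load their NTUSER.DAT hives or run the script in their context. Every Remote Desktop Users member is listed rather than filtered, because the account T-RAT creates has a randomized name and can only be recognized by comparing against the machine's known accounts and creation times.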
It can also disable various security settings: Association policies can be changed to set \".exe\" as a low-risk file extension, and ZoneIdentifiers (the mark-of-the-web) can be turned off. It has a check for sandboxes and virtual machines.\r\n7. Disruption\r\nThese commands kill processes, block websites via the hosts file, block or redirect programs by setting a debugger via Image File Execution Options (for blocking, the configured debugger is a path that does not exist, so the target program never starts), and disable the taskbar and the Task Manager.\r\n8. Remote control\r\nT-RAT provides a PowerShell or CMD terminal via Telegram. Remote control can also be done via HRDP or VNC.\r\nT-RAT runs the HRDP client named service\\in.exe, which resides in the executable's location. It then creates a new user account with a randomized name and password and sends the credentials to the attacker. It adds the newly created user to the Remote Desktop Users group and enables remote access by setting fDenyTSConnections to \"0\".\r\nThe VNC server is service\\winserv1.exe on 32-bit systems and service\\winserv2.exe on 64-bit systems.\r\nSource: https://www.gdatasoftware.com/blog/trat-control-via-smartphone",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/trat-control-via-smartphone"
	],
	"report_names": [
		"trat-control-via-smartphone"
	],
	"threat_actors": [],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a87540f01590683eb969fc695b653c69b5b9fd79.pdf",
		"text": "https://archive.orkl.eu/a87540f01590683eb969fc695b653c69b5b9fd79.txt",
		"img": "https://archive.orkl.eu/a87540f01590683eb969fc695b653c69b5b9fd79.jpg"
	}
}