{
	"id": "afc1111f-1db5-45fa-a28f-542653fcfd3e",
	"created_at": "2026-04-06T00:12:51.152852Z",
	"updated_at": "2026-04-10T03:20:05.336252Z",
	"deleted_at": null,
	"sha1_hash": "bb9bef2929e23a66ab6b1b871916064052c6efcb",
	"title": "Vxer is offering Cobian RAT in the underground, but it is backdoored",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 176873,
	"plain_text": "Vxer is offering Cobian RAT in the underground, but it is\r\nbackdoored\r\nBy Pierluigi Paganini\r\nPublished: 2017-09-01 · Archived: 2026-04-05 22:53:17 UTC\r\nA malware writer is offering for free a malware dubbed Cobian RAT in the\r\nunderground, but the malicious code hides an ugly surprise.\r\nIn the dark web, it is quite easy to find lone vxers and hacking forums that offer malware and customize it\r\naccording to buyers’ needs.\r\nRecently researchers from Zscaler have spotted a remote access trojan dubbed Cobian RAT that was\r\noffered for free in the underground. It is fairly elemental malicious code based on an old RAT known as njRAT; it\r\nimplements common spying features such as a keylogger, webcam hijacker, screen capturing and of course the\r\nability to execute attackers’ code on the victim’s system.\r\n“The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called\r\nCobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground\r\nforums where cybercriminals often buy and sell exploit and malware kits.” reads the analysis from Zscaler. “This\r\nRAT builder caught our attention as it was being offered for free and had a lot of similarities to the njRAT/H-Worm\r\nfamily, which we analyzed in this report.”\r\nUnfortunately, the Cobian RAT hides a malicious feature in an encrypted library: the code allows the author of the\r\nmalware to take full control of machines infected with the RAT.\r\nThe author could also use the code to completely cut off the crooks who initially infected the machine with\r\nthe Cobian RAT.\r\nThe malware researchers noticed that the backdoor module hidden in the Cobian builder kit communicates with a\r\npreset page on Pastebin that was managed by the original author. 
In this way, the malware gets the current address\r\nof the command and control servers run by the original writer, but it first checks for the presence of the second\r\nlevel operator online to avoid being detected.\r\nThe experts speculate the original author’s purpose is to build a massive botnet exploiting the effort of second level\r\noperators in spreading the Cobian RAT.\r\n“It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end\r\nuser, are getting duped themselves by the original author. The original author is essentially using a crowdsourced\r\nmodel for building a mega Botnet that leverages the second level operators’ Botnet.” concludes the analysis.\r\nPierluigi Paganini\r\n(Security Affairs – Cobian RAT, malware)\r\nSource: https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html"
	],
	"report_names": [
		"cobian-rat-backdoor.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb9bef2929e23a66ab6b1b871916064052c6efcb.pdf",
		"text": "https://archive.orkl.eu/bb9bef2929e23a66ab6b1b871916064052c6efcb.txt",
		"img": "https://archive.orkl.eu/bb9bef2929e23a66ab6b1b871916064052c6efcb.jpg"
	}
}