{
	"id": "0a1af271-718a-49d2-92fc-047d6b93ae19",
	"created_at": "2026-04-06T00:08:19.829526Z",
	"updated_at": "2026-04-10T03:22:49.652578Z",
	"deleted_at": null,
	"sha1_hash": "bf8391bfd7e1b9fc308b757b01658afbea4daea2",
	"title": "Parallax RAT: Common Malware Payload After Hacker Forums Promotion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1620781,
	"plain_text": "Parallax RAT: Common Malware Payload After Hacker Forums\r\nPromotion\r\nBy Lawrence Abrams\r\nPublished: 2020-02-13 · Archived: 2026-04-02 10:45:27 UTC\r\nA remote access Trojan named Parallax is being widely distributed through malicious spam campaigns that when installed\r\nallow attackers to gain full control over an infected system.\r\nSince December 2019, security researcher MalwareHunterTeam has been tracking the samples of the Parallax RAT as they\r\nhave been submitted through VirusTotal and other malware submissions services.\r\nBeing offered for as low as $65 a month, attackers have started to heavily use this malware to gain access to a victim's\r\ncomputer to steal their saved login credentials and files or to execute commands on the computer.\r\nhttps://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/\r\nPage 1 of 7\n\nhttps://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/\r\nPage 2 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nThe attackers can then use this stolen data to perform identity theft, gain access to online bank accounts, or further spread\r\nthe RAT to other victims.\r\nParallax sold on hacker forums\r\nSince early December 2019, the Parallax RAT has been sold on hacker forums where the developers are promoting the\r\nsoftware and offering support.\r\nIn their pitch to would-be buyers, the \"Parallax Team\" is promoting their product as having 99% reliability and being\r\nsuitable for both professionals and beginners.\r\n\"Parallax RAT had been developed by a professional team and its fully coded in MASM.\r\nIts created to be best in remote administration. 
Parallax RAT will provide you all you need.\r\nSuitable for professionals and as well for beginners.\r\nFirst and most important we offer 99% reliability when it comes to stability.\r\nParallax was designed to give the user a real multithreaded performance, blazing fast speed and lightweight deployment to\r\nyour computers with very little resource consumption.\r\nWe are a group of developers and we are here to offer quality service.\r\n-Parallax Team, join now!\"\r\nAttackers can purchase a one month license to the RAT for as little as $65 or $175 for a three-month license, which provides\r\nthe following advertised features:\r\nLogin credential theft\r\nRemote Desktop capabilities\r\nUpload and download files\r\nExecute remote commands on the infected computer\r\nEncrypted connections\r\nSupports Windows XP through Windows 10.\r\nStandard support\r\nBelow you can see an image of the Parallax RAT and the commands that can be executed remotely on victims.\r\nParallax RAT\r\nThe developers also claim that their software can bypass Windows Defender, Avast, AVG, Avira, Eset, and BitDefender,\r\nwhich is not true based on these detections.\r\nSpread via malicious email attachments \r\nWhile each buyer of the Parallax RAT determines how they will distribute the malware, researchers are commonly seeing it\r\nbeing distributed through spam with malicious attachments.\r\nSecurity researcher James has told BleepingComputer that it has become very common to find new spam campaigns with\r\nmalicious attachments that install Parallax.\r\nFor example, the below email pretends to be a company looking to purchase products listed on an attached 'Quote List'. 
\r\nParallax Spam Campaign\r\nWhen the attachment is opened, an attempt to exploit the Microsoft Office Equation Editor vulnerability (CVE-2017-11882)\r\nwill be launched and if the content is enabled, malicious macros will execute to install the RAT.\r\nMalicious Parallax attachment\r\nWhen installing the RAT, attackers are utilizing a variety of methods ranging from intermediary loaders to directly\r\ninstalling the RAT onto the computer.\r\nFor example, both James and Head of SentinelLabs Vitali Kremez have seen a loader downloading an image from the\r\nImgur image sharing site that contains an embedded Parallax executable. This executable is then extracted from the image\r\nand launched on the computer.\r\nWhen executed, the RAT will either be copied to another location and executed or injected into another process.\r\nIn a sample analyzed by BleepingComputer, Parallax was injected into the svchost.exe process and in another sample,\r\nKremez saw it injected into cmd.exe.\r\nInjected into svchost.exe\r\nOnce Parallax is installed, a shortcut to the launcher will be added to the Windows Startup folder so that it is launched\r\nautomatically when a user logs into the system. 
In some cases, scheduled tasks will also be created to launch the malware at\r\nvarious intervals.\r\nStartup Folder\r\nThis allows the attackers to gain persistence on the infected computer and access it whenever they wish.\r\nNow that the attackers have installed the RAT software on the computer, they can use their command and control host to\r\nsteal the victim's saved passwords, steal files, execute commands, and have full control over the computer.\r\nFor many of the Parallax samples, the command \u0026 control servers are being hosted on the free dynamic DNS server\r\nduckdns.org.\r\nAs always, the best defense against this malware is to be wary of any unsolicited emails that you receive that contain\r\nattachments. Before opening them, it is best to call the sender to confirm that they sent you the email.\r\nSource: https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/"
	],
	"report_names": [
		"parallax-rat-common-malware-payload-after-hacker-forums-promotion"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775791369,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf8391bfd7e1b9fc308b757b01658afbea4daea2.pdf",
		"text": "https://archive.orkl.eu/bf8391bfd7e1b9fc308b757b01658afbea4daea2.txt",
		"img": "https://archive.orkl.eu/bf8391bfd7e1b9fc308b757b01658afbea4daea2.jpg"
	}
}