{
	"id": "801c7813-92d4-403f-955d-0197d592fc48",
	"created_at": "2026-04-06T00:16:45.614292Z",
	"updated_at": "2026-04-10T13:12:06.930919Z",
	"deleted_at": null,
	"sha1_hash": "c059c983e83db20b6a344a47c874331f564e2aa9",
	"title": "JhoneRAT: Cloud based python RAT targeting Middle Eastern countries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2683149,
	"plain_text": "JhoneRAT: Cloud based python RAT targeting Middle Eastern countries\r\nBy Warren Mercer\r\nPublished: 2020-01-16 · Archived: 2026-04-05 16:01:03 UTC\r\nThursday, January 16, 2020 14:18\r\nBy Warren Mercer, Paul Rascagneres and Vitor Ventura with contributions from Eric Kuhla.\r\nUpdated Jan. 17, 2020: the documents do not exploit the CVE-2017-0199 vulnerability.\r\nExecutive Summary\r\nToday, Cisco Talos is unveiling the details of a new RAT we have identified that we're calling \"JhoneRAT.\" This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim's machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase. This particular RAT attempts to target a very specific set of Arabic-speaking countries. The filtering is performed by checking the keyboard layout of the infected systems. Based on the analysed sample, JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.\r\nWhat's new?\r\nThe campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers. JhoneRAT is developed in Python but is not based on public source code, as is often the case for this type of malware. The attackers put great effort into carefully selecting targets located in specific countries based on the victim's keyboard layout.\r\nHow did it work?\r\nEverything starts with a malicious document using a well-known vulnerability to download a malicious document hosted on the internet. For this campaign, the attacker chose to use a cloud provider (Google) with a good reputation to avoid URL blocklisting. The malware is divided into a couple of layers — each layer downloads a new payload from a cloud provider to get the final RAT, which is developed in Python and uses additional providers such as Twitter and ImgBB.\r\nhttps://blog.talosintelligence.com/2020/01/jhonerat.html\r\nPage 1 of 14\r\nSo what?\r\nThis RAT is a good example of how a highly focused attack that tries to blend its network traffic into the crowd can be highly effective. In this campaign, focusing detection on the network is not the best approach. Instead, the detection must be based on the behaviour on the operating system. Attackers can abuse well-known cloud providers and their reputations in order to avoid detection.\r\nOpsec and targeted countries\r\nThe fact that this attacker decided to leverage cloud services and four different services — and not their own infrastructure — is smart from an opsec point of view. It is hard for the targets to distinguish legitimate from malicious traffic to cloud provider infrastructure. Moreover, this kind of infrastructure uses HTTPS and the flow is encrypted, which makes man-in-the-middle interception more complicated for the defender. This is not the first time an attacker has used only cloud providers.\r\nUser-agent #1\r\nUser-agent #2\r\nUser-agent #3\r\nEven while using these services, the authors of JhoneRAT went further and used different user-agent strings depending on the request; the downloaders also use yet other user-agent strings.\r\nWe have already published a couple of articles about ROKRAT (here, here, here and here) where another, unrelated actor, Group123, made the same choice but with different providers.\r\nThe attacker implemented filtering based on the keyboard layout.\r\nKeyboard layout check\r\nThe malware is executed only for the following layouts; the country mapping is based on the Microsoft website:\r\n'0401' -\u003e Saudi Arabia\r\n'0801' -\u003e Iraq\r\n'0c01' -\u003e Egypt\r\n'1001' -\u003e Libya\r\n'1401' -\u003e Algeria\r\n'1801' -\u003e Morocco\r\n'1c01' -\u003e Tunisia\r\n'2001' -\u003e Oman\r\n'2401' -\u003e Yemen\r\n'2801' -\u003e Syria\r\n'3801' -\u003e UAE\r\n'3401' -\u003e Kuwait\r\n'3c01' -\u003e Bahrain\r\n'3001' -\u003e Lebanon\r\nMalicious documents\r\nDecoy document\r\nWe identified three malicious Microsoft Office documents that download and load an additional Office document with a macro. The oldest one, from November 2019, named \"Urgent.docx,\" is shown below:\r\nInitial decoy document\r\nThe author of the document asks the user to enable editing, in English and in Arabic.\r\nThe second document, from the beginning of January, is named \"fb.docx\" and contains usernames and passwords from an alleged \"Facebook\" leak:\r\nSecond decoy document\r\nThe more recent document is from mid-January and is alleged to be from a United Arab Emirates organization. The author blurred the content and asks the user to enable editing to see the content:\r\nThird decoy document\r\nMacro loading\r\nIn the three documents, an additional Office document containing a macro is downloaded and executed. The documents are located on Google Drive.\r\nMalicious documents on Google Drive\r\nInfection workflow\r\nStage No. 1: Malicious template on Google Drive\r\nThe template located on Google Drive contains a macro. The macro contains a virtual machine detection technique based on the serial number of the disks available in the victim environment. Indeed, some VMs do not have serial numbers, and the macro is executed only if a serial number exists. A WMIC command is executed to get this information on the targeted system.\r\nMacro WMI check\r\nIf a serial number exists, the rest of the code is executed. Its purpose is to download an image from a new Google Drive link:\r\nImage download\r\nIt is interesting to note that the filename of the downloaded image is randomly generated based on a dictionary: Array (\"cartoon,\" \"img,\" \"photo\"). The filename will be cartoon.jpg, img.jpg or photo.jpg, and the image usually depicts a cartoon.\r\nStage No. 2: Image file on Google Drive\r\nThe image file is a real image with a base64-encoded binary appended at the end.\r\nImage No. 1\r\nThe malware author has a curious sense of humor.\r\nImage No. 2\r\nThe base64 data and image are separated by the \"****\" string:\r\nImage and payload separation\r\nThe decoded binary filename is also randomly generated based on a dictionary: Array (\"proc\", \"chrome\", \"winrar\"). It can be proc.exe, chrome.exe or winrar.exe.\r\nStage No. 3: AutoIT file\r\nThe decoded base64 data is an AutoIT binary. This binary downloads a new file from Google Drive.\r\nAutoIT downloader\r\nThe filename is also randomly generated based on a dictionary $ARRAY[5]=[\"prc\",\"winrar\",\"chrome\",\"sync\",\"COM surr\"].\r\nStage No. 4: Python RAT using cloud providers\r\nThe final payload is a remote access tool (RAT) written in Python. We named this RAT \"JhoneRAT.\" The Python code is wrapped into an executable using pyinstaller. It uses minimal obfuscation, applied only to variable and function names.\r\nRAT startup\r\nThe RAT starts by launching three threads. The first is responsible for checking if the system has the targeted keyboard layout — this is exclusively in Arabic-speaking countries. The second creates the persistence and, finally, the last one to be started is the main loop of the RAT. As we explained before, the RAT targets specific countries by checking the keyboard layout. In fact, this is one of the first checks it performs when it is executed.\r\nThe persistence is achieved by adding an entry with the name \"ChromeUpdater\" to 'Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run'.\r\nCommand and control communications\r\nThis RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds, using the BeautifulSoup HTML parser to identify new tweets. These commands can be issued to a specific victim based on the UID generated on each target (by using the disk serial and contextual information such as the hostname, the antivirus and the OS) or to all of them:\r\nCommand fetching\r\nCommand parsing\r\nThe exfiltration, however, is done via other cloud providers. The screenshots are exfiltrated via the ImgBB website:\r\nThe remaining commands send feedback by posting data into Google Forms:\r\nFinally, the RAT is able to download files encoded in base64 from Google Drive:\r\nFeature-wise, the RAT has three commands:\r\nTake a screenshot and upload it to ImgBB.\r\nDownload a binary disguised as a picture from Google Drive and execute it.\r\nExecute a command and send the output to Google Forms.\r\nAnti-VM, anti-decompiler and no header\r\nThe attacker put a couple of tricks in place to avoid execution on virtual machines (sandboxes). The first trick is the check of the serial number of the disk. The actor used the same technique in the macro and in JhoneRAT. By default, most virtual machines do not have a serial number on the disk.\r\nThe attacker used a second trick to avoid analysis of the Python code. The actor used the same trick that FireEye used in Flare-On 6, Challenge 7: they removed the header of the Python bytecode. The bytecode can be executed perfectly well without the header, but tools such as uncompyle6 need it:\r\n$ uncompyle6 final2\r\nImportError: Unknown magic number 227 in final2\r\nAdditionally, the code generated by uncompyle6 varies depending on the version, and the impact is significant. Here is a condition generated with uncompyle6 version 3.3.5:\r\nThe same code generated with uncompyle6 version 3.6.2:\r\nBased on our analysis and the behaviour of the executed malware, the correct interpretation is the first one, produced by the older version of uncompyle6.\r\nThis specific condition matters because it filters on the keyboard layout to identify the targets.\r\nConclusion\r\nThis campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries. It also shows us an actor that puts effort into opsec by only using cloud providers. The malicious documents, the droppers and the RAT itself are developed around cloud providers. Additionally, the attackers implemented anti-VM (and anti-sandbox) and anti-analysis tricks to hide the malicious activities from the analyst. For example, the VM or the sandbox must have the keyboard layout of the targeted countries and a disk serial number. This campaign started in November 2019 and is still ongoing. At this time, the API key is revoked and the Twitter account is suspended. However, the attacker can easily create new accounts and update the malicious files in order to keep it working. This campaign shows us that network-based detection is important but must be complemented by system behaviour analysis.\r\nIOCs\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nSource: https://blog.talosintelligence.com/2020/01/jhonerat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/01/jhonerat.html"
	],
	"report_names": [
		"jhonerat.html"
	],
	"threat_actors": [
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434605,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c059c983e83db20b6a344a47c874331f564e2aa9.pdf",
		"text": "https://archive.orkl.eu/c059c983e83db20b6a344a47c874331f564e2aa9.txt",
		"img": "https://archive.orkl.eu/c059c983e83db20b6a344a47c874331f564e2aa9.jpg"
	}
}