{
	"id": "2a69e072-bf23-4b02-a051-3ddefa0160f7",
	"created_at": "2026-04-06T03:35:36.193583Z",
	"updated_at": "2026-04-10T03:35:20.33442Z",
	"deleted_at": null,
	"sha1_hash": "d60acf19e38329cf37d2be49e4e9f65fc0ab6cc4",
	"title": "LimeRAT (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32938,
	"plain_text": "LimeRAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 02:51:56 UTC\r\nLimeRAT\r\nActor(s): APT-C-36\r\nURLhaus\r\n## Description\r\nSimple yet powerful RAT for Windows machines. This project is simple and easy to understand. It should give\r\nyou a general knowledge about dotNET malware and how it behaves.\r\n---\r\n## Main Features\r\n- **.NET**\r\n- Coded in Visual Basic .NET, client requires framework 2.0 or 4.0 dependency, and server is 4.0\r\n- **Connection**\r\n- Using pastebin.com as ip:port, instead of noip.com DNS. Also using multi-ports\r\n- **Plugin**\r\n- Using plugin system to decrease stub's size and lower the AV detection\r\n- **Encryption**\r\n- The communication between server \u0026 client is encrypted with AES\r\n- **Spreading**\r\n- Infecting all files and folders on USB drives\r\n- **Bypass**\r\n- Low AV detection and undetected startup method\r\n- **Lightweight**\r\n- Payload size is about 25 KB\r\n- **Anti Virtual Machines**\r\n- Uninstall itself if the machine is virtual to avoid scanning or analyzing\r\n- **Ransomware**\r\n- Encrypting files on all HDD and USB with .Lime extension\r\n- **XMR Miner**\r\n- High performance Monero CPU miner with user idle\\active optimizations\r\n- **DDoS**\r\n- Creating a powerful DDoS attack to make an online service unavailable\r\n- **Crypto Stealer**\r\n- Stealing Cryptocurrency sensitive data\r\n- **Screen-Locker**\r\n- Prevents user from accessing their Windows GUI\r\n- **And more**\r\n- On Connect Auto Task\r\n- Force enable Windows RDP\r\n- Persistence\r\n- File manager\r\n- Passwords stealer\r\n- Remote desktop\r\n- Bitcoin grabber\r\n- Downloader\r\n- Keylogger\r\nReferences\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat"
	],
	"report_names": [
		"win.limerat"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446536,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d60acf19e38329cf37d2be49e4e9f65fc0ab6cc4.pdf",
		"text": "https://archive.orkl.eu/d60acf19e38329cf37d2be49e4e9f65fc0ab6cc4.txt",
		"img": "https://archive.orkl.eu/d60acf19e38329cf37d2be49e4e9f65fc0ab6cc4.jpg"
	}
}