{
	"id": "76a7be1e-e590-44f8-b994-4dd450f6f315",
	"created_at": "2026-04-06T00:09:41.319475Z",
	"updated_at": "2026-04-10T03:21:19.322939Z",
	"deleted_at": null,
	"sha1_hash": "e60d730398db61bdb801de01ab0d7c57594ee666",
	"title": "Parallax RAT: Cryptocurrency Entities Affected by Threat Actor Exploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2806422,
	"plain_text": "Parallax RAT: Cryptocurrency Entities Affected by Threat Actor Exploit\r\nBy Uptycs Threat Research\r\nPublished: 2023-02-28 · Archived: 2026-04-05 21:16:36 UTC\r\nParallax RAT (aka ParallaxRAT) has been distributed through spam campaigns or phishing emails (with attachments) since December 2019. The malware performs malicious activities such as reading login credentials, accessing files, keylogging, remote desktop control, and remote control of compromised machines.\r\nThe Uptycs Threat Research team has recently detected active samples of the Parallax remote access Trojan (RAT) targeting cryptocurrency organizations. It uses injection techniques to hide within legitimate processes, making it difficult to detect. Once it has been successfully injected, attackers can interact with their victim via Windows Notepad, which likely serves as a communication channel.\r\nMalware Operation\r\nFigure 1 shows the ParallaxRAT workflow.\r\nFigure 1 - ParallaxRAT workflow\r\nhttps://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration\r\nPage 1 of 9\r\nPayload1\r\nCompiled using Visual C++, payload1 is a 32-bit executable. It appears to have been intentionally obfuscated by the threat actor (TA). Its fifth section (figure 2, highlighted) appears to have been altered and is unusually large compared to the remainder.\r\nMoreover, this section is marked with the \"Code and Executable\" flag, indicating that it contains executable code. The TA decrypts its content and uses it to create a new binary, which we refer to as payload2 (i.e., Parallax RAT). Payload1 uses a technique known as process hollowing to inject payload2 into a legitimate Microsoft pipanel.exe process, which is then launched by the attacker.\r\nTo maintain persistence, payload1 creates a copy of itself in the Windows Startup folder.\r\nFigure 2 - Payload1 binary\r\nPayload2\r\nParallaxRAT is a 32-bit executable that gathers sensitive information from victim machines (e.g., system information and keystrokes) and provides remote control functionality.\r\nIts import directory is empty, and encrypted data is stored in the .data section. This data is decrypted with the RC4 algorithm, revealing the DLLs required for further action.\r\nFigure 3 - RC4 decryption algorithm\r\nSystem Information\r\nAn attacker can extract sensitive information from a victim's machine, including the computer name and operating system (OS) version, and can also read data stored in the clipboard.\r\nFigure 4 - Read victim machine\r\nUptycs detected and recorded the same event.\r\nFigure 5 - Uptycs event detection\r\nKeystrokes\r\nThe attacker is able to read and record the victim's keystrokes, which are then encrypted and stored in the %appdata%\\Roaming\\Data\\Keylog_\u003cData\u003e directory.\r\nFigure 6 - Keylogger data\r\nCommand \u0026 Control\r\nAfter successfully infecting a victim's machine, the malware sends a notification to the attacker. The attacker then interacts with the victim by posing questions via Notepad and instructing them to connect to a Telegram channel.\r\nFigure 7 - Attacker shared Telegram ID via Notepad\r\nShutdown\r\nThe attacker is able to remotely shut down or restart the victim's machine. Here, they remotely restarted our test machine (figure 8).\r\nFigure 8 - Attacker restarted victim machine\r\nScript File\r\nWhen the ParallaxRAT binary was extracted from memory and executed independently, it dropped a UN.vbs file and ran it using wscript.exe. The script deletes the payload and erases any traces of its existence.\r\nFigure 9 - Visual Basic script\r\nThreat Actor Objective\r\nThe threat actor uses a commercially available remote access Trojan (RAT) tool and grabs private email addresses of cryptocurrency companies from the website dnsdumpster.com. Malicious files were subsequently disseminated via phishing emails, and sensitive data was obtained.\r\nTo better understand the operations and goals of the actor, the Uptycs Threat Intel research team conducted a thorough analysis and engaged with the threat actor. The following figure illustrates how the actor is utilizing Parallax RAT in his campaign targeting crypto companies.\r\nFigure 10 - Telegram chat and attacker’s mindmap\r\nFigure 11 - ParallaxRAT grabs target company info from public source\r\nUptycs EDR Detects \u0026 Blocks ParallaxRAT Attacks\r\nIt’s important for organizations to be aware of this malware’s existence and take the necessary precautions to protect systems and data. With built-in YARA and other advanced detection capabilities, Uptycs endpoint detection and response customers can easily scan for ParallaxRAT. EDR contextual detection provides important details about identified malware. Users can navigate to the toolkit data section in a detection alert, then click the name of a detected item to reveal its profile (figure 12).\r\nFigure 12 - Uptycs EDR detection showing ParallaxRAT—YARA rule match\r\nIOCs\r\nFile name | MD5 hash\r\nPayload1 | 40256ea622aa1d0678f5bde48b9aa0fb\r\nPayload2 | 698463fffdf10c619ce6aebcb790e46a\r\npipanel.exe (legitimate) | 3c98cee428375b531a5c98f101b1e063\r\nmilk.exe | 40256ea622aa1d0678f5bde48b9aa0fb\r\nPersistence\r\nC:\\users\\\u003cusername\u003e\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\milk.exe\r\nDomain/URL\r\nBy analyzing the VirusTotal graph, we identified a higher number of Parallax RAT samples spreading in recent days. According to the VirusTotal report, all the files communicate with a US-based address (144.202.9.245:80).\r\nFigure 13 - VirusTotal graph for ParallaxRAT\r\nSource: https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration"
	],
	"report_names": [
		"cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration"
	],
	"threat_actors": [],
	"ts_created_at": 1775434181,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e60d730398db61bdb801de01ab0d7c57594ee666.pdf",
		"text": "https://archive.orkl.eu/e60d730398db61bdb801de01ab0d7c57594ee666.txt",
		"img": "https://archive.orkl.eu/e60d730398db61bdb801de01ab0d7c57594ee666.jpg"
	}
}