{
	"id": "8967292b-8a3e-4175-971d-d5cba8741442",
	"created_at": "2026-04-06T00:16:36.761049Z",
	"updated_at": "2026-04-10T03:30:57.142377Z",
	"deleted_at": null,
	"sha1_hash": "eeed032dbdd98727b304a9f1b3f3ae5b4f70198b",
	"title": "NonEuclid RAT - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3421035,
	"plain_text": "NonEuclid RAT - CYFIRMA\r\nArchived: 2026-04-05 21:21:46 UTC\r\nPublished On : 2025-01-02\r\nEXECUTIVE SUMMARY\r\nAt CYFIRMA, we provide cutting-edge intelligence on emerging cyber threats targeting organisations and\r\nindividuals. The NonEuclid Remote Access Trojan (RAT) is a type of malicious software that enables\r\nunauthorised remote access and control of a victim’s computer, often without their awareness. This RAT,\r\ndeveloped using C# and built for the .NET Framework 4.8, is designed to operate with minimal security checks,\r\nmaking it more difficult for security systems to detect and block its activities.\r\nINTRODUCTION\r\nThe NonEuclid Remote Access Trojan (RAT), developed in C#, is a highly sophisticated malware offering\r\nunauthorised remote access with advanced evasion techniques. It employs various mechanisms, including\r\nantivirus bypass, privilege escalation, anti-detection, and ransomware encryption targeting critical files. Promoted\r\nin underground forums and social media platforms, it has gained traction due to features like stealth, dynamic\r\nhttps://www.cyfirma.com/research/noneuclid-rat/\r\nPage 1 of 16\n\nDLL loading, anti-VM checks, and AES encryption capabilities. Observations highlight its growing popularity\r\nwithin cybercriminal communities, with tutorials and discussions on platforms like Discord and YouTube,\r\nindicating a coordinated effort to distribute and enhance its use in malicious operations.\r\nANALYSIS\r\nMain Function:\r\nThe below code initializes a client application with various security, anti-detection, and installation mechanisms. It\r\nfirst configures settings, delays startup, and ensures administrative privileges for certain features. If the application\r\npasses mutex and anti-detection checks, it sets up a client socket for communication and continuously reconnects\r\nif the connection is lost. 
Logging and anti-process blocking are also implemented based on configuration settings.\r\nInitialization and Delay: The program starts by introducing a delay based on a configured value\r\n(Settings.Delay) and initializes application settings. If settings fail to load, the application exits.\r\nPrivilege and Security Checks: It marks the process as critical (so that terminating it triggers a BSOD), performs anti-Defender\r\nscans, and validates administrative privileges for advanced features.\r\nInstallation and Mutex Handling: If enabled, the application installs itself and ensures no duplicate\r\ninstances are running using mutex control.\r\nAnti-Detection and Logging: Anti-process blocking and sleep prevention mechanisms are activated, and a\r\nlogger starts asynchronously for monitoring.\r\nSocket Communication: A client socket is initialized for server communication, with reconnection logic\r\nin place to maintain connectivity continuously.\r\nInitial Connection:\r\nThis method initializes a TCP socket, sets buffer sizes, and attempts to connect to a specified IP and port. If\r\nsuccessful, it wraps the socket in a NetworkStream, configures timers for keep-alive and pong packets, and starts\r\nasynchronous reading for server data. Connection-related properties like headers, offsets, and intervals are\r\ninitialized. If the connection fails, it sets the connection status to false.\r\nAntiScan:\r\nThe below AntiScan method attempts to bypass Windows Defender’s scans by adding exclusions to the Defender\r\nregistry settings. It builds the registry paths dynamically (by removing obfuscation placeholders like\r\n“button” and “UIUSS”). It adds paths such as the malware’s server file location, a watchdog folder, and the\r\ncurrent process’s executable file. This is done to prevent these files or folders from being scanned or flagged by\r\nWindows Defender.\r\n
Anti Process:\r\nThe below Block method continuously monitors running processes to detect and terminate specific target\r\nprocesses like “Taskmgr.exe”, “ProcessHacker.exe”, and “procexp.exe”, which are commonly used for analyzing\r\nor managing processes. It uses Windows API calls (CreateToolhelp32Snapshot, Process32First, Process32Next) to\r\nenumerate processes and check if their executable names match the specified targets. If a match is found,\r\ndepending on the AntiProcessMode setting, it either kills the process or triggers an exit for the client application.\r\nCritical Process (BSOD):\r\nThis code defines a method Set that registers an event handler for session ending and marks the current process as\r\ncritical using the RtlSetProcessIsCritical function, preventing the process from being terminated under certain\r\nconditions. The Exit method resets this critical state, allowing normal termination of the process. If an exception\r\noccurs during this operation, it enters an infinite loop, effectively stalling the program.\r\n
Anti VM:\r\nThe RunAntiAnalysis method checks if the program is running in a virtual machine (VM) using the\r\nisVM_by_wim_temper method. This method queries WMI (the Win32_CacheMemory class) to detect the\r\npresence of cache-memory objects, which are typically reported on a physical machine. If no objects are found (indicating a VM or sandbox\r\nenvironment), the program terminates with exit code 240, acting as an anti-analysis mechanism.\r\nAMSI (Antimalware Scan Interface) Bypass:\r\nThe code below searches for the “amsi.dll” module within the current process’s loaded modules. If found, it\r\ntriggers the PatchMem function to modify specific memory regions related to “AmsiScanBuffer” in order to bypass\r\nWindows Defender’s AMSI (Antimalware Scan Interface) scanning. This would allow the execution of\r\npotentially malicious code without being flagged by AMSI, a security feature designed to detect and block\r\nharmful scripts.\r\n
Camera Access:\r\nThe following code enumerates multimedia devices (e.g., cameras) using DirectShow. It initializes a device\r\nenumerator and retrieves devices in the specified category using IEnumMoniker. Each device is queried for its\r\nproperties via IPropertyBag, and a custom function is executed for each device. Finally, all resources are properly\r\nreleased to ensure no memory leaks occur.\r\nDynamically Loading DLLs:\r\nThis code defines a method to dynamically invoke Windows API functions using their DLL names and function\r\nnames. The DynamicAPIInvoke method retrieves the function’s address and calls it with specified parameters\r\nusing DynamicFunctionInvoke, which converts the address into a delegate for invocation.\r\nNtProtectVirtualMemory, which changes the memory protection of a specified region in a process, is called through this\r\ndynamic invocation path rather than a static import; this keeps the API out of the binary’s import table, which is\r\nwhy the approach is commonly employed for stealth in low-level system manipulation.\r\n
Persistence – Scheduled Task:\r\nThe Schtasks method creates a scheduled task using the Windows command line. It constructs a command to\r\nschedule a task that runs at specified minute intervals, hiding the command window and suppressing output. The\r\nmethod checks if the application has administrative privileges and sets the appropriate verb for executing the\r\ncommand. The task’s name and execution path are passed as arguments to the schtasks command.\r\nPrivilege Escalation – UAC Bypass:\r\nThe Bypass method attempts to manipulate the Windows registry and execute a command to bypass certain\r\nrestrictions. It first checks if the application is running with administrative privileges. If not, it creates a registry\r\nkey under CurrentUser to potentially modify system settings related to execution paths. It then sets the current\r\nprocess’s executable path in the registry and attempts to execute a secondary executable related to the “start”\r\ncommand. After a brief wait, it cleans up by deleting the previously created registry keys and exits the application.\r\n
Persistence – Registry Value Changes:\r\nThe HKCU method updates a specific registry key under HKEY_CURRENT_USER to store a given Name. It\r\nchecks if the existing value is null or different from the provided Name, and if so, it sets the value accordingly,\r\nhandling exceptions by returning false in case of any errors during the process.\r\nRansomware:\r\nThe ransomware component uses AES encryption to lock various file types, including those with\r\nextensions such as “.csv”, “.txt”, and “.php”. After encryption, each affected file is renamed with the extension\r\n“.NonEuclid”.\r\nDynamic Analysis\r\nDropped Files:\r\nWhen executed, the malware drops two executable files in different folders. These files are configured to run\r\nautomatically via the Task Scheduler, so they execute without manual intervention. This technique is used to\r\nmaintain persistence, allowing the malware to continue running even if the system is rebooted or attempts are\r\nmade to stop it.\r\n1. File name \u0026 path – Discord Update – C\\Users\\\u003cusername\u003e\\AppData\\Roaming\\obs-studio\\updates.exe\r\n2. File name \u0026 path – update-5-2-12-24-16662380877-282556156-167069681-1011 – C\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Templates Intel\\Games\\Common\\Commonuadate.exe\r\n
Capabilities outlined in the following mind map (figure not reproduced in the text):\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT\r\nWe discovered a NONEUCLID RAT being advertised on an underground forum by a user who joined the forum\r\non October 14th.\r\nOn November 30th, the same user published details about the RAT they had developed, promoting its advanced\r\ncapabilities. The advertisement emphasizes features such as antivirus bypass, compatibility with cryptors for\r\nobfuscation, and other sophisticated functionalities.\r\nWe observed a user “NAZZED” who created a YouTube account on Oct 15th and has 110 subscribers. He has also\r\nuploaded multiple videos on how to build a RAT like Xworm, Silver RAT, Sheerat, Wiz worm RAT, and DC RAT,\r\nincluding how to set up a new Ratnik NONEUCLID RAT.\r\n“Ratnik” means “warrior” in Slavic languages, but in hacking, it’s used as a term for a RAT.\r\nWe have observed a Discord account of the RAT developer who joined Discord on June 21, 2021, and\r\nsubsequently created a server on October 15th. Within this server, discussions have been taking place regarding\r\nvarious RATs, including the NONEUCLID RAT.\r\nIn 2021, numerous users across various Russian forums and Discord channels were actively advertising, selling,\r\nand discussing the NonEuclid RAT.\r\nCONCLUSION\r\n
The NonEuclid RAT exemplifies the increasing sophistication of modern malware, combining advanced stealth\r\nmechanisms, anti-detection features, and ransomware capabilities. Its widespread promotion across underground\r\nforums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the\r\nchallenges in combating such threats. The integration of features like privilege escalation, AMSI bypass, and\r\nprocess blocking showcases the malware’s adaptability in evading security measures. Addressing threats like\r\nNonEuclid requires proactive defense strategies, continuous monitoring, and awareness of evolving cybercriminal\r\ntactics to mitigate their impact effectively.\r\nMITRE ATT\u0026CK FRAMEWORK\r\nSr. No. Tactic Technique ID Technique\r\n1 Execution\r\nT1059 Command and Scripting Interpreter\r\nT1106 Native API\r\n2 Persistence\r\nT1547 Boot or Logon Autostart Execution\r\nT1547.001 Registry Run Keys / Startup Folder\r\nT1505 Server Software Component\r\n3 Privilege Escalation\r\nT1548.002 Bypass UAC\r\nT1548.001 Bypass Elevation Control\r\n4 Defense Evasion\r\nT1027 Obfuscated Files or Information\r\nT1027.004 Compile After Delivery\r\nT1070 Indicator Removal\r\nT1070.006 Timestomp\r\nT1112 Modify Registry\r\nT1140 Deobfuscate/Decode Files\r\nT1222 File and Directory Permissions\r\nT1497 Virtualization/Sandbox Evasion\r\nT1497.001 System Checks\r\nT1562 Impair Defenses\r\nT1562.001 Disable or Modify Tools\r\nT1620 Reflective Code Loading\r\n5 Discovery\r\nT1012 Query Registry\r\nT1033 System Owner/User Discovery\r\nT1057 Process Discovery\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1087 Account Discovery\r\nT1497 Virtualization/Sandbox Evasion\r\nT1497.001 System Checks (Anti-VM)\r\nT1518 Software Discovery\r\nT1518.001 Security Software Discovery\r\nT1614 System Location Discovery\r\n6 Command and Control\r\nT1071 Application Layer Protocol\r\nT1071.001 Web Protocols\r\n7 Exfiltration\r\nT1041 Exfiltration Over Command-and-Control Channel\r\n8 Impact\r\nT1486 Data Encrypted for Impact (Ransomware)\r\n
RECOMMENDATIONS\r\nStrategic Recommendations:\r\nEnhance Threat Intelligence Sharing:\r\nEstablish partnerships with external threat intelligence platforms and agencies to stay informed about emerging\r\nthreats like the NonEuclid RAT. Sharing intelligence within the cybersecurity community helps in early detection\r\nand mitigation.\r\nInvest in Advanced Security Technologies:\r\nAllocate resources to integrate AI-driven security tools capable of detecting sophisticated evasion techniques,\r\nincluding behavioral analysis, anomaly detection, and memory-based scanning.\r\nTactical Recommendations:\r\nDeploy Endpoint Detection and Response (EDR) Solutions:\r\nImplement EDR solutions to monitor endpoints for suspicious activities like unauthorized registry changes,\r\nprocess injections, and dynamic DLL loading, ensuring rapid containment.\r\nStrengthen User Awareness Training:\r\nConduct regular training programs to educate users about phishing attempts, RAT deployment tactics, and the\r\nimportance of secure practices, such as not running suspicious executables or sharing credentials.\r\nOperational Recommendations:\r\nImplement Strict Privilege Management:\r\nEnforce least-privilege access policies and ensure administrative actions are logged and monitored to prevent\r\nprivilege escalation attempts by malware.\r\nPerform Regular Patch Management and Audits:\r\nEnsure all systems, software, and frameworks are up to date with the latest security patches. Conduct periodic\r\naudits to identify and mitigate vulnerabilities that malware could exploit.\r\nINDICATORS OF COMPROMISE\r\nSr. No. Indicator Type Remarks\r\n1 d32585b207fd3e2ce87dc2ea33890a445d68a4001ea923daa750d32b5de52bf0 SHA256 NonEuclid.exe\r\n2 e1f19a2bc3ce5153e8dfe2f630cc43d6695fac73f5aaa59cd96dc214ca81c2b0 SHA256 Client.exe\r\nSource: https://www.cyfirma.com/research/noneuclid-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/research/noneuclid-rat/"
	],
	"report_names": [
		"noneuclid-rat"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434596,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eeed032dbdd98727b304a9f1b3f3ae5b4f70198b.pdf",
		"text": "https://archive.orkl.eu/eeed032dbdd98727b304a9f1b3f3ae5b4f70198b.txt",
		"img": "https://archive.orkl.eu/eeed032dbdd98727b304a9f1b3f3ae5b4f70198b.jpg"
	}
}