{
	"id": "e0937dae-7c66-49bd-99c0-4fbb98b5e1df",
	"created_at": "2026-04-06T00:17:35.648507Z",
	"updated_at": "2026-04-10T03:20:18.087634Z",
	"deleted_at": null,
	"sha1_hash": "ef74b9df42f926b8af7f7fcdfc2ba0e01e56f418",
	"title": "Who’s Behind the RevCode WebMonitor RAT?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 243856,
	"plain_text": "Who’s Behind the RevCode WebMonitor RAT?\r\nPublished: 2019-04-22 · Archived: 2026-04-05 20:06:41 UTC\r\nThe owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of\r\nmalware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating\r\nthe Blackshades RAT, a similar product that was used to infect more than half a million computers with malware,\r\nKrebsOnSecurity has learned.\r\nAn advertisement for RevCode WebMonitor.\r\nAt issue is a program called “WebMonitor,” which was designed to allow users to remotely control a computer\r\n(or multiple machines) via a Web browser. The makers of WebMonitor, a company in Sweden called “RevCode,”\r\nsay their product is legal and legitimate software “that helps firms and personal users handle the security of owned\r\ndevices.”\r\nBut critics say WebMonitor is far more likely to be deployed on “pwned” devices, or those that are surreptitiously\r\nhacked. The software is broadly classified as malware by most antivirus companies, likely thanks to an advertised\r\nfeature list that includes dumping the remote computer’s temporary memory; retrieving passwords from dozens of\r\nemail programs; snarfing the target’s Wi-Fi credentials; and viewing the target’s Webcam.\r\nhttps://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/\r\nPage 1 of 3\n\nIn a writeup on WebMonitor published in April 2018, researchers from security firm Palo Alto Networks noted\r\nthat the product has been primarily advertised on underground hacking forums, and that its developers promoted\r\nseveral qualities of the software likely to appeal to cybercriminals looking to secretly compromise PCs.\r\nFor example, RevCode’s website touted the software’s compatibility with all “crypters,” software that can encrypt,\r\nobfuscate and manipulate malware to make it harder to detect by antivirus programs. Palo Alto also noted\r\nWebMonitor includes the option to suppress any notification boxes that may pop up when the RAT is being\r\ninstalled on a computer.\r\nA screenshot of the WebMonitor builder panel.\r\nRevCode maintains it is a legitimate company officially registered in Sweden that obeys all applicable Swedish\r\nlaws. A few hours of searching online turned up an interesting record at Ratsit AB, a credit information service\r\nbased in Sweden. That record indicates RevCode is owned by 28-year-old Swedish resident Alex Yücel.\r\nIn February 2015, a then 24-year-old Alex Yücel pleaded guilty in a U.S. court to computer hacking and to\r\ncreating, marketing and selling Blackshades, a RAT that was used to compromise and spy on hundreds of\r\nthousands of computers. Arrested in Moldova in 2013 as part of a large-scale, international takedown against\r\nBlackshades and hundreds of customers, Yücel became the first person ever to be extradited from Moldova to the\r\nUnited States.\r\nYücel was sentenced to 57 months in prison, but according to a record for Yücel at the U.S. Federal Bureau of\r\nPrisons, he was released on Nov. 1, 2016. The first advertisements in hacker forums for the sale of WebMonitor\r\nbegan in mid-2017. RevCode was registered as an official Swedish company in 2018, according to Ratsit.\r\nUntil recently, RevCode published on its Web site a value added tax (VAT) number, an identifier used in many\r\nEuropean countries for value added tax purposes. That VAT number — first noted by the blog\r\nKrabsonsecurity.com (which borrows heavily from this site’s design and banner but otherwise bears no relation to\r\nKrebsOnSecurity.com) — has since been removed from the RevCode Web site and from historic records at The\r\nInternet Archive. The VAT number cited in that report is registered to Alex Yücel, and matches the number listed\r\nfor RevCode by Ratsit AB.\r\nhttps://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/\r\nPage 2 of 3\n\nYücel could not be immediately reached for comment. But an unnamed person responded to an email sent to the\r\ncustomer support address listed at RevCode’s site. Presented with the information and links referenced above, the\r\nperson responding wrote, “nobody working for/with RevCode is in any way related to BlackShades. Anything else\r\nsuggesting otherwise is nothing but rumors and attempts to degrade our company by means of defamation.”\r\nThe person responding from the RevCode support email address contended that the Alex Yücel listed as owner of\r\nthe company was not the same Alex Yücel convicted of co-authoring Blackshades. However, unless the Ratsit\r\nrecord is completely wrong, this seems unlikely to be true.\r\nAccording to the Ratsit listing, the Alex Yücel who heads RevCode currently lives in a suburb of Stockholm,\r\nSweden with his parents Can and Rita Yücel. Both Can and Rita Yücel co-signed a letter (PDF) in June 2015\r\ntestifying to a New York federal court regarding their son’s upstanding moral character prior to Yücel the\r\nyounger’s sentencing for the Blackshades conviction, according to court records.\r\nA letter from Alex Yücel’s parents to the court in June 2016.\r\nSource: https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/\r\nhttps://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/"
	],
	"report_names": [
		"whos-behind-the-revcode-webmonitor-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434655,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef74b9df42f926b8af7f7fcdfc2ba0e01e56f418.pdf",
		"text": "https://archive.orkl.eu/ef74b9df42f926b8af7f7fcdfc2ba0e01e56f418.txt",
		"img": "https://archive.orkl.eu/ef74b9df42f926b8af7f7fcdfc2ba0e01e56f418.jpg"
	}
}