{
	"id": "8442a6b4-bbf4-458c-910e-b9e73305dd52",
	"created_at": "2026-04-06T00:10:56.42457Z",
	"updated_at": "2026-04-10T13:11:56.959967Z",
	"deleted_at": null,
	"sha1_hash": "f3b49059769525a0d7cdd1b276981a1e4493d0c9",
	"title": "ObliqueRAT returns with new campaign using hijacked websites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1393592,
	"plain_text": "ObliqueRAT returns with new campaign using hijacked websites\r\nBy Asheer Malhotra\r\nPublished: 2021-03-02 · Archived: 2026-04-05 14:36:43 UTC\r\nCisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents\r\n(maldocs) to spread the remote access trojan (RAT) ObliqueRAT.\r\nThis campaign targets organizations in South Asia.\r\nObliqueRAT has been linked to the Transparent Tribe APT group in the past.\r\nThis campaign hides the ObliqueRAT payload in seemingly benign image files hosted on compromised\r\nwebsites.\r\nWhat’s new?\r\nCisco Talos recently discovered another new campaign distributing the malicious remote access trojan (RAT)\r\nObliqueRAT. In the past, Talos connected ObliqueRAT and another campaign from December 2019 distributing\r\nCrimsonRAT. These two malware families share similar maldocs and macros. This new campaign, however,\r\nutilizes completely different macro code to download and deploy the ObliqueRAT payload. The attackers have\r\nalso updated the infection chain to deliver ObliqueRAT via adversary-controlled websites.\r\nHow did it work?\r\nHistorically, this RAT is dropped to a victim’s endpoint using malicious Microsoft Office documents (maldocs).\r\nThese new maldocs, however, do not contain the ObliqueRAT payload directly embedded in the maldoc, as\r\nobserved in previous campaigns. Instead, the attackers use a technique new to their infection chain and infect\r\ntargeted endpoints by pointing the maldocs at malicious URLs from which the payload is fetched. New aspects of ObliqueRAT covered in this post\r\ninclude:\r\nThe maldocs-based infection chain.\r\nChanges/updates to its payload.\r\nAdditional links to previously observed malware attacks in the wild.\r\nSo what?\r\nThis new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection\r\nchains to evade detections. 
Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation\r\ntechniques that can be used to evade traditional signature-based detection mechanisms. While file-signature and\r\nnetwork-based detection are important, they should be complemented with system behavior analysis and endpoint\r\nprotections for additional layers of security.\r\nAnalysis of maldocs\r\nhttps://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html\r\nPage 1 of 16\n\nThe maldocs utilized in previous ObliqueRAT attacks used mechanisms identical to the CrimsonRAT delivery\r\nmaldocs. The latest campaign distributing ObliqueRAT now utilizes completely different macro code in their\r\nmaldocs.\r\nThe attack has also evolved to include the following functionalities:\r\nPayloads are now hosted on compromised websites.\r\nThe payloads hosted on these websites consist of seemingly benign BMP image files.\r\nThe malicious macros download the images and the ObliqueRAT payload is extracted to disk.\r\nThe ObliqueRAT payload is renamed with the .pif file extension.\r\nObliqueRAT payload extracted, written to file on disk and renamed.\r\nAnother instance of a maldoc uses a similar technique with the difference being that the payload hosted on the\r\ncompromised website is a BMP image containing a ZIP file that contains the ObliqueRAT payload. The malicious\r\nmacros are responsible for extracting the ZIP and subsequently the ObliqueRAT payload on the endpoint.\r\nPersistence\r\nThe macros are also responsible for achieving reboot persistence for the ObliqueRAT payloads. This is done by\r\ncreating a shortcut (.url file extension) in the infected user’s Startup directory.\r\nMalicious shortcut in the infected user’s startup directory to execute ObliqueRAT on startup.\r\nImage files\r\nThe image files used are BMP files hosted on adversary-controlled websites. 
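The concealment this section describes (executable bytes placed inside the pixel rows of an otherwise valid BMP, in one maldoc variant wrapped in a ZIP first), as an added example that is not part of the Talos post: a small Python carver that reads the BITMAPFILEHEADER, skips to the pixel data at bfOffBits and looks for an embedded PE (an MZ header whose e_lfanew points at the PE signature) or a ZIP local-file header, so it covers both maldoc variants. The sample images are constructed inside the block; the real payload length is not recoverable from the image alone, so the carver returns everything from the signature to the end of the pixel data and leaves trimming to the analyst.

```python
# Added example (not Talos code): carve a PE or ZIP hidden in BMP pixel data,
# as in the ObliqueRAT maldoc chain. The sample images below are constructed.
MZ = b'MZ'
PE_SIG = b'PE' + bytes(2)          # PE signature: 'PE' followed by two NUL bytes
ZIP_SIG = b'PK' + bytes([3, 4])    # ZIP local file header


def parse_bmp_header(data):
    # BITMAPFILEHEADER: 'BM', bfSize u32, two reserved u16, bfOffBits u32
    if len(data) < 14 or data[:2] != b'BM':
        raise ValueError('not a BMP file')
    bf_size = int.from_bytes(data[2:6], 'little')
    off_bits = int.from_bytes(data[10:14], 'little')
    if off_bits < 14 or off_bits > len(data):
        raise ValueError('bfOffBits points outside the file')
    return bf_size, off_bits


def find_embedded(data):
    # Return (kind, absolute offset, length to end of data) per suspicious region.
    bf_size, off_bits = parse_bmp_header(data)
    pixels = data[off_bits:]
    hits = []
    start = 0
    while True:
        i = pixels.find(MZ, start)
        if i < 0 or i + 0x40 > len(pixels):
            break
        e_lfanew = int.from_bytes(pixels[i + 0x3C:i + 0x40], 'little')
        # A real DOS stub points e_lfanew at the PE signature a short way in.
        if 0x40 <= e_lfanew < 0x1000 and pixels[i + e_lfanew:i + e_lfanew + 4] == PE_SIG:
            hits.append(('pe', off_bits + i, len(pixels) - i))
        start = i + 1
    z = pixels.find(ZIP_SIG)
    if z >= 0:
        hits.append(('zip', off_bits + z, len(pixels) - z))
    if len(data) > bf_size:
        # Bytes past the declared size: data simply appended after the image.
        hits.append(('trailing', bf_size, len(data) - bf_size))
    return hits


def carve(data, hit):
    # Slice out a hit; trim to the real payload length afterwards.
    _kind, offset, length = hit
    return data[offset:offset + length]


def build_sample_bmp(payload, width=64, height=64):
    # Constructed 24-bit BMP whose first pixel rows are overwritten by payload.
    row = (width * 3 + 3) // 4 * 4
    pixels = bytearray(row * height)
    pixels[:len(payload)] = payload
    off_bits = 14 + 40
    size = off_bits + len(pixels)
    file_hdr = b'BM' + size.to_bytes(4, 'little') + bytes(4) + off_bits.to_bytes(4, 'little')
    info_hdr = (40).to_bytes(4, 'little') + width.to_bytes(4, 'little')
    info_hdr += height.to_bytes(4, 'little') + (1).to_bytes(2, 'little')
    info_hdr += (24).to_bytes(2, 'little') + bytes(4) + len(pixels).to_bytes(4, 'little') + bytes(16)
    return file_hdr + info_hdr + bytes(pixels)


def fake_pe_stub():
    # MZ header with e_lfanew pointing at the PE signature; header only, not executable.
    stub = bytearray(0x80)
    stub[:2] = MZ
    stub[0x3C:0x40] = (0x40).to_bytes(4, 'little')
    stub[0x40:0x44] = PE_SIG
    return bytes(stub)


def demo():
    # Three constructed images: PE in the pixel rows, ZIP in the rows, clean.
    pe_bmp = build_sample_bmp(fake_pe_stub())
    zip_bmp = build_sample_bmp(ZIP_SIG + bytes(26))
    clean_bmp = build_sample_bmp(bytes(16))
    return find_embedded(pe_bmp), find_embedded(zip_bmp), find_embedded(clean_bmp)


if __name__ == '__main__':
    for hits in demo():
        print(hits)
```

Run it against a downloaded image with open(path, 'rb').read(); a legitimate image produces no hits, while a file like the ones listed under IOCs should yield a 'pe' or 'zip' region at an offset inside the pixel data. The e_lfanew check is what keeps a stray MZ byte pair in real pixel data from being reported.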
The image files contain legitimate\r\nimage data and malicious executable bytes concealed in the image data bytes.\r\nImage file containing executable data in the BITMAPLINES (RGB data).\r\nObliqueRAT infection chain.\r\nObliqueRAT payload\r\nTalos discovered four new versions of ObliqueRAT as part of this investigation. This section covers changes and\r\nupdates introduced in these versions. For a complete technical analysis of ObliqueRAT, refer to our previous blog\r\npost.\r\nAfter the discovery of the previous ObliqueRAT payload (version 5.2) we observed four new versions:\r\n6.1, developed April 2020\r\n6.3.2, developed September 2020\r\n6.3.4, developed October 2020\r\n6.3.5, developed November 2020\r\nVersion 6.1\r\nThe attackers made a few key updates with version 6.1:\r\nAdded a new command code “hb” to the RAT. Although this command code doesn’t do anything yet, it\r\nis highly likely that the attackers are preparing to introduce a new RAT capability.\r\nThe attackers introduced anti-infection checks in version 6.1. The implant does two sets of checks:\r\nCheck for blocklisted usernames and computer names: The implant concatenates the username and\r\ncomputer name it acquires from the infected endpoint’s environment variables. This string is then checked\r\nagainst a list of blocklisted values to determine if the implant should continue execution or exit. See a\r\nfull list of these keywords under the IOC section.\r\nCheck for blocklisted process names: The following process names are blocklisted and if found running on\r\nthe system, the RAT implant will simply exit. 
The blocklist consists of processes belonging to virtual\r\nmachine software (such as VMware) and analysis tools (such as Process Hacker).\r\nIf any of the blocklisted strings match the artifacts on the endpoint, the implant stops execution (without cleaning\r\nup its persistence mechanisms).\r\nVersion 6.3.2\r\nThis version adds new RAT capabilities to the implant. One of these consists of extracting files of interest from\r\nhot-pluggable or removable drives connected to the endpoint. Specifically, the implant looks for files with the\r\nfollowing extensions in the removable drives:\r\ndoc, docx\r\npdf\r\nppt, pptx\r\ntxt\r\nxls, xlsx\r\nThe implant will look for files with these extensions in the removable drive and the “Recycled” folder. Any files\r\nfound will be copied to its own file repository at locations C:\\ProgramData\\System\\Recycled (from\r\n\u003cDrive_letter\u003e:\\Recycled) and C:\\ProgramData\\System\\Dump (from \u003cDrive_Letter\u003e:\\*).\r\nAnother new ObliqueRAT capability involves recursively enumerating files in the drives present on the endpoint.\r\nThe file paths are all recorded to C:\\ProgramData\\DirecTree.txt (for the implant to later exfiltrate). 
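The anti-infection checks introduced in version 6.1 and extended in 6.3.4, as an added example that is not part of the Talos post: a Python self-check that tells you whether a given analysis VM would be fingerprinted by them. The keyword and process lists are copied from the IOC section below; the exact comparison the implant performs is not stated in the post, so case-insensitive substring matching on the concatenated username and computer name, and extension-stripped image-name matching for processes, are assumptions. The two environments in demo() are constructed. Note that python itself is on the process blocklist, so running this script inside the VM is already one hit.

```python
# Added example (not Talos code): would an analysis VM trip ObliqueRAT's
# v6.1+ anti-infection checks? Keyword lists are copied from the post's IOC
# section; case-insensitive substring matching is an assumption.
BLOCKED_NAME_KEYWORDS = [
    '15pb', '7man2', 'stella', 'f4kh9od', 'willcarter', 'biluta', 'ehwalker',
    'hong lee', 'joe cage', 'jonathan', 'kindsight', 'malware', 'peter miller',
    'petermiller', 'phil', 'rapit', 'r0b0t', 'cuckoo', 'vm-pc', 'analyze',
    'roslyn', 'vince', 'test', 'sample', 'mcafee', 'vmscan', 'mallab', 'abby',
    'elvis', 'wilbert', 'joe smith', 'hanspeter', 'johnson', 'placehole',
    'tequila', 'paggy sue', 'klone', 'oliver', 'stevens', 'ieuser', 'virlab',
    'beginer', 'beginner', 'markos', 'semims', 'gregory', 'tom-pc', 'will carter',
    'angelica', 'eric johns', 'john ca', 'lebron james', 'rats-pc', 'robot',
    'serena', 'sofynia', 'straz', 'bea-ch',
]
BLOCKED_PROCESSES = [
    'python', 'vmacthlp', 'VGAuthService', 'vmtoolsd', 'TPAutoConnSvc', 'ftnlsv',
    'ftscanmgrhv', 'vmwsprrdpwks', 'usbarbitrator', 'horizon_client_service',
    'ProcessHacker', 'procexp', 'Autoruns', 'pestudio', 'Wireshark', 'dumpcap',
    'TSVNCache', 'dnSpy', 'ConEmu', '010Editor', 'ida64', 'Procmon', 'ollydbg',
    'LordPE', 'Fiddler', 'CFF Explorer', 'sample', 'vboxservice', 'vboxtray',
]


def name_hits(username, computername):
    # The implant concatenates USERNAME and COMPUTERNAME and checks the result.
    haystack = (username + computername).lower()
    return [k for k in BLOCKED_NAME_KEYWORDS if k in haystack]


def process_hits(process_names):
    # Compare image names without extension, case-insensitively (assumption).
    running = {p.lower().rsplit('.', 1)[0] for p in process_names}
    return sorted(b for b in BLOCKED_PROCESSES if b.lower() in running)


def implant_would_exit(username, computername, process_names):
    # True means the v6.1+ implant would stop on this host (it is fingerprinted);
    # its persistence .url is left behind in that case, per the post.
    return bool(name_hits(username, computername) or process_hits(process_names))


def demo():
    # Constructed environments: a stock evaluation VM with VMware tools and
    # Process Hacker running, and a plausible corporate laptop.
    sandbox = ('IEUser', 'MSEDGEWIN10',
               ['explorer.exe', 'vmtoolsd.exe', 'ProcessHacker.exe', 'WINWORD.EXE'])
    laptop = ('ravi.kumar', 'FIN-LT-0231',
              ['explorer.exe', 'WINWORD.EXE', 'OUTLOOK.EXE'])
    return implant_would_exit(*sandbox), implant_would_exit(*laptop)


if __name__ == '__main__':
    import os
    # On the VM under test: environment names plus the image names from tasklist.
    print(name_hits(os.environ.get('USERNAME', ''), os.environ.get('COMPUTERNAME', '')))
    print(demo())
```

A detonation box that returns True here needs its account name, hostname and tool set changed (or the tools hidden) before it will see this implant run to the C2 stage; the file enumeration and removable-drive copying described above never happen on a host the implant rejects.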
The implant\r\ncontains a hard-coded list of drives to enumerate:\r\nC:\\, D:\\, F:\\, G:\\, H:\\, I:\\, J:\\, K:\\, L:\\, M:\\, N:\\, O:\\, P:\\, Q:\\, R:\\, S:\\, T:\\, U:\\, V:\\, W:\\, X:\\, Y:\\, Z:\\\r\nThere are also new capabilities triggered by specific command codes from the command and control (C2) that\r\nwere introduced in version 6.3.2:\r\nCommand code = “wes” ; Webcam screenshot\r\nCapture current view of the webcam to a DIB file located at “C:\\ProgramData\\wsc”.\r\nCode to grab webcam frames and save to a DIB file.\r\nCommand code = “sss” ; Desktop Screenshot\r\nCapture current screen (screenshot) and save screenshot as a JPEG to “C:\\ProgramData\\tsc”.\r\nThe contents of the file are subsequently read and sent to the C2.\r\nCode to capture a screenshot as bitmap and save to file.\r\nCommand code = “pizz” ; Command Data=\u003cfilename\u003e \u0026 \u003cZIP_file_name\u003e\r\nSimilar to command code “4”. Here, the implant accepts the names of the target file and an archive file. The target\r\nfile is added to the archive file created at “C:\\ProgramData\\\u003carchive_name\u003e.zip”. However, in this case, the\r\narchive file is not exfiltrated to the C2 and is only created on the endpoint.\r\nCommand code = “plit” ; Command Data=\u003ctarget filepath\u003e\r\nReceive a file path from the C2 for a file to read. The target file is read and then split into smaller files named\r\n“\u003ctarget_filename\u003e.part_\u003cpart_number\u003e” and stored on disk. 
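The on-disk artifacts this section and the persistence section attribute to the implant (the System/Recycled and System/Dump staging folders, DirecTree.txt, the wsc and tsc capture files, the “pizz” archive, the “plit” part files, and the Startup .url shortcut that launches the .pif), as an added example that is not part of the Talos post: a Python hunt that checks a ProgramData and a Startup directory for them and parses any .url shortcut to see whether it points at a .pif. The tree it runs against is constructed in a temporary directory with forward-slash paths; on a live host you would point it at the real C: ProgramData and Startup folders. The payload path inside the constructed shortcut is invented for the demo.

```python
# Added example (not Talos code): hunt for the on-disk artifacts the post
# attributes to ObliqueRAT v6.3.2+ and to the maldoc persistence step.
# Paths are parameters so the check runs against a constructed tree here.
import os
import tempfile

# Relative to ProgramData: staging dirs and the drive listing kept for exfil.
PROGRAMDATA_ARTIFACTS = [
    ('System', 'Recycled'),   # files copied from <drive>:/Recycled
    ('System', 'Dump'),       # documents copied from removable drives
    ('DirecTree.txt',),       # recursive file listing of C: to Z:
    ('wsc',),                 # webcam frame (DIB) from the 'wes' command
    ('tsc',),                 # desktop screenshot (JPEG) from 'sss'
]


def parse_url_shortcut(path):
    # .url files are INI text; return the URL= value, or None if absent.
    target = None
    with open(path, 'r', errors='replace') as fh:
        for line in fh:
            key, sep, value = line.strip().partition('=')
            if sep and key.strip().lower() == 'url':
                target = value.strip()
    return target


def is_split_part(name):
    # '<file>.part_<n>' chunks written by the 'plit' command.
    base, sep, num = name.rpartition('.part_')
    return bool(sep and base and num.isdigit())


def hunt(programdata, startup):
    findings = []
    for rel in PROGRAMDATA_ARTIFACTS:
        p = os.path.join(programdata, *rel)
        if os.path.exists(p):
            findings.append(('obliquerat_path', p))
    for root, _dirs, files in os.walk(programdata):
        for f in files:
            full = os.path.join(root, f)
            if is_split_part(f):
                findings.append(('split_part', full))
            elif root == programdata and f.lower().endswith('.zip'):
                findings.append(('staged_zip', full))   # 'pizz' archive
    if os.path.isdir(startup):
        for f in os.listdir(startup):
            if f.lower().endswith('.url'):
                target = parse_url_shortcut(os.path.join(startup, f))
                if target and target.lower().endswith('.pif'):
                    findings.append(('startup_url_to_pif', target))
    return findings


def build_constructed_tree():
    # Constructed infected-host layout for the demo; nothing here is real.
    root = tempfile.mkdtemp(prefix='obliquerat-hunt-')
    programdata = os.path.join(root, 'ProgramData')
    startup = os.path.join(root, 'Startup')
    os.makedirs(os.path.join(programdata, 'System', 'Dump'))
    os.makedirs(startup)
    for name in ('DirecTree.txt', 'quarterly.xlsx.part_1',
                 'quarterly.xlsx.part_2', 'staged.zip'):
        with open(os.path.join(programdata, name), 'w') as fh:
            fh.write('constructed')
    lines = ['[InternetShortcut]', 'URL=file:///C:/Users/Public/Libraries/payload.pif', '']
    with open(os.path.join(startup, 'update.url'), 'w') as fh:
        fh.write(chr(10).join(lines))
    return programdata, startup


if __name__ == '__main__':
    for kind, where in hunt(*build_constructed_tree()):
        print(kind, where)
```

A .pif launched from a Startup .url is unusual enough on its own to alert on; the ProgramData paths are weaker signals individually (System is a plausible folder name) but rarely coexist with part_ files and a DirecTree.txt on a clean host.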
This capability can be used to break large files of\r\ninterest into smaller chunks to prepare them for exfiltration.\r\nVersion 6.3.4\r\nThis version contains minor changes to the ObliqueRAT implant including:\r\nRemoval of the “backed” command from the implant. This command was used to back up the contents of\r\none log file to another.\r\nAddition of more anti-infection keywords to check on the endpoint (specifically for Oracle VirtualBox VM\r\ndetection).\r\nAddition of the “.csv” file extension to the list of targeted file types copied over from removable drives.\r\nVersion 6.3.5\r\nThe only update seen in this minor version update of ObliqueRAT is a change in the naming convention of the\r\nmutex created by the RAT.\r\nThe initial version of ObliqueRAT discovered in the wild by Talos created a mutex named “Oblique” on the\r\nsystem. The attackers then changed their naming convention and subsequent versions of ObliqueRAT discovered\r\n(and detailed in this post) follow a different naming convention:\r\nv6.1: “t802” (naming convention changed from “Oblique”)\r\nv6.3.2: “t803”\r\nv6.3.4: “t804”\r\nv6.3.5: “gaia5” (another change in mutex naming convention, possibly randomized)\r\nEvolution of implants\r\nThe following is a timeline of the evolution of capabilities of the ObliqueRAT implants discovered so far:\r\n1. November 2019\r\nVersion 5.2 of ObliqueRAT created, eventually disclosed in February 2020 by Talos.\r\nDistributed via maldocs containing embedded ObliqueRAT payloads.\r\n2. April 2020\r\nVersion 6.1 of ObliqueRAT created.\r\nIntroduction of anti-infection techniques.\r\nAdded an empty command code “hb”.\r\n3. 
September 2020\r\nVersion 6.3.2 of ObliqueRAT created.\r\nAdditional file enumeration and stealing capabilities.\r\nWebcam and desktop screenshot and recording RAT capabilities and commands introduced.\r\nDistribution via maldocs employing BMPs containing ObliqueRAT payloads.\r\n4. October 2020\r\nVersion 6.3.4 of ObliqueRAT created — minor update.\r\nMore keywords added to anti-infection checks.\r\nHousekeeping ability to backup log files removed.\r\nContinued distribution via maldocs employing BMPs containing ObliqueRAT payloads.\r\n5. November 2020\r\nVersion 6.3.5 of ObliqueRAT created - minor update.\r\nSame functionalities as v6.3.4. Only mutex name changed.\r\nOur previous post on ObliqueRAT detailed its connections to CrimsonRAT and, subsequently, the links to the\r\nTransparent Tribe APT group targeting organizations in South Asia. We have also observed overlaps in the C2\r\ninfrastructure used between ObliqueRAT and a RevengeRAT campaign. Talos assesses with low confidence that\r\nthere is a possible link between certain RevengeRAT campaigns and ObliqueRAT and its operators.\r\nRevengeRAT is a .NET-based RAT whose source code was leaked publicly a few years ago. It has increasingly\r\nbecome a common practice for crimeware and state-sponsored groups to utilize leaked malware. This practice\r\ntakes away the need to develop implants and C2 servers from scratch and increases the chances of misattribution.\r\nConclusion\r\nThis campaign shows a threat actor evolving their infection techniques so that they no longer resemble those used\r\npreviously. It is highly likely that these changes are in response to previous disclosures to achieve evasion for\r\nthese new campaigns. The usage of compromised websites is another attempt at detection evasion. The adversaries\r\nhave also introduced steganography as a way to hide the ObliqueRAT payloads in image files. 
This technique is\r\nnovel to ObliqueRAT’s distribution chain (not observed in the past). This new campaign distributing ObliqueRAT\r\nstarted in April 2020 and is still ongoing. This campaign also highlights that while network-based detection is\r\nimportant, it must be complemented with system behavior analysis and endpoint protections.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected\r\nwith this specific threat. 
For specific OSqueries on this threat, click here.\r\nIOCs\r\nMaldocs\r\n2ad362e25989b0b1911310345da90473df9053190737c456494b0c26613c8d1f\r\n0196bc9ac3db6f02cfa97323c8fce6cc7318b8f8fadb3e73bdf7971b3c541964\r\nb85536589c79648a10868b58075d7896ec09bbde43f9c4bad95ed82a200652bc\r\nImage files\r\n553502bfe265a7e75a1d2202776fd816cabccfcdb200cc180dc507f4d45668d2\r\nec85e270c5cb159255a3178117197d275a6a90295fd31248b397dc03bcc4f3e4\r\n84aa777badab889d066e3a57c6a3d2096bc978c01499ea3dd8dd65fe44a3c98f\r\nObliqueRAT payloads\r\n5a425372fac8e62d4b5d5be8054967eabe1e41894bcb8c10e431dd2e06203ca0\r\nbdb184f4c8416c271ad2490c1165ee4d6e2efcf82a1834ba828393c74e190705\r\n926d3f258fe2278bd1d220fafb33f246f9db9014204337f05a25d072bb644b6d\r\n0ade4e834f34ed7693ebbe0354c668a6cb9821de581beaf1f3faae08150bd60d\r\nMalicious domains\r\nlarsentobro[.]com\r\nURLs\r\nhxxp://iiaonline[.]in/DefenceLogo/theta.bmp\r\nhxxp://iiaonline[.]in/timon.jpeg\r\nhxxp://iiaonline[.]in/9999.jpg\r\nhxxp://iiaonline[.]in/merj.bmp\r\nhxxp://iiaonline[.]in/111.jpg\r\nhxxp://iiaonline[.]in/sasha.jpg\r\nhxxp://iiaonline[.]in/111.png\r\nhxxp://iiaonline[.]in/camela.bmp\r\nhxxp://larsentobro[.]com/mbda/goliath1.bmp\r\nhxxp://larsentobro[.]com/mbda/mundkol\r\nhxxp://drivestransfer[.]com/myfiles/Dinner%20Invitation.doc/win10/Dinner%20Invitation.doc\r\nObliqueRAT CnCs\r\nmicrsoft[.]ddns.net\r\n185[.]183.98.182:4701\r\n47bed59051a727911b050c2922874ae817e05860e4eee83b323f9feab710bf5c\r\n23577ceb59f606ae17d9bdabaccefcb53dc2bac19619ce8a2d3d18ecb84bcacd\r\na9d9d7f6dd297af2bb3165ad0bfe3bbb88969393a3534bd33ef9aad062aefd05\r\nRevengeRAT CnC\r\nmicrsoft[.]ddns.net:4313\r\nyepp[.]ddns.net:4315\r\nBlocklisted Usernames and Computer names\r\nBlocklisted keywords for username and computername:\r\n15pb\r\n7man2\r\nstella\r\nf4kh9od\r\nwillcarter\r\nbiluta\r\nehwalker\r\nhong lee\r\njoe 
cage\r\njonathan\r\nkindsight\r\nmalware\r\npeter miller\r\npetermiller\r\nphil\r\nrapit\r\nr0b0t\r\ncuckoo\r\nvm-pc\r\nanalyze\r\nroslyn\r\nvince\r\ntest\r\nsample\r\nmcafee\r\nvmscan\r\nmallab\r\nabby\r\nelvis\r\nwilbert\r\njoe smith\r\nhanspeter\r\njohnson\r\nplacehole\r\ntequila\r\npaggy sue\r\nklone\r\noliver\r\nstevens\r\nieuser\r\nvirlab\r\nbeginer\r\nbeginner\r\nmarkos\r\nsemims\r\ngregory\r\ntom-pc\r\nwill carter\r\nangelica\r\neric johns\r\njohn ca\r\nlebron james\r\nrats-pc\r\nrobot\r\nserena\r\nsofynia\r\nstraz\r\nbea-ch\r\nBlocklisted process names\r\npython\r\nvmacthlp\r\nVGAuthService\r\nvmtoolsd\r\nTPAutoConnSvc\r\nftnlsv\r\nftscanmgrhv\r\nvmwsprrdpwks\r\nusbarbitrator\r\nhorizon_client_service\r\nProcessHacker\r\nprocexp\r\nAutoruns\r\npestudio\r\nWireshark\r\ndumpcap\r\nTSVNCache\r\ndnSpy\r\nConEmu\r\n010Editor\r\nida64\r\nProcmon\r\nollydbg\r\nLordPE\r\nFiddler\r\nCFF Explorer\r\nsample\r\nvboxservice\r\nvboxtray\r\nSource: https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html"
	],
	"report_names": [
		"obliquerat-new-campaign.html"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3b49059769525a0d7cdd1b276981a1e4493d0c9.pdf",
		"text": "https://archive.orkl.eu/f3b49059769525a0d7cdd1b276981a1e4493d0c9.txt",
		"img": "https://archive.orkl.eu/f3b49059769525a0d7cdd1b276981a1e4493d0c9.jpg"
	}
}