Atroposia is a modular remote access trojan (RAT) that provides hidden RDP, encrypted C2 channels, credential and cryptocurrency wallet theft, DNS hijacking, local vulnerability scanning, and multiple persistence/evasion mechanisms. It is marketed on underground forums alongside turnkey criminal toolkits like SpamGPT and MatrixPDF, lowering the skill required to run complex attacks. #Atroposia #SpamGPT #MatrixPDF
Keypoints
- Atroposia is a modular RAT offering hidden remote desktop (HRDP), file system control, data exfiltration, clipboard monitoring, credential and crypto wallet theft, DNS hijacking, and local vulnerability scanning.
- The RAT uses encrypted command-and-control (C2) communications and UAC bypass to escalate privileges and install multiple persistence mechanisms to survive reboots.
- Its plugin-based design and user-friendly control panel make it accessible and affordable on underground forums (pricing roughly $200/month to $900/6 months), enabling low- and no-skill operators.
- HRDP Connect creates an invisible remote desktop session that lets attackers interact with the system without visible indication to the victim, undermining session integrity and remote access monitoring.
- Data theft capabilities include a Grabber module that hunts files by extension/keyword and creates password-protected archives, fileless exfiltration techniques, and a stealer for saved logins and wallet data.
- Network manipulation features include a DNS hijack module that redirects host DNS queries to attacker-controlled IPs, enabling phishing, MITM, and malicious update delivery while bypassing external DNS protections.
- Varonis emphasizes detection via behavioral analytics—monitoring abnormal user/device behavior, rogue DNS changes, unusual data access, and lateral movement—to catch activity Atroposia may hide from antivirus.
MITRE Techniques
- [T1021] Remote Services – Atroposia establishes hidden remote desktop sessions (“HRDP Connect” creates an invisible shadow login allowing attackers to interact with the system) – ‘…spawns a covert desktop session in the background…’
- [T1105] Ingress Tool Transfer – Fileless and bulk exfiltration and use of legitimate tools to package/extract data in memory minimizes on-disk footprint and transfers stolen data – ‘…package and extract data in memory (and leverage legitimate tools on the host)…’
- [T1555] Credentials from Password Stores – Stealer module targets saved logins, password managers, and crypto wallets to harvest credentials and session tokens – ‘…targets specific sensitive data like saved logins, cryptocurrency wallets…’
- [T1115] Clipboard Data – Clipboard manager monitors and captures clipboard contents in real time to harvest copied credentials, API keys, or other sensitive text – ‘…monitors the target’s clipboard in real time, capturing anything the user copies or cuts…’
- [T1046] Network Service Discovery (host-level DNS manipulation) – DNS hijack module redirects DNS queries at the host to attacker IPs to facilitate phishing and MITM – ‘…add a rule, any attempt by the victim’s machine to reach that domain will be silently rerouted…’
- [T1068] Exploitation for Privilege Escalation / [T1064] UAC Bypass – Automatic privilege escalation via UAC bypass to gain admin rights and install persistence mechanisms – ‘…automatically escalate privileges via UAC bypass to gain admin rights…’
- [T1016] System Network Configuration Discovery / [T1040] Network Sniffing – Local vulnerability scanner enumerates missing patches and vulnerable software to map exploitable weaknesses on the host – ‘…perform a local audit of the system’s security posture, enumerating missing patches, unsafe settings, or vulnerable software versions…’
Indicators of Compromise
- [Tool/Product Names] context – Atroposia (modular RAT with HRDP, Grabber, stealer, DNS hijack), SpamGPT (AI-driven spam-as-a-service), MatrixPDF (malicious PDF builder)
- [Module/Feature Names] context – HRDP Connect (hidden RDP), Grabber (file hunting and archive creation), Clipboard manager (clipboard snooping)
- [Pricing/Marketplace] context – Underground forum listings and pricing examples – ~$200/month, $500/3 months, $900/6 months
- [Detection/Behavioral Indicators] context – anomalous file access, unusual data exfiltration, rogue DNS changes – examples: host-level DNS rules redirecting enterprise domains to unexpected IPs, automated bulk ZIP archives of PDF/CSV files and stolen browser data
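An added example (not code from the Varonis post or from Atroposia) of the rogue-DNS-change check described under Keypoints and in the Detection/Behavioral Indicators above: it parses hosts-file text and flags any entry that pins a watched enterprise domain to an IP outside its expected ranges. The domain list, address ranges, and sample hosts lines are constructed for the example.

```python
import ipaddress

# Constructed allow-list (hypothetical): enterprise domains and the
# address ranges they are expected to resolve to.
EXPECTED = {
    "intranet.example.com": ["10.0.0.0/8"],
    "updates.example.com": ["10.0.0.0/8", "192.0.2.0/24"],
}

# Constructed sample hosts file: two benign lines, two suspicious overrides
# of the kind a host-level DNS hijack would leave behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.20.30.40     intranet.example.com
198.51.100.7    updates.example.com   # redirect to an outside address
203.0.113.9     intranet.example.com  # second override of the same domain
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-format text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, cannot act as an override
        for host in parts[1:]:
            yield ip, host.lower()


def find_rogue_overrides(text, expected=EXPECTED):
    """Return (domain, ip) for watched domains pinned to an unexpected IP."""
    findings = []
    for ip, host in parse_hosts(text):
        if host not in expected:
            continue  # only enterprise domains on the watch list are judged
        if not any(ip in ipaddress.ip_network(net) for net in expected[host]):
            findings.append((host, str(ip)))
    return findings


if __name__ == "__main__":
    for host, ip in find_rogue_overrides(SAMPLE_HOSTS):
        print(f"ROGUE DNS OVERRIDE: {host} -> {ip}")
```

The same check can be fed the contents of the live hosts file on an endpoint, or run as a scheduled baseline comparison to surface the silent reroutes the DNS hijack module creates.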
Read more: https://www.varonis.com/blog/atroposia-rat