ReversingLabs discovered four related Discord-based remote access trojans (RATs) — UwUdisRAT, STD RAT, Minecraft RAT, and Propionanilide RAT — operated by “STD Group,” sharing a common C++ codebase, use of Discord bot tokens (sometimes ROT23-obfuscated), and development progression including a custom packer called Proplock/STD Crypter. The report includes file indicators (many SHA256 hashes), a Python ROT-23 decryptor, and two YARA rules for detecting the crypter and RAT payloads. #UwUdisRAT #STD_RAT #MinecraftRAT #PropionanilideRAT #Proplock
Key points
- ReversingLabs identified four Discord-based RATs linked to “STD Group”: UwUdisRAT, STD RAT, Minecraft RAT, and Propionanilide RAT, likely variants of the same codebase.
- Malware is written in C++ and uses Discord bot tokens for C2; earlier samples stored Guild IDs in plaintext while later samples use ROT23 or stack-string obfuscation and encryption for tokens.
- UwUdisRAT is the oldest observed family (samples from Nov 15, 2024 onward) and contains PDB path strings including username “Digital” and the string “AnyDesks,” which overlap with older .NET campaigns.
- STD RAT and Minecraft RAT share a distinctive mutex string (“std”) and various compilation timestamps show continual evolution and rebranding between February and May 2025.
- Propionanilide RAT demonstrates evolution to a packed distribution model using a custom packer (Proplock/STD Crypter) that leverages XZ/LZMA2 compression and an additional rolling XOR layer.
- ReversingLabs published extensive file indicators (numerous SHA256 hashes for packed samples, payloads, tests, and each RAT family), a Python ROT23 decoder, and two YARA rules to detect the crypter and payloads.
- Researchers noted dead-code decoy tokens and varied obfuscation methods (stack strings, regular expressions to identify tokens), indicating active development to evade detection.
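The ROT23 token recovery and decoy filtering described above, as an added example (this is not ReversingLabs' decryptor or any code from the report; the letters-only rotation alphabet, the bot-token regex, the snowflake-ID sanity check and all sample data are assumptions constructed for the demonstration):

```python
import base64
import binascii
import re
import string

# Assumed shape of a classic Discord bot token: base64(user id) "." timestamp "." HMAC
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{23,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,}")


def rot(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`; digits, '.', '_' and '-' pass through (assumed alphabet)."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def rot23(text: str) -> str:
    """ROT23 decode: shifting by 23 undoes a shift of 3."""
    return rot(text, 23)


def printable_strings(data: bytes) -> list:
    """Poor man's `strings`: runs of at least 8 printable ASCII bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{8,}", data)]


def looks_like_bot_token(token: str) -> bool:
    """Weed out decoys: a real bot token's first segment base64-decodes to a numeric snowflake ID."""
    first = token.split(".")[0].translate(str.maketrans("-_", "+/"))
    try:
        user_id = base64.b64decode(first + "=" * (-len(first) % 4))
    except (binascii.Error, ValueError):
        return False
    return user_id.isdigit()


def find_tokens(data: bytes) -> list:
    """Return (label, token) pairs for token-shaped strings found plain or after ROT23 decoding."""
    hits = []
    for s in printable_strings(data):
        for label, candidate in (("plain", s), ("rot23", rot23(s))):
            hits.extend((label, m.group()) for m in TOKEN_RE.finditer(candidate))
    return hits


# Constructed sample: a fake token stored ROT3-encoded (so ROT23 recovers it) beside a plaintext decoy
SAMPLE_TOKEN = "MTIzNDU2Nzg5MDEyMzQ1Njc4.Gabcde.constructed_hmac_part_27chars"
DECOY = "NOTAREALTOKENDECOYXXXXXX.abcdef." + "z" * 27
SAMPLE_BLOB = (b"\x00\x00build info \x00token: " + rot(SAMPLE_TOKEN, 3).encode()
               + b" \x00\x00decoy: " + DECOY.encode() + b"\x00")

if __name__ == "__main__":
    for label, token in find_tokens(SAMPLE_BLOB):
        print(label, token, "valid shape and id" if looks_like_bot_token(token) else "decoy/garbage")
```

The shape regex alone also matches the rotated form of a plaintext token and any decoy, so the snowflake check is what separates the one usable hit from the noise.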
MITRE Techniques
- [T1071] Application Layer Protocol – Discord used as command-and-control channel: ‘…utilize the Discord platform for command and control (C2).’
- [T1608] Stage Capabilities – Malware variants share and reuse codebase and functions across builds: ‘…RATs are so closely related they may be the same code base, just rebranded.’
- [T1112 / T1547.001?] Modify Registry / Boot or Logon Autostart Execution (uncertain mapping; no explicit registry persistence is described) – Mutex creation used for single-instance control and control flow: ‘…share a distinctive mutex string’ and example CreateMutexW calls.
- [T1027] Obfuscated Files or Information – ROT23 cipher and stack string obfuscation applied to Discord tokens: ‘…incorporates a ROT23 cipher to encode a Discord bot token’ and ‘…started using stack strings to obfuscate the location of the Discord token.’
- [T1041] Exfiltration Over C2 Channel – Use of a Discord bot for C2 implies data/command exchange via Discord channels: ‘…Discord bot token that is used to connect to the C2.’
- [T1204] User Execution – Droppers observed delivering Minecraft RAT payloads (dropper extracted by Spectra Analyze): ‘One example of a dropper for the Minecraft RAT campaign… Spectra Analyze extracted the payload from the dropper.’
- [T1023 / T1140?] Template Injection / Deobfuscate/Decode Files or Information (uncertain mapping) – Compression and a custom packer are used to deliver payloads: ‘The packer uses XZ format and LZMA2 compression… an additional layer of rolling bitwise XOR encryption is used outside of the compressed XZ format.’
Indicators of Compromise
- [File Hash – Packed samples] Propionanilide packed samples – examples: 1a1d3d897d0b6eb8836e15359fc600b3790a3c621a3cf0d0cbd23c88e9e8af69, 1ca659cfe2f40695a250ca3c6287ed3691a268d6f7fbffbf83a5b0bb0ed0a528 (and many more hashes listed).
- [File Hash – Payloads] Propionanilide payload samples – examples: 1a4382141f9d4910a172089048157052a053d3ae81fd2ae660632b849d606f2c, 202083aae976ab71a75d2d185e918430128bd845d125e55395617bddcc1d01e7 (and additional payload hashes).
- [File Hash – UwUdisRAT] UwUdisRAT family hashes – examples: 04589839ac2f6bd9ed2e958a6085c9070c6844e2c9abe15641f8befa70a65a98, 061799cfc23d3689870ea6abed1f8cb5f595f63bb810ef7c829376c9c5cea921.
- [File Hash – STD RAT] STD RAT family hashes – examples: 000eed382ebec21a1f27a860cc52613cdd98fc36dd12d37bad15caeb36846d7f, 12c9cca4b13fb5fa772ef2991afe06c25a3f7dca89dc2faf15b0bf6a22c15c92.
- [File Hash – Minecraft RAT] Minecraft RAT family hashes – examples: 09959d473a1b842bb3d953a71ed0e7230ae32f16036805b09806dd626fbef580, 0a54750e93f9e716b3ce206933b0c8d0d4b2771696ae0104478fe009879b0ea8.
- [Strings / Artifacts] Plaintext/obfuscated Discord credentials and mutex – contexts: hard-coded Guild ID in early samples, ROT23/stack-string-obfuscated Discord tokens, and mutex string “std” used by multiple samples.
Read more: https://www.reversinglabs.com/blog/tracking-discord-rat-family