What is a RAT?

30 Jul 2025
Remote Access Trojans
In the world of cybercrime, attackers don’t always smash through the digital front door. Sometimes they simply walk in disguised as legitimate software and quietly take over.
This is the danger of Remote Access Trojans (RATs), a class of malware that gives cybercriminals full control of a device without the user ever knowing.
At LoughTec, our Security Operations Centre (SOC) monitors and responds to these threats in real time. This article breaks down a recent case, explains how RATs operate, and shows why Managed Application Control (MAC) is critical to stopping these stealthy attacks before they escalate.
What Is a Remote Access Trojan (RAT)?
In simple terms, a RAT is like a stranger holding a remote control for your computer, one they never asked permission to use.
A Remote Access Trojan is a type of malware that allows attackers to secretly access and control a victim’s computer over the internet. Once inside, they can:
- Steal data and credentials
- Move laterally across your network
- Install further malware or ransomware
- Hijack business operations
They’re designed to remain hidden while providing unrestricted access, making them a favourite tool both for initial access and for long-term infiltration.
Case Study: RAT Deployed via NVIDIA Executable
Our SOC recently investigated an intrusion in a communications-sector client.
Here’s how the attack unfolded:
Step 1: Infection
- A legitimate NVIDIA executable (NVIDIA Notification.exe) was abused to load a malicious DLL placed alongside it, a technique called DLL sideloading: the trusted program looks for a library by name, and the attacker’s copy is the one it finds.
- The malicious DLL (270707254.dll) was staged in a roaming user profile folder (under AppData\Roaming, a location any user can write to) and executed quietly in the background inside the trusted process.
Translation for non-tech readers: The attacker placed a harmful add-on exactly where a trusted program expects to find one of its own components, so the trusted program loaded it without complaint.
Step 2: Callback and Control
- Once active, the RAT called home to the attacker’s remote server.
- This turned the infected machine into a jump box: a gateway the attacker could use for deeper access into the network.
Step 3: Internal Reconnaissance
- The attacker gathered detailed information:
  - Logged-in users
  - System configuration
  - Domain admins and trust relationships
  - Local administrator rights
- They ran PowerShell scripts to:
  - Identify systems where the compromised account had admin access
  - Discover accounts vulnerable to Kerberoasting (requesting service tickets for accounts with a Service Principal Name, then cracking the tickets offline to recover the service account’s password)
Step 4: Credential Dumping and Persistence
- Two more malicious files (111.exe and 0.exe) were dropped.
- The attacker used 0.exe to dump the SYSTEM registry hive, which holds the boot key needed to decrypt the local password hashes and cached domain credentials kept in the SAM and SECURITY hives.
- Chrome browser passwords were extracted.
- Eventually, the attacker gained Domain Admin access and remotely queried all logged-in users across the domain controllers using wmiexec (remote command execution over WMI, which blends in with legitimate administrative traffic).
For security teams: This attack involved lateral movement, credential harvesting and privilege escalation, all from a single endpoint infection.
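The behaviours in Steps 1, 2 and 4 above translate directly into rules a SOC can run over endpoint telemetry. The following is an added example, not LoughTec’s SOC tooling: it applies those rules to Sysmon-style events. The field names follow Sysmon’s ProcessCreate (Event ID 1), NetworkConnect (ID 3) and ImageLoad (ID 7) events; the events themselves are constructed to mirror the case, and the internal address ranges and the list of user-writable folders are assumptions to tune per environment.

```python
"""Detection logic for the tradecraft in the case study, run over Sysmon-style
events.  Added example, not LoughTec's SOC tooling: field names follow Sysmon's
ProcessCreate (Event ID 1), NetworkConnect (ID 3) and ImageLoad (ID 7) schema,
and every sample event below is constructed, not captured."""
import ipaddress
import re

# Folders any standard user can write to.  A DLL loaded from here, or a binary
# calling out from here, is not proof of compromise but is worth a look.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\(?:Roaming|Local|LocalLow)|Downloads|Desktop|Documents)\\"
    r"|\\Windows\\Temp\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE,
)
# reg.exe exporting the SYSTEM hive (boot key) or the SAM/SECURITY hives whose
# password material that key protects.  Custom dumpers like 0.exe will not
# match a command-line rule; catch those via file drops and hive-handle alerts.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+"?(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b',
    re.IGNORECASE,
)
# wmiexec-style execution: the WMI provider host spawns a shell whose output is
# redirected to the ADMIN$ share so the operator can read it back over SMB.
ADMIN_SHARE_REDIRECT = re.compile(r"[12]?>\s*\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)

# Assumption: the organisation uses RFC 1918 space; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the destination lies outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def check_event(ev: dict) -> list[str]:
    """Return the name of every rule the event triggers (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 7:
        # Step 1: unsigned DLL loaded from a user-writable folder (sideloading candidate).
        if ev.get("Signed", "true").lower() == "false" and USER_WRITABLE.search(ev.get("ImageLoaded", "")):
            hits.append("dll_sideload_candidate")
    elif eid == 3:
        # Step 2: a binary living in a user-writable folder opens a connection to the internet.
        if (ev.get("Initiated", "true").lower() == "true"
                and USER_WRITABLE.search(ev.get("Image", ""))
                and is_external(ev.get("DestinationIp", ""))):
            hits.append("outbound_from_user_writable_path")
    elif eid == 1:
        cmd = ev.get("CommandLine", "")
        # Step 4: registry hive export for offline credential extraction.
        if HIVE_SAVE.search(cmd):
            hits.append("registry_hive_dump")
        # Step 4: wmiexec-style remote command execution.
        if ev.get("ParentImage", "").lower().endswith("\\wmiprvse.exe") and ADMIN_SHARE_REDIRECT.search(cmd):
            hits.append("wmiexec_pattern")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through the rules; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed events mirroring the case study; 203.0.113.77 is a documentation
# address standing in for the attacker's server.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\jsmith\AppData\Roaming\NVIDIA\NVIDIA Notification.exe",
     "ImageLoaded": r"C:\Users\jsmith\AppData\Roaming\NVIDIA\270707254.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll", "Signed": "true"},
    {"EventID": 3, "Image": r"C:\Users\jsmith\AppData\Roaming\NVIDIA\NVIDIA Notification.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.77", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\jsmith\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "Initiated": "true", "DestinationIp": "10.20.0.5", "DestinationPort": 8080},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg  save hklm\system C:\Users\Public\sys.hiv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c query user 1> \\127.0.0.1\ADMIN$\__1722340000.12 2>&1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx].get('Image')}")
```

The benign Teams connection and the Word DLL load show why each rule combines conditions: a user-writable path on its own, or an unsigned DLL on its own, would page the analyst constantly. A custom dumper such as 0.exe will not match the reg save rule, which is why command-line rules need to be paired with alerts on hive handle access and on unexpected binaries appearing in user folders.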
Common Remote Access Trojans (RATs)
Here are some of the most prevalent RATs used today:
| RAT Name | Description |
|---|---|
| NanoCore | Targets Windows systems, known for stealing credentials |
| QuasarRAT | Open-source RAT used for keylogging and screen capture |
| Remcos | Often distributed via phishing, used in corporate attacks |
| AsyncRAT | Focuses on stealth and remote file execution |
| njRAT | Popular in Middle East–based campaigns, enables full control |
These RATs are typically delivered through phishing emails, cracked software or malicious browser pop-ups such as fake CAPTCHA pages that trick the user into downloading or running something.
Why Managed Application Control (MAC) Is Crucial
Without robust controls over what can and cannot run in your environment, attackers can exploit legitimate software to execute unauthorised payloads, just like in the NVIDIA example.
Managed Application Control (MAC) helps by:
- Blocking unapproved software from launching (even if signed)
- Whitelisting known-safe apps to prevent misuse
- Detecting and stopping sideloading attempts
- Providing full audit trails of executable activity
For non-technical readers, think of MAC as a security bouncer: it only lets verified, approved apps run and turns away everything else.
The Real-World Consequences
If left unchecked, a single RAT infection can lead to:
- Full domain compromise within hours
- Loss of sensitive business data
- Ransomware deployment
- Operational shutdowns
- Regulatory fines under GDPR and other data protection laws
How LoughTec Protects Against RATs and Other Threats
Our SOC and cybersecurity solutions are designed to:
- Detect and contain RATs early
- Monitor behavioural anomalies
- Enforce application control policies
- Protect endpoints with 24/7 visibility
- Respond in real time to threats
Whether you’re a large enterprise or an SME, our Managed Detection & Response (MDR) and Application Control services ensure threats like RATs are caught before they do real damage.
Next Steps for Your Business
- Review your endpoint security posture
- Implement Managed Application Control
- Educate staff on RAT tactics and phishing techniques
- Conduct regular threat simulations and audits
RAT Threat Response Checklist
A quick-reference guide to help your organisation detect, block and respond to Remote Access Trojan (RAT) threats.
1. Initial Prevention
- Use Managed Application Control (MAC) to block unapproved applications
- Whitelist only trusted, digitally signed software
- Regularly patch operating systems and applications
- Deploy endpoint protection with behavioural monitoring
2. Entry Point Monitoring
- Educate staff to recognise phishing and fake CAPTCHA traps
- Filter email attachments and URLs with advanced threat protection
- Monitor for sideloading of DLLs or abuse of signed binaries
3. Detection & Response
- Use an MDR service to detect unusual access or PowerShell activity
- Flag remote execution patterns such as wmiexec (a shell spawned by WmiPrvSE.exe with its output redirected to the ADMIN$ share), unknown executables dropped into user-writable folders (like 111.exe and 0.exe in the case above), and unexpected scripts
- Set alerts for registry hive exports (for example reg save of the SAM, SYSTEM or SECURITY hives) and other credential dumping attempts
- Identify RAT callbacks to external attacker infrastructure
4. Containment & Recovery
- Isolate compromised endpoints immediately
- Reset credentials for affected accounts and domain admins
- Review and clean persistence mechanisms (e.g., scheduled tasks)
- Conduct full forensic analysis of lateral movement paths
5. Strategic Improvements
- Implement MAC with central policy enforcement
- Schedule regular penetration testing and red team exercises
- Review service accounts for SPN exposure
- Align with NCSC and ISO/IEC 27001 best practices
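Reviewing service accounts for SPN exposure, the item above and the weakness the attacker hunted for in Step 3 of the case study, can be scripted against an export of AD user objects. This is an added example, not LoughTec’s tooling: the account records are constructed, the one-year password-age threshold and the decision to treat an unset msDS-SupportedEncryptionTypes as RC4-capable are assumptions to adjust for your domain, and a real export would come from Get-ADUser or an LDAP query rather than the inline list.

```python
"""Triage of service accounts for Kerberoasting exposure, from an export of AD
user objects.  Added example, not LoughTec's tooling; the records below are
constructed.  Attribute names follow the AD schema (servicePrincipalName,
userAccountControl, msDS-SupportedEncryptionTypes, pwdLastSet, adminCount,
memberOf); a real export would come from Get-ADUser or an LDAP query."""
from datetime import date

ACCOUNTDISABLE = 0x0002            # userAccountControl bits
DONT_EXPIRE_PASSWORD = 0x10000
RC4_HMAC = 0x4                     # msDS-SupportedEncryptionTypes bits
AES128_CTS = 0x8
AES256_CTS = 0x10
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE_DAYS = 365        # assumption: tune to your rotation policy
REVIEW_DATE = date(2025, 7, 30)    # fixed "today" so the sample run is reproducible


def is_roastable(acct: dict) -> bool:
    """Any enabled, SPN-bearing principal will be issued a service ticket; the
    ones worth cracking are ordinary user objects with a human-chosen password.
    Computer accounts and gMSAs (names ending in $) have long random passwords
    and are skipped, as is krbtgt."""
    if not acct.get("servicePrincipalName"):
        return False
    if acct["userAccountControl"] & ACCOUNTDISABLE:
        return False
    name = acct["sAMAccountName"]
    return not name.endswith("$") and name.lower() != "krbtgt"


def risk_factors(acct: dict, today: date) -> list[str]:
    """Why a ticket for this account would be attractive to crack."""
    factors = []
    enc = acct.get("msDS-SupportedEncryptionTypes") or 0
    # Assumption: an unset value is treated as RC4-capable (the legacy default).
    if enc == 0 or enc & RC4_HMAC:
        factors.append("RC4 service tickets allowed (fast to crack offline)")
    age = (today - acct["pwdLastSet"]).days
    if age > MAX_PASSWORD_AGE_DAYS:
        factors.append(f"password last set {age} days ago")
    if acct["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        factors.append("password never expires")
    # Real exports carry group DNs; the sample uses plain names for readability.
    if acct.get("adminCount") == 1 or PRIVILEGED_GROUPS & set(acct.get("memberOf", [])):
        factors.append("privileged: a cracked password is domain compromise")
    return factors


def review(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Map each roastable account to its risk factors, most exposed first."""
    findings = {a["sAMAccountName"]: risk_factors(a, today) for a in accounts if is_roastable(a)}
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))


# Constructed records: one exposed legacy service account, one hardened one,
# one disabled, one computer account and one ordinary user without an SPN.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": date(2019, 3, 4), "adminCount": 1, "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/intranet.corp.local"],
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": AES128_CTS | AES256_CTS,
     "pwdLastSet": date(2025, 5, 1), "adminCount": 0, "memberOf": []},
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bkp01.corp.local"],
     "userAccountControl": 0x202, "msDS-SupportedEncryptionTypes": RC4_HMAC,
     "pwdLastSet": date(2018, 1, 1), "adminCount": 0, "memberOf": []},
    {"sAMAccountName": "WS01$", "servicePrincipalName": ["HOST/ws01.corp.local"],
     "userAccountControl": 0x1000, "msDS-SupportedEncryptionTypes": AES256_CTS,
     "pwdLastSet": date(2025, 7, 1), "adminCount": 0, "memberOf": []},
    {"sAMAccountName": "jsmith", "servicePrincipalName": [],
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": date(2025, 6, 15), "adminCount": 0, "memberOf": []},
]

if __name__ == "__main__":
    for name, factors in review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(name, "->", "; ".join(factors) or "roastable but hardened (AES-only, fresh password)")
```

Accounts that come back with an empty factor list are still roastable but hardened. For the others, the fix is a group managed service account (gMSA) where the application supports it, otherwise a long random password, AES-only encryption types and removal from privileged groups.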
Please be vigilant: prevention is easier than cure!
Many breaches start from something small, like a single RAT infection; without controls, that small thing can take down your entire network.
Don’t let malware lurk unnoticed in your environment: proactive visibility and control are your best defences.
Need help building a SOC, implementing these controls or detecting RAT activity? Contact LoughTec for 24/7 threat protection and tailored SOC support.
LoughTec are cyber security experts. If you want to find out more about how LoughTec can help protect your business, see the further recommended information and options below.
Click to find out more about how much a cyber attack could potentially cost your business.
Click to find out more about Security Operations Centre SOC 24-7-365 protection.
Click to find out more about Staff Cyber Security Awareness Training.
Click to find out more about Ransomware Protection.
You can also see more about us in our case studies and testimonials sections.