The goal of this research is to discover trends, similarities and other hidden aspects among RATs observed during the last 30 years. This project was born in early 2017.
Timeline of RATs
The goal of the first stage is to create a timeline of RATs with all the existing families in the last 30 years. For this purpose, I am following an iterative methodology:
For every RAT, collect all meaningful blogs and reports about it.
Document the resources found.
Find the first mention of the RAT and determine a possible year of appearance.
Check the resources for other possible RAT names.
Repeat.
Because there is a huge lack of formal research in this area, I decided to create small iterations of my timeline and make it public in order to receive early feedback from peers. In this way, I could get assistance, suggestions and corrections in the early stage of my research that will ensure bigger chances of success for the next stages of the research.
Timeline 1.1 [Blog] [Low Res] [High Res] [PDF]
Timeline 1.2 [Blog] [Low Res] [High Res] [PDF]
Timeline 1.3 [Blog] [Low Res] [High Res] [PDF]
Growth and Commoditization of RATs
The second stage of this research, done under the supervision of Sebastian Garcia, was about exploring the growth and the commoditization of RATs. We focused on publishing a scientific paper with three main components: first, the timeline of the last 30 years of RATs; second, an overview of the commoditization of the most well-known RATs in 2019-2020; and third, the types of attacks and attackers using RATs.
We have two publications on this topic:
Virus Bulletin Conference 2020, Growth and commoditization of remote access trojans [Paper] [Slides] [Recording]
CERT-EU’s 2020 Annual Conference: ‘Tomorrow comes the Harvest’. [Slides]
2nd Workshop on Attackers and Cyber-Crime Operations, IEEE European Symposium on Security and Privacy 2020, Growth and commoditization of remote access trojans [Paper] [PDF] [Slides]
Blog posts published
RATs Indexed
The following RATs have been indexed so far. We are working on adding more information for 2019 and 2020, as most of our cataloging work was done up to early 2019.
| First Seen | Remote Access Trojan Name |
|:----------:|:-------------------------------------------------------:|
| 1989 | Netsupport manager remote control software |
| 1996 | NokNok |
| 1997 | D.I.R.T. (Data Interception by Remote Transmission) |
| 1998 | Socket23 |
| 1998 | Netbus |
| 1998 | BO2K/Back Orifice/Body Odour |
| 1998 | Y3k RAT |
| 1998 | Vortex |
| 1998 | Girlfriend |
| 1998 | Acid Shivers |
| 1998 | Casus |
| 1998 | Grifin |
| 1998 | Troyano Argentino |
| 1999 | Deep Throat |
| 1999 | Subseven / Sub7 / Backdoor G |
| 1999 | Mosucker / MiniMo |
| 1999 | BF Evolution |
| 2000 | Dolly |
| 2001 | Gh0st / Moudoor |
| 2001 | Lithium |
| 2001 | AWRC / Atelier Web Remote Commander |
| 2001 | LetMeRule |
| 2002 | Beast |
| 2002 | Optix Pro |
| 2002 | Assasin / Assassin? |
| 2002 | Net Devil |
| 2002 | Theef |
| 2002 | ProRAT |
| 2002 | A4zeta |
| 2002 | LanFiltrator |
| 2002 | Nova RAT |
| 2002 | Pandora |
| 2002 | Greek Hackers RAT |
| 2002 | MRA RAT |
| 2002 | Snoopy |
| 2002 | Sparta RAT |
| 2003 | Turkojan |
| 2003 | HawkEye |
| 2003 | LokiTech |
| 2003 | MadRAT |
| 2003 | Vigilix |
| 2004 | Hydrogen |
| 2004 | Bifrost |
| 2004 | Hacker's door |
| 2004 | Nuclear RAT |
| 2004 | Tequila Bandita |
| 2004 | Toquito Bandito |
| 2005 | Poison Ivy / Darkmoon |
| 2005 | Bandook |
| 2005 | Dark RAT |
| 2005 | ProAgent RAT |
| 2005 | IKlogger |
| 2006 | BlackWorm / Blackmal / Nyxem / MyWife |
| 2006 | Arabian-Attacker |
| 2006 | Casper |
| 2006 | MofoTro |
| 2006 | Comfoo |
| 2006 | hsidir |
| 2007 | Hav-RAT |
| 2007 | xHacker RAT |
| 2007 | Agent.BTZ/ ComRAT |
| 2007 | Tapaoux / Darkhotel |
| 2007 | 4H RAT |
| 2007 | DarkNet RAT |
| 2007 | Punisher |
| 2007 | LostDoor |
| 2007 | ZombieRAT |
| 2008 | CIA RAT? |
| 2008 | DarkComet |
| 2008 | Derusbi |
| 2008 | MegaTrojan |
| 2008 | Minimo |
| 2008 | miniRAT |
| 2008 | Pain RAT |
| 2008 | PlugX/Korplug |
| 2008 | Shark RAT |
| 2008 | UNITEDRAKE |
| 2008 | Gimmiv.A |
| 2008 | RCS (hacking team) |
| 2008 | Predator Pain |
| 2009 | AAR / Albertino Advanced RAT |
| 2009 | Apocalypse |
| 2009 | Cerberus |
| 2009 | Venomous Ivy |
| 2009 | Terminator RAT / FakeM RAT |
| 2009 | PcClient RAT |
| 2009 | Aryan RAT |
| 2010 | Dameware RAT |
| 2010 | BlackShades |
| 2010 | Xtreme RAT |
| 2010 | Deeper RAT |
| 2010 | Schwarze Sonne/Daleth RAT |
| 2010 | Xploit |
| 2010 | Arctic R.A.T. |
| 2010 | Golden Phoenix Rat |
| 2010 | GraphicBooting RAT |
| 2010 | Pocket RAT |
| 2010 | Erebus |
| 2010 | SharpEye |
| 2010 | VorteX RAT |
| 2010 | Archelaus Beta |
| 2010 | Vanguard |
| 2010 | Syndrome RAT |
| 2010 | 5p00f3r.N$ RAT |
| 2010 | SpyNet |
| 2010 | Dark Moon |
| 2010 | Adzok/Adsocks (confirm date) |
| 2010 | Bioazih |
| 2010 | LeoUncia |
| 2010 | VinSelf |
| 2010 | DerSpaeher / derSphear RAT |
| 2010 | Flu Project |
| 2010 | MSpy |
| 2010 | Oko Szefa |
| 2010 | Bisonal/Korlia |
| 2011 | BlackHole |
| 2011 | CyberGate |
| 2011 | Ahtapot |
| 2011 | Adwind/Frutas/AlienSpy/Unrecom/Sockrat/JSocket/JBifrost |
| 2011 | Ammyy Admin |
| 2011 | P. Storrie RAT |
| 2011 | Seed RAT |
| 2011 | SharpBot/SB RAT |
| 2011 | Shady RAT |
| 2011 | Vertex |
| 2011 | Xpert RAT |
| 2011 | HellRaiser |
| 2011 | IncognitoRAT |
| 2011 | VertexNet |
| 2011 | Hupigon / MFC Huner |
| 2011 | WinSpy |
| 2011 | Novalite |
| 2011 | Loki RAT |
| 2011 | RCIS by BKA |
| 2011 | Ruski RAT |
| 2012 | Rabasheeta |
| 2012 | MacControl |
| 2012 | Matrix / Hikit / Gaolmay |
| 2012 | IcoScript |
| 2012 | GlassRAT |
| 2012 | Winnti |
| 2012 | A32s RAT |
| 2012 | AndroRAT |
| 2012 | Arcom |
| 2012 | Black Nix |
| 2012 | Blue Banana |
| 2012 | Char0n |
| 2012 | Client Mesh |
| 2012 | Cobalt Strike |
| 2012 | Crimson |
| 2012 | FinSpy |
| 2012 | hcdLoader |
| 2012 | Jacksbot |
| 2012 | jRAT/JacksBot |
| 2012 | Netwire |
| 2012 | njRAT/Njw0rm |
| 2012 | Nytro Rat |
| 2012 | Mirage/MirageFox |
| 2012 | Sakula/Sakurel/Viper |
| 2012 | Syla RAT |
| 2012 | TorCT PHP RAT |
| 2012 | RMS / Remote Manipulator System |
| 2012 | Xyligan |
| 2012 | China Chopper (web shell + backdoor) |
| 2012 | Graeme |
| 2012 | Szefpatrzy |
| 2013 | KimJongRAT |
| 2013 | ShadowLogger |
| 2013 | Shiz RAT / Mutant |
| 2013 | Alusinus |
| 2013 | H-W0rm/Houdini/Dunihi |
| 2013 | Kjw0rm |
| 2013 | Bozok |
| 2013 | Ghost/Ucul |
| 2013 | Imminent Monitor RAT |
| 2013 | Jspy |
| 2013 | Jcage |
| 2013 | 9002/Hydraq/McRAT |
| 2013 | Sandro RAT |
| 2013 | Greame |
| 2013 | Havex |
| 2013 | Small Net |
| 2013 | SpyGate |
| 2013 | NanoCore |
| 2013 | CT RAT |
| 2013 | MM RAT / Goldsun |
| 2013 | Pitty Tiger |
| 2013 | Paladin RAT |
| 2013 | Leo RAT |
| 2013 | RARSTONE |
| 2013 | Dragon Eye – Mini |
| 2013 | PCRat |
| 2013 | Galaxy RAT |
| 2013 | KeyBoy |
| 2013 | GDRAT |
| 2013 | Omega RAT |
| 2014 | Setro RAT |
| 2014 | Vantom (njrat variant likely) |
| 2014 | Dendroid |
| 2014 | BX |
| 2014 | Mega |
| 2014 | WiRAT/Winner RAT |
| 2014 | 3PARA RAT |
| 2014 | BBS RAT |
| 2014 | Konni |
| 2014 | Felismus RAT |
| 2014 | Quasar RAT (derives into: TRZ RAT) |
| 2014 | Xsser / mRAT |
| 2014 | Crimsom |
| 2014 | DroidJack |
| 2014 | LuxNet |
| 2014 | Cohhoc |
| 2014 | COMpfun |
| 2014 | Zxshell / Sensode |
| 2014 | DeputyDog / Fexel |
| 2014 | HijackRAT |
| 2014 | GimmeRat |
| 2014 | Krysanec |
| 2014 | PlasmaRAT |
| 2014 | OrcaRAT |
| 2014 | BlackNess |
| 2014 | DNSChan RAT |
| 2014 | Spygofree |
| 2014 | SzefPatrzy |
| 2014 | Diamond RAT |
| 2015 | Ozone |
| 2015 | Skywyder |
| 2015 | NanHaishu |
| 2015 | Luminosity Link |
| 2015 | Pupy |
| 2015 | GovRAT |
| 2015 | Orcus |
| 2015 | Rottie3 |
| 2015 | Killer RAT |
| 2015 | Hi-Zor |
| 2015 | Quaverse/QRAT |
| 2015 | Heseber |
| 2015 | Cardinal |
| 2015 | OmniRAT / Omni Android RAT |
| 2015 | Jfect |
| 2015 | Trochilus RAT |
| 2015 | Matryoshka (v1, v2) |
| 2015 | Hallaj PRO |
| 2015 | HellSpy |
| 2015 | JadeRAT |
| 2015 | wonknu |
| 2015 | Xena |
| 2015 | Babylon RAT |
| 2015 | Storm RAT |
| 2015 | Moker / Yebot / Tilon |
| 2015 | EggShell |
| 2015 | TV RAT / TV Spy / Trojan.Pavica / Trojan.Mezzo |
| 2015 | HttpBrowser RAT |
| 2015 | Os Celestial |
| 2015 | RadRAT |
| 2016 | Remvio RAT |
| 2016 | Spynote |
| 2016 | Mangit |
| 2016 | LeGeNd |
| 2016 | BlueShades (related to blackshades?) |
| 2016 | Revenge RAT |
| 2016 | vjw0rm 0.1 sample (houdini variant) |
| 2016 | rokrat |
| 2016 | Qarallax / Qrat / Quaverse / Qrypter |
| 2016 | Ratty |
| 2016 | MoonWind |
| 2016 | RemCos |
| 2016 | TheFatRAT |
| 2016 | RedLeaves |
| 2016 | NOPEN |
| 2016 | iSpy |
| 2016 | Lilith |
| 2016 | htpRAT |
| 2016 | BetterRAT |
| 2016 | Coldroot RAT |
| 2016 | FALLCHILL |
| 2016 | FlawedAmmyy |
| 2016 | Shadow Tech |
| 2016 | NavRAT |
| 2016 | Gravity RAT |
| 2016 | InnaputRAT |
| 2016 | 888 RAT |
| 2016 | Maus RAT |
| 2016 | Loda RAT |
| 2017 | Bondupdater |
| 2017 | GhostCtrl |
| 2017 | RETADUP |
| 2017 | AhMyth Android RAT |
| 2017 | AthenaGo |
| 2017 | Cobian RAT |
| 2017 | DarkTrack (confirm date) |
| 2017 | DNSMessenger |
| 2017 | KhRAT |
| 2017 | MacSpy |
| 2017 | NewCore |
| 2017 | PentagonRAT Ransomware |
| 2017 | PowerRAT |
| 2017 | RATAttack |
| 2017 | RevCode |
| 2017 | Rurktar RAT |
| 2017 | Stitch RAT |
| 2017 | xRAT |
| 2017 | Basic RAT |
| 2017 | Proton |
| 2017 | SilentBytes RAT |
| 2017 | RingRAT |
| 2017 | Iskander RAT |
| 2017 | UBoatRAT |
| 2017 | SonicSpy |
| 2017 | Overlay RAT |
| 2017 | CrossRAT |
| 2017 | Vermin |
| 2017 | Kedi |
| 2017 | Parat (python, github) |
| 2017 | EvilOSX |
| 2017 | Micropsia |
| 2017 | RunningRat |
| 2017 | TelegramRAT |
| 2017 | A-RAT |
| 2017 | HeroRAT |
| 2017 | TeleRAT |
| 2017 | IRRAT |
| 2017 | BrainDamage |
| 2017 | Caesar RAT |
| 2017 | Pinky RAT |
| 2017 | Comet Rat |
| 2017 | Voyager RAT / Android Voyager |
| 2017 | WebMonitor RAT |
| 2017 | Bankshot |
| 2018 | Trooper RAT |
| 2018 | MicroRAT (github) |
| 2018 | CannibalRAT |
| 2018 | LimeRAT / Lime Controller |
| 2018 | Powershell RAT |
| 2018 | tRAT |
| 2018 | Parasite HTTP RAT |
| 2018 | DogCall |
| 2018 | Vayne RAT |
| 2018 | KevDroid |
| 2018 | PubNubRAT |
| 2018 | AsyncRAT |
| 2018 | OverSeer RAT |
| 2019 | JhoneRAT |
| 2020 | ObliqueRAT |