A sophisticated Remote Access Trojan (RAT) has been identified that operates stealthily within legitimate Windows processes by deliberately corrupting its Portable Executable (PE) and DOS headers. This corruption hinders traditional static analysis and signature-based detection methods, requiring advanced dynamic and memory forensic techniques for effective identification. The malware was analyzed by Fortinet's FortiGuard Incident Response Team using full memory dumps to reconstruct the compromised environment. The RAT interacts extensively with the Windows operating system, leveraging over 250 Windows APIs to perform malicious activities such as screenshot capture, remote server mode operation for command reception, and control over Windows services, which facilitates persistence and privilege escalation. Communication with its command and control (C2) servers is encrypted using a custom XOR-based encryption layered over TLS, complicating network traffic analysis and interception. The malware employs multiple MITRE ATT&CK techniques including screen capture (T1113), input capture/keylogging (T1056.001), encrypted channels (T1573.001), process injection (T1055), and others, highlighting its capability to evade detection, maintain persistence, and exfiltrate sensitive data stealthily. Indicators of compromise include domains like "rushpapers.com," potentially used for C2 communication. The RAT’s embedding within legitimate processes and use of corrupted headers demonstrate a high level of sophistication aimed at bypassing conventional endpoint security solutions. Detection and mitigation require advanced endpoint detection and response (EDR) tools with memory analysis capabilities, behavioral monitoring, and network traffic inspection that can identify anomalous encrypted communications and tampering of process headers.

For European organizations, this RAT poses significant risks to the confidentiality, integrity, and availability of critical systems. Its ability to capture screenshots and potentially log user inputs threatens exposure of sensitive intellectual property, personal data, and credentials, which is especially critical under GDPR and other stringent data protection regulations in Europe. The malware’s control over Windows services and process injection capabilities enable persistence and lateral movement within networks, increasing the risk of widespread compromise. Encrypted C2 communications hinder network-based detection, allowing attackers to maintain stealthy control over infected hosts. Sectors such as finance, healthcare, government, manufacturing, and critical infrastructure are particularly vulnerable due to the high value of their data and operational importance. The complexity and stealth of the RAT may delay detection and response, increasing potential damage and recovery costs. The use of corrupted headers complicates incident response and forensic analysis, requiring specialized skills and tools. Organizations lacking advanced EDR and memory forensic capabilities are at higher risk. Additionally, the threat raises concerns about supply chain security if legitimate processes are compromised to host the malware. Overall, this RAT could facilitate espionage, data theft, and disruption of services, representing a medium to high operational risk depending on the target environment.

1. Deploy advanced endpoint detection and response (EDR) solutions with capabilities for memory analysis and behavioral monitoring to detect anomalies within legitimate processes, especially those exhibiting unusual API usage or service control activities. 2. Implement continuous monitoring of process integrity and use tools capable of detecting corrupted or tampered PE headers, as traditional signature-based antivirus solutions may fail against such evasion techniques. 3. Utilize network traffic analysis tools that can detect anomalous encrypted communications, including custom XOR-based encryption patterns, and implement SSL/TLS inspection where legally and technically feasible to identify suspicious C2 traffic. 4. Harden Windows environments by restricting service control permissions and enforcing the principle of least privilege to limit the malware’s ability to manipulate services. 5. Conduct regular threat hunting exercises focusing on memory dumps and live system analysis to uncover stealthy malware that evades disk-based detection. 6. Maintain updated threat intelligence feeds and block known malicious domains such as "rushpapers.com" at network perimeter defenses. 7. Educate security teams on advanced evasion techniques, including corrupted header exploitation, to improve incident response readiness. 8. Employ application whitelisting and code integrity verification to prevent unauthorized code execution within legitimate processes. 9. Regularly patch and update all software to reduce the attack surface, even though no specific affected versions are identified, as this RAT may exploit other vulnerabilities to gain initial access. 10. Implement multi-factor authentication and network segmentation to limit lateral movement in case of infection.