
MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access

Medium
Published: Tue Sep 09 2025 (09/09/2025, 04:48:36 UTC)
Source: AlienVault OTX General

Description

A targeted phishing campaign against Japanese users delivers MostereRAT, a Remote Access Trojan built around evasion rather than novelty. The attack chain runs through several stages: a payload written in Easy Programming Language (EPL, a Chinese-language programming language whose compiled output is rarely seen by Western detection tooling), disabling of security tools, and command-and-control over mutually authenticated TLS (mTLS). The malware can install the legitimate remote access tools AnyDesk and TightVNC, giving the operator full interactive control of the host. It runs in the TrustedInstaller context, blocks antivirus network traffic and creates hidden administrator accounts. The layered chain and the reliance on legitimate tools make detection and prevention difficult, which puts the weight on user awareness and current endpoint protection.

AI-Powered Analysis

Last updated: 09/09/2025, 11:40:58 UTC

Technical Analysis

MostereRAT is a Remote Access Trojan delivered through a targeted phishing campaign aimed primarily at Japanese users. The attack chain is multi-staged. The initial payload is written in Easy Programming Language (EPL), a Chinese-language programming language whose compiled binaries are rarely encountered outside Chinese-speaking environments, so signature-based detection has little to match on.

Once running, the malware escalates to the TrustedInstaller context. TrustedInstaller is not a privilege tier above SYSTEM; it is the service identity (NT SERVICE\TrustedInstaller) of the Windows Modules Installer, and that identity owns the protected system files and registry keys that even SYSTEM cannot modify without first taking ownership. A process holding that token can tamper with protected components, including files and registry keys that security products depend on, and can persist in locations administrators rarely inspect. MostereRAT pairs this with disabling security tools and blocking antivirus network traffic, so endpoint agents can neither update nor report.

Command-and-control traffic uses mutual TLS (mTLS): both the implant and the server present certificates. Beyond encrypting the channel, this defeats inspection proxies that do not hold the implant's client certificate and private key, because such a proxy cannot complete the upstream handshake on the client's behalf.

MostereRAT can install the legitimate remote access tools AnyDesk and TightVNC, giving the operator interactive control of the desktop through software that blends in with ordinary IT support activity. It also creates hidden administrator accounts as a fallback path. The AlienVault pulse maps the campaign to the following MITRE ATT&CK techniques:

- T1566 Phishing (initial access)
- T1059 Command and Scripting Interpreter
- T1027 Obfuscated Files or Information
- T1588 Obtain Capabilities
- T1055 Process Injection
- T1218 System Binary Proxy Execution
- T1574 Hijack Execution Flow
- T1134 Access Token Manipulation
- T1543 Create or Modify System Process
- T1053 Scheduled Task/Job
- T1546 Event Triggered Execution
- T1112 Modify Registry
- T1136 Create Account
- T1562 Impair Defenses
- T1219 Remote Access Tools
- T1573 Encrypted Channel
- T1113 Screen Capture
- T1056 Input Capture

The combination of legitimate tooling, TrustedInstaller-level tampering with the endpoint and authenticated, encrypted C2 makes this threat hard to catch with conventional endpoint detection and response (EDR) signatures alone. Detection has to rest on behaviour: which process spawned the remote access tool, which accounts appeared and were then hidden, and which processes are running under a TrustedInstaller token. Because the entry point is phishing, user awareness and email security controls remain central.

Potential Impact

For European organizations, MostereRAT threatens the confidentiality, integrity and availability of any compromised system. Control at the TrustedInstaller level combined with a hidden administrator account gives an attacker full and durable control of the host; data exfiltration, intellectual property theft, sabotage or a later ransomware deployment are all within reach. Because the operator's interactive access rides on AnyDesk and TightVNC, organizations that already use those tools for support are the most exposed: an attacker-installed copy looks like sanctioned activity, and the same session can be used to move laterally. The phishing entry point puts organizations with weaker user training and email filtering at higher risk. The campaign currently targets Japanese users, but nothing in the tooling is region-specific and the remote access tools are used worldwide, so adaptation to European targets is plausible. Finally, mTLS to the C2 defeats passive inspection and leaves interception proxies unable to complete the upstream handshake without the implant's client key, so a compromise can persist undetected for long periods unless monitoring focuses on destinations and endpoint behaviour rather than on traffic content.

Mitigation Recommendations

1. Deploy email filtering that combines threat intelligence with attachment analysis, and treat archives or documents that drop executables as suspect whatever language the executable was compiled from, EPL included.
2. Enforce application allow-listing (AppLocker or WDAC) so that unsigned or unapproved executables, including EPL-compiled binaries, cannot run from user-writable paths unless explicitly permitted.
3. Alert on processes spawned by TrustedInstaller.exe, on SYSTEM-level processes running from user-writable paths, and on the Windows Modules Installer service starting outside servicing or update windows. Alert on new local accounts (Security event 4720), additions to the Administrators group (4732) and writes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, the key used to hide an account from the logon screen.
4. Use EDR behavioural rules for the remote access tools: AnyDesk or TightVNC launched from outside its install path, started by a parent other than explorer.exe or an approved installer, or appearing on hosts where neither tool is deployed. Where the tools are not sanctioned, block them by publisher or path at the allow-listing layer.
5. Segment networks to limit lateral movement from a compromised host.
6. Block and investigate connections to the listed domains (for example huanyu3333.com and mostere.com). Do not expect to see the mTLS itself: under TLS 1.3 the client-certificate exchange is encrypted, so rely on DNS and SNI, destination reputation and, where full TLS interception is deployed, repeated upstream handshake failures to unknown domains, which a server that requires a client certificate will produce when the proxy cannot present the implant's certificate.
7. Run user awareness training on phishing and on the risks of installing or approving remote access tools.
8. Keep patches and endpoint protection current, including detection of the hashes listed under Indicators of Compromise.
9. Apply strict access controls and multi-factor authentication to sanctioned remote access tools, and restrict unattended-access configuration to approved hosts.
10. Audit local administrator group membership across the fleet against a known baseline, and reconcile any account that is hidden from the logon screen.
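The following prototype turns recommendations 3, 4, 6 and 10 into runnable detection logic. It is an added example written for this page, not code from Fortinet, AlienVault or the malware analysis. The event records are constructed to resemble Sysmon (EventID 1, 13, 22) and Windows Security (4720, 4732) events after JSON normalisation: the field names are the real ones from those events, the sample values are invented, the expected install paths for AnyDesk and TightVNC are an assumption, and the long-random-label regex is a tuning heuristic shaped after the domains listed on this page rather than an indicator in its own right.

```python
"""Prototype detections for the MostereRAT behaviours discussed on this page.
Added example, not Fortinet's or AlienVault's code. Records are constructed to
resemble Sysmon (EventID 1, 13, 22) and Windows Security (4720, 4732) events
after JSON normalisation; field names are the events' own, values are invented."""
import re

# Domains copied from the indicator list on this page.
IOC_DOMAINS = {
    "huanyu3333.com", "idkua93dkh9590764478t18822056bck.com", "mostere.com",
    "osjfd923bk78735547771x3690026ddl.com", "xxxxxx25433693728080140850916444.com",
    "zzzzzzz0379098305467195353458278.com", "www.efu66.com",
}
# Heuristic shaped after those indicators (short alpha prefix, long alphanumeric tail, .com).
LONG_RANDOM_LABEL = re.compile(r"^[a-z]{5,8}[a-z0-9]{24,}\.com$")
# Registry path that hides an account from the logon screen (T1564.002):
# HKLM\...\Winlogon\SpecialAccounts\UserList\<name> = DWORD 0
HIDDEN_USER_KEY = "\\specialaccounts\\userlist\\"
# Expected install prefixes for the tools the RAT deploys (assumption; adjust to local packaging).
RAT_TOOLS = {
    "anydesk.exe": ("c:\\program files (x86)\\anydesk\\", "c:\\program files\\anydesk\\"),
    "tvnserver.exe": ("c:\\program files\\tightvnc\\",),  # TightVNC server binary
}
SYSTEM_USER = "nt authority\\system"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Stateless rules over one normalised event; returns a list of alert strings."""
    alerts, eid = [], ev.get("EventID")
    if eid == 1:  # Sysmon ProcessCreate
        image = ev.get("Image", "")
        image_l, name = image.lower(), basename(image)
        reasons = []
        # TrustedInstaller.exe rarely spawns children outside servicing; token-stealing
        # tools commonly re-parent their child under it.
        if basename(ev.get("ParentImage", "")) == "trustedinstaller.exe":
            reasons.append("spawned by TrustedInstaller.exe")
        # A duplicated TrustedInstaller token still shows SYSTEM as the user, so also
        # flag SYSTEM-level binaries running from user-writable paths.
        if ev.get("User", "").lower() == SYSTEM_USER and image_l.startswith(USER_WRITABLE):
            reasons.append("SYSTEM process from user-writable path")
        if reasons:
            alerts.append(f"possible TrustedInstaller abuse ({'; '.join(reasons)}): {image}")
        if name in RAT_TOOLS and not image_l.startswith(RAT_TOOLS[name]):
            alerts.append(f"remote access tool outside its install path: {image}")
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        target = ev.get("TargetObject", "").lower()
        if HIDDEN_USER_KEY in target and ev.get("Details", "").endswith("(0x00000000)"):
            alerts.append(f"account hidden from logon screen: {basename(target)}")
    elif eid == 22:  # Sysmon DnsQuery
        q = ev.get("QueryName", "").lower()
        if q in IOC_DOMAINS:
            alerts.append(f"DNS query for MostereRAT IOC domain: {q}")
        elif LONG_RANDOM_LABEL.match(q):
            alerts.append(f"DNS query for long random-looking domain (heuristic): {q}")
    return alerts


def correlate_new_admins(events):
    """Stateful rule: 4720 (account created) later joined by 4732 (added to the
    Administrators group). Correlates on SID because MemberName in 4732 is often
    just "-". Returns the SIDs of new accounts that became local admins."""
    created, hits = set(), []
    for ev in events:
        if ev.get("EventID") == 4720:
            created.add(ev.get("TargetSid", ""))
        elif (ev.get("EventID") == 4732 and ev.get("TargetUserName", "").lower()
              == "administrators" and ev.get("MemberSid") in created):
            hits.append(ev["MemberSid"])
    return hits


def scan(events):
    """Run every rule over an event list; returns (event index or None, alert) pairs."""
    alerts = [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]
    alerts += [(None, f"new local account added to Administrators: {sid}")
               for sid in correlate_new_admins(events)]
    return alerts


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\update.exe",
     "ParentImage": "C:\\Windows\\servicing\\TrustedInstaller.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\AnyDesk.exe",
     "ParentImage": "C:\\Users\\Public\\update.exe", "User": "HOST\\alice"},
    {"EventID": 1, "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "HOST\\alice"},
    {"EventID": 13, "Details": "DWORD (0x00000000)", "TargetObject":
     "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\support"},
    {"EventID": 4720, "TargetUserName": "support", "TargetSid": "S-1-5-21-1-2-3-1005"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "-", "MemberSid": "S-1-5-21-1-2-3-1005"},
    {"EventID": 22, "QueryName": "mostere.com"},
    {"EventID": 22, "QueryName": "qwerty0123456789012345678901234567.com"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(idx, alert)
```

Two design choices matter in practice. The TrustedInstaller rule does not test the User field for NT SERVICE\TrustedInstaller, because a process created with a duplicated Windows Modules Installer token still reports SYSTEM as its user; parent relationship and binary location are the observable signals. The admin-account rule keys on SIDs, since the 4732 event often carries only "-" in MemberName, and joining on the account name would silently miss the case the page describes.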


Technical Details

Author
AlienVault
TLP
white
References
https://www.fortinet.com/blog/threat-research/mostererat-deployed-anydesk-tightvnc-for-covert-full-access
Adversary
null
Pulse Id
68bfb1a471409d34dfdf3279
Threat Score
null

Indicators of Compromise

Hash

Type     Value
MD5      a9b52f654370a25d25af4554c25c2cc9
SHA-1    7065ec1c8d8cccf6be22d21f781e278f307720ad
SHA-256  3c621b0c91b758767f883cbd041c8ef701b9806a78f2ae1e08f932b43fb433bb
SHA-256  4e3cdeba19e5749aa88329bc3ac67acd777ea7925ba0825a421cada083706a4e
SHA-256  546a3418a26f2a83a2619d6c808985c149a0a1e22656553ce8172ca15622fd9b
SHA-256  926b2b9349dbd4704e117304c2f0edfd266e4c91fb9325ecb11ba83fe17bc383
SHA-256  d281e41521ea88f923cf11389943a046557a2d73c20d30b64e02af1c04c64ed1

Domain

Type    Value
domain  huanyu3333.com
domain  idkua93dkh9590764478t18822056bck.com
domain  mostere.com
domain  osjfd923bk78735547771x3690026ddl.com
domain  xxxxxx25433693728080140850916444.com
domain  zzzzzzz0379098305467195353458278.com
domain  www.efu66.com

Threat ID: 68c0122ff3699d7bbcf17071

Added to database: 9/9/2025, 11:40:31 AM

Last enriched: 9/9/2025, 11:40:58 AM

Last updated: 9/10/2025, 12:43:45 AM
