Threat Actor Characterization

Moonrise RAT

ID: 48396eec7b4adc6bf620a111588d377e53789
Type: Crimeware RAT Trojan
Threat types: Malware, Remote Access Trojan, Data Theft
Unknown
Updated: 2026-02-27
Created: 2026-02-27
Progress: 67% · Completeness: 66% · Freshness: 70%
Operation zone:
Aliases: Moonrise, MoonriseRAT
MITRE ATT&CK®

Moonrise RAT is a Go-based remote access trojan publicly documented in Feb 2026 with rapid WebSocket-based C2 establishment and a broad operator command set. Observed behavior includes masquerading (svchost.exe in a user Temp directory), persistence via a Startup VBS script (WindowsService.vbs), host enumeration (process/file/monitor/webcam lists), remote command execution (cmd and PowerShell), file upload and execution, keylogging, clipboard monitoring, and screen/webcam/microphone capture. A public sandbox report shows C2 traffic to 193.23.199.88:8765 with a WebSocket upgrade. Treat infrastructure indicators as time-bounded and prioritize behavioral pivots for durable detection.


Technique · Technique name · Tactics (evidence items follow each technique)

T1036.005 · Match Legitimate Resource Name or Location · TA0005
  • 2026-02-XX — Masqueraded payload uses the name svchost.exe in a non-standard user Temp path.
T1547.001 · Registry Run Keys / Startup Folder · TA0003, TA0004
  • 2026-02-XX — Startup folder persistence via WindowsService.vbs is documented.
  • 2026-02-16 — Sandbox report flags creation of files in the Startup directory.
T1071.001 · Web Protocols · TA0011
  • 2026-02-16 — Web-based communication observed to http://193.23.199.88:8765/ with a WebSocket upgrade request.
T1059.003 · Windows Command Shell · TA0002
  • 2026-02-24 — Remote command execution via cmd is described in the command set.
  • 2026-02-16 — Sandbox report notes svchost.exe starting CMD.EXE for command execution.
T1059.001 · PowerShell · TA0002
  • 2026-02-16 — Sandbox report notes svchost.exe starting POWERSHELL.EXE for command execution.
T1105 · Ingress Tool Transfer · TA0011
  • 2026-02-24 — File upload and execution functions (file_upload, file_run, file_execute) are described.
T1056.001 · Keylogging · TA0006, TA0009
  • 2026-02-24 — Keylogger functions (keylogger_start/stop/logs) are described.
T1115 · Clipboard Data · TA0009
  • 2026-02-24 — Clipboard monitoring/history functions are described.
T1113 · Screen Capture · TA0009
  • 2026-02-24 — Screenshot and screen stream functions are described.
  • 2026-02-16 — Sandbox report indicates screenshot functionality (YARA match).
T1125 · Video Capture · TA0009
  • 2026-02-24 — Webcam capture is described in the command set.
T1123 · Audio Capture · TA0009
  • 2026-02-24 — Microphone recording is described in the command set.
T1489 · Service Stop · TA0040
  • 2026-02-24 — Process kill and explorer_restart commands imply disruption of processes (map cautiously to service disruption).
T1041 · Exfiltration Over C2 Channel · TA0010
  • 2026-02-24 — File download and data extraction commands suggest exfiltration over C2 (INFERENCE).
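The summary above asks defenders to favour behavioural pivots over the time-bounded C2 address. The following Python is an added example, not code from ANY.RUN or from this profile's own tooling: it runs the page's behavioural observations (svchost.exe outside the system directories, a rogue svchost spawning cmd/PowerShell, a file dropped into a Startup folder, a WebSocket upgrade to a non-web port) as checks over constructed endpoint telemetry and tags each hit with the ATT&CK technique from the table. The event schema (type, image, parent_image, path, dst_ip, dst_port, headers) is an assumption modelled on a generic EDR export, and every sample event is constructed; only the seed IP comes from the page and is kept as a separate, retireable indicator.

```python
"""Behavioural triage of constructed endpoint telemetry against the Moonrise RAT
ATT&CK mapping above.

Added example, not code from ANY.RUN or from this profile's own tooling. The
event schema (type/image/parent_image/path/dst_ip/dst_port/headers) is an
assumption modelled on a generic EDR export; every sample event is constructed.
"""
import ntpath
from collections import defaultdict

# Legitimate svchost.exe only lives in the Windows system directories.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
SHELLS = {"cmd.exe": "T1059.003", "powershell.exe": "T1059.001"}
# Time-bounded seed indicator from the sandbox report; kept apart from the
# behavioural checks so it can be retired without touching them.
KNOWN_C2 = {"193.23.199.88"}


def _is_rogue_svchost(path: str) -> bool:
    """svchost.exe running from anywhere but System32/SysWOW64 (T1036.005)."""
    p = path.lower()
    return ntpath.basename(p) == "svchost.exe" and ntpath.dirname(p) not in SYSTEM_DIRS


def check_process(ev: dict) -> list[str]:
    """Masquerading, and shell spawning from the masqueraded parent."""
    hits = []
    if _is_rogue_svchost(ev["image"]):
        hits.append("T1036.005")
    # Only a *rogue* svchost spawning a shell counts: the real svchost does
    # launch cmd/powershell for scheduled tasks and would be noisy.
    child = ntpath.basename(ev["image"].lower())
    if child in SHELLS and _is_rogue_svchost(ev.get("parent_image", "")):
        hits.append(SHELLS[child])
    return hits


def check_file(ev: dict) -> list[str]:
    """Any file dropped into a user's Startup folder (T1547.001)."""
    return ["T1547.001"] if STARTUP_MARKER in ev["path"].lower() else []


def check_network(ev: dict) -> list[str]:
    """WebSocket upgrade to a non-web port (T1071.001), plus the seed IOC."""
    hits = []
    headers = {k.lower(): v.lower() for k, v in ev.get("headers", {}).items()}
    if headers.get("upgrade") == "websocket" and ev.get("dst_port") not in (80, 443):
        hits.append("T1071.001")
    if ev.get("dst_ip") in KNOWN_C2:
        hits.append("C2-IOC")
    return hits


CHECKS = {"process": check_process, "file": check_file, "network": check_network}


def triage(events: list[dict]) -> dict[str, list[int]]:
    """Map each technique (or IOC tag) to the ids of the events that matched."""
    findings = defaultdict(list)
    for ev in events:
        for tag in CHECKS[ev["type"]](ev):
            findings[tag].append(ev["id"])
    return dict(findings)


# Constructed sample telemetry; events 1 and 7 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 2, "type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Users\alice\Downloads\setup.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"id": 5, "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsService.vbs"},
    {"id": 6, "type": "network", "dst_ip": "193.23.199.88", "dst_port": 8765,
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
    {"id": 7, "type": "network", "dst_ip": "203.0.113.10", "dst_port": 443,
     "headers": {"Upgrade": "websocket"}},
]

if __name__ == "__main__":
    for tag, ids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{tag:10} events {ids}")
```

The shell check deliberately requires the parent to be the rogue svchost rather than any svchost, because legitimate svchost-hosted services spawn cmd.exe and powershell.exe routinely; the WebSocket check alone is a weak signal on ports 80/443 and is therefore limited to non-web ports, matching the 8765 observation. The "C2-IOC" tag is reported beside the technique tags so an analyst can see when a hit rests only on the seed address.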
Strategic Intelligence
Last updated: 2026-02-28T02:44:27+00:00

Moonrise RAT

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-02-28T02:47:38+00:00

2026-02-24 — ANY.RUN — “Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences”