
Threat Actor Characterization

KarstoRAT

ID: 67bbd9322176e6d8a2d234ee973edd1f80413
Crimeware RAT Trojan
Threat types: Remote Access Trojan, Malware
Unknown
Updated: 2026-02-26
Created: 2026-02-26
Progress: 67% Completeness: 66% Freshness: 70%
Operation zone:
Aliases:
Karsto RAT
MITRE ATT&CK®

KarstoRAT is an emerging modular RAT described in Feb 2026 OSINT as using victim profiling (external IP check), modular web-based C2 with heartbeat/logging endpoints, and a stealthy User-Agent string (SecurityNotifier). Reported capabilities include credential/token theft, keylogging, clipboard capture, remote command execution, payload upload, file exfiltration, and screenshot/webcam/audio capture. Persistence is described via Run keys, Startup folder, and a scheduled task named SystemCheck; privilege escalation is described via a fodhelper UAC bypass using ms-settings\Shell\Open\command registry hijack. Evidence is currently limited and should be treated as time-bounded and medium-confidence.


Technique | Technique name | Tactics | Evidence
T1071.001 | Web Protocols | TA0011 | 2026-02-25: Web-based C2 with heartbeat/logging endpoints is described.
T1547.001 | Registry Run Keys / Startup Folder | TA0003, TA0004 | 2026-02-25: Persistence via Run keys and Startup folder is described.
T1053.005 | Scheduled Task | TA0002, TA0003, TA0004 | 2026-02-25: Scheduled task persistence (SystemCheck) is described.
T1548.002 | Bypass User Account Control | TA0004, TA0005 | 2026-02-25: UAC bypass via fodhelper and ms-settings hijack is described.
T1056.001 | Keylogging | TA0006, TA0009 | 2026-02-25: Keylogging capability is described.
T1115 | Clipboard Data | TA0009 | 2026-02-25: Clipboard capture capability is described.
T1113 | Screen Capture | TA0009 | 2026-02-25: Screenshot capture capability is described.
T1125 | Video Capture | TA0009 | 2026-02-25: Webcam capture capability is described.
T1123 | Audio Capture | TA0009 | 2026-02-25: Audio capture capability is described.
T1041 | Exfiltration Over C2 Channel | TA0010 | 2026-02-25: File exfiltration over C2 is described.
T1112 | Modify Registry | TA0003, TA0005 | 2026-02-25: Registry modification implied by ms-settings hijack/persistence.
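
A detection sketch for the behaviours summarised above, added here as an example and not taken from the profile or its sources: it flags the ms-settings\Shell\Open\command hijack, a fodhelper launch shortly after it, creation of a scheduled task named SystemCheck, and the SecurityNotifier User-Agent. The normalized event schema (`type`, `host`, `ts`, `target`, `image`, `command_line`, `user_agent`), the 120-second correlation window and all sample events are assumptions constructed for illustration.

```python
import re

# Indicators named in the profile; the event schema and WINDOW are assumed.
UAC_KEY = re.compile(r"\\ms-settings\\shell\\open\\command", re.I)
TASK_NAME = re.compile(r'/tn\s+"?\\?SystemCheck"?(?:\s|$)', re.I)
USER_AGENT = "securitynotifier"
WINDOW = 120  # max seconds between registry hijack and fodhelper launch

def hunt(events):
    """Return sorted (host, technique, detail) findings from normalized events."""
    findings, hijack_ts = set(), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev["host"], ev["type"]
        if kind == "registry_set" and UAC_KEY.search(ev.get("target", "")):
            hijack_ts[host] = ev["ts"]
            findings.add((host, "T1112", "ms-settings Shell\\Open\\command set"))
        elif kind == "process_create":
            image = ev.get("image", "").lower()
            cmd = ev.get("command_line", "")
            if image.endswith("\\fodhelper.exe"):
                # fodhelper alone is benign; flag it only shortly after the hijack
                if host in hijack_ts and ev["ts"] - hijack_ts[host] <= WINDOW:
                    findings.add((host, "T1548.002", "fodhelper after ms-settings hijack"))
            elif image.endswith("\\schtasks.exe") and "/create" in cmd.lower() and TASK_NAME.search(cmd):
                findings.add((host, "T1053.005", "scheduled task SystemCheck created"))
        elif kind == "http" and USER_AGENT in ev.get("user_agent", "").lower():
            findings.add((host, "T1071.001", "User-Agent SecurityNotifier"))
    return sorted(findings)

# Constructed sample events (not real telemetry; SID and paths are placeholders).
SAMPLE = [
    {"ts": 100, "host": "WS01", "type": "registry_set",
     "target": r"HKU\S-1-5-21-1111\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"ts": 130, "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\fodhelper.exe", "command_line": "fodhelper.exe"},
    {"ts": 200, "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "SystemCheck" /tr C:\Users\Public\placeholder.exe /sc onlogon'},
    {"ts": 260, "host": "WS01", "type": "http", "user_agent": "SecurityNotifier"},
    {"ts": 300, "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\fodhelper.exe", "command_line": "fodhelper.exe"},
    {"ts": 310, "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "SystemCheckup" /tr C:\tools\legit.exe /sc daily'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

WS02 produces no findings: fodhelper runs there without a preceding hijack, and the task name SystemCheckup is not an exact match.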
Strategic Intelligence
Last updated: 2026-02-26T04:16:58+00:00

KarstoRAT

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — KarstoRAT


Hunting Playbook

Hunting Playbook — KarstoRAT (Victim Profiling RAT)


IOC Appendix
Last updated: 2026-02-26T04:18:10+00:00

IOC Appendix — KarstoRAT (Operational Seed Set)


OSINT Library
Last saved: 2026-02-26T04:24:51+00:00

OSINT Library — KarstoRAT


2026-02-25 — Reddit r/cybersecurity (post quoting ANY.RUN findings) — “New Modular RAT With Victim Profiling (KarstoRAT) — IOC seed set”
