Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Consumers, Enterprises Targeted With Cross-Platform AlienSpy RAT

Researchers have conducted a detailed analysis of AlienSpy, a Java-based remote access Trojan (RAT) that has been used by malicious actors to target regular Internet users and enterprises worldwide.

Researchers have conducted a detailed analysis of AlienSpy, a Java-based remote access Trojan (RAT) that has been used by malicious actors to target regular Internet users and enterprises worldwide.

According to General Dynamics Fidelis Cybersecurity Solutions, AlienSpy is the successor of well-known RATs such as Frutas, Adwind and Unrecom. These predecessors are still being used in attacks, particularly Adwind, but researchers have noticed a wave of AlienSpy samples targeted at consumers and organizations in sectors such as energy, government, financial services, and technology.

AlienSpy, which is advertised on the alienspy(dot)net website as “the best software for take (sic) remote control of your devices,” supports multiple platforms, including Windows, Linux, Mac and Android. The tool is not promoted as a piece of malware, but the antivirus disabling features and the fact that customers can test their builds to see if they are detected by security products provide some clues to AlienSpy’s true nature.

AlienSpy RAT

The RAT, sold for between $20 and $220 depending on the package, uses a dozen plugins to accomplish various tasks. Because it uses a modular plugin framework, AlienSpy can be easily upgraded with new capabilities, Fidelis noted in its report.

Similar to other RATs, the threat can collect information on the infected system, download and execute other malware, capture data from the device’s webcam and microphone, initiate a remote desktop session to monitor the victim’s activities, access files on the system, log keystrokes, and steal web browser passwords.

In addition to these standard features, AlienSpy can detect the presence of sandboxes, and detect and disable antivirus and security tools. Another noteworthy aspect is the use of the Transport Layer Security (TLS) protocol for command and control (C&C) server communications.

The samples analyzed by Fidelis researchers have been distributed through phishing campaigns involving emails that appear to be related to payments and orders. On one of the infected machines, experts noticed that AlienSpy downloaded the Citadel banking Trojan.

Experts have found several clues linking AlienSpy to Unrecom and its other predecessors, including code reuse and similar configuration files.

“Since November 2013, Adwind RAT has been known to be sold under the Unrecom RAT name. Adwind RAT is known to have evolved from Frutas RAT. Frutas RAT has been used in phishing emails against high-profile companies in Europe and Asia in sectors such as finance, mining, telecom, and government,” Fidelis explained in its report.

The complete report on AlienSpy, which includes a Yara rule and indicators of compromise (IoC), is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.