Malware & Threats

GlassRAT Malware Stayed Under Radar For Years: RSA

A remote access Trojan (RAT) that managed to stay under the radar for several years has been used by malicious actors to target Chinese nationals associated with multinational corporations.

According to a report published by RSA on Monday, the threat, dubbed “GlassRAT,” managed to avoid detection by most antivirus products because it was used only in highly targeted attacks.

Researchers believe the Trojan, which has been named a “zero detection” threat, has been around since at least September 2012, but a sample was only uploaded to VirusTotal in December 2014. Another important factor that helped the threat maintain a low profile is that its dropper, which had been signed with a legitimate certificate stolen from a popular Chinese software developer, was only uploaded to public malware databases in September 2015. RSA said the sample was uploaded from a Chinese IP address.

GlassRAT has typical RAT capabilities, including reverse shell functionality that gives attackers access to the infected device. RSA has determined that the malware has been used in a highly targeted campaign aimed at Chinese nationals and other Chinese speakers associated with large multinational corporations in China and other countries since at least early 2013.

RSA first discovered the threat on the computer of a Chinese national in February 2015 while analyzing an incident at a multinational company based in the United States.

One noteworthy aspect is that some pieces of GlassRAT’s code are similar to Taidoor and a possibly related malware family called Taleret. Taidoor first appeared in 2008 and it has been mainly used in cyber espionage campaigns targeting government agencies, corporations and think tanks, particularly ones with an interest in Taiwan.

In addition to malware code similarities, RSA also discovered that GlassRAT operations briefly overlapped with other major campaigns in terms of command and control (C&C) infrastructure. Links have been found to the C&C domains used in cyber espionage campaigns leveraging malware known as Mirage, MagicFire and PlugX.

These geopolitical operations were mainly aimed at organizations in the Asia-Pacific region, including the Philippine military and the Mongolian government.

However, RSA pointed out that the profile and volume of targeted entities, along with the fact that the time period of the C&C overlap was relatively short, suggests that it might have been a “security slip” by the operators of GlassRAT. On the other hand, experts believe it’s also possible that “subordinate departments of a much larger organization with shared infrastructure and developers run these campaigns.”

Different APT actors using parts of the same C&C infrastructure is not unheard of. The Hellsing group, whose activities were detailed by Kaspersky Lab in April, leveraged infrastructure also used by Mirage, PlayfullDragon (Gref), and Cycldek (Goblin Panda).
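The kind of infrastructure correlation described above (an indicator showing up in more than one campaign, with a sighting window that overlaps only briefly) is something an analyst can check mechanically. The following is an added example, not RSA's or Kaspersky's tooling: it takes per-campaign C&C sightings, finds indicators shared between campaigns, and measures how many days the sightings actually overlap, so that a short overlap can be separated from sustained sharing. The campaign names are the families named in the article; the domains, dates and the 30-day "brief" threshold are constructed placeholders, not real indicators.

```python
"""Correlate C&C indicators across campaigns to find shared infrastructure.

Added example (not RSA's tooling): given per-campaign indicator sightings,
find indicators seen in more than one campaign and measure how long the
sighting windows actually overlap. A short overlap between otherwise
distinct campaigns is the pattern the article describes.
"""
from datetime import date
from itertools import combinations
from typing import NamedTuple


class Sighting(NamedTuple):
    campaign: str
    indicator: str      # C&C domain or IP as reported by the sensor
    first_seen: date
    last_seen: date


# Constructed sample data: campaign names come from the article, the
# domains and dates are placeholders, not real IoCs.
SIGHTINGS = [
    Sighting("GlassRAT",  "c2-a.example", date(2013, 2, 1), date(2015, 2, 1)),
    Sighting("GlassRAT",  "c2-b.example", date(2014, 6, 1), date(2014, 7, 15)),
    Sighting("Mirage",    "c2-b.example", date(2014, 7, 1), date(2014, 12, 1)),
    Sighting("PlugX",     "c2-c.example", date(2014, 1, 1), date(2014, 12, 31)),
    Sighting("GlassRAT",  "c2-c.example", date(2015, 3, 1), date(2015, 6, 1)),
    Sighting("MagicFire", "c2-d.example", date(2013, 1, 1), date(2013, 12, 31)),
    Sighting("Mirage",    "c2-d.example", date(2013, 1, 1), date(2013, 12, 31)),
]


def overlap_days(a: Sighting, b: Sighting) -> int:
    """Calendar days during which both sightings were active; 0 if disjoint."""
    start = max(a.first_seen, b.first_seen)
    end = min(a.last_seen, b.last_seen)
    return max(0, (end - start).days + 1)


def shared_infrastructure(sightings):
    """Map each indicator used by more than one campaign to its overlaps.

    Returns {indicator: [(campaign_x, campaign_y, overlap_days), ...]}.
    A zero overlap still counts as shared infrastructure (sequential reuse).
    """
    by_indicator = {}
    for s in sightings:
        by_indicator.setdefault(s.indicator, []).append(s)
    result = {}
    for indicator, group in by_indicator.items():
        pairs = [(x.campaign, y.campaign, overlap_days(x, y))
                 for x, y in combinations(group, 2)
                 if x.campaign != y.campaign]
        if pairs:
            result[indicator] = pairs
    return result


def classify(overlap: int, brief_days: int = 30) -> str:
    """Label an overlap length; the 30-day threshold is an assumption."""
    if overlap == 0:
        return "sequential reuse"
    if overlap <= brief_days:
        return "brief overlap (possible opsec slip)"
    return "sustained overlap (likely shared operator or infrastructure)"


if __name__ == "__main__":
    for indicator, pairs in shared_infrastructure(SIGHTINGS).items():
        for x, y, days in pairs:
            print(f"{indicator}: {x} / {y}: {days} day(s), {classify(days)}")
```

The classification only says how long two campaigns used the same indicator at the same time; as the article notes, a brief overlap is consistent with either an operator mistake or with separate teams drawing on a shared pool, so it is a pivot for further investigation rather than an attribution on its own.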

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
