OctoRAT Malware Analysis

February 6, 2026
Fuad Aliyev
Malware Analysis
Reverse Engineering
RAT
Windows

What is OctoRAT?

OctoRAT is a .NET-based Remote Access Trojan (RAT) that supports a large set of commands. It was first publicly identified in late November 2025, when threat hunters traced suspicious VBScript payloads back to a GitHub repository. OctoRAT is marketed as a "remote administration framework" and has been sold via Telegram for around $800.

Static Analysis

Information

Looking at the binary in CFF Explorer (or any tool you prefer), we can see it is a 32-bit .NET assembly, so we will use dnSpy-x86 (or your favourite decompiler) to decompile it. Before doing that, note that CFF Explorer shows a Resource directory.

This is interesting: using the Resource Hacker tool, we can see that RCData holds three entries:

  1. 185.163.204.93
  2. 8080
  3. 185.163.204.93|8080|false|false|false

From this we can guess that these are related to the C2 server. A quick check in VirusTotal shows the binary contacted this IP on 2026-02-03.
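As an added example (not code from the post or from OctoRAT itself), the following Python script scans a raw byte dump for the host|port|flag|flag|flag layout of the third RCData entry. .NET string resources are stored as UTF-16LE, so the scanner tries that decoding at both byte offsets as well as a plain 8-bit decoding, validates the octets and port, and deduplicates hits. The sample bytes are constructed here from the three values above and are not a dump of the real resource section; the code deliberately does not assign a meaning to each flag, because which position controls the UAC bypass, self-delete and persistence options should be confirmed in GetConfig() in the decompiler.

```python
import re
import sys
from dataclasses import dataclass

# Constructed stand-in for the RCData entries: the three values from the post,
# embedded as UTF-16LE between unrelated bytes. Not a dump of the real sample.
SAMPLE_RESOURCE_BYTES = (
    b"\x00\x00\x10\x00junk"
    + "185.163.204.93".encode("utf-16-le") + b"\x00\x00"
    + "8080".encode("utf-16-le") + b"\x00\x00"
    + "185.163.204.93|8080|false|false|false".encode("utf-16-le") + b"\x00\x00"
    + b"more junk\xff\xfe"
)

# host|port|flag|flag|flag, the shape of the third RCData string
CONFIG_RE = re.compile(
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\|(?P<port>\d{1,5})\|"
    r"(?P<f1>true|false)\|(?P<f2>true|false)\|(?P<f3>true|false)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class OctoConfig:
    host: str
    port: int
    flags: tuple      # the three booleans in on-disk order, meaning not assigned here
    encoding: str     # which decoding revealed the string


def _candidate_texts(data: bytes):
    # latin-1 is lossless for 8-bit data; UTF-16LE is tried at both byte offsets
    # because a resource string need not start on an even offset in a raw dump
    yield "latin-1", data.decode("latin-1")
    for off in (0, 1):
        yield "utf-16-le", data[off:].decode("utf-16-le", errors="ignore")


def extract_configs(data: bytes) -> list[OctoConfig]:
    """Return every well-formed config string found in data, deduplicated."""
    found = []
    seen = set()
    for enc, text in _candidate_texts(data):
        for m in CONFIG_RE.finditer(text):
            octets = [int(o) for o in m.group("host").split(".")]
            port = int(m.group("port"))
            if any(o > 255 for o in octets) or not 1 <= port <= 65535:
                continue  # right shape, but not a usable endpoint
            flags = tuple(m.group(f).lower() == "true" for f in ("f1", "f2", "f3"))
            key = (m.group("host"), port, flags)
            if key in seen:
                continue
            seen.add(key)
            found.append(OctoConfig(m.group("host"), port, flags, enc))
    return found


if __name__ == "__main__":
    # Usage: python extract_config.py <dumped_resource_or_binary>; falls back to the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RESOURCE_BYTES
    for cfg in extract_configs(data):
        print(f"{cfg.host}:{cfg.port} flags={cfg.flags} ({cfg.encoding})")
```

Running it over the whole binary rather than the extracted resource is fine, since the regex is restrictive enough that the 8-bit and UTF-16 passes rarely collide; the only cost is the extra decode of the file.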

Decompilation

Now we can use dnSpy to continue with our research. The first thing the malware does is check whether sqlite3.dll is available on the system; if not, it retrieves sqlite3.dll from "ftp://server09.mentality.cloud/public_html/sqlite3.dll" using the credentials "admin_syn:Black900".

Next, it checks whether the program is running as admin. If not, it calls GetConfig(), which reads the third resource string we found with Resource Hacker earlier. If the last flag is "true" (it is false in our case), it calls BypassUACFodHelper().

This is a well-known UAC bypass technique, which is also mapped in MITRE ATT&CK. It works as follows: the malware modifies the "Software\Classes\ms-settings\Shell\Open\command" key to point at the malware path, and sets the DelegateExecute value to empty so that the command is not ignored. fodhelper is on Microsoft's trusted (auto-elevating) list, so when it is launched it runs elevated. Using this technique, the malware relaunches itself and cleans up the current binary, then continues with elevated privileges.

Browser Data Extraction

The first thing the malware does after checking privileges is extract browser data. It uses the same function for Chrome, Edge, Brave, Opera, Opera GX and Yandex, and a different one for Firefox.

It gets passwords and cookies using the same function for all of them, and tries to get the master key; if the last flag is set to true, or if the browser is Edge, it tries a different way to get it. Cookies are also collected differently for Edge. At the end, a zip archive is created with all the data. Next, it reads the IP and port (the ones we found with Resource Hacker) and sends the zip archive to the server, named in the "Credentials_{0}_{1:yyyyMMdd_HHmmss}.zip" format.

RAT Setup

After sending the zip archive, the malware creates a mutex: "OctoRAT_Client_Mutex_{B4E5F6A7-8C9D-0E1F-2A3B-4C5D6E7F8A9B}".

For initialization, it reads the config again. In our case all flags were set to "false", but if the second flag were set to true the malware would delete itself at the end, and if the third flag were set to true the malware would start up every minute even if you kill the process. That persistence is set up using "schtasks" (MITRE ATT&CK).
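The behaviours described so far (the ms-settings command key hijack and fodhelper launch, the "Credentials_..." archive, and the schtasks persistence) all leave host-side traces. As an added example, not from the post or from OctoRAT, the following Python code runs four simple detection rules over constructed Sysmon-style events (registry value set, process create, file create). The events are invented for the example, field names follow Sysmon's EventData, and the "/SC MINUTE /MO 1" schtasks command line is an assumed form, since the post only says the task fires every minute.

```python
import re

# Constructed Sysmon-style events (not real logs from the sample).
SAMPLE_EVENTS = [
    # Event 13 (registry value set): command key pointed at the payload
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Roaming\client.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Users\victim\AppData\Roaming\client.exe"},
    # Event 13: empty DelegateExecute so the command is honoured
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Roaming\client.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": ""},
    # Event 1 (process create): fodhelper.exe spawned by a binary in a user profile
    {"EventID": 1,
     "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\client.exe",
     "CommandLine": r"C:\Windows\System32\fodhelper.exe"},
    # Event 1: schtasks persistence with a one-minute trigger (assumed switches)
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\client.exe",
     "CommandLine": r'schtasks /Create /SC MINUTE /MO 1 /TN Update /TR "C:\Users\victim\AppData\Roaming\client.exe" /F'},
    # Event 11 (file create): the credential archive before it is sent to the C2
    {"EventID": 11,
     "Image": r"C:\Users\victim\AppData\Roaming\client.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\Credentials_DESKTOP-01_20260203_141500.zip"},
    # Benign noise that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "schtasks /Query /FO LIST"},
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "TargetFilename": r"C:\Users\victim\Documents\report_2026.zip"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\.txt\(Default)", "Details": "txtfile"},
]

MS_SETTINGS_KEY = r"\software\classes\ms-settings\shell\open\command"
CRED_ZIP_RE = re.compile(r"Credentials_.+_\d{8}_\d{6}\.zip$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_fodhelper_key_hijack(ev: dict) -> bool:
    # Any write under the ms-settings command key is suspicious; legitimate
    # software has no reason to create it in the user hive.
    return ev.get("EventID") == 13 and MS_SETTINGS_KEY in ev.get("TargetObject", "").lower()


def rule_fodhelper_untrusted_parent(ev: dict) -> bool:
    # fodhelper.exe started by a process living under C:\Users is the hijack being triggered
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "fodhelper.exe":
        return False
    return ev.get("ParentImage", "").lower().startswith("c:\\users\\")


def rule_schtasks_minute_trigger(ev: dict) -> bool:
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "").lower()
    return "/create" in cmd and "/sc minute" in cmd


def rule_credential_archive(ev: dict) -> bool:
    # Matches the Credentials_{host}_{yyyyMMdd_HHmmss}.zip naming from the post
    return ev.get("EventID") == 11 and bool(CRED_ZIP_RE.search(ev.get("TargetFilename", "")))


RULES = {
    "fodhelper_key_hijack": rule_fodhelper_key_hijack,
    "fodhelper_untrusted_parent": rule_fodhelper_untrusted_parent,
    "schtasks_minute_trigger": rule_schtasks_minute_trigger,
    "credential_archive": rule_credential_archive,
}


def detect(events: list) -> list:
    """Return (rule_name, event_index) pairs for every rule that matched an event."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name}: event {idx} image={SAMPLE_EVENTS[idx].get('Image')}")
```

The registry rule is the most reliable of the four: the ms-settings command key does not exist by default in HKCU, so its creation alone is worth an alert, and removing it is also the clean-up step once the host is contained. The parent-process and schtasks rules are heuristics and will need tuning to the environment.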

Next, the malware connects to the server and sends client info: hostname, username, OS, country, monitor count, and whether the client has crypto wallets.

NOTE: the malware checks whether the client has crypto wallets by looking for "\\Ethereum", "\\Electrum" and "\\Exodus" in the application data folder and "\\Programs\\Exodus" in the local application data folder.

And there we are, in the main loop, where all the important RAT features and stealers run.

Main loop

In the main loop, the HandlePacket() function processes each received packet if it is not null, but before going into it, there are two main things happening in the loop:

  1. The keylogger is queued if it is active (it becomes active when the server enables it by sending the corresponding packet).
  2. If IsDesktopActive is set to true (also set when the server enables it by sending a packet), the malware periodically captures the screen and sends it to the server.

Now we can continue with HandlePacket(), which is around 1801 lines of code when decompiled. I will list all possible commands one by one, but to be clear, I can't go into the depth of all of them because it would take a lot of time; you can use a .NET decompiler to see how they are implemented yourself, it is pretty easy to understand: Commands

End

And finally, after the connection is lost or the server exits, it cleans up and the malware stops.