A recently uncovered remote access trojan, KarstoRAT, has been identified in malware repositories and sandbox analyses since early 2026. This malicious software grants attackers extensive control over compromised Windows systems, enabling functions like webcam monitoring, audio recording, keylogging, and running additional payloads.
KarstoRAT’s Comprehensive Control Features
KarstoRAT is designed to grant operators complete control over infected devices from its first execution. The sample is a 64-bit Windows executable built with Microsoft Visual Studio 2022 and carries a compile timestamp of February 16, 2026. It communicates with a single hard-coded command-and-control (C2) server at 212.227.65[.]132 on port 15144, using the Windows Internet API (WinINet) for outbound traffic. The connection is kept alive by heartbeat messages sent to the attacker’s server every two seconds, a fixed cadence that is itself a useful network detection signal.
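The two-second heartbeat described above can be hunted for in firewall or proxy logs in two ways: a hard indicator match on the reported C2 address and port, and a behavioural check for any flow whose inter-arrival times cluster tightly around two seconds (which still fires if the operator moves to a new server). The script below is an added example, not code from the original article or from LevelBlue's analysis; the log format and the log lines themselves are constructed for illustration, and the interval, tolerance and hit-count thresholds are assumptions a team would tune to its own environment.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the LevelBlue report):
# "<iso timestamp> <src ip> <dst ip> <dst port> <action>".
# Host 10.0.0.5 beacons to the reported C2 every ~2 s with slight jitter;
# host 10.0.0.7 makes irregular HTTPS connections to an unrelated address.
SAMPLE_LOG = """\
2026-02-16T10:00:00.000 10.0.0.5 212.227.65.132 15144 ALLOW
2026-02-16T10:00:02.010 10.0.0.5 212.227.65.132 15144 ALLOW
2026-02-16T10:00:04.005 10.0.0.5 212.227.65.132 15144 ALLOW
2026-02-16T10:00:06.020 10.0.0.5 212.227.65.132 15144 ALLOW
2026-02-16T10:00:07.990 10.0.0.5 212.227.65.132 15144 ALLOW
2026-02-16T10:00:10.000 10.0.0.5 212.227.65.132 15144 ALLOW
2026-02-16T10:00:01.000 10.0.0.7 93.184.216.34 443 ALLOW
2026-02-16T10:00:31.000 10.0.0.7 93.184.216.34 443 ALLOW
2026-02-16T10:00:33.000 10.0.0.7 93.184.216.34 443 ALLOW
2026-02-16T10:01:50.000 10.0.0.7 93.184.216.34 443 ALLOW
2026-02-16T10:02:00.000 10.0.0.7 93.184.216.34 443 ALLOW
"""

# Indicators reported for KarstoRAT (defanged in the article as 212.227.65[.]132).
C2_IP = "212.227.65.132"
C2_PORT = 15144

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+\S+$")


def parse_log(text):
    """Return (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append((datetime.fromisoformat(m.group(1)),
                      m.group(2), m.group(3), int(m.group(4))))
    return flows


def find_known_c2(flows):
    """Hard IOC match: every source host that talked to the reported C2 IP:port."""
    return sorted({src for _, src, dst, port in flows
                   if dst == C2_IP and port == C2_PORT})


def find_beacons(flows, interval=2.0, tolerance=0.25, min_hits=5):
    """Behavioural match: flows whose inter-arrival gaps sit tightly around
    `interval` seconds. Returns {(src, dst, port): median_gap}."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in flows:
        by_flow[(src, dst, port)].append(ts)

    hits = {}
    for key, stamps in by_flow.items():
        if len(stamps) < min_hits:       # too few samples to call it a cadence
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        spread = max(gaps) - min(gaps)   # jitter across the whole window
        # Require both the right period and a regular rhythm; ordinary browsing
        # has a wide spread even when its median happens to land near 2 s.
        if abs(median - interval) <= tolerance and spread <= 2 * tolerance:
            hits[key] = median
    return hits


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("hosts contacting known C2:", find_known_c2(flows))
    for (src, dst, port), gap in find_beacons(flows).items():
        print(f"beacon-like flow {src} -> {dst}:{port}, median gap {gap:.3f}s")
```

The behavioural rule deliberately checks the spread of the gaps, not just the median, because a short burst of legitimate requests can produce a median near two seconds without the metronomic regularity of a heartbeat loop. Run it against real logs by replacing `SAMPLE_LOG` with the exported text and adjusting the regex to the exporter's column order.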
Private Development and Distribution Tactics
Analysts from LevelBlue discovered KarstoRAT during a threat assessment and noted that it is not advertised on public forums or cybercrime markets, suggesting it is privately developed and used by a small group. The presence of several samples in public analysis environments nonetheless provides rare insight into a newly active private tool.
KarstoRAT’s distribution relies on social engineering aimed at gamers. Its C2 server also hosts a counterfeit Roblox trading website, ‘Blox Stocks,’ and a cheat download panel, ‘Venom Files,’ which lure visitors with cheap in-game items and premium cheats. Both sites exist to convince users to download the trojan themselves.
In-Depth Surveillance and Execution Capabilities
Once installed, KarstoRAT enters an endless polling loop, waiting for instructions from the C2 server. A webcam module, triggered by the WEBCAM command, captures images silently with no notification to the user. The audio feature likewise uses the Windows Media Control Interface (MCI) to record from the microphone without any visible indication and uploads the resulting files to the C2 server.
The malware also includes a keylogger that captures keystrokes and forwards them to the attacker’s server. For persistence it uses three mechanisms at once: a Windows Registry Run key, a Scheduled Task, and a copy of itself in the Startup folder. In addition, a UAC bypass abusing fodhelper.exe lets it obtain elevated privileges without showing the user a UAC prompt.
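The three persistence mechanisms and the fodhelper.exe bypass each leave a distinct host artifact, so they can be hunted together in Sysmon-style telemetry (registry value writes, file creates, process creates). The script below is an added example, not code from the original article or from LevelBlue's analysis. The events are constructed and the process names and paths in them are hypothetical; the article does not say which registry key KarstoRAT writes for the bypass, so the `ms-settings\Shell\Open\command` rule assumes the commonly documented fodhelper technique, in which a per-user handler for the `ms-settings` protocol is written and fodhelper.exe, an auto-elevating binary, launches it at high integrity.

```python
import re

# Constructed Sysmon-style events (not from the LevelBlue report). Event IDs
# follow Sysmon: 1 = process create, 11 = file create, 13 = registry value set.
# "svchst.exe" is a hypothetical implant name used only for this sample.
IMPLANT = r"C:\Users\bob\AppData\Roaming\svchst.exe"
SAMPLE_EVENTS = [
    {"id": 13, "image": IMPLANT,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": IMPLANT,
     "cmdline": r'schtasks /create /sc onlogon /tn "WinUpdate" /tr "' + IMPLANT + '"'},
    {"id": 11, "image": IMPLANT,
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchst.exe"},
    {"id": 13, "image": IMPLANT,
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"id": 13, "image": IMPLANT,
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"id": 1, "image": r"C:\Windows\System32\fodhelper.exe", "parent": IMPLANT,
     "integrity": "High", "cmdline": "fodhelper.exe"},
    {"id": 1, "image": IMPLANT, "parent": r"C:\Windows\System32\fodhelper.exe",
     "integrity": "High", "cmdline": "svchst.exe"},
    # Benign noise: Explorer touching an unrelated HKCU value, and a legitimate
    # fodhelper.exe launch from the Settings UI with no suspicious child.
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"id": 1, "image": r"C:\Windows\System32\fodhelper.exe", "parent": r"C:\Windows\explorer.exe",
     "integrity": "High", "cmdline": "fodhelper.exe"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
MS_SETTINGS_RE = re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.I)
SCHTASKS_CREATE_RE = re.compile(r"schtasks(\.exe)?\s.*?/create\b", re.I)
SYSTEM_DIR_RE = re.compile(r"^C:\\Windows\\", re.I)


def classify_event(ev):
    """Map one event to the list of rule names it triggers (possibly empty)."""
    hits = []
    eid = ev["id"]
    if eid == 13 and RUN_KEY_RE.search(ev["target"]):
        hits.append("persistence:run_key")
    if eid == 13 and MS_SETTINGS_RE.search(ev["target"]):
        hits.append("uac_bypass:ms-settings_handler_write")
    if eid == 11 and STARTUP_DIR_RE.search(ev["target"]):
        hits.append("persistence:startup_folder")
    if eid == 1 and SCHTASKS_CREATE_RE.search(ev.get("cmdline", "")):
        hits.append("persistence:scheduled_task")
    # fodhelper.exe auto-elevates; a High-integrity child living outside
    # C:\Windows is the tell-tale of the hijacked ms-settings handler.
    if (eid == 1 and ev.get("parent", "").lower().endswith("\\fodhelper.exe")
            and ev.get("integrity") == "High"
            and not SYSTEM_DIR_RE.match(ev["image"])):
        hits.append("uac_bypass:fodhelper_spawned_non_system_binary")
    return hits


def analyze(events):
    """Aggregate rule hits over a batch: {rule: [image, ...]}."""
    findings = {}
    for ev in events:
        for rule in classify_event(ev):
            findings.setdefault(rule, []).append(ev["image"])
    return findings


def fodhelper_bypass_confirmed(events):
    """High-confidence correlation: the same binary both wrote the ms-settings
    handler and later ran as a High-integrity child of fodhelper.exe."""
    writers = {ev["image"].lower() for ev in events
               if ev["id"] == 13 and MS_SETTINGS_RE.search(ev["target"])}
    return any(
        "uac_bypass:fodhelper_spawned_non_system_binary" in classify_event(ev)
        and ev["image"].lower() in writers
        for ev in events)


if __name__ == "__main__":
    for rule, images in sorted(analyze(SAMPLE_EVENTS).items()):
        print(f"{rule}: {sorted(set(images))}")
    print("fodhelper bypass correlated:", fodhelper_bypass_confirmed(SAMPLE_EVENTS))
```

The single-event rules are noisy on their own (installers legitimately write Run keys and create scheduled tasks), which is why the correlation in `fodhelper_bypass_confirmed` is the alert worth paging on: a user-writable binary that rewrites the `ms-settings` handler and then reappears at high integrity under fodhelper.exe has no benign explanation. The standalone hits are better treated as enrichment for that alert or as triage leads when the C2 indicator fires.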
Organizations are advised to block the C2 IP address 212.227.65[.]132, monitor for outbound connections on port 15144 (in particular the regular two-second heartbeat), and hunt for the Run key, Scheduled Task and Startup folder artifacts described above along with unexpected high-integrity processes spawned by fodhelper.exe. Security teams should also warn users against downloading unverified game cheats or trading tools.
