MostereRAT Targets Windows Users with Advanced Evasion Techniques

Cybersecurity researchers have uncovered a phishing campaign distributing a new strain of malware called MostereRAT, a remote access Trojan (RAT) targeting Microsoft Windows systems that gives attackers full control over infected machines.

According to FortiGuard Labs, the campaign stands out for its layered use of evasion techniques. The malware is written in Easy Programming Language (EPL), a Chinese-language programming language that is rarely seen in malware, and it runs in multiple stages to conceal its malicious behavior.

MostereRAT can disable security tools, block security products' network traffic, and talk to its command-and-control (C2) server over mutual TLS (mTLS). Because both ends authenticate with certificates, the C2 traffic is not only encrypted but also hard to impersonate or proxy without the client certificate embedded in the sample.


Attack Chain and Delivery

The campaign begins with phishing emails posing as legitimate business inquiries, primarily targeting Japanese users. When a victim clicks the link, a Word document is downloaded that carries an embedded archive; the document instructs the user to extract and run an executable from that archive, and that executable launches the malware.

The executable decrypts its components and installs them in a system directory, then creates services for persistence, some of which run as SYSTEM for maximum access. Before exiting, it displays a fake error message in Simplified Chinese claiming the file is incompatible with the system, a decoy that explains away the failed "document" and encourages the lure to be passed on further.
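The service-based persistence described above leaves a record that is cheap to check: every new service installation is logged by the Service Control Manager as Event ID 7045 in the System log, with the service name, binary path and account. The following PowerShell hunt is an added example, not code from the article or from FortiGuard's report; it lists recent 7045 events, flags services that run as LocalSystem from a binary that is not validly signed, and cross-checks the services still registered on disk. The look-back window is an assumed tuning value, and it must be run from an elevated session.

```powershell
# Added example (not from the article or FortiGuard's report): hunt for service-based
# persistence by reading Service Control Manager "new service installed" events (ID 7045)
# and checking the signature of each service binary. Run elevated.
$LookbackDays = 14   # assumed window; widen it for a retrospective sweep

function Get-ServiceBinaryPath {
    # Extract the executable from an ImagePath such as
    #   "C:\Windows\svc.exe" -k netsvcs     or     C:\Windows\System32\svc.exe /run
    param([string]$ImagePath)
    if ($ImagePath -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($ImagePath -match '^\s*(\S+\.(exe|dll|sys))') { return $Matches[1] }
    return $ImagePath.Trim()
}

function Get-BinarySignatureStatus {
    # 'Valid' only when the Authenticode chain verifies; unsigned/tampered files are not.
    param([string]$Binary)
    if (-not $Binary) { return 'NoPath' }
    if (-not (Test-Path -LiteralPath $Binary)) { return 'BinaryMissing' }
    return (Get-AuthenticodeSignature -LiteralPath $Binary).Status.ToString()
}

$filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # EventData for 7045 carries ServiceName, ImagePath, ServiceType, StartType, AccountName.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ServiceType'] -match 'driver') { continue }   # driver paths use \SystemRoot\...; skip here

    $bin = [Environment]::ExpandEnvironmentVariables((Get-ServiceBinaryPath $data['ImagePath']))
    $sig = Get-BinarySignatureStatus $bin

    [pscustomobject]@{
        Installed   = $e.TimeCreated
        ServiceName = $data['ServiceName']
        Account     = $data['AccountName']
        StartType   = $data['StartType']
        Binary      = $bin
        Signature   = $sig
        # The signal this page describes: a new SYSTEM service whose binary is not validly signed.
        Suspicious  = ($data['AccountName'] -eq 'LocalSystem' -and $sig -ne 'Valid')
    }
}

# What is still registered right now, independent of when it was installed:
# LocalSystem services whose binary does not carry a valid signature.
$live = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $bin = [Environment]::ExpandEnvironmentVariables((Get-ServiceBinaryPath $_.PathName))
        $sig = Get-BinarySignatureStatus $bin
        if ($sig -ne 'Valid') {
            [pscustomobject]@{ ServiceName = $_.Name; State = $_.State; Binary = $bin; Signature = $sig }
        }
    }

$findings | Sort-Object Suspicious -Descending, Installed -Descending | Format-Table -AutoSize
$live | Format-Table -AutoSize
```

Two caveats when reading the output: services hosted in svchost.exe show a signed svchost binary, so for those the ServiceDll value under the service's Parameters key is what needs checking; and "not validly signed" is a triage filter, not a verdict, since plenty of legitimate third-party services are unsigned.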

Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch, noted:

“Since the initial attack vector is phishing emails leading to malicious links and downloads, browser security is a critical area for defense.”


Evasion and Privilege Escalation

MostereRAT interferes with several Windows protections: it disables Windows Update, terminates antivirus processes, and blocks security tools from communicating with their servers.

It also escalates privileges by running as TrustedInstaller (NT SERVICE\TrustedInstaller), the service account that owns protected Windows system files and registry keys and can therefore modify what even a local administrator cannot. James Maude, Field CTO at BeyondTrust, explained:

“While this malware uses creative techniques combining uncommon scripting languages with trusted remote access tools, it still follows a common pattern of exploiting overprivileged users and endpoints without application control.”
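The three evasion behaviors described in this section each leave a state change a responder can query. The PowerShell triage below is an added example, not code from the article or from FortiGuard's report. It reports whether Windows Update has been switched off (service start type or the NoAutoUpdate policy value), dumps Windows Filtering Platform block filters scoped to specific executables (the article does not say which mechanism the sample uses to cut security tools off, but WFP filters sit underneath the Windows Firewall, can be added without any firewall rule appearing, and are the usual place to look), and lists processes running under the TrustedInstaller account other than TrustedInstaller.exe itself. The XML paths used for the netsh dump reflect my understanding of its layout and are an assumption to verify against your own output. Run elevated.

```powershell
# Added example (not from the article or FortiGuard's report): triage checks for
# Windows Update being disabled, WFP block filters aimed at specific programs, and
# processes running as NT SERVICE\TrustedInstaller. Run elevated.

function Test-WindowsUpdateDisabled {
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                            -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStartType   = if ($svc) { $svc.StartType.ToString() } else { 'Missing' }
        ServiceStatus      = if ($svc) { $svc.Status.ToString() }    else { 'Missing' }
        PolicyNoAutoUpdate = if ($au)  { $au.NoAutoUpdate }          else { $null }
        # A Disabled service, or NoAutoUpdate=1 that your own GPO did not set, is the signal.
        Disabled = (($svc -and $svc.StartType -eq 'Disabled') -or ($au -and $au.NoAutoUpdate -eq 1))
    }
}

function Get-WfpBlockFilters {
    # netsh can write the active WFP filter set as XML; each <item> under <filters> has an
    # <action><type> and optional conditions. A FWPM_CONDITION_ALE_APP_ID condition ties
    # the filter to one executable, which is how a program is silently cut off from the network.
    # XML element names below are assumed from netsh output; verify against a real dump.
    $out = Join-Path $env:TEMP 'wfp-filters.xml'
    & netsh.exe wfp show filters file="$out" | Out-Null
    if (-not (Test-Path -LiteralPath $out)) { return @() }
    $xml = [xml](Get-Content -LiteralPath $out -Raw)
    Remove-Item -LiteralPath $out -ErrorAction SilentlyContinue
    foreach ($f in $xml.SelectNodes("//item[action/type='FWP_ACTION_BLOCK']")) {
        $apps = @($f.SelectNodes(".//item[fieldKey='FWPM_CONDITION_ALE_APP_ID']//asString") |
                  ForEach-Object InnerText)
        [pscustomobject]@{
            Name     = $f.displayData.name
            Layer    = $f.layerKey
            Provider = $f.providerKey
            AppPaths = ($apps -join '; ')
        }
    }
}

function Get-TrustedInstallerProcesses {
    # Normally only TrustedInstaller.exe runs under this account; anything else holding
    # that token has obtained it deliberately.
    Get-Process -IncludeUserName |
        Where-Object { $_.UserName -like '*\TrustedInstaller' -and $_.ProcessName -ne 'TrustedInstaller' } |
        Select-Object Id, ProcessName, Path, UserName
}

Test-WindowsUpdateDisabled | Format-List
# Per-application block filters are the interesting ones; drop AppPaths from the filter
# to see every block filter, including ones keyed on addresses or ports instead.
Get-WfpBlockFilters | Where-Object { $_.AppPaths } | Format-Table -AutoSize
Get-TrustedInstallerProcesses | Format-Table -AutoSize
```

Expect some noise in the WFP output: security products and the firewall service itself install legitimate block filters, so compare the provider and the application paths against what you know is deployed rather than treating every hit as hostile.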


Malware Capabilities

Once established, MostereRAT supports:

  • Keylogging and system information collection
  • Downloading and executing payloads in EXE, DLL, EPK, or shellcode formats
  • Creating hidden administrator accounts for persistence
  • Running remote access tools such as AnyDesk, TightVNC, and RDP Wrapper
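Two items in the list above, hidden administrator accounts and RDP Wrapper, rely on well-known registry changes, and the remote access tools show up as services or processes. The PowerShell check below is an added example, not code from the article or from FortiGuard's report. Accounts listed under Winlogon\SpecialAccounts\UserList with a value of 0 are hidden from the logon screen, so that key is cross-referenced with local Administrators membership; RDP Wrapper works by pointing the TermService ServiceDll at rdpwrap.dll instead of termsrv.dll, so that value is compared with the default; and the list of tool names to look for is an assumption chosen to cover AnyDesk and TightVNC. Run elevated.

```powershell
# Added example (not from the article or FortiGuard's report): look for hidden local
# administrators, an RDP Wrapper install, and AnyDesk/TightVNC services or processes.
$RemoteTools = 'AnyDesk', 'tvnserver', 'winvnc', 'tightvnc'   # assumed name list; extend as needed

function Get-LocalAccountReport {
    # Winlogon\SpecialAccounts\UserList: a DWORD value named after an account, set to 0,
    # hides that account from the logon and user-switching screens.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $hidden = @()
    if (Test-Path -LiteralPath $key) {
        $hidden = @((Get-ItemProperty -LiteralPath $key).PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
                    ForEach-Object Name)
    }
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { ($_.Name -split '\\')[-1] })
    foreach ($u in Get-LocalUser) {
        [pscustomobject]@{
            User            = $u.Name
            Enabled         = $u.Enabled
            IsAdmin         = $admins -contains $u.Name
            HiddenFromLogon = $hidden -contains $u.Name
            PasswordLastSet = $u.PasswordLastSet
            # An enabled admin that is hidden from the logon screen is the pattern to chase.
            Suspicious      = ($u.Enabled -and ($admins -contains $u.Name) -and ($hidden -contains $u.Name))
        }
    }
}

function Test-RdpWrapper {
    $params = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' `
                               -ErrorAction SilentlyContinue
    $ts     = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                               -ErrorAction SilentlyContinue
    $dll = if ($params) { $params.ServiceDll } else { $null }
    [pscustomobject]@{
        TermServiceDll = $dll
        RdpEnabled     = ($ts -and $ts.fDenyTSConnections -eq 0)
        # Anything other than termsrv.dll here (rdpwrap.dll in RDP Wrapper's case) means the service is wrapped.
        Wrapped        = [bool]($dll -and $dll -notmatch 'termsrv\.dll$')
    }
}

function Get-RemoteAccessTools {
    $pattern = ($RemoteTools | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $svc = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Path = $_.PathName; State = $_.State } }
    $proc = Get-Process |
        Where-Object { $_.ProcessName -match $pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Path = $_.Path; State = "PID $($_.Id)" } }
    @($svc) + @($proc)
}

Get-LocalAccountReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Test-RdpWrapper | Format-List
Get-RemoteAccessTools | Format-Table -AutoSize
```

On a host where AnyDesk or VNC is sanctioned, the tool check is only useful alongside an inventory of what should be there; the hidden-admin and ServiceDll checks have no legitimate explanation on a standard build and are worth alerting on directly.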

FortiGuard Labs noted that parts of MostereRAT’s infrastructure were previously linked to a banking trojan reported in 2020, highlighting how threat actors continue refining techniques to evade modern detection systems.

James Maude stressed the importance of reducing privileges and controlling applications:

“Removing local administrator privileges drastically reduces the attack surface and limits the impact of a malware infection.”

Source: https://www.infosecurity-magazine.com/news/rat-targets-windows-users-stealth