Why Is RAT Malware Surging?

Remote Access Trojans, also known as RATs, have been around for years - although their prevalence in the market has surged over the last few years. RATs are digital skeleton keys, giving an attacker remote control over a system, often without the user ever knowing. This kind of access often starts with someone clicking a malicious link or opening a rogue attachment in a phishing email or messaging app.

From there, the attacker can move laterally, steal data, monitor activity, or trigger ransomware.

RATs have always been a threat, but today they rank among the most common attack vectors. XWorm, a newer and more advanced variant, is pushing the capabilities of RATs into more dangerous territory.

XWorm is cheap, modular, and extremely effective. And it's showing up everywhere.

The Swiss Army knife Of RATs

What makes XWorm stand out is its accessibility. It’s simple to configure, loaded with features, and devastatingly effective. Think of it like a Swiss Army knife of commodity malware - remote desktop access, keylogging, file theft, even ransomware deployment. That’s what makes it so appealing. Who needs bespoke tooling when this off-the-shelf option works just as well? 

Attackers can use XWorm to hit you from every angle. And because it's sold as a plug-and-play malware kit, it’s being used by both experienced attackers and opportunists with very little technical skill.

The worst part? It’s not hidden in some dark corner of the internet. XWorm is out in the open, traded on forums, complete with version updates, user support, and how-to guides.

The Perfect Conditions For XWorm

It doesn’t matter what sector you’re in. XWorm’s versatility allows for effective deployment in a myriad of locations, and most organisations will have vulnerable points that can be exploited. Financial services, healthcare, education, government - for any organisation with strained teams, ageing infrastructure, or limited visibility, it’s open season. 

Attackers don’t need to rush. They can lie dormant, map out the environment, and gradually expand their access.

They’ll wait for distractions: when staff are busy, alerts are missed, or logs start to pile up. That dwell time is what makes XWorm so dangerous. It thrives in the routine: overlooked systems, default configurations, missed updates. It doesn’t crash through the front door; it blends in.

RATs In The Stacks: How Can Businesses Detect XWorm?

And that’s what makes detection so tricky. XWorm won’t always trigger alarms. It doesn’t need to. Spotting XWorm often comes down to recognising behaviour that doesn’t fit: workstations reaching out to unfamiliar IPs at 2am, PowerShell or cmd.exe launching for no apparent reason, or privilege changes that don’t align with user roles.

If your logs show a machine calling out to a remote server and then spinning up a command line, you’ve got a problem. It might look subtle, but that’s exactly how XWorm survives.
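The two behaviours just described (an unfamiliar outbound connection followed shortly by a shell spawning, and outbound connections at odd hours) can be correlated in a few lines. The following is an added example, not code from the article or from Splunk; the log format, the hostnames and IPs, the allowlist of known destinations, the 60-second window and the off-hours range are all assumptions.

```python
# Added example (not from the article): correlate constructed endpoint logs to flag
# a host that connects to an unfamiliar IP and then spawns cmd.exe or PowerShell,
# and any off-hours connection to an unfamiliar IP. Format and values are assumed.
from datetime import datetime, timedelta

KNOWN_DESTINATIONS = {"10.0.0.5", "10.0.0.20"}   # assumed: known corporate servers
SHELLS = {"cmd.exe", "powershell.exe"}
WINDOW = timedelta(seconds=60)                   # assumed: connect-to-shell window
OFF_HOURS = range(0, 6)                          # assumed: 00:00-05:59 local time

# Constructed sample log lines: "<timestamp>|<host>|<event>|<detail>"
SAMPLE_LOG = """\
2024-05-01T02:03:10|WS-17|NET_CONNECT|198.51.100.23:443
2024-05-01T02:03:25|WS-17|PROC_START|powershell.exe
2024-05-01T09:15:00|WS-04|NET_CONNECT|10.0.0.5:445
2024-05-01T09:15:30|WS-04|PROC_START|excel.exe
2024-05-01T13:40:00|WS-09|NET_CONNECT|203.0.113.9:8080
2024-05-01T13:45:00|WS-09|PROC_START|cmd.exe
"""

def parse(log_text):
    """Parse the pipe-delimited lines into (timestamp, host, event, detail), time-ordered."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, event, detail = line.split("|")
        events.append((datetime.fromisoformat(ts), host, event, detail))
    return sorted(events)

def find_suspicious(log_text):
    """Return (host, reason) pairs for behaviour that does not fit the baseline."""
    findings = []
    last_unknown_connect = {}  # host -> time of its latest unfamiliar connection
    for ts, host, event, detail in parse(log_text):
        if event == "NET_CONNECT":
            ip = detail.rsplit(":", 1)[0]
            if ip not in KNOWN_DESTINATIONS:
                last_unknown_connect[host] = ts
                if ts.hour in OFF_HOURS:
                    findings.append((host, f"off-hours connection to {ip}"))
        elif event == "PROC_START" and detail.lower() in SHELLS:
            seen = last_unknown_connect.get(host)
            if seen is not None and ts - seen <= WINDOW:
                gap = int((ts - seen).total_seconds())
                findings.append((host, f"{detail} spawned {gap}s after unfamiliar connection"))
    return findings

if __name__ == "__main__":
    for host, reason in find_suspicious(SAMPLE_LOG):
        print(host, reason)
```

Only WS-17 is flagged: WS-04 talks to a known server, and WS-09 starts cmd.exe five minutes after its connection, outside the window, which is exactly the kind of tuning your own baseline has to decide.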

Ultimately, what you want is normal. ‘Normal’ is your friend. And the more you understand what that looks like, the easier it is to spot when something is off.

Getting Ready Before RATs Attack

As much as you might want to, you can’t assume you’ll keep every attacker out. That’s not the game anymore. You still have to guard your points of potential ingress diligently, but the priority now is detection, containment, and response - knowing what to do when something breaks, and who’s responsible for what when it does.

That starts with running tabletop exercises well before you’re in crisis mode. It also means understanding what “normal” looks like in your environment. When you have that baseline, the outliers, the things that don't quite fit, become a lot easier to spot.

You can also lock down unnecessary admin rights, and limit script execution unless you know exactly what’s running and why. Most importantly, don’t wait until after an incident to start looking at access logs: audit them regularly and treat anything unexpected as a lead worth chasing.

The organisations that respond best are the ones who already have a plan, and have tested it, before things go wrong.

The Real Threat

XWorm isn’t revolutionary or flashy. But it’s highly effective, easy to use, and spreading fast — and that makes it a real problem. It’s a sign of where malware is heading, freely traded in open channels, ready for anyone curious enough to click and careless enough to run it.

This is what makes readiness essential. You might not be the target today. But if you were, would you catch it in time?

Teoderick Contreras is Senior Threat Researcher at Splunk and Mick Baccio is Global Security Advisor with Splunk SURGe.
