New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers


A new Windows Remote Access Trojan (RAT) evaded detection for weeks by using corrupted DOS and PE headers, making it hard for analysts to examine the malware. The attack, discovered by Fortinet, involved execution via PowerShell scripts and PsExec, and the malware ran under the dllhost.exe process. It decrypted its C2 domain (rushpapers[.]com) in memory and used TLS communication. The malware included features such as screenshot capture, system service control, and multi-threaded client handling, effectively turning the infected system into a remote-access platform.
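For defenders, the practical takeaway is that a module whose DOS or PE headers fail basic sanity checks is itself a triage signal, whether the image comes from disk or from a process memory dump. The checker below is an added example, not Fortinet's code or the analysed sample; the corrupted image it tests is constructed here by zeroing the MZ and PE\0\0 signatures, which is one assumed form of header corruption.

```python
import struct

def check_pe_headers(data: bytes) -> list[str]:
    """Return findings describing why the DOS/PE headers look corrupted (empty list = sane)."""
    findings = []
    if len(data) < 64:
        return ["file shorter than a DOS header"]
    if data[:2] != b"MZ":
        findings.append("missing MZ signature")
    # e_lfanew at offset 0x3C gives the file offset of the PE\0\0 signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 26 > len(data):
        findings.append(f"e_lfanew 0x{e_lfanew:x} points outside the image")
        return findings
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        findings.append("missing PE\\0\\0 signature at e_lfanew")
    # COFF file header (20 bytes) follows the signature
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine not in (0x14C, 0x8664):        # i386 / x64
        findings.append(f"unexpected Machine 0x{machine:x}")
    if nsect == 0 or nsect > 96:
        findings.append(f"implausible NumberOfSections {nsect}")
    if opt_size == 0:
        findings.append("zero SizeOfOptionalHeader")
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        findings.append(f"unexpected optional header Magic 0x{magic:x}")
    return findings

def build_sample_headers(corrupt: bool = False) -> bytes:
    """Constructed minimal x64 PE header image; corrupt=True zeroes both signatures."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # PE signature right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(238)
    img = bytes(dos) + b"PE\0\0" + file_hdr + opt
    if corrupt:
        img = bytes(2) + img[2:0x40] + bytes(4) + img[0x44:]
    return img

if __name__ == "__main__":
    for label, sample in (("clean", build_sample_headers()), ("corrupted", build_sample_headers(True))):
        print(label, check_pe_headers(sample) or "headers look sane")
```

Real-world corruption can be subtler than zeroed signatures, so treat a non-empty finding list as a reason to look closer rather than as a verdict.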
