Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Gophish Framework Used to Spread Trojans

October 23, 2024
Reading Time: 2 mins read
in Alerts
Gophish Framework Used to Spread Trojans

A new phishing campaign is actively targeting Russian-speaking users, leveraging the Gophish framework to deliver two remote access trojans (RATs): DarkCrystal RAT (DCRat) and PowerRAT. The campaign is designed with modular infection chains that begin with malicious emails containing attachments or links that disguise themselves as well-known services like Yandex Disk or VK, a popular Russian social media platform. These phishing emails entice victims to open malware-laden Microsoft Word documents or HTML files embedded with JavaScript, initiating the infection process.

Once a victim interacts with these malicious attachments, the infection chain begins. In the case of Microsoft Word documents, enabling macros triggers a Visual Basic (VB) script that extracts and executes a rogue HTML application (HTA) file and a PowerShell loader. This process leads to the deployment of PowerRAT, a previously undocumented RAT that performs system reconnaissance, collects device details such as the drive serial number, and communicates with command-and-control (C2) servers located in Russia. PowerRAT is also capable of executing additional PowerShell commands, enabling further infections on the compromised machine.

Alternatively, victims who interact with HTML files embedded with JavaScript are targeted by DCRat. When a user clicks on a malicious link, a JavaScript file containing a Base64-encoded 7-Zip archive is downloaded through a technique called HTML smuggling. The archive contains a password-protected self-extracting (SFX) RAR file, which ultimately delivers the DCRat payload. DCRat is a modular RAT capable of stealing sensitive data, capturing keystrokes and screenshots, and allowing remote control of the infected system. It establishes persistence by creating Windows tasks that run during system login or at intervals.

This campaign is particularly dangerous due to its ability to deliver two different RATs depending on the initial access vector and its use of sophisticated techniques like HTML smuggling and modular infection chains. The Gophish framework, originally designed to test phishing defenses, is being weaponized by threat actors to launch highly targeted phishing campaigns. With the capability to collect sensitive data and maintain long-term access to compromised systems, both PowerRAT and DCRat pose significant risks to affected users.

Reference:
  • Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
Tags: Cyber AlertsCyber Alerts 2024Cyber threatsCybersecurityDarkCrystalGophishMalwareOctober 2024PhishingPowerRATRATRemote Access TrojansTrojans
ADVERTISEMENT

Related Posts

Fake PyPI Login Site Steals Credentials

Fake PyPI Login Site Steals Credentials

September 26, 2025
Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

September 26, 2025
Fake PyPI Login Site Steals Credentials

Hidden WordPress Backdoors Create Admins

September 26, 2025
BadIIS Malware Spreads Via SEO Poisoning

Hackers Target AWS and Steal Credentials

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

SonicWall SMA100 Update Removes Rootkit

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

BadIIS Malware Spreads Via SEO Poisoning

September 24, 2025

Latest Alerts

Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

Hidden WordPress Backdoors Create Admins

Hackers Target AWS and Steal Credentials

SonicWall SMA100 Update Removes Rootkit

BadIIS Malware Spreads Via SEO Poisoning

Subscribe to our newsletter

    Latest Incidents

    Indian Bank Transfer Records Exposed

    Chinese Cyberspies Hit US Defense Firms

    Neon App Shuts Down After Data Leak

    Boyd Gaming Reports Data Breach After Attack

    Morrisroe UK Company Hit By Cyber Attack

    GeoServer Flaw Breaches US Agency Network

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial