Remote Access Trojan

Also known as: RAT

A type of malware that gives an attacker full, covert, interactive control of an infected computer — as if they were sitting at the keyboard.

What is a remote access trojan?

A remote access trojan, or RAT, is a category of malware that gives the attacker interactive, hands-on control of the compromised host. Unlike a worm that simply spreads, or ransomware that announces itself by encrypting files, a RAT is designed to stay hidden for weeks or months while the attacker rummages around. Typical capabilities include:

  • Executing arbitrary shell commands
  • Uploading and downloading files
  • Logging keystrokes
  • Capturing the webcam and microphone
  • Taking screenshots
  • Pivoting to other hosts on the internal network

How RATs differ from other malware

Generic botnet malware does one or two fixed things (send spam, launch DDoS) with no ability for the operator to improvise. A RAT is a general-purpose remote shell, closer in spirit to a legitimate remote-administration tool like TeamViewer or SSH, except that the victim didn't install it and can't see it running. Off-the-shelf RAT families (NjRAT, DarkComet, Quasar, AsyncRAT, Remcos, DCRat) are sold on underground forums, leaked, or published as open source, and get continuously re-skinned by low-skill attackers.

RAT network signature

RAT implants establish an outbound connection from the victim to the attacker's command-and-control (C2) server and then either hold that session open or tear it down and reconnect on a fixed timer ("beaconing"), typically every few seconds to minutes. Because the implant dials out rather than listening for inbound connections, it works behind NAT and through most egress firewalls, which is why almost every family does it this way. A workstation that keeps one session open for hours, or reconnects to the same unfamiliar external IP and port with machine-like regularity, is one of the classic network indicators of a RAT infection. Looking that destination up in an IP reputation or abuse-report service tells you whether other people have already reported it, and sometimes which family it was tied to, but an unreported address proves nothing: fresh C2 infrastructure is cheap, and the timing pattern itself is the stronger signal.
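The two timing patterns described above can be checked mechanically. The following is an added example, not code from the original page or from any RAT or security vendor: it groups constructed connection records (the field layout loosely follows a Zeek conn.log row; the timestamps, hosts, ports and durations are invented for the example, and the RFC 5737 documentation addresses stand in for public IPs) by source, destination and port, then reports tuples whose inter-connection gaps are machine-regular or whose single session is held open for an hour or more. The thresholds (six connections, a coefficient of variation of 0.2, one hour) are assumptions to tune against your own baseline.

```python
"""Flag RAT-style command-and-control patterns in connection records.

Heuristics from the text: (1) a workstation reconnecting to the same external
IP:port at a near-constant interval (beaconing) and (2) a single outbound
session held open for hours. All input below is constructed for the example.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed records: (timestamp_seconds, src_ip, dst_ip, dst_port, duration_seconds).
# Destination addresses use RFC 5737 documentation ranges as stand-ins for
# public IPs; ports are arbitrary for the example.
BASE = 1_700_000_000
CONN_LOG = []

# A workstation beaconing every ~30 s with slight jitter to 203.0.113.77:4782.
for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 1]):
    CONN_LOG.append((BASE + 30 * i + jitter, "10.0.0.5", "203.0.113.77", 4782, 0.4))

# The same workstation polling its internal resolver just as regularly (benign).
for i in range(10):
    CONN_LOG.append((BASE + 30 * i, "10.0.0.5", "10.0.0.1", 53, 0.01))

# Ordinary browsing: many connections to one host, but irregular spacing.
for offset in [0, 5, 7, 120, 121, 900, 905, 3000]:
    CONN_LOG.append((BASE + offset, "10.0.0.9", "198.51.100.20", 443, 2.0))

# One session held open for six hours from another workstation.
CONN_LOG.append((BASE, "10.0.0.8", "198.51.100.9", 443, 6 * 3600))

# Listed explicitly rather than via ipaddress.is_private, because Python also
# treats the documentation ranges used above as "private" and would hide them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip: str) -> bool:
    """True unless the address falls in an RFC 1918, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_c2_candidates(records, min_beacons=6, max_cv=0.2, long_lived_s=3600):
    """Return findings for (src, dst, port) tuples that look like C2 traffic.

    min_beacons:  fewest connections before interval regularity is judged.
    max_cv:       coefficient of variation (stdev / mean) of the gaps between
                  consecutive connections below which spacing counts as
                  machine-regular; humans browsing never get this low.
    long_lived_s: any single connection at least this long is reported.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, duration in records:
        if is_external(dst):           # internal chatter is out of scope here
            by_tuple[(src, dst, dport)].append((ts, duration))

    findings = []
    for (src, dst, dport), conns in by_tuple.items():
        conns.sort()
        longest = max(d for _, d in conns)
        if longest >= long_lived_s:
            findings.append({"kind": "long_lived", "src": src, "dst": dst,
                             "port": dport, "duration_s": longest})
        if len(conns) >= min_beacons:
            gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
            mean = statistics.mean(gaps)
            if mean > 0:
                cv = statistics.pstdev(gaps) / mean
                if cv <= max_cv:
                    findings.append({"kind": "beacon", "src": src, "dst": dst,
                                     "port": dport, "count": len(conns),
                                     "interval_s": round(mean, 1),
                                     "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_c2_candidates(CONN_LOG):
        print(finding)
```

Run against the constructed log, the beacon to 203.0.113.77 and the six-hour session to 198.51.100.9 are reported, while the equally regular internal DNS polling and the bursty browsing to 198.51.100.20 are not. Connection count alone would have flagged the browsing host; the regularity test is what separates the two. Real implants add random sleep jitter, so expect to raise max_cv and lengthen the observation window on production telemetry, and treat a single long session as a weaker lead than a regular beacon.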

Frequently Asked Questions

How do RATs get onto a system?

The most common delivery vectors are phishing emails with weaponized attachments (Excel macros, ISO files, OneNote documents), drive-by downloads from compromised legitimate sites, fake software cracks bundled with malware, malicious ads (malvertising) that drop payloads, and exploitation of unpatched remote-access services like RDP and VPN appliances. Targeted intrusions sometimes deploy RATs after initial access via stolen credentials or supply-chain compromise.

What is the difference between a RAT and a backdoor?

Substantial overlap, but the emphasis differs. A backdoor is any covert method of bypassing normal authentication to access a system, sometimes just a hidden user account or a magic password. A RAT is a full interactive remote-control payload with file transfer, screen capture, keylogging, and shell access. All RATs include backdoor functionality, but not all backdoors are full RATs. In casual usage the terms are often used interchangeably.

Can antivirus detect RATs?

Known RAT families (NjRAT, DarkComet, Quasar, AsyncRAT) are detected reliably by signature-based AV when the sample is stock. The cat-and-mouse problem is that attackers run RAT builders, "crypters" and "packers" that produce a slightly different binary every time, which evades hash- and signature-based detection until the new variant is analyzed and a signature is added. Behavioral EDR can catch the runtime activity (persistent outbound connection, keylogging hooks, webcam access, process injection) regardless of whether the file hash is known, which is why it is the more durable control.

Is the technology behind a RAT inherently malicious?

No. The underlying technology is identical to legitimate remote-administration tools (TeamViewer, AnyDesk, ScreenConnect, RustDesk), and many RAT vendors market their product as a "remote administration tool". What makes a tool a "RAT" in the malware sense is the deception: installed without consent, hidden from the user, used for malicious purposes. Some RAT codebases (like Quasar) are open source and were originally written for legitimate remote administration, then adopted by attackers. Possessing or writing a RAT may be legal; deploying one on systems you neither own nor have written authorization to test is a crime in essentially every jurisdiction.

What does "FUD" mean in RAT marketing?

"FUD" stands for "Fully UnDetectable", a marketing claim by RAT vendors that their build is not detected by any current antivirus product. The claim is always temporary: once a FUD sample is sold to enough customers, one of them gets caught and the sample is submitted to VirusTotal, after which AV signatures are added within hours to days. The underground market includes "FUD-checking" services (scanning against many AV engines without sharing the sample) and "re-FUD" services that re-pack samples after they get burned.