
RokRAT malware activity on Windows hosts

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary


The RokRAT malware is being delivered through malicious LNK and PowerShell chains, giving operators control over infected Windows hosts and enabling cloud-based exfiltration. The payload can collect system information, execute arbitrary commands, enumerate files, capture screenshots, and download additional payloads. The infection chains use a ZIP archive and masqueraded PDF lure to trigger execution. Collected data is sent through Dropbox, Google Cloud, pCloud, and Yandex Cloud.

Related Happenings

Amnesia RAT retrieved from Dropbox for data theft and remote control

Malware Activity
First: 24.01.2026 13:09 Last: 24.01.2026 13:09 Sources 1

About this happening: The **Amnesia RAT** payload is being staged from **Dropbox**, giving the operators a **remote-access trojan** that can steal data and control infected endpoints. It is the final s...

AsyncRAT distribution via TryCloudflare, Dropbox, and WSH infection chain

Malware Activity
First: 14.01.2026 16:18 Last: 14.01.2026 16:18 Sources 1

About this happening: A **multi-stage phishing chain** is distributing **AsyncRAT** through **TryCloudflare tunnels** and **Dropbox ZIP links**, creating a persistent **Windows** infection path that en...

Patchwork-linked StreamSpy Trojan adds WebSocket and HTTP C2

Malware Activity
First: 02.01.2026 15:52 Last: 02.01.2026 15:52 Sources 1

About this happening: A **Windows malware packer/loader** named **pkr_mtsi** was first observed on **April 24 2025** and is used in **large-scale malvertising** and **SEO-poisoning** campaigns to deliv...

Latest development: 07.01.2026 18:45

ReversingLabs identified pkr_mtsi as a flexible Windows malware packer and loader first seen on April 24 2025, used in large-scale malvertising and SEO-poisoning campaigns to distribute trojanized installers masquerading as legitimate software and deliver Oyster, Vidar, Vanguard Stealer and Supper.

UDPGangster backdoor deployed by MuddyWater

Malware Activity
First: 08.12.2025 08:46 Last: 08.12.2025 08:46 Sources 1

About this happening: The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...

Kimsuky HttpTroy spear-phishing campaign targeting South Korea

Campaign
First: 03.11.2025 12:42 Last: 03.11.2025 12:42 Sources 1

About this happening: A **Kimsuky** spear-phishing operation delivered **HttpTroy** to **a single victim in South Korea**, giving the attackers a multi-stage path to remote control and persistence. The...

Timeline

  1. 01.09.2025 11:26 2 articles · 8mo ago

    RokRAT is delivered through a malicious LNK phishing chain

    Initial Disclosure

    Seqrite Labs identified Operation HanKook Phantom as a ScarCruft (APT37) phishing campaign against people associated with the National Intelligence Research Association in South Korea, using a ZIP archive with a Windows shortcut (LNK) masquerading as a PDF document to launch a decoy newsletter and drop RokRAT on infected Windows hosts. RokRAT can collect system information, execute arbitrary commands, enumerate the file system, capture screenshots, download additional payloads, and exfiltrate data through Dropbox, Google Cloud, pCloud, and Yandex Cloud.
