Atroposia malware-as-a-service platform discovered
Summary
A new malware-as-a-service (MaaS) platform named Atroposia offers cybercriminals a remote access trojan (RAT) with capabilities for persistent access, evasion, data theft, and local vulnerability scanning. The malware is available for a $200 monthly subscription. Its modules cover hidden remote desktop sessions, file system control, data exfiltration, clipboard theft, credential theft, cryptocurrency wallet theft, DNS hijacking, and local vulnerability scanning. Atroposia was first identified by researchers at Varonis on October 15, 2025, and has been observed being promoted on underground forums. The vulnerability scanner audits missing patches, unsafe settings, and vulnerable software, allowing attackers to prioritize exploits. The platform can be combined with SpamGPT and MatrixPDF to create a plug-and-play criminal toolkit. SpamGPT automates phishing campaign creation, SMTP/IMAP cracking, and deliverability tooling, while MatrixPDF weaponizes ordinary PDF files to bypass email filters. Atroposia uses encrypted command and control (C2) servers to foil traffic inspection and automatically escalates privileges via UAC bypass to gain admin rights and install multiple persistence mechanisms.
Timeline
-
28.10.2025 15:15 · 2 articles
Atroposia malware-as-a-service platform discovered
Atroposia was first identified by Varonis on October 15, 2025. The platform is being promoted on underground forums as a modular RAT with a full complement of offensive capabilities. It is priced at $200 per month, $500 every three months, or $900 for six months. The platform can be combined with SpamGPT and MatrixPDF to create a plug-and-play criminal toolkit. SpamGPT automates phishing campaign creation, SMTP/IMAP cracking, and deliverability tooling, while MatrixPDF weaponizes ordinary PDF files to bypass email filters. Atroposia uses encrypted command and control (C2) servers to foil traffic inspection and automatically escalates privileges via UAC bypass to gain admin rights and install multiple persistence mechanisms.
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
Information Snippets
-
Atroposia is a modular RAT that communicates with its command-and-control (C2) infrastructure over encrypted channels.
First reported: 28.10.2025 15:15 · 2 sources, 2 articles
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia bypasses User Account Control (UAC) protection to increase privileges on Windows systems.
First reported: 28.10.2025 15:15 · 2 sources, 2 articles
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia includes a hidden remote desktop (HRDP) module that spawns a covert desktop session in the background.
First reported: 28.10.2025 15:15 · 2 sources, 2 articles
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia features an explorer-style file manager for remote file browsing, copying, deleting, and execution.
First reported: 28.10.2025 15:15 · 1 source, 1 article
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
-
Atroposia's grabber component targets specific files, compresses them into password-protected ZIP archives, and exfiltrates them using in-memory techniques.
First reported: 28.10.2025 15:15 · 2 sources, 2 articles
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia's stealer module targets saved logins, crypto wallets, and chat files.
First reported: 28.10.2025 15:15 · 2 sources, 2 articles
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia includes a clipboard manager that captures everything copied in real-time, including passwords, API keys, and wallet addresses.
First reported: 28.10.2025 15:15 · 2 sources, 2 articles
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia's DNS hijack module maps domains to attacker IPs, enabling phishing, MITM, fake updates, ad or malware injection, and DNS-based exfiltration.
First reported: 28.10.2025 15:15 · 2 sources, 2 articles
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia's local vulnerability scanner audits missing patches, insecure settings, and outdated software versions.
First reported: 28.10.2025 15:15 · 2 sources, 2 articles
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia is available for a $200 monthly subscription, making it accessible to low-skilled threat actors.
First reported: 28.10.2025 15:15 · 2 sources, 2 articles
Sources:
- New Atroposia malware comes with a local vulnerability scanner — www.bleepingcomputer.com — 28.10.2025 15:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia was first identified by Varonis on October 15, 2025.
First reported: 29.10.2025 13:15 · 1 source, 1 article
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia is being promoted on underground forums as a modular RAT with a full complement of offensive capabilities.
First reported: 29.10.2025 13:15 · 1 source, 1 article
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia is priced at $200 per month, $500 every three months, or $900 for six months.
First reported: 29.10.2025 13:15 · 1 source, 1 article
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia can be combined with SpamGPT and MatrixPDF to create a plug-and-play criminal toolkit.
First reported: 29.10.2025 13:15 · 1 source, 1 article
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
SpamGPT automates phishing campaign creation, SMTP/IMAP cracking, and deliverability tooling.
First reported: 29.10.2025 13:15 · 1 source, 1 article
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
MatrixPDF weaponizes ordinary PDF files by adding overlays, redirects, and embedded actions to bypass email filters.
First reported: 29.10.2025 13:15 · 1 source, 1 article
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia uses techniques like encrypted command and control (C2) servers to foil traffic inspection.
First reported: 29.10.2025 13:15 · 1 source, 1 article
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Atroposia automatically escalates privileges via UAC bypass to gain admin rights and install multiple persistence mechanisms.
First reported: 29.10.2025 13:15 · 1 source, 1 article
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
-
Defending against Atroposia involves reducing initial access through strong phishing defenses, regular patching, user training, and multifactor authentication (MFA) enforcement.
First reported: 29.10.2025 13:15 · 1 source, 1 article
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
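Added example (not from the sources listed above or from Varonis): the grabber snippet describes stolen files being packed into password-protected ZIP archives, and the ZIP format marks such entries in a header flag that a defender can test for. The sketch assumes an egress sensor that can hand over upload bodies as bytes; the function names, hosts and addresses are constructed for illustration, and the sample archive only has the encryption flag set, its contents are not actually encrypted.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # ZIP general-purpose bit 0: entry is encrypted
AES_METHOD = 99          # compression-method value used by WinZip AES entries


def encrypted_entries(blob: bytes) -> list:
    """Names of encrypted entries in a ZIP byte string; [] if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [i.filename for i in zf.infolist()
                    if i.flag_bits & ENCRYPTED_FLAG or i.compress_type == AES_METHOD]
    except zipfile.BadZipFile:
        return []


def triage(uploads: list) -> list:
    """(host, destination, encrypted names) for each upload carrying encrypted entries."""
    hits = []
    for u in uploads:
        names = encrypted_entries(u["body"])
        if names:
            hits.append((u["host"], u["dest"], names))
    return hits


def make_sample_zip(names, encrypted=False) -> bytes:
    """Constructed test input: a small ZIP, optionally with the encryption bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    data = bytearray(buf.getvalue())
    if encrypted:  # flip bit 0 in every local (offset 6) and central (offset 8) header
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + off)
                struct.pack_into("<H", data, pos + off, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed upload records, as a proxy or DLP sensor might hand them over.
SAMPLE_UPLOADS = [
    {"host": "ws-017", "dest": "203.0.113.10", "body": make_sample_zip(["logins.txt", "wallet.dat"], True)},
    {"host": "ws-022", "dest": "198.51.100.7", "body": make_sample_zip(["report.docx"])},
    {"host": "ws-031", "dest": "198.51.100.9", "body": b"not an archive"},
]
```

An encrypted archive is not malicious by itself, so a hit is a triage signal to correlate with the sending process and destination, not a verdict.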
Similar Happenings
TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks
TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.