Atroposia RAT modular toolkit promoted on underground forums
Malware Activity
Summary
New Atroposia RAT activity has surfaced: the malware is a modular criminal toolkit promoted on underground forums, increasing the risk of credential theft and unauthorized remote access. It bundles encrypted C2, hidden remote access, wallet theft, DNS hijacking, and persistence. It was first identified on October 15 and is being marketed as a plug-and-play package for offenders. The toolkit can also be paired with SpamGPT and MatrixPDF to support phishing, delivery, and data theft.
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Atroposia malware-as-a-service remote access trojan activity
Malware Activity
First: 28.10.2025 15:15
Last: 28.10.2025 15:15
Sources 1
About this happening:
The **Atroposia** platform now offers a **remote access trojan** that gives buyers **persistent access**, **evasion**, **data theft**, and **local vulnerability scanning** on **Wi...
MatrixPDF ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 30.09.2025 21:57
Last: 30.09.2025 21:57
Sources 1
About this happening:
**MatrixPDF** is being marketed on **cybercrime forums** and **Telegram**, widening access to a paid phishing toolkit that can turn ordinary PDFs into lures for **credential theft...
Timeline
- 29.10.2025 13:15 · 1 article · 7mo ago
Varonis first identifies Atroposia as a modular RAT on underground forums
Initial Disclosure: Varonis first identifies Atroposia on October 15 and observes it being promoted on underground forums as a modular remote access trojan with encrypted command channels, hidden remote access, credential and cryptocurrency wallet theft, DNS hijacking, local vulnerability scanning, UAC bypass, and persistence mechanisms.
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
- 29.10.2025 13:15 · 2 articles · 7mo ago
Varonis details Atroposia's encrypted C2, HRDP Connect, and UAC bypass
Technical Analysis Update: Varonis' technical analysis on 2025-10-29 describes Atroposia using an encrypted command and control (C2) server to foil traffic inspection, hidden remote desktop takeover branded HRDP Connect, automatic privilege escalation via UAC bypass, and multiple persistence mechanisms to survive reboots while bypassing antivirus software. The same analysis says the RAT can be combined with SpamGPT and MatrixPDF as a plug-and-play criminal toolkit for phishing, delivery, and data theft.
Sources:
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15
- New Atroposia RAT Surfaces on Dark Web — www.infosecurity-magazine.com — 29.10.2025 13:15