RMS RAT

RMS RAT (also known as RMS RAT, Remote Manipulator System) is a C++-based remote access trojan active since 2015. Weaponized Remote Utilities. Key capabilities include: legitimate remote admin tool abused for RAT functionality, used by TA505, FIN7.

Overview & Background

Weaponized Remote Utilities. First observed in 2015, RMS RAT is attributed to eCrime / APT. The malware is written in C++ and provides operators with comprehensive remote access capabilities.

Active Threat

RMS RAT continues to be actively distributed and used in campaigns targeting organizations worldwide. Its capabilities include: legitimate remote admin tool abused for RAT functionality, used by TA505, FIN7.

Language: C++
Active since: 2015
Attribution: eCrime / APT
Also known as: RMS RAT, Remote Manipulator System

Technical Capabilities

Legitimate Remote Admin Tool Abused For Rat Functionality: Core RMS RAT capability T1059
Used By Ta505: Core RMS RAT capability T1059
Fin7: Core RMS RAT capability T1059

Distribution Methods

RMS RAT is typically distributed through phishing emails with malicious attachments, cracked software downloads, and malvertising campaigns. Common delivery mechanisms include Office macros, ISO/IMG containers, and script-based downloaders.

Phishing emails: Malicious attachments and links T1566.001
Malvertising: SEO poisoning and malicious ads T1189
Cracked software: Bundled with pirated applications

MITRE ATT&CK Mapping

Tactic	Technique	Usage
Initial Access	T1566.001 Phishing Attachment	Malicious email attachments
Execution	T1204.002 Malicious File	User executes RAT payload
Persistence	T1547.001 Registry Run Keys	Autostart persistence
Defense Evasion	T1027 Obfuscated Files	Payload obfuscation
Credential Access	T1056.001 Keylogging	Keystroke capture
Collection	T1113 Screen Capture	Screenshot collection
Collection	T1125 Video Capture	Webcam access
C2	T1071.001 Web Protocols	HTTP/HTTPS C2 communication

Detection & Defense

Endpoint detection: Monitor for C++ processes with network connections from unusual locations
Network monitoring: Detect C2 traffic patterns associated with RMS RAT
Email security: Block malicious attachments and links in phishing campaigns
Application whitelisting: Restrict execution of unauthorized binaries
YARA rules: Deploy detection signatures for known RMS RAT variants

Protect Against Remote Access Trojans

Mjolnir Security provides comprehensive detection and response capabilities against RMS RAT and similar RAT threats.

RAT DetectionEndpoint SecurityThreat HuntingIncident ResponseMDR Services

RAT Detection & Removal Identify and remediate RMS RAT infections including persistence mechanisms and lateral movement artifacts.
Threat Intelligence Continuous monitoring for RMS RAT campaigns and infrastructure targeting your organization.
24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.

Written by: Mjolnir Security  |  Published: November 21, 2025

Overview & Background

Technical Capabilities

Distribution Methods

MITRE ATT&CK Mapping

Detection & Defense

Protect Against Remote Access Trojans

NjRAT: The Immortal .NET RAT

DcRAT: The Budget MaaS RAT