Compromised Website Images Camouflage ObliqueRAT Malware


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
The ObliqueRAT malware is now cloaking its payloads as seemingly-innocent image files that are hidden on compromised websites.

The remote access trojan (RAT), which has been operating since 2019, spreads via emails, which have malicious Microsoft Office documents attached. Previously, payloads were embedded into the documents themselves. Now, if users click on the attachment, they’re redirected to malicious URLs where the payloads are hidden with steganography.

Researchers warn that this new tactic has been seen helping ObliqueRAT operators to avoid detection during the malware’s targeting of various organizations in South Asia — where the goal is to ultimately sends victims an email with malicious Microsoft Office documents, which, once clicked, fetch the payloads and ultimately exfiltrate various data from the victim.

“This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections,” said Asheer Malhotra, researcher with Cisco Talos, on Tuesday. “Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.”

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.