Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/alphaSeclab/awesome-rat

RAT And C&C Resources. 250+ Open Source Projects, 1200+ RAT/C&C blog/video.
https://github.com/alphaSeclab/awesome-rat

List: awesome-rat

c2 command-and-control command-control malware-analysis rat rat-analysis rat-malware remote-access-tool remote-administration-tool

Last synced: 3 months ago
JSON representation

RAT And C&C Resources. 250+ Open Source Projects, 1200+ RAT/C&C blog/video.

Awesome Lists containing this project

README

        

# [所有收集类项目](https://github.com/alphaSeclab/all-my-collection-repos)

# RAT

- 250+ 开源远控/C&C工具,1200+ RAT分析报告\C&C相关文章等。
- [English Version](https://github.com/alphaSeclab/awesome-rat/blob/master/Readme_en.md)

# 目录
- [开源工具](#39bad1d60c8fbb697fd8701ffafc50a6)
- [pupy](#98000cf45f63bf295d39e9255d7972ca) -> [(1)工具](#ff6ee8128d4f01f80c3f2bb522f0d5e9) [(6)文章](#4f5ffa16436730588e8d009febe1bd5c)
- [Covenant](#1acc99cd2330bc55f1dffecfa75b9c7d) -> [(3)工具](#05d2a0aed9499aea447e90668c8d5103) [(18)文章](#81af73c48e520a45619cbf7769cc64b5)
- [Slackor](#cf120400afb57c2af9b8da037b3b7c3b) -> [(1)工具](#280aaf2c1b0f44b6f5ec7095d7b35578) [(3)文章](#8adba68f714e281a3bb7faa2c3661d1b)
- [QuasarRAT](#05df4f3dd6438b6f6d67f56a8b6e40f3) -> [(1)工具](#c2df559aa60f8bfd5da4d9fc7c0ea0d2) [(9)文章](#36c965d7808be2799f70e4d910a17abd)
- [EvilOSX](#380ea0abfdbf07624ebf45681b773e54) -> [(1)工具](#a69f3baa491547ddf6a628cda168b492) [(9)文章](#375dc16ed1cf6be4274da55140784610)
- [Merlin](#42a4a0bcb02fcb7a30fe7e42b7a9cdb5) -> [(1)工具](#941bae92e80ca3f9c21a232cc959eb67) [(3)文章](#5b3a7a286bac53bf26395ea5ffb6c590)
- [商业软件](#f1821c037c77e23ca5c2552477708930)
- [Team Viewer](#db69305116cf91a4e67b4c75465dfe3e) -> [(7)工具](#d42849969f2b53c898f0b6e710dc3027) [(34)文章](#eed97a5a9b2346759fb7bb30c5a98bbe)
- [恶意软件(部分)](#f6f85e2d4f8e5442884f4d9b6e56ca42)
- [Gh0st](#74d9131b5ad95c569c0afb9ee5a3c9b9) -> [(5)工具](#dcb10cc6813a25815201b36bacdef198) [(23)文章](#683b7000242336c05ea278c9ad3d7e5e)
- [NanoCore](#81308c6923f66db886efe8ae967c2845) -> [(1)工具](#c84aebee516fbf526701102cfa6d0a98) [(32)文章](#6df7f0da7bb260a54405579912678c0d)
- [NjRat](#31bd9e6c54fdd9a00a45542e53abc13b) -> [(4)工具](#ff7bcb6c765cb73cfadda9f06deda668) [(20)文章](#de09011e16164e950d653756212219ac)
- [Revenge RAT](#db2bbd5298638952f34060e4f8ee0053) -> [(1)工具](#cef60ee76daa3240e95bbf82f2994848) [(9)文章](#2dd3016da115b16c9de264b885105eff)
- [PlugX](#37466b42f2f777fa5a6400d78931995c) -> [(1)工具](#03b501e2e5da59c3c97027775e6a93b7) [(40)文章](#17ca6dd6130c10b726039472c20bb093)
- [(25) RemcosRAT](#ee2e3505664b3a7d26842b0278ccce23)
- [(3) L0rdixRAT](#3f113acb3b6863c4ec5cbe04ce69f841)
- [(1) LodaRAT](#07522f33ae58f9d0de0bdc202f6aa1aa)
- [(9) GulfRAT](#e8fa6ccd3f727add34525951a81fd493)
- [(14) NetWireRAT](#57ea699dadcafe202a31772c837f9b7f)
- [(1) JhoneRAT](#20cd83aa4b202931ed4597c506d61257)
- [(2) Dacls](#2da027a7cc244e466f914c996623d114)
- [(1) BlackRemote](#8bfe869e8aca6fa9e7d2d5b0353c0dc2)
- [(17) Orcus](#9ac323d054e6f52e9a92e449b51e75e6)
- [(1) NukeSped](#8038672c0b8ef4b0b82afdeae025b38c)
- [(21) DarkComet](#11b35c707990ed436d23cc7495713177)
- [(1) WarZone RAT](#5af0edca5a51bdd5fd8f8d37b08218c8)
- [(16) BlackShades](#84187b0e75ca2a5a844f0367bf6d3c6b)
- [(1) DenesRAT](#36531e67f10ecd7114880530e5e46e95)
- [(4) WSH RAT](#660f78a639f351f8404accad8c711ca4)
- [(2) Qrypter RAT](#319dcbdac181398a9b2ba7f5424a3e04)
- [(20) Adwind](#eb6a3a9a179678734be43ea1eb26f1c3)
- [(1) CannibalRAT](#eb3c9f8af4ebe91aca4649718ff595c2)
- [(3) jRAT](#5fe739ee0e8778979807558ccd439b07)
- [(5) jsRAT](#b62c18c1b4fc6d5b52ca826b36cf0819)
- [(4) CrossRat](#8d0732c4a6cf2393c0ff4e6cfe54f50f)
- [(1) ArmaRat](#bb9ad532c3a3c9235157325236380a96)
- [(6) RokRAT](#504b8511fe74ddb142775e007fa509f8)
- [(1) CatKARAT](#ec8fe0e42f60749c29b75ed6708a5323)
- [(5) TheFatRat](#c3abd29c4145412f661b02b37347e70b)
- [(2) OmniRAT](#f1e2e824425e798bf4e410e4496181ed)
- [(6) LuminosityLink](#bea46716ccf78713fbb9764999968e72)
- [(477) 其他](#6e0343d40b9606a34ad2ff311d0d259a)
- [利用公开服务](#e80bdc9447f3cdc9416282b598b14cf7)
- [Telegram](#17b978a5c371699ccd9a5687ae3f3949) -> [(3)工具](#492b34c27ab06b3696c0464465b74eec) [(2)文章](#06365f440cb6fa3e0daf933cb0874c8b)
- [Twitter](#a6303482a58e0d14bb8ce1849817ab5a) -> [(2)工具](#ae91172321950c1296375e9c9059d773) [(6)文章](#f6f5e4da48152e5b0bc45608a3f9a656)
- [GMail](#d2041a55efcfc29ca6a257916255b43b) -> [(3)工具](#be2346c808f9813f13da3526576e1839) [(8)文章](#4b9fa06652be565e5e53db0b094bfb80)
- [Github](#b37bc6073be9a78ed6dbd0d21251fc63) -> [(1)工具](#842ef8261474bd529ac72c43dcf9c1fa) [(5)文章](#d46b05d91c64bed9533dd00ba8eac513)
- [DropBox](#618ec29a95a1f90a2696490d1f1afb2f) -> [(1)工具](#a6091cce89af46f8e9deb0efe0a378cc) [(3)文章](#59b97649c4ed0a852859d07d2e640c45)
- [区块链](#2b58c60ed7c7920f03979756f6f72fcc) -> [(2)工具](#920d0c6167385c71e171ccbe71397f7a) [(1)文章](#3d26ec5c4c50edaaf343903e5fb182c2)
- [其他](#1e53961ca8fc592a588e18a5f1519078) -> [(15)工具](#77cdae7f8911e93ff055f270ef9bf562) [(5)文章](#8842ea68ff727ac4d5d970405f152161)
- [通信协议](#9f6f77f1fcf614c9738dfeac9cc5d1d3)
- [DNS协议](#7485e724ef5efd1daf9d672bd72fb595)
- [(9) 工具](#d70a62f77fa20a2219e81fa61527e644)
- [(18) 文章](#fa377fafdbd3ef80574411ef3a54c693)
- [Domain Generation Algorithm(DGA)](#41df71c75c08038e17e5526fe0afceb5) -> [(14)工具](#a2e73ce71da73fb1b4ab8cb52449d839) [(42)文章](#7c21e329221f50f2b9c1918ab01c26fd)
- [ICMP](#867ed7efa4643442ef6859571db8a587) -> [(5)文章](#aa2a205557d269a563191e7fc7f7eb0a)
- [WebSocket](#fe3abb0c040999744a648ed68780835c) -> [(2)工具](#097f22edaf98529c95353d8edef562b7) [(5)文章](#f2f397345d35d2cc574a4689ad4c8293)
- [C&C](#1c28538afe533f545b540cbd78637241)
- [Cobalt Strike](#e8d16b3301a2ab9109b503b89ec6eece) -> [(14)工具](#f587c1f0baaf7aa1d9e9c5fe533c7a6d) [(8)文章](#249b843c26732ce792d7448c2601f595)
- [工具](#ec8ac76dec379ff452f681a4504444b8)
- [(64) 新添加](#dbd38a8d8a1e246cd8628a34002c5fe7)
- [文章](#307c055d7414abc9ab9f2fb4e85456e1)
- [(258) 新添加](#dc96281ca669ac06c3d7d134c7f90643)
- [远控](#b318465d0d415e35fc0883e9894261d1)
- [工具](#9e3a9beb5ecf36b9624525bc3cfef78a)
- [(9) Android](#6ed48c90d1bd6a31a4ea7380f4f5768a)
- [(5) Linux](#fa50a59bde92471d60f030ea12817540)
- [(17) Windows](#1da695fd3dec80b88aadb1b7c724330f)
- [(4) Apple](#674863bb36ce7a2f814934480c7fd3d2)
- [(90) 新添加](#964a3580a7a7f66571ee1d2c0f34f2d6)
- [文章](#39ccec75049c60fa1d5dd46fea812331)

# 开源工具

***

## pupy

### 工具

- [**5265**星][1m] [Py] [n1nj4sec/pupy](https://github.com/n1nj4sec/pupy) Python编写的远控、后渗透工具,跨平台(Windows, Linux, OSX, Android)

### 文章

- 2020.01 [TheCyberWire] [PupyRAT is back. So is the Konni Group. Twitter storm over claims that MBS hacked Jeff Bezos....](https://www.youtube.com/watch?v=q_zqp7BTVyU)
- 2019.03 [hackingarticles] [Command & Control Tool: Pupy](https://www.hackingarticles.in/command-control-tool-pupy/)
- 2017.11 [chokepoint] [Pupy as a Metasploit Payload](http://www.chokepoint.net/2017/11/pupy-as-metasploit-payload.html)
- 2017.10 [boredhackerblog] [Pupy shell over Tor](http://www.boredhackerblog.info/2017/10/pupy-shell-over-tor.html)
- 2017.02 [n0where] [Open Source Cross Platform RAT: Pupy](https://n0where.net/open-source-cross-platform-rat-pupy)
- 2015.10 [hackingarticles] [Hack Remote PC using Pupy – Remote Administration Tool](http://www.hackingarticles.in/hack-remote-pc-using-pupy-remote-administration-tool/)

***

## Covenant

### 工具

- [**1147**星][6d] [C#] [cobbr/covenant](https://github.com/cobbr/covenant) Covenant is a collaborative .NET C2 framework for red teamers.
- [**95**星][9d] [C#] [cobbr/elite](https://github.com/cobbr/elite) Elite is the client-side component of the Covenant project. Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
- [**31**星][4m] [C#] [cobbr/c2bridge](https://github.com/cobbr/c2bridge) C2Bridges allow developers to create new custom communication protocols and quickly utilize them within Covenant.

### 文章

- 2020.01 [csis] [Embedding external DLLs into Covenant Tasks](https://medium.com/p/de443c4a2b84)
- 2020.01 [hakin9] [Covenant the .NET based C2 on Kali Linux | by Dan Dieterle](https://hakin9.org/covenant-the-net-based-c2-on-kali-linux/)
- 2019.12 [cyberarms] [Covenant the .NET based C2 on Kali Linux](https://cyberarms.wordpress.com/2019/12/30/covenant-the-net-based-c2-on-kali-linux/)
- 2019.12 [rastamouse] [Covenant Tasks 101](https://rastamouse.me/2019/12/covenant-tasks-101/)
- 2019.12 [rsa] [Using RSA NetWitness to Detect C&C: Covenant](https://community.rsa.com/community/products/netwitness/blog/2019/12/20/using-rsa-netwitness-to-detect-cc-covenant)
- 2019.11 [4hou] [Covenant利用分析](https://www.4hou.com/technology/21328.html)
- 2019.11 [3gstudent] [Covenant利用分析](https://3gstudent.github.io/3gstudent.github.io/Covenant%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90/)
- 2019.10 [cobbr] [Covenant: Developing Custom C2 Communication Protocols](https://cobbr.io/Covenant-Developing-Custom-C2-Protocols.html)
- 2019.10 [specterops] [Covenant: Developing Custom C2 Communication Protocols](https://medium.com/p/895587e7f325)
- 2019.09 [freebuf] [Covenant:针对红队设计的.NET命令行控制框架](https://www.freebuf.com/articles/system/213672.html)
- 2019.09 [stealthbits] [Setup, Configuration, and Task Execution with Covenant: The Complete Guide](https://blog.stealthbits.com/setup-configuration-and-task-execution-with-covenant-the-complete-guide/)
- 2019.08 [stealthbits] [Next-Gen Open Source C2 Frameworks in a Post PSEmpire World: Covenant](https://blog.stealthbits.com/next-gen-open-source-c2-frameworks/)
- 2019.08 [rastamouse] [Covenant, Donut, TikiTorch](https://rastamouse.me/2019/08/covenant-donut-tikitorch/)
- 2019.08 [cobbr] [Covenant: The Usability Update](https://cobbr.io/Covenant-The-Usability-Update.html)
- 2019.08 [specterops] [Covenant: The Usability Update](https://medium.com/p/9a7a596a4772)
- 2019.02 [cobbr] [Entering a Covenant: .NET Command and Control](https://cobbr.io/Covenant.html)
- 2019.02 [rvrsh3ll] [Entering a Covenant: .NET Command and Control](https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462)
- 2019.01 [specterops] [Entering a Covenant: .NET Command and Control](https://medium.com/p/e11038bcf462)

***

## Slackor

### 工具

- [**332**星][12d] [Py] [coalfire-research/slackor](https://github.com/coalfire-research/slackor) A Golang implant that uses Slack as a command and control server

### 文章

- 2019.09 [freebuf] [Slackor:Go语言写的一款C&C服务器](https://www.freebuf.com/sectool/212690.html)
- 2019.08 [freebuf] [Slackor:如何将Slack当作你的命令控制服务器](https://www.freebuf.com/articles/network/209252.html)
- 2019.06 [n00py] [Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel](https://www.n00py.io/2019/06/introducing-slackor-a-remote-access-tool-using-slack-as-a-c2-channel/)

***

## QuasarRAT

### 工具

- [**2932**星][10m] [C#] [quasar/quasarrat](https://github.com/quasar/quasarrat) Remote Administration Tool for Windows

### 文章

- 2019.10 [UltraHacks] [QuasarRAT [Free Download] | [TUTORIAL VIDEO] | Ultra Hacks](https://www.youtube.com/watch?v=0pyPk26lNiE)
- 2018.09 [malwarebytes] [Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT](https://blog.malwarebytes.com/threat-analysis/2018/09/buggy-implementation-of-cve-2018-8373-used-to-deliver-quasar-rat/)
- 2018.03 [4hou] [深入分析利用宏代码传播NetwiredRC和Quasar RAT的恶意RTF文档](http://www.4hou.com/web/10909.html)
- 2018.01 [paloaltonetworks] [VERMIN: Quasar RAT and Custom Malware Used I](https://unit42.paloaltonetworks.com/unit42-vermin-quasar-rat-custom-malware-used-ukraine/)
- 2017.12 [HackerSploit] [QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows](https://www.youtube.com/watch?v=kyueZUfSWO4)
- 2017.11 [n0where] [Free, Open-Source Remote Administration Tool for Windows: QuasarRAT](https://n0where.net/free-open-source-remote-administration-tool-for-windows-quasarrat)
- 2017.10 [TechnoHacker] [Quasar RAT review](https://www.youtube.com/watch?v=fS9OTERI3hg)
- 2017.10 [rsa] [MalSpam Delivers RAT SpyWare Quasar 9-27-2017](https://community.rsa.com/community/products/netwitness/blog/2017/10/02/malspam-delivers-rat-spyware-quasar-9-27-2017)
- 2017.01 [paloaltonetworks] [Downeks and Quasar RAT Used in Recent Targeted Attacks Against Go](https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/)

***

## EvilOSX

### 工具

- [**1376**星][2y] [Py] [marten4n6/evilosx](https://github.com/marten4n6/evilosx) An evil RAT (Remote Administration Tool) for macOS / OS X.

### 文章

- 2019.07 [hackingarticles] [EvilOSX-RAT for MacOS/OSX](https://www.hackingarticles.in/evilosx-rat-for-macos-osx/)
- 2019.06 [NullByte] [Take Control Over MacOS Computers with EvilOSX [Tutorial]](https://www.youtube.com/watch?v=qxymLHGnCo4)
- 2018.08 [freebuf] [EvilOSX:一款功能强大的macOS远程管理工具(RAT)](http://www.freebuf.com/sectool/180668.html)
- 2018.07 [pentesttoolz] [EvilOSX – Evil Remote Administration Tool (RAT) for macOS/OS X – Kali Linux 2018.2](https://pentesttoolz.com/2018/07/04/evilosx-evil-remote-administration-tool-rat-for-macos-os-x-kali-linux-2018-2/)
- 2018.06 [n0where] [Pure python post-exploitation RAT for macOS & OSX: EvilOSX](https://n0where.net/pure-python-post-exploitation-rat-for-macos-osx-evilosx)
- 2018.03 [applehelpwriter] [defending against EvilOSX, a python RAT with a twist in its tail](http://applehelpwriter.com/2018/03/09/defending-against-evilosx-a-python-rat-with-a-twist-in-its-tail/)
- 2018.03 [binarydefense] [EvilOSX - Binary Defense](https://www.binarydefense.com/evilosx/)
- 2018.03 [binarydefense] [EvilOSX](https://blog.binarydefense.com/evilosx)
- 2017.11 [NullByte] [EvilOSX RAT - How to build a payload and start a server](https://www.youtube.com/watch?v=csqnJUxrpOw)

***

## Merlin

### 工具

- [**2568**星][6m] [Go] [ne0nd0g/merlin](https://github.com/ne0nd0g/merlin) Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.

### 文章

- 2019.03 [hackingarticles] [Command and Control Guide to Merlin](https://www.hackingarticles.in/command-and-control-guide-to-merlin/)
- 2018.02 [lockboxx] [Merlin for Red Teams](https://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html)
- 2017.12 [n0where] [Cross-Platform Post-Exploitation HTTP/2 Command & Control Server: Merlin](https://n0where.net/cross-platform-post-exploitation-http-2-command-control-server-merlin)

# 商业软件

***

## Team Viewer

### 工具

- [**405**星][2y] [C++] [vah13/extracttvpasswords](https://github.com/vah13/extracttvpasswords) tool to extract passwords from TeamViewer memory using Frida
- [**277**星][2y] [C++] [gellin/teamviewer_permissions_hook_v1](https://github.com/gellin/teamviewer_permissions_hook_v1) A proof of concept injectable C++ dll, that uses naked inline hooking and direct memory modification to change your TeamViewer permissions.
- [**175**星][9d] [uknowsec/sharpdecryptpwd](https://github.com/uknowsec/sharpdecryptpwd) 对密码已保存在 Windwos 系统上的部分程序进行解析,包括:Navicat,TeamViewer,FileZilla,WinSCP,Xmangager系列产品(Xshell,Xftp)。
- [**59**星][2y] [Py] [attackercan/teamviewer-dumper](https://github.com/attackercan/teamviewer-dumper) 从内存中转储TeamViewer ID 和密码
- [**42**星][6d] [C#] [v1v1/decryptteamviewer](https://github.com/v1v1/decryptteamviewer) Enumerate and decrypt TeamViewer credentials from Windows registry
- [**36**星][5y] [C++] [kkar/teamviewer-dumper-in-cpp](https://github.com/kkar/teamviewer-dumper-in-cpp) Dumps TeamViewer ID,Password and account settings from a running TeamViewer instance by enumerating child windows.
- [**25**星][5m] [C++] [dydtjr1128/remoteassistance-cpp](https://github.com/dydtjr1128/remoteassistance-cpp) [WIP]RemoteAssistance like TeamViewer(C++)

### 文章

- 2020.02 [yoroi] [Importante Vulnerabilità su TeamViewer](https://blog.yoroi.company/warning/importante-vulnerabilita-su-teamviewer/)
- 2020.01 [freebuf] [“正版”监控软件被黑产利用,输出把关不严或成另一个TeamViewer?](https://www.freebuf.com/articles/system/225335.html)
- 2019.11 [sessionstack] [TeamViewer, and Alternative Remote Access and Web Conferencing Solutions, Through the Lens of Customer Service](https://blog.sessionstack.com/teamviewer-and-alternative-remote-access-and-web-conferencing-solutions-through-the-lens-of-c219d0db7f85)
- 2019.10 [threatbook] [“TeamViewer被黑门”是确有其事还是夸大其词?别慌!一文看懂应对方法](https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=1994)
- 2019.10 [freebuf] [TeamViewer据称“被入侵”事件的研判及结论](https://www.freebuf.com/articles/system/216444.html)
- 2019.04 [4hou] [利用木马化TeamViewer针对多个国家政府机构的攻击行动](https://www.4hou.com/web/17610.html)
- 2019.04 [0x00sec] [Port 5900 open on a MAC that used Teamviewer, trying to access it](https://0x00sec.org/t/port-5900-open-on-a-mac-that-used-teamviewer-trying-to-access-it/13173/)
- 2018.09 [blackmoreops] [Install TeamViewer on Kali Linux 2018](https://www.blackmoreops.com/2018/09/25/install-teamviewer-on-kali-linux-2018/)
- 2018.08 [freebuf] [你下载的TeamViewer13破解版可能有毒](http://www.freebuf.com/vuls/175689.html)
- 2018.08 [4hou] [使用RMS和TeamViewer攻击工业公司](http://www.4hou.com/web/12940.html)
- 2018.08 [kaspersky] [Attacks on industrial enterprises using RMS and TeamViewer](https://ics-cert.kaspersky.com/reports/2018/08/01/attacks-on-industrial-enterprises-using-rms-and-teamviewer/)
- 2018.08 [securelist] [Attacks on industrial enterprises using RMS and TeamViewer](https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/)
- 2017.12 [4hou] [TeamViewer 13.0.5058中的权限漏洞测试](http://www.4hou.com/vulnerable/9243.html)
- 2017.12 [3gstudent] [TeamViewer 13.0.5058中的权限漏洞测试](https://3gstudent.github.io/3gstudent.github.io/TeamViewer-13.0.5058%E4%B8%AD%E7%9A%84%E6%9D%83%E9%99%90%E6%BC%8F%E6%B4%9E%E6%B5%8B%E8%AF%95/)
- 2017.12 [3gstudent] [TeamViewer 13.0.5058中的权限漏洞测试](https://3gstudent.github.io/3gstudent.github.io/TeamViewer-13.0.5058%E4%B8%AD%E7%9A%84%E6%9D%83%E9%99%90%E6%BC%8F%E6%B4%9E%E6%B5%8B%E8%AF%95/)
- 2017.12 [malwarebytes] [Use TeamViewer? Fix this dangerous permissions bug with an update](https://blog.malwarebytes.com/cybercrime/2017/12/use-teamviewer-fix-this-dangerous-permissions-bug-with-an-update/)
- 2017.11 [360] [基于TeamViewer的瞄准小公司的远控木马分析](https://www.anquanke.com/post/id/87336/)
- 2017.08 [freebuf] [利用Frida从TeamViewer内存中提取密码](http://www.freebuf.com/sectool/142928.html)
- 2017.04 [4hou] [深入了解恶意软件如何滥用TeamViewer?](http://www.4hou.com/technology/4417.html)
- 2017.02 [4hou] [TeamSpy又回来了,TeamViewer变成了它的攻击载体](http://www.4hou.com/info/3461.html)
- 2016.12 [trendmicro] [New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer](https://blog.trendmicro.com/trendlabs-security-intelligence/new-smssecurity-variant-roots-phones-abuses-accessibility-features-teamviewer/)
- 2016.10 [broadanalysis] [Rig Exploit Kit via EITEST delivers malicious payload and TeamViewer Remote Control](http://www.broadanalysis.com/2016/10/22/rig-exploit-kit-via-eitest-delivers-malicious-payload-and-teamviewer-remote-control/)
- 2016.06 [trendmicro] [Unsupported TeamViewer Versions Exploited For Backdoors, Keylogging](https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging/)
- 2016.06 [] [运用最广的远控-TeamViewer被黑了](http://www.91ri.org/15890.html)
- 2016.06 [radware] [Has TeamViewer Been Hacked?](https://blog.radware.com/security/2016/06/has-teamviewer-been-hacked/)
- 2016.06 [fortinet] [Threat Landscape Perspectives: TeamViewer Attack – Spy vs. Spy Misdirection?](https://www.fortinet.com/blog/industry-trends/threat-landscape-perspectives-teamviewer-misdirection-like-spy-vs-spy.html)
- 2016.03 [privacy] [Surprise, Hackers Use TeamViewer to Spread Ransomware](http://privacy-pc.com/news/hackers-use-teamviewer.html)
- 2015.08 [volatility] [Recovering TeamViewer (and other) Credentials from RAM with EditBox](https://volatility-labs.blogspot.com/2015/08/recovering-teamviewer-and-other.html)
- 2015.06 [] [获取运行中的TeamViewer的账号和密码](http://www.91ri.org/13367.html)
- 2014.05 [trendmicro] [Remote Help for Family and Friends – Part 1: Installing and Using TeamViewer](http://blog.trendmicro.com/remote-help-family-friends-part-1/)
- 2014.02 [webroot] [Managed TeamViewer based anti-forensics capable virtual machines offered as a service](https://www.webroot.com/blog/2014/02/10/managed-teamviewer-based-anti-forensics-capable-virtual-machines-offered-service/)
- 2014.01 [robert] [Howto install Teamviewer 9.x on Ubuntu >= 12.04 64bit (in my case 13.10)](https://robert.penz.name/709/howto-install-teamviewer-9-x-on-ubuntu-12-04-64bit-in-my-case-13-10/)
- 2013.05 [security] [Installing Teamviewer 8 on Kali 64bit (Debian)](http://security-is-just-an-illusion.blogspot.com/2013/05/installing-teamviewer-8-on-kali-64bit.html)
- 2013.03 [securelist] [The TeamSpy Crew Attacks – Abusing TeamViewer for Cyberespionage](https://securelist.com/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/35520/)

# 恶意软件(部分)

***

## Gh0st

### 工具

- [**301**星][7d] [C++] [yuanyuanxiang/simpleremoter](https://github.com/yuanyuanxiang/simpleremoter) 基于gh0st的远程控制器:实现了终端管理、进程管理、窗口管理、远程桌面、文件管理、语音管理、视频管理、服务管理、注册表管理等功能
- [**273**星][7y] [C++] [sin5678/gh0st](https://github.com/sin5678/gh0st) a open source remote administrator tool
- [**91**星][6y] [C++] [igh0st/gh0st3.6_src](https://github.com/igh0st/gh0st3.6_src)
- [**90**星][1m] [C++] [zibility/remote](https://github.com/zibility/remote) 参考Gh0st源码,实现的一款PC远程协助软件,拥有远程Shell、文件管理、桌面管理、消息发送等功能。
- [**21**星][5m] [C++] [holmesian/gh0st-light](https://github.com/holmesian/gh0st-light) 精简之后的老东西

### 文章

- 2020.01 [z3roTrust] [Becoming Untraceable - 12.0_Gh0st_Us3r.dll](https://medium.com/p/4c43ed5c4872)
- 2020.01 [rsa] [Detecting Gh0st RAT in the RSA NetWitness Platform](https://community.rsa.com/community/products/netwitness/blog/2020/01/09/detecting-gh0st-rat-in-netwitness)
- 2019.06 [binarydefense] [Gh0stCringe (Formerly CirenegRAT) - Binary Defense](https://www.binarydefense.com/gh0stcringeformerly-cirenegrat/)
- 2019.03 [alienvault] [The odd case of a Gh0stRAT variant](https://www.alienvault.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant)
- 2018.11 [trendmicro] [使用机器学习对Gh0st远控变种恶意网络数据流进行归类](https://blog.trendmicro.com/trendlabs-security-intelligence/using-machine-learning-to-cluster-malicious-network-flows-from-gh0st-rat-variants/)
- 2018.08 [traffic] [[2018-08-12] KaiXinEK->Gh0stRAT](https://traffic.moe/2018/08/12/index.html)
- 2018.07 [traffic] [[2018-07-16] KaiXinEK->Gh0stRAT](https://traffic.moe/2018/07/16/index.html)
- 2018.07 [inquest] [Field Notes: Malicious HFS Instances Serving Gh0stRAT](https://inquest.net/blog/2018/07/09/field-notes-malicious-hfs-servers)
- 2018.07 [360] [针对一个远控木马Gh0st RAT样本的初始化分析](https://www.anquanke.com/post/id/150098/)
- 2018.05 [id] [CryptGh0st](http://id-ransomware.blogspot.com/2018/05/cryptgh0st-ransomware.html)
- 2018.05 [freebuf] [解码Gh0st RAT变种中的网络数据](http://www.freebuf.com/articles/network/170636.html)
- 2018.04 [freebuf] [Gh0st大灰狼RAT家族通讯协议分析](http://www.freebuf.com/articles/paper/167917.html)
- 2018.04 [360] [Gh0st/大灰狼RAT家族通讯协议分析](https://www.anquanke.com/post/id/103831/)
- 2017.12 [traffic] [[2017-12-06] KaiXinEK->Gh0stRAT](https://traffic.moe/2017/12/06/index.html)
- 2016.06 [cysinfo] [Hunting and Decrypting Communications of Gh0st RAT in Memory](https://cysinfo.com/hunting-and-decrypting-communications-of-gh0st-rat-in-memory/)
- 2014.05 [pediy] [[原创]Gh0st3.6 windows7无法连接bug分析](https://bbs.pediy.com/thread-187505.htm)
- 2014.04 [pediy] [[讨论]Gh0st3.6 IOCP发送BUG](https://bbs.pediy.com/thread-186833.htm)
- 2014.03 [trendmicro] [Kunming Attack Leads to Gh0st RAT Variant](https://blog.trendmicro.com/trendlabs-security-intelligence/kunming-attack-leads-to-gh0st-rat-variant/)
- 2013.08 [pediy] [二次的gh0st](https://bbs.pediy.com/thread-177231.htm)
- 2013.06 [trendmicro] [Targeted Attack in Taiwan Uses Infamous Gh0st RAT](https://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-in-taiwan-uses-infamous-gh0st-rat/)
- 2012.11 [trendmicro] [DaRK DDoSseR Leads to Gh0st RAT](https://blog.trendmicro.com/trendlabs-security-intelligence/dark-ddosser-leads-to-gh0st-rat/)
- 2012.06 [alienvault] [New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT](https://www.alienvault.com/blogs/labs-research/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0s)
- 2012.05 [forcepoint] [The Amnesty International UK website was compromised to serve Gh0st RAT [Update]](https://www.forcepoint.com/blog/security-labs/amnesty-international-uk-website-was-compromised-serve-gh0st-rat-update)

***

## NanoCore

### 工具

- [**2**星][10m] [Py] [jacobpimental/nanocore_extractor](https://github.com/jacobpimental/nanocore_extractor) Extracts nanocore sample from compile AutoIT script

### 文章

- 2020.01 [molly] [NanoCore: The RAT that keeps on keeping on. How to detect and prove an infection.](https://www.peerlyst.com/posts/nanocore-the-rat-that-keeps-on-keeping-on-how-to-detect-and-prove-an-infection-molly-payne)
- 2019.11 [4hou] [双加载的ZIP文件传播Nanocore RAT](https://www.4hou.com/info/news/21483.html)
- 2019.10 [morphisec] [NanoCore RAT Under the Microscope](https://blog.morphisec.com/nanocore-under-the-microscope)
- 2019.06 [myonlinesecurity] [More AgentTesla keylogger and Nanocore RAT in one bundle](https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/)
- 2019.06 [myonlinesecurity] [Nanocore RAT via fake DHL failed delivery in Chinese](https://myonlinesecurity.co.uk/nanocore-rat-via-fake-dhl-failed-delivery-in-chinese/)
- 2019.06 [4hou] [解析NanoCore犯罪软件攻击链](https://www.4hou.com/web/18610.html)
- 2019.06 [yoroi] [Dissecting NanoCore Crimeware Attack Chain](https://blog.yoroi.company/research/dissecting-nanocore-crimeware-attack-chain/)
- 2019.05 [myonlinesecurity] [nanocore RAT via fake order in password protected word doc with wrong password](https://myonlinesecurity.co.uk/nanocore-rat-via-fake-order-in-password-protected-word-doc-with-wrong-password/)
- 2019.05 [myonlinesecurity] [Fake Fedex Express Shipment For Pickup in iso delivers nanocore using Sendgrid](https://myonlinesecurity.co.uk/fake-fedex-express-shipment-for-pickup-in-iso-delivers-nanocore-using-sendgrid/)
- 2019.05 [goggleheadedhacker] [Unpacking NanoCore Sample Using AutoIT](https://www.goggleheadedhacker.com/blog/post/11)
- 2019.03 [carbonblack] [TAU Threat Intelligence Notification: NanoCore – Old Malware, New Tricks!](https://www.carbonblack.com/2019/03/20/tau-threat-intelligence-notification-nanocore-old-malware-new-tricks/)
- 2019.01 [myonlinesecurity] [Fake Autec Power purchase Order delivers Nanocore RAT](https://myonlinesecurity.co.uk/fake-autec-power-purchase-order-delivers-nanocore-rat/)
- 2019.01 [myonlinesecurity] [Nanocore via fake order using dde in csv files](https://myonlinesecurity.co.uk/nanocore-via-fake-order-using-dde-in-csv-files/)
- 2019.01 [myonlinesecurity] [Nanocore RAT via fake order emails](https://myonlinesecurity.co.uk/nanocore-rat-via-fake-order-emails/)
- 2019.01 [malware] [2019-01-04 - MALSPAM PUSHES NANOCORE RAT](http://malware-traffic-analysis.net/2019/01/04/index.html)
- 2018.11 [myonlinesecurity] [Fake Payment Receipt delivers Nanocore RAT malware](https://myonlinesecurity.co.uk/fake-payment-receipt-delivers-nanocore-rat-malware/)
- 2018.06 [UltraHacks] [NanoCore [Free Download] [No Virus] [DL] | Ultra Hacks](https://www.youtube.com/watch?v=lghASMr6VtA)
- 2018.04 [myonlinesecurity] [Fake PAYMENT CONFIRMATION emails deliver Nanocore RAT](https://myonlinesecurity.co.uk/fake-payment-confirmation-emails-deliver-nanocore-rat/)
- 2018.04 [myonlinesecurity] [Nanocore Rat delivered via fake order emails](https://myonlinesecurity.co.uk/nanocore-rat-delivered-via-fake-order-emails/)
- 2018.04 [myonlinesecurity] [Nanocore via fake Purchase order malspam using Microsoft Office Equation Editor exploits](https://myonlinesecurity.co.uk/nanocore-via-fake-purchase-order-malspam-using-microsoft-office-equation-editor-exploits/)
- 2018.04 [myonlinesecurity] [Nanocore RAT delivered by fake order malspam](https://myonlinesecurity.co.uk/nanocore-rat-delivered-by-fake-order-malspam/)
- 2018.02 [krebsonsecurity] [Bot Roundup: Avalanche, Kronos, NanoCore](https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/)
- 2017.11 [myonlinesecurity] [Fake Product Enquiry malspam delivers Nanocore RAT](https://myonlinesecurity.co.uk/fake-product-enquiry-malspam-delivers-nanocore-rat/)
- 2017.10 [fortinet] [PDF Phishing Leads to Nanocore RAT, Targets French Nationals](https://blog.fortinet.com/2017/10/12/pdf-phishing-leads-to-nanocore-rat-targets-french-nationals)
- 2017.10 [fortinet] [内置 JavaScript 脚本的PDF 恶意文件,启动时通过 Google Drive 分享链接下载 HTA 文件,由 HTA 文件下载并执行 NanoCore 远控](https://www.fortinet.com/blog/threat-research/pdf-phishing-leads-to-nanocore-rat-targets-french-nationals.html)
- 2017.08 [myonlinesecurity] [Angelika Rodriguez – [email protected] – Purchase Order malspam delivers nanocore RAT](https://myonlinesecurity.co.uk/angelika-rodriguez-zalesmunicipiodepaute-gob-ec-purchase-order-malspam-delivers-nanocore-rat/)
- 2017.05 [netskope] [NanocoreRAT delivery via cloud storage apps shifts from .uue to .r11](https://www.netskope.com/blog/nanocorerat-delivery-via-cloud-storage-apps-shifts-uue-r11/)
- 2017.03 [itsjack] [Nanocore Cracked Alcatraz – Leaving The Door Open](https://itsjack.cc/blog/2017/03/nanocore-cracked-alcatraz-leaving-the-door-open/)
- 2016.10 [sans] [Malspam delivers NanoCore RAT](https://isc.sans.edu/forums/diary/Malspam+delivers+NanoCore+RAT/21615/)
- 2016.02 [paloaltonetworks] [NanoCoreRAT Behind an Increase in Tax-Themed Phishin](https://unit42.paloaltonetworks.com/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/)
- 2015.11 [f] [Halloween RAT: NanoCore Served Via PageFair Service](https://labsblog.f-secure.com/2015/11/02/halloween-rat-nanocore-served-via-pagefair-service/)
- 2015.04 [ensilo] [NanoCore RAT: It’s Not 100% Original](https://blog.ensilo.com/nanocore-rat-not-100-original)

***

## NjRat

### 工具

- [**143**星][2y] [Visual Basic .NET] [alibawazeeer/rat-njrat-0.7d-modded-source-code](https://github.com/alibawazeeer/rat-njrat-0.7d-modded-source-code) NJR
- [**128**星][8d] [Visual Basic] [mwsrc/njrat](https://github.com/mwsrc/njrat) njRAT SRC Extract
- [**14**星][5m] [C#] [nyan-x-cat/njrat-0.7d-stub-csharp](https://github.com/nyan-x-cat/njrat-0.7d-stub-csharp) njRAT C# Stub - Fixed For PowerShell
- [**3**星][2y] [Py] [seep1959/njutils](https://github.com/seep1959/njutils) A client and chat program for njrat 0.6.4, 0.7d, and 0.7d golden edition.

### 文章

- 2019.12 [carbonblack] [Threat Analysis Unit (TAU) Threat Intelligence Notification: njRAT](https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-njrat/)
- 2019.09 [freebuf] [Gorgon APT组织再做文章:DropBox到NJRat的曲折历程](https://www.freebuf.com/articles/system/213082.html)
- 2019.05 [morphisec] [A look at Hworm / Houdini AKA njRAT](https://blog.morphisec.com/hworm-houdini-aka-njrat)
- 2019.05 [myonlinesecurity] [Fake Payment receipt vbs drops njrat bladabindi downloads Agent Tesla via Sendspace.](https://myonlinesecurity.co.uk/fake-payment-receipt-vbs-drops-njrat-bladabindi-downloads-agent-tesla-via-sendspace/)
- 2018.11 [trendmicro] [由AutoIt编译的蠕虫, 利用可移动介质传播, 投递无文件版的njRAT远控](https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/)
- 2018.06 [360] [老树开新花--njRAT家族恶意软件分析报告](https://www.anquanke.com/post/id/149654/)
- 2018.06 [freebuf] [技术讨论 | NjRAT通过base64编码加密混淆Code免杀绕过360杀毒实验](http://www.freebuf.com/articles/rookie/174776.html)
- 2018.04 [UltraHacks] [njRAT v0.7 | Tutorial | www.ultrahacks.org | Ultra Hacks](https://www.youtube.com/watch?v=qvURwIAzGo4)
- 2018.03 [broadanalysis] [Guest Blog Post: njRat Analysis with Volatility](http://www.broadanalysis.com/2018/03/25/guest-blog-post-njrat-analysis-with-volatility/)
- 2018.01 [rsa] [Malspam delivers njRAT 1-11-2018](https://community.rsa.com/community/products/netwitness/blog/2018/01/12/malspam-delivers-njrat-1-11-2018)
- 2017.12 [malwarenailed] [Revisiting HWorm and NjRAT](http://malwarenailed.blogspot.com/2017/05/revisiting-hworm-and-njrat.html)
- 2016.12 [freebuf] [史上最全的njRAT通信协议分析](http://www.freebuf.com/articles/network/122244.html)
- 2016.08 [MalwareAnalysisForHedgehogs] [Malware Analysis - Unpacking njRAT Protected by Confuser v.1.9 and others](https://www.youtube.com/watch?v=92GDWqCK1rQ)
- 2016.01 [sensecy] [Is There A New njRAT Out There?](https://blog.sensecy.com/2016/01/05/is-there-a-new-njrat-out-there/)
- 2015.12 [sec] [木马情报分析之:njRAT&H-worm](https://www.sec-un.org/trojan-information-analysis-njrath-worm/)
- 2015.11 [alienvault] [KilerRat: Taking over where Njrat remote access trojan left off](https://www.alienvault.com/blogs/labs-research/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off)
- 2015.08 [virusbulletin] [Paper: Life after the apocalypse for the Middle Eastern NJRat campaign](https://www.virusbulletin.com/blog/2015/08/paper-life-after-apocalypse-middle-eastern-njrat-campaign/)
- 2014.08 [mcafee] [Trailing the Trojan njRAT](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/trail-njrat/)
- 2014.08 [mcafee] [Trailing the Trojan njRAT](https://securingtomorrow.mcafee.com/mcafee-labs/trail-njrat/)
- 2014.01 [rsa] [Detecting njRAT in Your Environment](https://community.rsa.com/community/products/netwitness/blog/2014/01/02/detecting-njrat-in-your-environment)

***

## Revenge RAT

### 工具

- [**21**星][2m] [C#] [nyan-x-cat/revengerat-stub-cssharp](https://github.com/nyan-x-cat/revengerat-stub-cssharp) Revenge-RAT C# Stub - Fixed

### 文章

- 2020.01 [malware] [2020-01-15 - QUICK POST: MALSPAM PUSHING REVENGE RAT](http://malware-traffic-analysis.net/2020/01/15/index.html)
- 2019.11 [fortinet] [Double Trouble: RevengeRAT and WSHRAT](https://www.fortinet.com/blog/threat-research/malware-analysis-revenge-rat-sample.html)
- 2019.09 [360] [Revenge-RAT is used in phishing emails attacks against Italy](https://blog.360totalsecurity.com/en/revenge-rat-is-used-in-phishing-emails-attacks-against-italy/)
- 2019.04 [4hou] [利用钓鱼邮件传播RevengeRAT的Aggah行动](https://www.4hou.com/web/17521.html)
- 2019.03 [alienvault] [Mapping TrickBot and RevengeRAT with MITRE ATT&CK and AlienVault USM Anywhere](https://www.alienvault.com/blogs/labs-research/mapping-trickbot-and-revengerat-with-mitre-attck-and-alienvault-usm-anywhere)
- 2019.02 [4hou] [Revenge RAT恶意软件升级版来袭](http://www.4hou.com/web/16164.html)
- 2018.04 [dissectmalware] [Stealthy VBScript dropper dropping Revenge RAT](https://dissectmalware.wordpress.com/2018/04/08/stealthy-powershell-dropper-dropping-revenge-rat/)
- 2017.10 [rsa] [Malspam Delivers Revenge RAT October-2017](https://community.rsa.com/community/products/netwitness/blog/2017/10/26/malspam-delivers-revenge-rat-october-2017)
- 2016.08 [deniable] [Lurking Around Revenge-RAT](http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/)

***

## PlugX

### 工具

- [**28**星][7y] [Py] [kcreyts/plugxdecoder](https://github.com/kcreyts/plugxdecoder) Decodes PlugX traffic and encrypted/compressed artifacts

### 文章

- 2020.01 [hexacorn] [The Wizard of X – Oppa PlugX style, Part 2](http://www.hexacorn.com/blog/2020/01/24/the-wizard-of-x-oppa-plugx-style-part-2/)
- 2019.11 [BorjaMerino] [Rebind Socket Windows: PoC PlugX Controller](https://www.youtube.com/watch?v=MtscvthsaeY)
- 2018.06 [countuponsecurity] [Digital Forensics – PlugX and Artifacts left behind](https://countuponsecurity.com/2018/06/20/digital-forensics-plugx-and-artifacts-left-behind/)
- 2018.05 [countuponsecurity] [Malware Analysis – PlugX – Part 2](https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/)
- 2018.02 [4hou] [揭秘PlugX 恶意软件家族的攻击实力](http://www.4hou.com/technology/10394.html)
- 2018.02 [360] [PlugX恶意软件分析报告](https://www.anquanke.com/post/id/98166/)
- 2018.02 [countuponsecurity] [Malware Analysis – PlugX](https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/)
- 2017.09 [fortinet] [Deep Analysis of New Poison Ivy/PlugX Variant - Part II](https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii)
- 2017.09 [fortinet] [新型 Poison Ivy/PlugX 变种深入分析](https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii.html)
- 2017.09 [360] [Stack overflow in PlugX RAT](https://www.anquanke.com/post/id/86769/)
- 2017.07 [hexacorn] [The Wizard of X – Oppa PlugX style](http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/)
- 2017.02 [jpcert] [PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code -](https://blogs.jpcert.or.jp/en/2017/02/plugx-poison-iv-919a.html)
- 2016.06 [airbuscybersecurity] [Getting a PlugX builder](http://blog.airbuscybersecurity.com/post/2016/06/Getting-a-PlugX-builder)
- 2016.06 [cylance] [CylancePROTECT® vs. PlugX – JTB Breach Affects 7.93 Million People in Japan](https://www.cylance.com/en_us/blog/cylanceprotect-vs-plugx.html)
- 2016.03 [securelist] [PlugX malware: A good hacker is an apologetic hacker](https://securelist.com/plugx-malware-a-good-hacker-is-an-apologetic-hacker/74150/)
- 2015.11 [volatility] [PlugX: Memory Forensics Lifecycle with Volatility](https://volatility-labs.blogspot.com/2015/11/plugx-memory-forensics-lifecycle-with.html)
- 2015.09 [cyintanalysis] [Using threat_note To Track Campaigns: Returning to PIVY and PlugX Infrastructure](http://www.cyintanalysis.com/using-threat_note-to-track-campaigns-returning-to-pivy-and-plugx-infrastructure/)
- 2015.09 [airbuscybersecurity] [Volatility plugin for PlugX updated](http://blog.airbuscybersecurity.com/post/2015/08/Volatility-plugin-for-PlugX-updated)
- 2015.08 [rebsnippets] [PlugX Chronicles](http://rebsnippets.blogspot.com/2015/08/plugx-chronicles.html)
- 2015.08 [cyintanalysis] [Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign](http://www.cyintanalysis.com/threat-analysis-poison-ivy-and-links-to-an-extended-plugx-campaign/)
- 2015.08 [airbuscybersecurity] [Latest changes in PlugX](http://blog.airbuscybersecurity.com/post/2015/06/Latest-improvements-in-PlugX)
- 2015.05 [paloaltonetworks] [PlugX Uses Legitimate Samsung Application for DLL Sid](https://unit42.paloaltonetworks.com/plugx-uses-legitimate-samsung-application-for-dll-side-loading/)
- 2015.04 [freebuf] [恶意代码分析:台湾官方版英雄联盟LoL和流亡黯道PoE被植入远控工具PlugX](http://www.freebuf.com/vuls/63151.html)
- 2015.01 [jpcert] [Analysis of a Recent PlugX Variant - “P2P PlugX”](https://blogs.jpcert.or.jp/en/2015/01/analysis-of-a-r-ff05.html)
- 2015.01 [] [A Closer Look at PlugX from League of Legends / Path of Exile](http://909research.com/a-closer-look-at-plugx-from-league-of-legends-path-of-exile/)
- 2015.01 [trendmicro] [PlugX Malware Found in Official Releases of League of Legends, Path of Exile](https://blog.trendmicro.com/trendlabs-security-intelligence/plugx-malware-found-in-official-releases-of-league-of-legends-path-of-exile/)
- 2014.06 [trendmicro] [PlugX RAT With “Time Bomb” Abuses Dropbox for Command-and-Control Settings](https://blog.trendmicro.com/trendlabs-security-intelligence/plugx-rat-with-time-bomb-abuses-dropbox-for-command-and-control-settings/)
- 2014.06 [lastline] [An Analysis of PlugX Using Process Dumps from High-Resolution Malware Analysis](https://www.lastline.com/labsblog/an-analysis-of-plugx-using-process-dumps-from-high-resolution-malware-analysis/)
- 2014.01 [airbuscybersecurity] [PlugX "v2": meet "SController"](http://blog.airbuscybersecurity.com/post/2014/01/PlugX-v2%3A-meet-SController)
- 2014.01 [airbuscybersecurity] [PlugX: some uncovered points](http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html)
- 2013.12 [lastline] [An Analysis of PlugX Malware](https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/)
- 2013.05 [freebuf] [FireEye:PlugX老马新用,针对中国政治活动的APT攻击分析](http://www.freebuf.com/news/9555.html)
- 2013.04 [trendmicro] [New Wave of PlugX Targets Legitimate Apps](https://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/)
- 2013.04 [securelist] [Winnti returns with PlugX](https://securelist.com/winnti-returns-with-plugx/66960/)
- 2012.09 [freebuf] [国外大牛人肉定向攻击远控PlugX开发者全过程分析](http://www.freebuf.com/articles/others-articles/5718.html)
- 2012.09 [alienvault] [The connection between the Plugx Chinese gang and the latest Internet Explorer Zeroday](https://www.alienvault.com/blogs/labs-research/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo)
- 2012.09 [trendmicro] [Unplugging PlugX Capabilities](https://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/)
- 2012.09 [alienvault] [Tracking down the author of the PlugX RAT](https://www.alienvault.com/blogs/labs-research/tracking-down-the-author-of-the-plugx-rat)
- 2012.09 [freebuf] [新型远程控制工具Plugx正在被利用并通过钓鱼攻击日本政府](http://www.freebuf.com/news/5607.html)
- 2012.09 [trendmicro] [PlugX: New Tool For a Not So New Campaign](https://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new-tool-for-a-not-so-new-campaign/)

***

## RemcosRAT

- 2019.10 [fortinet] [New Variant of Remcos RAT Observed In the Wild](https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html)
- 2019.09 [myonlinesecurity] [Some changes to Remcos Rat persistence method](https://myonlinesecurity.co.uk/some-changes-to-remcos-rat-persistence-method/)
- 2019.09 [myonlinesecurity] [Fake invoice tries to deliver Remcos RAT](https://myonlinesecurity.co.uk/fake-invoice-tries-to-deliver-remcos-rat/)
- 2019.09 [freebuf] [钓鱼邮件中的Remcos RAT变种分析](https://www.freebuf.com/articles/network/212400.html)
- 2019.08 [trendmicro] [Analysis: New Remcos RAT Arrives Via Phishing Email](https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-new-remcos-rat-arrives-via-phishing-email/)
- 2019.06 [myonlinesecurity] [Remcos Rat via fake invoice using multiple delivery methods.](https://myonlinesecurity.co.uk/remcos-rat-via-fake-invoice-using-multiple-delivery-methods/)
- 2019.06 [HackerSploit] [Remcos RAT Review - The Most Advanced Remote Access Tool](https://www.youtube.com/watch?v=rffkJDcri18)
- 2018.11 [myonlinesecurity] [More Fake DHL invoices delivering Remcos RAT via office XML files](https://myonlinesecurity.co.uk/more-fake-dhl-invoices-delivering-remcos-rat-via-office-xml-files/)
- 2018.10 [myonlinesecurity] [Fake DHL READ : (DHL Express) -Delivery Address Confirmation delivers Remcos Rat](https://myonlinesecurity.co.uk/fake-dhl-read-dhl-express-delivery-address-confirmation-delivers-remcos-rat/)
- 2018.09 [myonlinesecurity] [Fake Purchase Order email delivers Remcos RAT](https://myonlinesecurity.co.uk/fake-purchase-order-email-delivers-remcos-rat/)
- 2018.09 [360] [揭秘Remcos下的僵尸网络](https://www.anquanke.com/post/id/158934/)
- 2018.08 [securityledger] [Cisco Links Remote Access Tool Remcos to Cybercriminal Underground](https://securityledger.com/2018/08/cisco-links-remote-access-tool-remcos-to-cybercriminal-underground/)
- 2018.08 [talosintelligence] [Picking Apart Remcos Botnet-In-A-Box](https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html)
- 2018.08 [UltraHacks] [Remcos RAT Tutorial | Remote Administration Tool | Ultra Hacks](https://www.youtube.com/watch?v=hlf5k86LwMI)
- 2018.07 [myonlinesecurity] [Fake DHL “Alert! Shipment Notification” delivers Remcos RAT](https://myonlinesecurity.co.uk/fake-dhl-alert-shipment-notification-delivers-remcos-rat/)
- 2018.05 [fortinet] [Remcos远控变种利用CVE-2017-11882传播](https://www.fortinet.com/blog/threat-research/new-remcos-rat-variant-is-spreading-by-exploiting-cve-2017-11882.html)
- 2018.04 [myonlinesecurity] [Remcos RAT delivered by fake ” your workers are fighting” message](https://myonlinesecurity.co.uk/remcos-rat-delivered-by-fake-your-workers-are-fighting-message/)
- 2018.04 [myonlinesecurity] [Remcos RAT delivered via fake CCICM international debt recovery service](https://myonlinesecurity.co.uk/remcos-rat-delivered-via-fake-ccicm-international-debt-recovery-service/)
- 2018.04 [myonlinesecurity] [Fake Payment recovery email spoofing CCICM international debt recovery service delivers Remcos rat via Microsoft Equation Editor Exploits](https://myonlinesecurity.co.uk/fake-payment-recovery-email-spoofing-ccicm-international-debt-recovery-service-delivers-remcos-rat-via-microsoft-equation-editor-exploits/)
- 2018.03 [tencent] [新型远控木马Remcos利用CVE-2017-11882漏洞进行实时攻击](https://s.tencent.com/research/report/442.html)
- 2018.03 [myonlinesecurity] [Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments](https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/)
- 2017.09 [malwarebreakdown] [Malvertising Leads to RIG EK and Drops Remcos RAT.](https://malwarebreakdown.com/2017/09/27/malvertising-leads-to-rig-ek/)
- 2017.09 [trendmicro] [云平台 Autodesk® A360 被利用传播 Adwind, Remcos, Netwire RAT 等恶意软件](https://blog.trendmicro.com/trendlabs-security-intelligence/a360-drive-adwind-remcos-netwire-rats/)
- 2017.08 [cybereason] [Cybereason creates 'vaccine' to stop Remcos RAT](https://www.cybereason.com/blog/blog-cybereason-creates-vaccine-to-stop-remcos-rat)
- 2017.02 [fortinet] [REMCOS: A New RAT In The Wild](https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html)

***

## L0rdixRAT

- 2019.08 [bromium] [Decrypting L0rdix RAT’s C2](https://www.bromium.com/decrypting-l0rdix-rats-c2/)
- 2019.07 [bromium] [An Analysis of L0rdix RAT, Panel and Builder](https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/)
- 2018.11 [ensilo] [L0RDIX: Multipurpose Attack Tool](https://blog.ensilo.com/l0rdix-attack-tool)

***

## LodaRAT

- 2020.02 [talosintelligence] [Loda RAT Grows Up](https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html)

***

## GulfRAT

- 2020.01 [TheCyberWire] [Phishing with a RAT in the Gulf. More on how Jeff Bezos was hacked. Microsoft discloses data...](https://www.youtube.com/watch?v=wFAcCuqdqSY)
- 2020.01 [TheCyberWire] [Escalation in the Gulf as a US air strike kills Iran’s Quds commander. Travelex and RavnAir...](https://www.youtube.com/watch?v=R6j1evxLj1g)
- 2019.08 [nettitude] [Tanker Cyber Attacks taking place in the Gulf](https://blog.nettitude.com/tanker-cyber-attacks)
- 2017.09 [mikefrobbins] [PowerShell Toolmaking session this Saturday, September 30th at Gulf Coast Code Camp 2017 in Mobile, Alabama](http://mikefrobbins.com/2017/09/28/powershell-toolmaking-session-this-saturday-september-30th-at-gulf-coast-code-camp-2017-in-mobile-alabama/)
- 2016.11 [fireeye] [FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region](https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html)
- 2016.03 [elearnsecurity] [Visit eLearnSecurity on Gulf Information Security and Gulf Expo 2016 in Dubai](https://blog.elearnsecurity.com/visit-elearnsecurity-on-gulf-information-security-and-gulf-expo-2016-in-dubai.html)
- 2015.07 [welivesecurity] [New report explains gulf between security experts and non-experts](https://www.welivesecurity.com/2015/07/28/new-report-explains-gulf-security-experts-non-experts/)
- 2010.08 [publicintelligence] [Los Zetas and Gulf Cartel Perpetrators of Mexican Drug Trafficking Violence Organizational Chart](https://publicintelligence.net/los-zetas-and-gulf-cartel-perpetrators-of-mexican-drug-trafficking-violence-organizational-chart/)
- 2010.05 [publicintelligence] [BP Minerals Management Service Workshop Brief: Unlocking Gulf of Mexico “Technological Challenges”](https://publicintelligence.net/bp-minerals-management-service-workshop-brief-gulf-of-mexico-technological-challenges/)

***

## NetWireRAT

- 2020.01 [securityintelligence] [New NetWire RAT Campaigns Use IMG Attachments to Deliver Malware Targeting Enterprise Users](https://securityintelligence.com/posts/new-netwire-rat-campaigns-use-img-attachments-to-deliver-malware-targeting-enterprise-users/)
- 2019.11 [carbonblack] [Active C2 Discovery Using Protocol Emulation Part1 (HYDSEVEN NetWire)](https://www.carbonblack.com/2019/11/20/active-c2-discovery-using-protocol-emulation-part1-hydseven-netwire/)
- 2019.09 [fortinet] [New NetWire RAT Variant Being Spread Via Phishing](https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html)
- 2019.08 [malware] [2019-08-23 - DATA DUMP (URSNIF, RIG EK, NETWIRE RAT)](http://malware-traffic-analysis.net/2019/08/23/index.html)
- 2019.04 [myonlinesecurity] [Fake DHL Shipment Notification delivers Netwire Trojan](https://myonlinesecurity.co.uk/fake-dhl-shipment-notification-delivers-netwire-trojan/)
- 2018.11 [traffic] [[2018-11-21] HookAds->FalloutEK->AZORult->NetWireRAT](https://traffic.moe/2018/11/21/index.html)
- 2017.11 [myonlinesecurity] [Fake HSBC Advising Service Payment Advice malspam delivers Netwire trojan](https://myonlinesecurity.co.uk/fake-hsbc-advising-service-payment-advice-malspam-delivers-netwire-trojan/)
- 2017.10 [myonlinesecurity] [Fake HSBC Swift Copy delivers Netwire trojan](https://myonlinesecurity.co.uk/fake-hsbc-swift-copy-delivers-netwire-trojan/)
- 2017.09 [TechnoHacker] [NetWire HKCU/Run vs ActiveX Startup](https://www.youtube.com/watch?v=B2Au16gy4nE)
- 2017.08 [TechnoHacker] [Netwire Tutorial: How to Sign the Android Host](https://www.youtube.com/watch?v=zEJrkKr29mU)
- 2017.04 [TechnoHacker] [How to crypt Netwire with Cyberseal](https://www.youtube.com/watch?v=hzZtBO95B-U)
- 2017.04 [TechnoHacker] [Netwire RAT Review](https://www.youtube.com/watch?v=jRCBTmBIT8g)
- 2014.08 [paloaltonetworks] [NetWire and MITRE](https://unit42.paloaltonetworks.com/netwire-mitre-chopshop/)
- 2014.08 [paloaltonetworks] [New Release: Decrypting NetWire C](https://unit42.paloaltonetworks.com/new-release-decrypting-netwire-c2-traffic/)

***

## JhoneRAT

- 2020.01 [talosintelligence] [JhoneRAT: Cloud based python RAT targeting Middle Eastern countries](https://blog.talosintelligence.com/2020/01/jhonerat.html)

***

## Dacls

- 2019.12 [360] [Lazarus Group使用Dacls RAT攻击Linux平台](https://blog.netlab.360.com/dacls-the-dual-platform-rat/)
- 2019.12 [360] [Dacls, the Dual platform RAT](https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/)

***

## BlackRemote

- 2019.12 [carbonblack] [Threat Analysis Unit (TAU) Threat Intelligence Notification: BlackRemote RAT](https://www.carbonblack.com/2019/12/13/threat-analysis-unit-tau-threat-intelligence-notification-blackremote-rat/)

***

## Orcus

- 2019.11 [krebsonsecurity] [Orcus RAT Author Charged in Malware Scheme](https://krebsonsecurity.com/2019/11/orcus-rat-author-charged-in-malware-scheme/)
- 2019.01 [morphisec] [New Campaign Delivers Orcus RAT](https://blog.morphisec.com/new-campaign-delivering-orcus-rat)
- 2018.04 [freebuf] [基于SYLK文件传播Orcus远控木马样本分析](http://www.freebuf.com/articles/system/167141.html)
- 2017.12 [fortinet] [Circle of the fraud: more information about Bitcoin Orcus RAT campaign](https://blog.fortinet.com/2017/12/22/circle-of-the-fraud-more-information-about-bitcoin-orcus-rat-campaign)
- 2017.12 [fortinet] [Circle of the fraud: more information about Bitcoin Orcus RAT campaign](https://www.fortinet.com/blog/threat-research/circle-of-the-fraud-more-information-about-bitcoin-orcus-rat-campaign.html)
- 2017.12 [fortinet] [A Peculiar Case of Orcus RAT Targeting Bitcoin Investors](https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors)
- 2017.12 [fortinet] [Orcus 远控瞄准比特币投资者, 伪装成比特币交易机器人 Gunbot 进行传播](https://www.fortinet.com/blog/threat-research/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors.html)
- 2017.05 [freebuf] [Orcus VM的解题步骤](http://www.freebuf.com/articles/network/133796.html)
- 2017.04 [hackingarticles] [Hack the Orcus VM CTF Challenge](http://www.hackingarticles.in/hack-orcus-vm-ctf-challenge/)
- 2017.04 [techanarchy] [VulnHub Orcus Solution](http://techanarchy.net/2017/04/vulnhub-orcus-solution/)
- 2017.03 [vulnhub] [hackfest2016: Orcus](https://www.vulnhub.com/entry/hackfest2016-orcus,182/)
- 2017.03 [vulnhub] [hackfest2016: Orcus](https://www.vulnhub.com/entry/hackfest2016-orcus,182/)
- 2016.08 [deniable] [Cracking Orcus RAT](http://deniable.org/cracking-orcus-rat/)
- 2016.08 [deniable] [Cracking Orcus RAT](http://blog.deniable.org/blog/2016/08/09/cracking-orcus-rat/)
- 2016.08 [deniable] [Cracking Orcus RAT](http://deniable.org/reversing/cracking-orcus-rat)
- 2016.08 [paloaltonetworks] [Orcus – Birth of an unusual plugin bu](https://unit42.paloaltonetworks.com/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/)
- 2016.07 [krebsonsecurity] [Canadian Man Behind Popular ‘Orcus RAT’](https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/)

***

## NukeSped

- 2019.10 [fortinet] [A Deep-Dive Analysis of the NukeSped RATs](https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html)

***

## DarkComet

- 2018.09 [UltraHacks] [How to setup DarkCometRAT 5.3.1 + Portforward](https://www.youtube.com/watch?v=fTeUTvg1_jE)
- 2018.04 [freebuf] [CVE-2017-11882新动态:利用AutoIT脚本释放DarkComet后门](http://www.freebuf.com/vuls/166744.html)
- 2018.03 [tencent] [CVE-2017-11882新动态:利用AutoIT脚本释放DarkComet后门](https://s.tencent.com/research/report/451.html)
- 2017.10 [rsa] [Malspam Delivers DarkComet RAT October-2017](https://community.rsa.com/community/products/netwitness/blog/2017/10/12/malspam-delivers-darkcomet-rat-october-2017)
- 2017.01 [HackingMonks] [Darkcomet Rat Tutorial (Trojans are awesome)](https://www.youtube.com/watch?v=eS9BIFaFKNM)
- 2016.02 [hackingarticles] [Hack Remote PC using Darkcomet RAT with Metasploit](http://www.hackingarticles.in/hack-remote-pc-using-darkcomet-rat-with-metasploit/)
- 2015.11 [TechnoHacker] [How to setup DarkComet RAT [Voice Tutorial] [Download Link]](https://www.youtube.com/watch?v=Lqcg7gcKCfo)
- 2015.07 [SecurityBSidesLondon] [Kevin Breen - DarkComet From Defense To Offense - Identify your Attacker](https://www.youtube.com/watch?v=tRM6HrW7BAc)
- 2015.03 [heimdalsecurity] [Security Alert: Infamous DarkComet RAT Used In Spear Phishing Campaigns](https://heimdalsecurity.com/blog/darkcomet-rat-phishing-campaigns/)
- 2015.03 [sketchymoose] [Smooshing the Square Peg into the Round Hole: DarkComet Plugin for 64-bit images](https://sketchymoose.blogspot.com/2015/03/smooshing-square-peg-into-round-hole.html)
- 2012.07 [freebuf] [DarkComet RAT作者宣布项目停止开发](http://www.freebuf.com/news/4939.html)
- 2012.06 [freebuf] [[更新]一款强大的远控 – DarkComet RAT V5.3.1](http://www.freebuf.com/sectool/3957.html)
- 2012.06 [malwarebytes] [You dirty RAT! Part 1: DarkComet](https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/)
- 2012.04 [trendmicro] [Fake Skype Encryption Software Cloaks DarkComet Trojan](https://blog.trendmicro.com/trendlabs-security-intelligence/fake-skype-encryption-software-cloaks-darkcomet-trojan/)
- 2012.04 [toolswatch] [DarkComet-RAT Remote Administration Tool v5.1.1 released](http://www.toolswatch.org/2012/04/darkcomet-rat-remote-administration-tool-v5-1-1released/)
- 2012.03 [quequero] [DarkComet Analysis – Understanding the Trojan used in Syrian Uprising](https://quequero.org/2012/03/darkcomet-analysis-understanding-the-trojan-used-in-syrian-uprising/)
- 2012.02 [trendmicro] [DarkComet Surfaced in the Targeted Attacks in Syrian Conflict](https://blog.trendmicro.com/trendlabs-security-intelligence/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/)
- 2011.08 [toolswatch] [DarkComet-RAT (Remote Administration Tool) v4.0 Fix 1 available](http://www.toolswatch.org/2011/08/darkcomet-rat-remote-administration-tool-v4-0-fix-1-available/)
- 2011.05 [toolswatch] [DarkComet-RAT v3.3 available](http://www.toolswatch.org/2011/05/darkcomet-rat-v3-3-available/)
- 2011.01 [toolswatch] [(EXCLUSIVE) DarkComet-RAT updated to v3.0.1](http://www.toolswatch.org/2011/01/darkcomet-rat-updated-to-v3-0-1/)
- 2011.01 [toolswatch] [EXCLUSIVE : DarkComet-RAT 3.0 released (Impressive RAT tool)](http://www.toolswatch.org/2011/01/exclusive-darkcomet-rat-3-0-released-impressive-rat-tool/)

***

## WarZone RAT

- 2018.11 [UltraHacks] [Warzone RAT C++ | Hidden VNC [PROMOTION VIDEO]| Ultra Hacks](https://www.youtube.com/watch?v=QV_21Qv-0d0)

***

## BlackShades

- 2017.01 [TechnoHacker] [Blackshades Revisited](https://www.youtube.com/watch?v=8lTFyk5CEQg)
- 2016.02 [TechnoHacker] [How to use Blackshades [download link]](https://www.youtube.com/watch?v=9lzbO-QW46o)
- 2016.02 [TechnoHacker] [How to setup Blackshades RAT [Voice Tutorial] [download link]](https://www.youtube.com/watch?v=PLYe1JwCoA8)
- 2014.05 [malwarebytes] [Taking off the Blackshades](https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/)
- 2014.05 [endgame] [Blackshades: Why We Should Care About Old Malware](https://www.endgame.com/blog/technical-blog/blackshades-why-we-should-care-about-old-malware)
- 2014.05 [trendmicro] [The Blackshades RAT – Entry-Level Cybercrime](https://blog.trendmicro.com/trendlabs-security-intelligence/the-blackshades-rat-entry-level-cybercrime/)
- 2014.05 [publicintelligence] [FBI Blackshades Remote Access Tool Private Sector Bulletins and Domain List](https://publicintelligence.net/fbi-blackshades-bulletins/)
- 2014.05 [alienvault] [Blackshades Smackdown & Poking China in the Eye](https://www.alienvault.com/blogs/industry-insights/blackshades-smackdown-poking-china-in-the-eye)
- 2014.05 [cylance] [A Study in Bots: BlackShades Net](https://www.cylance.com/en_us/blog/a-study-in-bots-blackshades-net.html)
- 2014.05 [welivesecurity] [Behind Blackshades: a closer look at the latest FBI cyber crime arrests](https://www.welivesecurity.com/2014/05/20/blackshades-rat-fbi-cybercrime-malware-takedown/)
- 2014.05 [krebsonsecurity] [‘Blackshades’ Trojan Users Had It Coming](https://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/)
- 2014.05 [malwaretech] [FBI Cybercrime Crackdown – Blackshades](https://www.malwaretech.com/2014/05/fbi-cybercrime-crackdown-blackshades.html)
- 2012.07 [malwarebytes] [BlackShades Co-Creator Arrested!](https://blog.malwarebytes.com/cybercrime/2012/07/blackshades-co-creator-arrested/)
- 2012.06 [malwarebytes] [BlackShades in Syria](https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/)
- 2012.06 [citizenlab] [Syrian Activists Targeted with BlackShades Spy Software](https://citizenlab.ca/2012/06/syrian-activists-targeted-with-blackshades-spy-software/)
- 2012.06 [malwarebytes] [You Dirty RAT! Part 2 – BlackShades NET](https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/)

***

## DenesRAT

- 2019.10 [nsfocus] [海莲花(APT32)组织 DenesRAT木马与相关攻击链分析](http://blog.nsfocus.net/apt32-organization-denesrat-trojan-related-attack-chain-analysis/)

***

## WSH RAT

- 2019.10 [angelalonso] [WSH RAT - Analysis of the code](https://blog.angelalonso.es/2019/10/wsh-rat-analysis-of-code.html)
- 2019.10 [angelalonso] [Fudcrypt using H-Worm from WSH RAT](https://blog.angelalonso.es/2019/10/fudcrypt-using-h-worm-from-wshrat.html)
- 2019.09 [freebuf] [黑客购买新型WSH RAT最新变种样本,攻击银行客户](https://www.freebuf.com/articles/system/214269.html)
- 2019.09 [angelalonso] [WSH RAT and the link to unknowcrypter and Fudcrypt](https://blog.angelalonso.es/2019/09/wsh-rat-and-link-to-unknowcrypter-and.html)

***

## Qrypter RAT

- 2018.04 [4hou] [对愈加流行的Qrypter RAT运作情况进行分析](http://www.4hou.com/web/10902.html)
- 2017.12 [angelalonso] [Qrypter Java RAT using Tor](http://blog.angelalonso.es/2017/12/qrypter-java-rat-using-tor.html)

***

## Adwind

- 2019.08 [4hou] [Adwind远控当前被广泛用于公共事业部门的攻击活动中](https://www.4hou.com/info/19812.html)
- 2018.10 [reversinglabs] [eWeek: Cisco Talos and ReversingLabs warn that the Adwind Remote Access Trojan (RAT) has added capabilities that enable it bypass some anti-virus technologies](https://www.reversinglabs.com/newsroom/news/eweek-cisco-talos-and-reversinglabs-warn-adwind-remote-access-trojan-rat-has-added.html)
- 2018.04 [4hou] [垃圾邮件活动使用XTRAT、DUNIHI和Adwind后门](http://www.4hou.com/info/news/11169.html)
- 2018.04 [trendmicro] [趋势科技研究人员监控到垃圾邮件传播跨平台远控Adwind, 同时捆绑了后门XTRAT和DUNIHI和Loki](https://blog.trendmicro.com/trendlabs-security-intelligence/xtrat-and-dunihi-backdoors-bundled-with-adwind-in-spam-mails/)
- 2018.04 [ensilo] [enSilo Blocks New Variant of Adwind RAT](https://blog.ensilo.com/ensilo-blocks-new-variant-of-adwind-rat)
- 2018.03 [OALabs] [Analyzing Adwind / JRAT Java Malware](https://www.youtube.com/watch?v=yHrr9v0E6MQ)
- 2018.03 [heimdalsecurity] [Security Alert: Spam Campaign Spreads Adwind RAT variant, Targeting Computer Systems](https://heimdalsecurity.com/blog/security-alert-spam-campaign-adwind-rat-variant-targeting-systems/)
- 2018.02 [fortinet] [New jRAT/Adwind Variant Being Spread With Package Delivery Scam](https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html)
- 2018.02 [rsa] [Winds of Winter - MalSpam Delivers Adwind RAT 2-1-2018](https://community.rsa.com/community/products/netwitness/blog/2018/02/05/winds-of-winter-malspam-delivers-adwind-rat-february-2018)
- 2018.02 [myonlinesecurity] [Fake Swift Copy malspam via compromised sites delivering Java Adwind/ QRAT /JRAT Trojan](https://myonlinesecurity.co.uk/fake-swift-copy-malspam-via-compromised-sites-delivering-java-adwind-qrat-jrat-trojan/)
- 2017.12 [myonlinesecurity] [Fake “Your UPS Invoice Is Ready” malspam delivers Java Adwind / Java JRAT Trojan](https://myonlinesecurity.co.uk/fake-your-ups-invoice-is-ready-malspam-delivers-java-adwind-java-jrat-trojan/)
- 2017.08 [netskope] [Adwind RAT employs new obfuscation techniques](https://www.netskope.com/blog/adwind-rat-employs-new-obfuscation-techniques/)
- 2017.07 [trendmicro] [Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind](https://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat/)
- 2017.03 [freebuf] [Adwind RAT针对企业攻击,目标超过100个国家和地区](http://www.freebuf.com/news/128021.html)
- 2017.01 [codemetrix] [Decrypting Adwind jRAT jBifrost trojan](https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/)
- 2016.08 [fortinet] [JBifrost: Yet Another Incarnation of the Adwind RAT](https://www.fortinet.com/blog/threat-research/jbifrost-yet-another-incarnation-of-the-adwind-rat.html)
- 2016.07 [heimdalsecurity] [Security Alert: Adwind RAT Used in Targeted Attacks with Zero AV Detection](https://heimdalsecurity.com/blog/security-alert-adwind-rat-targeted-attacks-zero-av-detection/)
- 2016.02 [securelist] [Expert: cross-platform Adwind RAT](https://securelist.com/expert-cross-platform-adwind-rat/73773/)
- 2016.02 [kaspersky] [The wind that smells like RAT: The story of Adwind MaaS](https://www.kaspersky.com/blog/adwind-rat-2/15126/)
- 2013.11 [crowdstrike] [Adwind RAT Rebranding](https://www.crowdstrike.com/blog/adwind-rat-rebranding/)

***

## CannibalRAT

- 2018.02 [talosintelligence] [CannibalRAT targets Brazil](http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html)

***

## jRAT

- 2018.10 [cofense] [H-Worm and jRAT Malware: Two RATs are Better than One](https://cofense.com/h-worm-jrat-malware-two-rats-better-one/)
- 2018.08 [Sebdraven] [Lammers, stealers and RATs: same technics like Formbook malware to install JRAT and HawkEye…](https://medium.com/p/8c010e9f40d4)
- 2018.03 [trustwave] [Crypter-as-a-Service Helps jRAT Fly Under The Radar](https://www.trustwave.com/Resources/SpiderLabs-Blog/Crypter-as-a-Service-Helps-jRAT-Fly-Under-The-Radar/)

***

## jsRAT

- 2018.02 [netskope] [ShortJSRAT leverages cloud with scriptlets](https://www.netskope.com/blog/shortjsrat-leverages-cloud-scriptlets/)
- 2017.07 [rsa] [Recreating the Crime Scene - A JSRat Story](https://community.rsa.com/community/products/netwitness/blog/2017/07/13/httpscommunityrsacomblogcreate-postjspacontainertype37containerid1034draftid43558recreating-the-crime-scene-a-jsrat-story)
- 2016.05 [evi1cg] [JSRAT几种启动方式](https://evi1cg.me/archives/Run_JSRAT.html)
- 2016.03 [hackingarticles] [Hack Remote Windows 10 PC using JSRAT](http://www.hackingarticles.in/hack-remote-windows-10-pc-using-jsrat/)
- 2015.07 [secist] [使用JSRAT远程管理win10系统](http://www.secist.com/archives/305.html)

***

## CrossRat

- 2018.01 [360] [分析一款全球网络间谍活动中的跨平台恶意软件-CrossRAT(下)](https://www.anquanke.com/post/id/96383/)
- 2018.01 [4hou] [CrossRat远程控制软件的分析](http://www.4hou.com/technology/10131.html)
- 2018.01 [360] [分析一款全球网络间谍活动中的跨平台恶意软件-CrossRAT(上)](https://www.anquanke.com/post/id/96323/)
- 2018.01 [objective] [分析用于全球网络间谍活动的跨平台远控 CrossRAT](https://objective-see.com/blog/blog_0x28.html)

***

## ArmaRat

- 2018.09 [360] [ArmaRat:针对伊朗用户长达两年的间谍活动](https://www.anquanke.com/post/id/159264/)

***

## RokRAT

- 2018.01 [morphisec] [Threat Profile: RokRAT](http://blog.morphisec.com/threat-profile-rokrat)
- 2017.12 [MalwareAnalysisForHedgehogs] [Malware Analysis - ROKRAT Unpacking from Injected Shellcode](https://www.youtube.com/watch?v=uoBQE5s2ba4)
- 2017.11 [talosintelligence] [ROKRAT Reloaded](https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html)
- 2017.06 [alienvault] [A RAT that Tweets: New ROKRAT Malware Hides behind Twitter, Amazon, and Hulu Traffic](https://www.alienvault.com/blogs/security-essentials/a-rat-that-tweets-new-rokrat-malware-hides-behind-twitter-amazon-and-hulu-traffic)
- 2017.04 [360] [使用云平台的ROKRAT木马分析](https://www.anquanke.com/post/id/85847/)
- 2017.04 [talosintelligence] [ROKRAT 远控分析:从钓鱼到payload,以Twitter/Yandex/Mediafire做C&C。](https://blog.talosintelligence.com/2017/04/introducing-rokrat.html)

***

## CatKARAT

- 2018.01 [hackingarticles] [TCP & UDP Packet Crafting with CatKARAT](http://www.hackingarticles.in/tcp-udp-packet-crafting-catkarat/)

***

## TheFatRat

- 2018.11 [freebuf] [技术分享 | 看我如何使用TheFatRat黑掉你的Android手机](https://www.freebuf.com/articles/terminal/188986.html)
- 2017.11 [TheHackerStuff] [TheFatRat - Hacking Over WAN - Embedding Payload in Original Android APK - Without Port Forwarding](https://www.youtube.com/watch?v=XLNigYZ5-fM)
- 2016.12 [TheHackerStuff] [Kali Linux - TheFatRat - Creating an Undetectable Backdoor - Bypass all AntiVirus](https://www.youtube.com/watch?v=uwMRuQBVS7k)
- 2016.09 [freebuf] [TheFatRat:Msfvenom傻瓜化后门生成工具](http://www.freebuf.com/sectool/113597.html)
- 2016.07 [hackingarticles] [Hack Remote Windows 10 PC using TheFatRat](http://www.hackingarticles.in/hack-remote-windows-10-pc-using-thefatrat/)

***

## OmniRAT

- 2017.07 [skycure] [Nasty backdoor OmniRAT is back, disguised as GhostCtrl on Android mobile devices](https://www.skycure.com/blog/nasty-backdoor-omnirat-back-disguised-ghostctrl-android-mobile-devices/)
- 2015.11 [freebuf] [OmniRAT变种木马被恶意利用](http://www.freebuf.com/news/85281.html)

***

## LuminosityLink

- 2018.10 [welivesecurity] [LuminosityLink RAT pack leader jailed 30 months in the US](https://www.welivesecurity.com/2018/10/24/luminositylink-rat-author-sentenced-jail/)
- 2018.02 [paloaltonetworks] [RAT Trapped? LuminosityLink Falls Foul of Vermin Eradicatio](https://unit42.paloaltonetworks.com/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/)
- 2017.05 [UltraHacks] [How to setup LuminosityLink RAT with nVPN | PORTFORWARD FIX!!!](https://www.youtube.com/watch?v=AiiQNtJfgBc)
- 2017.05 [umbrella] [The Weather Report: Seamless Campaign, LuminosityLink RAT, and OG-Miner!](https://umbrella.cisco.com:443/blog/2017/05/24/weather-report-seamless-campaign-luminositylink-rat-og-miner/)
- 2017.03 [myonlinesecurity] [Request for 1st new order proforma invoice malspam delivers LuminosityLink RAT](https://myonlinesecurity.co.uk/request-for-1st-new-order-proforma-invoice-malspam-delivers-luminositylink-rat/)
- 2016.07 [paloaltonetworks] [Investigating the LuminosityLink Remote Access Trojan Conf](https://unit42.paloaltonetworks.com/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/)

***

## 其他

- 2020.02 [proofpoint] [Proofpoint Q4 2019 Threat Report and Year in Review — The Year of the RAT Ends with More of the Same](https://www.proofpoint.com/us/threat-insight/post/proofpoint-q4-2019-threat-report-and-year-review-year-rat-ends-more-same)
- 2020.01 [sentinelone] [CISO Essentials | How Remote Access Trojans Affect the Enterprise](https://www.sentinelone.com/blog/ciso-essentials-how-remote-access-trojans-affect-the-enterprise/)
- 2020.01 [TheCyberWire] [RATs, backdoors, and a remote code execution zero-day. Hoods breach Mitsubishi Electric. Telnet...](https://www.youtube.com/watch?v=8jdAA2O7_EI)
- 2020.01 [freebuf] [针对在有效数字证书内植入远控木马病毒分析报告](https://www.freebuf.com/articles/paper/224147.html)
- 2020.01 [rambus] [Cable Haunt vulnerability can give hackers remote access to approximately 200 million cable modems](https://www.rambus.com/blogs/cable-haunt-vulnerability-can-give-hackers-remote-access-to-approximately-200-million-cable-modems/)
- 2020.01 [proofpoint] [Threat Insight 2019 in Review: Year of the RAT](https://www.proofpoint.com/us/threat-insight/post/threat-insight-2019-review-year-rat)
- 2019.12 [ptsecurity] [Turkish tricks with worms, RATs… and a freelancer](http://blog.ptsecurity.com/2019/12/turkish-tricks-with-worms-rats-and.html)
- 2019.12 [infosecinstitute] [Malware spotlight: What is a Remote Access Trojan (RAT)?](https://resources.infosecinstitute.com/malware-spotlight-what-is-a-remote-access-trojan-rat/)
- 2019.12 [UltraHacks] [Dark Shades Android RAT | Ultra Hacks](https://www.youtube.com/watch?v=toO_edSq_t0)
- 2019.11 [broadanalysis] [Fallout Exploit Kit delivers suspect Remote Access Trojan (RAT)](https://broadanalysis.com/2019/11/25/fallout-exploit-kit-delivers-suspect-remote-access-trojan-rat/)
- 2019.11 [carbonblack] [Threat Analysis Unit (TAU) Threat Intelligence Notification: AsyncRAT](https://www.carbonblack.com/2019/11/19/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat/)
- 2019.11 [proofpoint] [Proofpoint Q3 2019 Threat Report — Emotet’s return, RATs reign supreme, and more](https://www.proofpoint.com/us/threat-insight/post/proofpoint-q3-2019-threat-report-emotets-return-rats-reign-supreme-and-more)
- 2019.10 [tencent] [快Go矿工(KuaiGoMiner)控制数万电脑挖矿,释放远控木马窃取机密](https://s.tencent.com/research/report/824.html)
- 2019.10 [4hou] [快go矿工(KuaiGoMiner)控制数万电脑挖矿,释放远控木马窃取机密](https://www.4hou.com/system/20919.html)
- 2019.10 [proofpoint] [TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader](https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader)
- 2019.10 [tencent] [“月光(Moonlight)”蠕虫威胁高校网络,中毒电脑被远程控制](https://s.tencent.com/research/report/821.html)
- 2019.10 [4hou] [“月光(Moonlight)”蠕虫威胁高校网络,中毒电脑被远程控制](https://www.4hou.com/system/20853.html)
- 2019.10 [freebuf] [反间谍之旅:首款安卓远控木马工具分析](https://www.freebuf.com/articles/terminal/214201.html)
- 2019.09 [4hou] [病毒团伙利用phpStudy RCE漏洞批量抓鸡,下发四个远控木马](https://www.4hou.com/system/20637.html)
- 2019.09 [aliyun] [利用badusb对用户进行木马远控](https://xz.aliyun.com/t/6386)
- 2019.09 [sensecy] [ARABIC-SPEAKING THREAT ACTOR RECYCLES THE SOURCE CODE OF POPULAR RAT SPYNOTE AND SELLS IT IN THE DARK WEB, AS NEW](https://blog.sensecy.com/2019/09/15/arabic-speaking-threat-actor-recycles-the-source-code-of-popular-rat-spynote-and-sells-it-in-the-dark-web-as-new/)
- 2019.08 [securelist] [Fully equipped Spying Android RAT from Brazil: BRATA](https://securelist.com/spying-android-rat-from-brazil-brata/92775/)
- 2019.08 [talosintelligence] [RAT Ratatouille: Backdooring PCs with leaked RATs](https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html)
- 2019.08 [malware] [2019-08-26 - DATA DUMP: SOCGHOLISH CAMPAIGN PUSHES NETSUPPORT RAT](http://malware-traffic-analysis.net/2019/08/26/index.html)
- 2019.08 [fortinet] [Fake Indian Income Tax Calculator Delivers xRAT Variant](https://www.fortinet.com/blog/threat-research/fake-indian-income-tax-calculator-xrat-variant.html)
- 2019.07 [tencent] [商贸信家族新活跃:利用钓鱼邮件传播商业远控木马RevetRAT](https://s.tencent.com/research/report/767.html)
- 2019.07 [freebuf] [关于远控木马你应该了解的知识点](https://www.freebuf.com/articles/system/207643.html)
- 2019.07 [trendmicro] [Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/)
- 2019.07 [freebuf] [APT34核心组件Glimpse:远控复现与流量分析](https://www.freebuf.com/articles/database/207469.html)
- 2019.07 [d] [Red Team Diary, Entry #1: Making NSA’s PeddleCheap RAT Invisible](https://medium.com/p/f88ccbdc484d)
- 2019.07 [yoroi] [Spotting RATs: Tales from a Criminal Attack](https://blog.yoroi.company/research/spotting-rats-tales-from-a-criminal-attack/)
- 2019.07 [cybersecpolitics] [Book Review: Delusions of Intelligence, R.A. RATCLIFF](https://cybersecpolitics.blogspot.com/2019/07/book-review-delusions-of-intelligence.html)
- 2019.07 [4hou] [探寻木马进化趋势:APT32多版本远控木马Ratsnif的横向分析](https://www.4hou.com/reverse/18994.html)
- 2019.07 [4hou] [浅谈远控木马](https://www.4hou.com/info/observation/19022.html)
- 2019.07 [freebuf] [投递恶意lnk使用JwsclTerminalServer实现远程控制和信息获取](https://www.freebuf.com/articles/system/207109.html)
- 2019.07 [securityintelligence] [Taking Over the Overlay: What Triggers the AVLay Remote Access Trojan (RAT)?](https://securityintelligence.com/posts/taking-over-the-overlay-what-triggers-the-avlay-remote-access-trojan-rat/)
- 2019.07 [securityintelligence] [Taking Over the Overlay: Reverse Engineering a Brazilian Remote Access Trojan (RAT)](https://securityintelligence.com/posts/taking-over-the-overlay-reverse-engineering-a-brazilian-remote-access-trojan-rat/)
- 2019.07 [talosintelligence] [RATs and stealers rush through “Heaven’s Gate” with new loader](https://blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html)
- 2019.06 [4hou] [警惕H-worm蠕虫病毒伪装电影样片钓鱼,草率点击附件会中远控木马](https://www.4hou.com/web/18741.html)
- 2019.06 [nightst0rm] [Tôi đã chiếm quyền điều khiển của rất nhiều trang web như thế nào?](https://medium.com/p/61efdf4a03f5)
- 2019.06 [4hou] [TA505在最新攻击活动中使用HTML, RAT和其他技术](https://www.4hou.com/web/18563.html)
- 2019.06 [trendmicro] [Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns](https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/)
- 2019.05 [4hou] [提高恶意软件多任务处理能力的Babylon RAT](https://www.4hou.com/web/18114.html)
- 2019.05 [360] [记一次利用XLM宏投放远控工具的垃圾邮件活动](https://www.anquanke.com/post/id/178366/)
- 2019.05 [arxiv] [[1905.07273] Finding Rats in Cats: Detecting Stealthy Attacks using Group Anomaly Detection](https://arxiv.org/abs/1905.07273)
- 2019.05 [freebuf] [基于Python的BS远控Ares实战](https://www.freebuf.com/articles/system/202419.html)
- 2019.05 [4hou] [C&C远控工具:WebSocket C2](https://www.4hou.com/tools/17528.html)
- 2019.04 [paloaltonetworks] [BabyShark Malware Part Two – Attacks Continue Using KimJongRAT](https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
- 2019.04 [freebuf] [看我如何揪出远控背后的幕后黑手](https://www.freebuf.com/vuls/200895.html)
- 2019.04 [4hou] [C&C远控工具:Ares](https://www.4hou.com/tools/17527.html)
- 2019.04 [krebsonsecurity] [Who’s Behind the RevCode WebMonitor RAT?](https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/)
- 2019.04 [freebuf] [门罗币挖矿&远控木马样本分析](https://www.freebuf.com/articles/system/200875.html)
- 2019.04 [4hou] [门罗币挖矿+远控木马样本分析](https://www.4hou.com/system/17380.html)
- 2019.04 [4hou] [LimeRAT在野外传播](https://www.4hou.com/web/17312.html)
- 2019.04 [yoroi] [LimeRAT spreads in the wild](https://blog.yoroi.company/research/limerat-spreads-in-the-wild/)
- 2019.04 [alexander] [Week 6 Cyberattack Digest 2019 – ExileRAT trojan, Eskom Group, and others](https://www.peerlyst.com/posts/week-6-cyberattack-digest-2019-exilerat-trojan-eskom-group-and-others-alexander-polyakov)
- 2019.03 [360] [木马作者主动提交Tatoo远控后门程序](https://www.anquanke.com/post/id/175513/)
- 2019.03 [flashpoint] [FIN7 Revisited: Inside Astra Panel and SQLRat Malware](https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/)
- 2019.03 [tencent] [挖矿木马针对SQL服务器爆破攻击 中招可致服务器被远程控制](https://s.tencent.com/research/report/684.html)
- 2019.03 [paloaltonetworks] [Cardinal RAT Sins Again, Targets Israeli Fin-T](https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/)
- 2019.03 [aliyun] [分析如何使用JAVA-VBS来传播RAT](https://xz.aliyun.com/t/4287)
- 2019.03 [malware] [2019-03-06 - QUICK POST: KOREAN MALSPAM PUSHES FLAWED AMMYY RAT MALWARE](http://malware-traffic-analysis.net/2019/03/06/index.html)
- 2019.03 [4hou] [JAVA+VBS传播RAT](https://www.4hou.com/system/16495.html)
- 2019.03 [mcafee] [JAVA-VBS Joint Exercise Delivers RAT](https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/java-vbs-joint-exercise-delivers-rat/)
- 2019.02 [dodgethissecurity] [Reverse Engineering an Unknown RAT – Lets call it SkidRAT 1.0](https://www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/)
- 2019.02 [4hou] [ExileRAT与LuckyCat共享C2基础设施](http://www.4hou.com/web/16112.html)
- 2019.02 [freebuf] [小米M365电动滑板车面临黑客攻击和远程控制风险](https://www.freebuf.com/news/195635.html)
- 2019.02 [myonlinesecurity] [Fake Blockchain authentication update delivers Dark Comet RAT](https://myonlinesecurity.co.uk/fake-blockchain-authentication-update-delivers-dark-comet-rat/)
- 2019.02 [securityartwork] [Case study: “Imminent RATs” (III)](https://www.securityartwork.es/2019/02/08/case-study-imminent-rats-iii/)
- 2019.02 [securityartwork] [Case study: “Imminent RATs” (II)](https://www.securityartwork.es/2019/02/06/case-study-imminent-rats-ii/)
- 2019.02 [securityledger] [ExileRAT Malware Targets Tibetan Exile Government](https://securityledger.com/2019/02/exilerat-malware-targets-tibetan-exile-government/)
- 2019.02 [securityartwork] [Case study: “Imminent RATs” (I)](https://www.securityartwork.es/2019/02/04/case-study-imminent-rats-i/)
- 2019.02 [talosintelligence] [ExileRAT shares C2 with LuckyCat, targets Tibet](https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html)
- 2019.02 [0x00sec] [Programming language for Remote Access Toolkit](https://0x00sec.org/t/programming-language-for-remote-access-toolkit/11290/)
- 2019.01 [angelalonso] [Fudcrypt: the service to crypt Java RAT through VBS scripts and Houdini malware](https://blog.angelalonso.es/2019/01/fudcrypt-service-to-crypt-java-rat.html)
- 2019.01 [yoroi] [The Story of Manuel’s Java RAT](https://blog.yoroi.company/research/the-story-of-manuels-java-rat/)
- 2019.01 [0x00sec] [RATs question. Long break](https://0x00sec.org/t/rats-question-long-break/11084/)
- 2019.01 [aliyun] [使用AMP技术分析RAT威胁](https://xz.aliyun.com/t/3900)
- 2019.01 [360] [利用Marvell Avastar Wi-Fi中的漏洞远程控制设备:从零知识入门到RCE漏洞挖掘利用(下)](https://www.anquanke.com/post/id/170078/)
- 2019.01 [aliyun] [使用MS Word文档传播.Net RAT恶意软件](https://xz.aliyun.com/t/3873)
- 2019.01 [tencent] [腾讯电脑管家:“大灰狼”远控木马伪装成“会所会员资料”传播](https://s.tencent.com/research/report/640.html)
- 2019.01 [360] [利用Marvell Avastar Wi-Fi中的漏洞远程控制设备:从零知识入门到RCE漏洞挖掘利用(上)](https://www.anquanke.com/post/id/169892/)
- 2019.01 [4hou] [使用MS Word文档传播.Net RAT恶意软件](http://www.4hou.com/system/15835.html)
- 2019.01 [0x00sec] [VPS or a VPN for a RAT?](https://0x00sec.org/t/vps-or-a-vpn-for-a-rat/10973/)
- 2019.01 [talosintelligence] [What we learned by unpacking a recent wave of Imminent RAT infections using AMP](https://blog.talosintelligence.com/2019/01/what-we-learned-by-unpacking-recent.html)
- 2019.01 [fortinet] [.Net RAT Malware Being Spread by MS Word Documents](https://www.fortinet.com/blog/threat-research/-net-rat-malware-being-spread-by-ms-word-documents.html)
- 2019.01 [4hou] [TA505将新的ServHelper Backdoor和FlawedGrace RAT添加到其军火库中](http://www.4hou.com/web/15732.html)
- 2019.01 [tencent] [劫持浏览器、远程控制、视频刷量,这种破解激活工具有毒!](https://s.tencent.com/research/report/630.html)
- 2019.01 [4hou] [广告恶意软件伪装成游戏、远程控制APP感染900万Google play用户](http://www.4hou.com/web/15676.html)
- 2019.01 [UltraHacks] [Ozone RAT C++ | Hidden VNC [TUTORIAL VIDEO] | Ultra Hacks](https://www.youtube.com/watch?v=72ej6IJPOoY)
- 2019.01 [micropoor] [高级持续渗透-第八季demo便是远控](https://micropoor.blogspot.com/2019/01/demo.html)
- 2019.01 [tencent] [疑似Gorgon组织使用Azorult远控木马针对中国外贸行业的定向攻击活动](https://s.tencent.com/research/report/624.html)
- 2019.01 [4hou] [JungleSec勒索软件通过IPMI远程控制台感染受害者](http://www.4hou.com/typ/15461.html)
- 2019.01 [sans] [Remote Access Tools: The Hidden Threats Inside Your Network](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569959492.pdf)
- 2018.12 [freebuf] [tRat:一种出现在多起垃圾电子邮件活动中的新型模块化RAT](https://www.freebuf.com/articles/terminal/191004.html)
- 2018.12 [k7computing] [Scumbag Combo: Agent Tesla and XpertRAT](https://blog.k7computing.com/?p=15672)
- 2018.12 [360] [Flash 0day + Hacking Team远控:利用最新Flash 0day漏洞的攻击活动与关联分析](https://www.anquanke.com/post/id/167334/)
- 2018.12 [freebuf] [Flash 0day+Hacking Team远控:利用最新Flash 0day漏洞的攻击活动与关联分析](https://www.freebuf.com/articles/system/191382.html)
- 2018.11 [4hou] [tRat:新模块化RAT](http://www.4hou.com/system/14606.html)
- 2018.11 [proofpoint] [tRat: 多个垃圾邮件行动中传播的新型模块化远控](https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns)
- 2018.11 [checkpoint] [October 2018’s Most Wanted Malware: For The First Time, Remote Access Trojan Reaches Top 10 Threats | Check Point Software Blog](https://blog.checkpoint.com/2018/11/13/october-2018s-most-wanted-malware-for-the-first-time-remote-access-trojan-reaches-top-threats-cryptomining/)
- 2018.11 [checkpoint] [October 2018’s Most Wanted Malware: For The First Time, Remote Access Trojan Reaches Global Threat Index’s Top 10](https://www.checkpoint.com/press/2018/october-2018s-most-wanted-malware-for-the-first-time-remote-access-trojan-reaches-global-threat-indexs-top-10/)
- 2018.10 [DEFCONConference] [DEF CON 26 CAR HACKING VILLAGE - Dan Regalado - Meet Salinas, 1st SMS commanded Car Infotainment RAT](https://www.youtube.com/watch?v=j3dfgTKa7pQ)
- 2018.10 [cybrary] [“I smell a rat!” – AhMyth, not a Myth](https://www.cybrary.it/2018/10/ahmyth-not-myth/)
- 2018.10 [4hou] [如何在工业领域中使用RAT进行攻击](http://www.4hou.com/web/13875.html)
- 2018.10 [360] [远控木马盗用网易官方签名](https://www.anquanke.com/post/id/162056/)
- 2018.10 [ncsc] [RATs, Mimikatz and other domestic pests](https://www.ncsc.gov.uk/blog-post/rats-mimikatz-and-other-domestic-pests)
- 2018.10 [infosecinstitute] [Interview with RaT, the High Council President of SOLDIERX](https://resources.infosecinstitute.com/interview-with-rat-the-high-council-president-of-soldierx/)
- 2018.10 [vulnerability0lab] [Facebook Inc via Instagram Business - Remote Access Token Vulnerability (Original Facebook Video)](https://www.youtube.com/watch?v=4Obsd1Qw7uU)
- 2018.10 [securityledger] [Episode 114: Complexity at Root of Facebook Breach and LoJax is a RAT You Can’t Kill](https://securityledger.com/2018/10/episode-114-complexity-at-root-of-facebook-breach-and-lojax-is-a-rat-you-cant-kill/)
- 2018.10 [sophos] [IP EXPO Europe 2018: Sophos experts talk AI, privacy vs security, and RATs](https://news.sophos.com/en-us/2018/10/02/ip-expo-europe-2018-sophos-experts-talk-ai-privacy-vs-security-and-rats/)
- 2018.09 [kaspersky] [Threats posed by using RATs in ICS](https://ics-cert.kaspersky.com/reports/2018/09/20/threats-posed-by-using-rats-in-ics/)
- 2018.09 [kaspersky] [Industrial networks in need of RAT control](https://www.kaspersky.com/blog/rats-in-ics/23949/)
- 2018.09 [securelist] [Threats posed by using RATs in ICS](https://securelist.com/threats-posed-by-using-rats-in-ics/88011/)
- 2018.08 [traffic] [[2018-08-22] Unknown->RigEK->AZORult->BabylonRAT](https://traffic.moe/2018/08/22/index.html)
- 2018.08 [freebuf] [Hero RAT:一种基于Telegram的Android恶意软件](http://www.freebuf.com/articles/terminal/179842.html)
- 2018.08 [4hou] [垃圾邮件活动滥用SettingContent-ms传播FlawedAmmyy RAT](http://www.4hou.com/web/12902.html)
- 2018.08 [aliyun] [基于Telegram的安卓恶意软件HeroRAT分析](https://xz.aliyun.com/t/2525)
- 2018.08 [alienvault] [Off-the-shelf RATs Targeting Pakistan](https://www.alienvault.com/blogs/labs-research/off-the-shelf-rats-targeting-pakistan)
- 2018.07 [k7computing] [Weaponized.IQY: A Quest to Deliver the FlawedAmmyy RAT](https://blog.k7computing.com/?p=6877)
- 2018.07 [trendmicro] [Spam Campaign Abusing SettingContent-ms Found Dropping Same FlawedAmmy RAT Distributed by Necurs](https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abusing-settingcontent-ms-found-dropping-same-flawedammy-rat-distributed-by-necurs/)
- 2018.07 [k7computing] [Weaponized.IQY: A Quest to Deliver the FlawedAmmyy RAT](http://blog.k7computing.com/2018/07/weaponized-iqy-a-quest-to-deliver-the-flawedammyy-rat/)
- 2018.07 [4hou] [高度复杂的寄生虫RAT已出现在暗网](http://www.4hou.com/web/12820.html)
- 2018.07 [proofpoint] [Parasite HTTP RAT cooks up a stew of stealthy tricks](https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks)
- 2018.07 [aliyun] [Vermin RAThole深度分析](https://xz.aliyun.com/t/2462)
- 2018.07 [proofpoint] [TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT](https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat)
- 2018.07 [welivesecurity] [Vermin one of three RATs used to spy on Ukrainian government institutions](https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/)
- 2018.07 [freebuf] [HeroRAT:一款全新的基于Telegram的安卓远程访问木马](http://www.freebuf.com/articles/terminal/175450.html)
- 2018.06 [heimdalsecurity] [Security Alert: New Spam Campaign Delivers Flawed Ammyy RAT to Infect Victims’ Computers](https://heimdalsecurity.com/blog/security-alert-flawed-ammyy-rat/)
- 2018.06 [welivesecurity] [HeroRAT: 基于Telegram的Android远控, 使用Xamarin框架编写](https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/)
- 2018.06 [4hou] [美国政府最新技术警报:警惕朝鲜黑客组织Hidden Cobra正在使用的两款RAT和蠕虫病毒](http://www.4hou.com/info/news/11930.html)
- 2018.06 [4hou] [NavRAT利用美朝元首脑会晤作为对韩国袭击的诱饵](http://www.4hou.com/web/11941.html)
- 2018.06 [360] [NavRAT借美朝会晤话题攻击韩国](https://www.anquanke.com/post/id/146816/)
- 2018.05 [talosintelligence] [NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea](https://blog.talosintelligence.com/2018/05/navrat.html)
- 2018.05 [myonlinesecurity] [Necurs delivering Flawed Ammy RAT via IQY Excel Web Query files](https://myonlinesecurity.co.uk/necurs-delivering-flawed-ammy-rat-via-iqy-excel-web-query-files/)
- 2018.05 [freebuf] [被黑的Drupal网站被用来挖矿,传播远控,发送诈骗邮件](http://www.freebuf.com/articles/web/172563.html)
- 2018.05 [andreafortuna] [Malware VM detection techniques evolving: an analysis of GravityRAT](https://www.andreafortuna.org/malware-analysis/malware-vm-detection-techniques-evolving-an-analysis-of-gravityrat/)
- 2018.05 [360] [GravityRAT:以印度为APT目标两年内的演变史](https://www.anquanke.com/post/id/106933/)
- 2018.05 [pcsxcetrasupport3] [A closer look at “NetSupport”(Rat) top 2 layers](https://pcsxcetrasupport3.wordpress.com/2018/05/04/a-closer-look-at-netsupportrat-top-2-layers/)
- 2018.05 [freebuf] [神话传奇:一款通过卖号在微信群传播的远控木马](http://www.freebuf.com/articles/system/170196.html)
- 2018.04 [virusbulletin] [GravityRAT malware takes your system's temperature](https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/)
- 2018.04 [360] [神话传奇——通过卖号微信群传播的远控木马](https://www.anquanke.com/post/id/106767/)
- 2018.04 [talosintelligence] [GravityRAT - The Two-Year Evolution Of An APT Targeting India](https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html)
- 2018.04 [UltraHacks] [WebMonitor RAT - NO PORTFORWARD NEEDED + FREE VPN *NEW*](https://www.youtube.com/watch?v=Yg-5ZUKbd3c)
- 2018.04 [4hou] [吃鸡辅助远控木马分析](http://www.4hou.com/system/11194.html)
- 2018.04 [freebuf] [吃鸡辅助远控木马分析](http://www.freebuf.com/articles/paper/169504.html)
- 2018.04 [360] [吃鸡辅助远控木马分析](https://www.anquanke.com/post/id/105670/)
- 2018.04 [4hou] [利用Digital Ocean构建远控基础设施](http://www.4hou.com/technology/11107.html)
- 2018.04 [flashpoint] [RAT Gone Rogue: Meet ARS VBS Loader](https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/)
- 2018.04 [lookout] [mAPT ViperRAT Found in Google Play](https://blog.lookout.com/viperrat-google-play)
- 2018.04 [bitdefender] [RadRAT: An all-in-one toolkit for complex espionage ops](https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/)
- 2018.04 [paloaltonetworks] [Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Servic](https://unit42.paloaltonetworks.com/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/)
- 2018.04 [freebuf] [DELPHI黑客编程(三):简单远控原理实现](http://www.freebuf.com/articles/system/166876.html)
- 2018.04 [fireeye] [Fake Software Update Abuses NetSupport Remote Access Tool](http://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html)
- 2018.04 [freebuf] [PowerShell-RAT:一款基于Python的后门程序](http://www.freebuf.com/sectool/165789.html)
- 2018.03 [UltraHacks] [Spynote v5.8 Android RAT | Tutorial | www.ultrahacks.org | Ultra Hacks](https://www.youtube.com/watch?v=SIqed5aL6F0)
- 2018.03 [360] [TeleRAT:再次发现利用Telegram来定位伊朗用户的Android恶意软件](https://www.anquanke.com/post/id/102398/)
- 2018.03 [paloaltonetworks] [TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API to Target Iran](https://unit42.paloaltonetworks.com/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/)
- 2018.03 [4hou] [三星SmartCam相机被曝存在十多个安全漏洞,可被远程控制、修改视频画面](http://www.4hou.com/info/news/10696.html)
- 2018.03 [360] [针对OS X上Coldroot RAT跨平台后门的详细分析](https://www.anquanke.com/post/id/100727/)
- 2018.03 [freebuf] [前端黑魔法之远程控制地址栏](http://www.freebuf.com/articles/web/164711.html)
- 2018.03 [broadanalysis] [EiTest campaign Hoefler Text Pop-up delivers NetSupport Manager RAT](http://www.broadanalysis.com/2018/03/11/eitest-campaign-hoefler-text-pop-up-delivers-netsupport-manager-rat-5/)
- 2018.03 [leavesongs] [前端黑魔法之远程控制地址栏](https://www.leavesongs.com/PENETRATION/use-target-to-spoof-fishing.html)
- 2018.03 [broadanalysis] [Fake Flash update leads to NetSupport RAT](http://www.broadanalysis.com/2018/03/08/fake-flash-update-leads-to-netsupport-rat-2/)
- 2018.03 [broadanalysis] [EiTest campaign Hoefler Text Pop-up delivers NetSupport Manager RAT](http://www.broadanalysis.com/2018/03/08/eitest-campaign-hoefler-text-pop-up-delivers-netsupport-manager-rat-4/)
- 2018.03 [4hou] [高清无码!比鬼片还刺激!且听“诡娃”远控的这首惊魂曲](http://www.4hou.com/technology/10558.html)
- 2018.03 [freebuf] [高清无码!比鬼片还刺激!且听“诡娃”远控的这首惊魂曲](http://www.freebuf.com/articles/system/163988.html)
- 2018.03 [360] [胆小者慎入!比鬼片还刺激!且听“诡娃”远控的这首惊魂曲](https://www.anquanke.com/post/id/99667/)
- 2018.02 [broadanalysis] [Fake Flash update leads to NetSupport RAT](http://www.broadanalysis.com/2018/02/27/fake-flash-update-leads-to-netsupport-rat/)
- 2018.02 [broadanalysis] [EiTest campaign Hoefler Text Pop-up delivers NetSupport Manager RAT](http://www.broadanalysis.com/2018/02/24/eitest-campaign-hoefler-text-pop-up-delivers-netsupport-manager-rat-3/)
- 2018.02 [myonlinesecurity] [Fake DHL notification delivers some sort of Java RAT](https://myonlinesecurity.co.uk/fake-dhl-notification-delivers-some-sort-of-java-rat/)
- 2018.02 [4hou] [新的AndroRAT变种正在利用过期的Root漏洞伺机发起攻击](http://www.4hou.com/info/news/10413.html)
- 2018.02 [objective] [Tearing Apart the Undetected (OSX)Coldroot RAT](https://objective-see.com/blog/blog_0x2A.html)
- 2018.02 [trendmicro] [New AndroRAT Exploits Dated Privilege Escalation Vulnerability, Allows Permanent Rooting](https://blog.trendmicro.com/trendlabs-security-intelligence/new-androrat-exploits-dated-permanent-rooting-vulnerability-allows-privilege-escalation/)
- 2018.02 [360] [远控木马巧设“白加黑”陷阱:瞄准网店批发商牟取钱财](https://www.anquanke.com/post/id/97329/)
- 2018.01 [broadanalysis] [EiTest campaign Hoefler Text Pop-up delivers NetSupport Manager RAT](http://www.broadanalysis.com/2018/01/25/eitest-campaign-hoefler-text-pop-up-delivers-netsupport-manager-rat-2/)
- 2018.01 [4hou] [暴雪游戏存在严重远程控制漏洞,数亿用户受影响](http://www.4hou.com/info/news/10096.html)
- 2018.01 [riskiq] [Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors](https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/)
- 2018.01 [freebuf] [NDAY漏洞CVE-2017-11882与0Day漏洞CVE-2018-0802漏洞组合传播远控木马的样本分析](http://www.freebuf.com/vuls/160252.html)
- 2018.01 [broadanalysis] [EiTest campaign Hoefler Text Pop-up delivers NetSupport Manager RAT](http://www.broadanalysis.com/2018/01/18/eitest-campaign-hoefler-text-pop-up-delivers-netsupport-manager-rat/)
- 2018.01 [netskope] [Git Your RATs Here!](https://www.netskope.com/blog/git-your-rats-here/)
- 2018.01 [redcanary] [We Smell a RAT: Detecting a Remote Access Trojan That Snuck Past a User](https://redcanary.com/blog/detecting-remote-access-trojan/)
- 2018.01 [rsa] [Malspam delivers BITTER RAT 01-07-2018](https://community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018)
- 2018.01 [freebuf] [移动端C#病毒“东山再起”,利用知名应用通信实现远控隐私窃取](http://www.freebuf.com/articles/terminal/158503.html)
- 2017.12 [tencent] [通过CHM文件传播的Torchwood远控木马分析](https://s.tencent.com/research/report/161.html)
- 2017.12 [avlsec] [移动端C#病毒“东山再起”,利用知名应用通信实现远控隐私窃取](http://blog.avlsec.com/2017/12/5020/tba/)
- 2017.12 [broadanalysis] [Fake Flash Player update delivers Net Support RAT](http://www.broadanalysis.com/2017/12/20/fake-flash-player-update-delivers-net-support-rat/)
- 2017.12 [netskope] [TelegramRAT evades traditional defenses via the cloud](https://www.netskope.com/blog/telegramrat-evades-traditional-defenses-via-cloud/)
- 2017.12 [4hou] [Palo Alto Networks最新发现:UBoatRAT远程木马访问程序入侵东亚](http://www.4hou.com/info/news/9209.html)
- 2017.12 [TechnoHacker] [RATs in a Nutshell](https://www.youtube.com/watch?v=JTfqMEfokNg)
- 2017.11 [paloaltonetworks] [UBoatRAT Navigates](https://unit42.paloaltonetworks.com/unit42-uboatrat-navigates-east-asia/)
- 2017.11 [buguroo] [New banking malware in Brazil - XPCTRA RAT ANALYSIS](https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis)
- 2017.11 [traffic] [[2017-11-18] KaiXinEK->RAT](https://traffic.moe/2017/11/18/index.html)
- 2017.11 [freebuf] [通过CHM文件传播的Torchwood远控木马分析](http://www.freebuf.com/articles/system/153850.html)
- 2017.11 [qq] [通过CHM文件传播的Torchwood远控木马分析](https://tav.qq.com/index/newsDetail/315.html)
- 2017.11 [TechnicalMujeeb] [A-RAt exploit Tool Remote Access Android using Termux App.](https://www.youtube.com/watch?v=bzYsfe6WT7M)
- 2017.11 [securityintelligence] [使用 AutoIt 脚本绕过 AV 检测的远控分析](https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/)
- 2017.11 [360] [Powershell Empire 绕过AV实现远控](https://www.anquanke.com/post/id/87132/)
- 2017.10 [riskiq] [New htpRAT Gives Complete Remote Control Capabilities to Chinese Threat Actors](https://www.riskiq.com/blog/labs/htprat/)
- 2017.10 [lookout] [JadeRAT mobile surveillanceware spikes in espionage activity](https://blog.lookout.com/mobile-threat-jaderat)
- 2017.10 [buguroo] [RAT Protection for Banking Customers That Works](https://www.buguroo.com/en/blog/rat-protection-for-banking-customers-that-works)
- 2017.10 [cylance] [Cylance vs. Hacker’s Door Remote Access Trojan](https://www.cylance.com/en_us/blog/cylance-vs-hackers-door-remote-access-trojan.html)
- 2017.10 [malwarebytes] [一个“正常的”Word 文档启动时自动下载恶意的 RTF 文件(利用 CVE-2017-8759),再由此 RTF 文件下载执行最终的 Payload](https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/)
- 2017.10 [rsa] [Malspam Delivers HWorm RAT October, 2017](https://community.rsa.com/community/products/netwitness/blog/2017/10/09/malspam-delivers-hworm-rat-october2017)
- 2017.09 [freebuf] [【评论更新“木马”作者回复】“大黄蜂”远控挖矿木马分析与溯源](http://www.freebuf.com/articles/network/147301.html)
- 2017.09 [intezer] [Agent.BTZ/ComRAT 变种分析](https://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/)
- 2017.09 [360] [分析利用“永恒之蓝”漏洞传播的RAT](https://www.anquanke.com/post/id/86822/)
- 2017.09 [UltraHacks] [SilentBytes RAT 1.6.3c | Multi Administration Tool!](https://www.youtube.com/watch?v=OCz1b2Xyr8c)
- 2017.09 [freebuf] [螳螂捕蝉黄雀在后,免费散播Cobian远控工具背后的秘密](http://www.freebuf.com/news/146974.html)
- 2017.09 [360] [如何远程控制别人的无线鼠标:深度揭露鼠标劫持内幕](https://www.anquanke.com/post/id/86784/)
- 2017.09 [4hou] [“钓鱼”插件实战:看我如何让粗心开发者的编辑器自动变身远控](http://www.4hou.com/technology/7329.html)
- 2017.09 [fortinet] [针对越南组织的 APT 攻击中使用的Rehashed 远控分析](https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html)
- 2017.09 [TechnoHacker] [Arcom RAT: Is It Worth $3000?](https://www.youtube.com/watch?v=u39nMqPoiz0)
- 2017.08 [lookout] [安卓远控 xRAT](https://blog.lookout.com/xrat-mobile-threat)
- 2017.08 [paloaltonetworks] [Updated KHRAT Malware Used in Cambodi](https://unit42.paloaltonetworks.com/unit42-updated-khrat-malware-used-in-cambodia-attacks/)
- 2017.08 [JackkTutorials] [How to make a HTTP RAT (#3)](https://www.youtube.com/watch?v=qPrF5Hh5hwo)
- 2017.08 [freebuf] [远控木马上演白利用偷天神技:揭秘假破解工具背后的盗刷暗流](http://www.freebuf.com/articles/terminal/144590.html)
- 2017.08 [4hou] [远控木马上演白利用偷天神技:揭秘假破解工具背后的盗刷暗流](http://www.4hou.com/technology/7302.html)
- 2017.08 [fortinet] [A Quick Look at a New KONNI RAT Variant](https://www.fortinet.com/blog/threat-research/a-quick-look-at-a-new-konni-rat-variant.html)
- 2017.08 [freebuf] [如何把Photoshop改造成远程控制工具(RAT)来利用](http://www.freebuf.com/news/142783.html)
- 2017.08 [n0where] [Koadic C3 COM Command & Control – JScript RAT](https://n0where.net/com-command-control-koadic)
- 2017.08 [cylance] [Threat Spotlight: KONNI – A Stealthy Remote Access Trojan](https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-access-trojan.html)
- 2017.08 [cylance] [Cylance vs. KONNI RAT](https://www.cylance.com/en_us/blog/cylance-vs-konni-rat.html)
- 2017.08 [intezer] [New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2](https://www.intezer.com/new-variants-of-agent-btz-comrat-found/)
- 2017.08 [rsa] [Malspam delivers Xtreme RAT 8-1-2017](https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017)
- 2017.07 [CodeColorist] [How to turn Photoshop into a remote access tool](https://medium.com/p/805485a9480)
- 2017.07 [pentestmag] [Stitch – a Python written cross platform RAT](https://pentestmag.com/stitch-python-written-cross-platform-rat/)
- 2017.07 [freebuf] [【BlackHat 2017】小米9号平衡车国际版存在严重安全漏洞可被攻击者远程控制](http://www.freebuf.com/news/141341.html)
- 2017.07 [pentestingexperts] [Hacking Android Smart Phone Using AhMyth Android RAT](http://www.pentestingexperts.com/hacking-android-smart-phone-using-ahmyth-android-rat/)
- 2017.07 [JackkTutorials] [How to make a HTTP RAT (#2)](https://www.youtube.com/watch?v=BqwcSsMdJEI)
- 2017.07 [ringzerolabs] [Bladabindi RAT](https://www.ringzerolabs.com/2017/07/bladabindi-rat.html)
- 2017.07 [krebsonsecurity] [Who is the GovRAT Author and Mirai Botmaster ‘Bestbuy’?](https://krebsonsecurity.com/2017/07/who-is-the-govrat-author-and-mirai-botmaster-bestbuy/)
- 2017.07 [JackkTutorials] [How to make a HTTP RAT (#1)](https://www.youtube.com/watch?v=whwGVk33NXA)
- 2017.06 [freebuf] [白利用的集大成者:新型远控木马上演移形换影大法](http://www.freebuf.com/articles/system/138164.html)
- 2017.06 [pediy] [[原创]一个远控木马的行为分析](https://bbs.pediy.com/thread-218739.htm)
- 2017.06 [ColinHardy] [JavaScript that drops a RAT - Reverse Engineer it like a pro](https://www.youtube.com/watch?v=qzGLCqW_wrM)
- 2017.06 [4hou] [白利用的集大成者:新型远控木马上演移形换影大法](http://www.4hou.com/info/news/5742.html)
- 2017.06 [360] [白利用的集大成者:新型远控木马上演移形换影大法](https://www.anquanke.com/post/id/86311/)
- 2017.06 [freebuf] [Metasploit实验:制作免杀payload+对任意“外网”主机的远控](http://www.freebuf.com/sectool/136736.html)
- 2017.06 [cylance] [Cylance vs. FF-Rat Malware](https://www.cylance.com/en_us/blog/cylance-vs-ff-rat-malware.html)
- 2017.06 [cylance] [Threat Spotlight: Breaking Down FF-Rat Malware](https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html)
- 2017.06 [alienvault] [Mac 平台首个 MaaS(恶意软件即服务)恶意软件 MacSpy 分析](https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service)
- 2017.05 [TechnoHacker] [How to check if you're infected with a RAT in 10 seconds](https://www.youtube.com/watch?v=ZWcTAiyZrEI)
- 2017.05 [freebuf] [远控木马中的VIP:盗刷网购账户购买虚拟礼品卡](http://www.freebuf.com/articles/system/135081.html)
- 2017.05 [pediy] [[原创]从0分析一款经典的感染型远控木马](https://bbs.pediy.com/thread-217755.htm)
- 2017.05 [4hou] [远控木马中的VIP:盗刷网购账户购买虚拟礼品卡](http://www.4hou.com/info/observation/4847.html)
- 2017.05 [sec] [远控木马中的VIP:盗刷网购账户购买虚拟礼品卡](https://www.sec-un.org/%e8%bf%9c%e6%8e%a7%e6%9c%a8%e9%a9%ac%e4%b8%ad%e7%9a%84vip%ef%bc%9a%e7%9b%97%e5%88%b7%e7%bd%91%e8%b4%ad%e8%b4%a6%e6%88%b7%e8%b4%ad%e4%b9%b0%e8%99%9a%e6%8b%9f%e7%a4%bc%e5%93%81%e5%8d%a1/)
- 2017.05 [360] [远控木马中的VIP:盗刷网购账户购买虚拟礼品卡](https://www.anquanke.com/post/id/86128/)
- 2017.05 [aliyun] [FlexiSpy For Android远程控制后门](https://xz.aliyun.com/t/167)
- 2017.05 [UltraHacks] [Imminent Monitor RAT setup & New update review 2017](https://www.youtube.com/watch?v=Mwp-VbaYM0w)
- 2017.05 [TechnoHacker] [How to spread your RAT](https://www.youtube.com/watch?v=bI3AngFahb4)
- 2017.05 [esecurityplanet] [Shodan Partners with Recorded Future to Detect Botnets and RATs](https://www.esecurityplanet.com/hackers/shodan-partners-with-recorded-future-to-detect-botnets-and-rats.html)
- 2017.04 [alienvault] [The Felismus RAT: Powerful Threat, Mysterious Purpose](https://www.alienvault.com/blogs/security-essentials/the-felismus-rat-powerful-threat-mysterious-purpose)
- 2017.04 [4hou] [二十余款Linksys路由器曝出安全漏洞,或可被远程控制](http://www.4hou.com/info/news/4449.html)
- 2017.04 [freebuf] [当心,安卓远控(spynote)升级了……](http://www.freebuf.com/sectool/132023.html)
- 2017.04 [paloaltonetworks] [Cardinal RAT Active for Over](https://unit42.paloaltonetworks.com/unit42-cardinal-rat-active-two-years/)
- 2017.04 [jpcert] [RedLeaves - Malware Based on Open Source RAT](https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html)
- 2017.03 [TechnoHacker] [What's the difference between http botnets and RATs?](https://www.youtube.com/watch?v=G1J1xsZAASg)
- 2017.03 [paloaltonetworks] [Trochilus and New MoonWind RATs Used In Attack Against Thai Orga](https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/)
- 2017.03 [fireeye] [WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell](https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html)
- 2017.03 [4hou] [CIA事件余波:300多种思科交换机深受其毒,一个0day即可远程控制](http://www.4hou.com/info/news/3930.html)
- 2017.03 [secist] [基于Python的远程管理工具(RAT) – Stitch](http://www.secist.com/archives/2965.html)
- 2017.03 [trendmicro] [MajikPOS简介:PoS恶意软件和RAT的结合体。](https://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/)
- 2017.03 [4hou] [Proton RAT利用0day漏洞升级新变种,最低1200美元可出售](http://www.4hou.com/info/news/3846.html)
- 2017.02 [UltraHacks] [SilentBytes RAT [beta] Windows 10 || PROMOTION ||](https://www.youtube.com/watch?v=JOvtLWFPaeY)
- 2017.02 [UltraHacks] [SilentBytes RAT Linux Ubuntu || PROMOTION ||](https://www.youtube.com/watch?v=X0slzydICEg)
- 2017.02 [UltraHacks] [SilentBytes RAT 1.1 [BETA] Mac OS X || PROMOTION ||](https://www.youtube.com/watch?v=GVdDkNrD0hU)
- 2017.02 [lookout] [ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar](https://blog.lookout.com/viperrat-mobile-apt)
- 2017.02 [talosintelligence] [Go RAT, Go! AthenaGo points “TorWords” Portugal](https://blog.talosintelligence.com/2017/02/athena-go.html)
- 2017.02 [netskope] [Decoys, RATs, and the Cloud: The growing trend](https://www.netskope.com/blog/decoys-rats-cloud-the-growing-trend/)
- 2017.01 [malwarebytes] [Mobile Menace Monday: AndroRAT Evolved](https://blog.malwarebytes.com/cybercrime/2017/01/mobile-menace-monday-androrat-evolved/)
- 2017.01 [malwarebytes] [From a fake wallet to a Java RAT](https://blog.malwarebytes.com/cybercrime/2017/01/from-a-fake-wallet-to-a-java-rat/)
- 2016.12 [TechnoHacker] [How to remotely execute a RAT on someone's PC](https://www.youtube.com/watch?v=5X9su6U8wyo)
- 2016.12 [cyber] [The Kings In Your Castle Part 4 – Packers, Crypters and a Pack of RATs](https://cyber.wtf/2016/12/05/the-kings-in-your-castle-part-4-packers-crypters-and-a-pack-of-rats/)
- 2016.11 [] [Linux远控分析](http://blogs.360.cn/360safe/2016/11/18/linuxremotecontrol/)
- 2016.11 [] [Linux远控分析](http://blogs.360.cn/blog/linuxremotecontrol/)
- 2016.11 [f] [A RAT For The US Presidential Elections](https://labsblog.f-secure.com/2016/11/10/a-rat-for-the-us-presidential-elections/)
- 2016.11 [fidelissecurity] [Down the H-W0rm Hole with Houdini's RAT](https://www.fidelissecurity.com/threatgeek/2016/11/down-h-w0rm-hole-houdinis-rat)
- 2016.11 [4hou] [托管在Pastebin上的RAT木马会导致系统蓝屏](http://www.4hou.com/info/news/1250.html)
- 2016.10 [malwarebytes] [Get your RAT on Pastebin](https://blog.malwarebytes.com/cybercrime/2016/10/get-your-rat-on-pastebin/)
- 2016.10 [8090] [华为P9手机指纹锁遭破解,远程控制插座发微博,智能产品的安全问题堪忧](http://www.8090-sec.com/archives/4475)
- 2016.10 [sentinelone] [GovRAT is Not New](https://www.sentinelone.com/blog/govrat-remote-administration-tool-targets-us-government-employees/)
- 2016.10 [UltraHacks] [[$25] Imment Monitor RAT setup](https://www.youtube.com/watch?v=TCDxayI8e2U)
- 2016.09 [securelist] [TeamXRat: Brazilian cybercrime meets ransomware](https://securelist.com/teamxrat-brazilian-cybercrime-meets-ransomware/76153/)
- 2016.09 [freebuf] [远控盗号木马伪装成850Game作恶](http://www.freebuf.com/articles/system/115194.html)
- 2016.09 [jimwilbur] [DroidJack – A Quick Look at an Android RAT](https://www.wilbursecurity.com/2016/09/droidjack/)
- 2016.09 [360] [远控盗号木马伪装成850Game作恶](https://www.anquanke.com/post/id/84619/)
- 2016.09 [countercept] [Do you smell a rat?](https://countercept.com/blog/do-you-smell-a-rat/)
- 2016.09 [countercept] [Do you smell a rat?](https://countercept.com/our-thinking/do-you-smell-a-rat/)
- 2016.09 [freebuf] [You dirty RAT:地下网络犯罪世界的“黑吃黑”](http://www.freebuf.com/articles/system/113906.html)
- 2016.08 [fortinet] [German Speakers Targeted by SPAM Leading to Ozone RAT](https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html)
- 2016.08 [freebuf] [微信曝远程任意代码执行漏洞,可被远程控制](http://www.freebuf.com/news/112613.html)
- 2016.08 [trustlook] [Trustlook Discovers a Remote Administration Tool (RAT) Android Malware](https://blog.trustlook.com/2016/08/22/trustlook-discovers-a-remote-administration-tool-rat-android-malware/)
- 2016.08 [id] [XRat, Team, Corporacao](http://id-ransomware.blogspot.com/2016/08/team-xrat-ransomware.html)
- 2016.08 [f] [NanHaiShu: RATing the South China Sea](https://labsblog.f-secure.com/2016/08/04/nanhaishu-rating-the-south-china-sea/)
- 2016.07 [malwarenailed] [Luminosity RAT - Re-purposed](http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html)
- 2016.07 [360] [披合法外衣的远控木马——Game564深入分析](https://www.anquanke.com/post/id/84267/)
- 2016.07 [fidelissecurity] [Chasing Down RATs with Barncat](https://www.fidelissecurity.com/threatgeek/2016/07/chasing-down-rats-barncat)
- 2016.07 [n0where] [Python Remote Access Tool: Ares](https://n0where.net/python-remote-access-tool-ares)
- 2016.07 [360] [H-WORM:简单而活跃的远控木马](https://www.anquanke.com/post/id/84132/)
- 2016.06 [duo] [Protecting Remote Access to Your Computer: RDP Attacks and Server Credentials for Sale](https://duo.com/blog/protecting-remote-access-to-your-computer-rdp-attacks-and-server-credentials-for-sale)
- 2016.06 [cybereason] [Permission to Execute: The Incident of the Signed and Verified RAT](https://www.cybereason.com/blog/permission-to-execute-the-incident-of-the-signed-and-verified-rat)
- 2016.06 [8090] [一款用于定向攻击的JavaScript远控木马分析](http://www.8090-sec.com/archives/2682)
- 2016.06 [hackingarticles] [HTTP RAT Tutorial for Beginners](http://www.hackingarticles.in/http-rat-tutorial-beginners/)
- 2016.06 [avlsec] [假借知名应用植入恶意模块,披着羊皮的“狼”来了!WarThunder远程控制木马预警](http://blog.avlsec.com/2016/06/3298/warthundermalicewolf/)
- 2016.06 [cysinfo] [Hunting APT RAT 9002 In Memory Using Volatility Plugin](https://cysinfo.com/hunting-apt-rat-9002-in-memory-using-volatility-plugin/)
- 2016.06 [f] [Qarallax RAT: Spying On US Visa Applicants](https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/)
- 2016.06 [qq] [远控木马利用Windows系统文件漏洞展开攻击](https://tav.qq.com/index/newsDetail/246.html)
- 2016.06 [samvartaka] [Dead RATs: Exploiting malware C2 servers](http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware)
- 2016.05 [freebuf] [深度:远控木马Posion Ivy开始肆虐缅甸和其它亚洲国家](http://www.freebuf.com/articles/paper/104819.html)
- 2016.05 [trendmicro] [Lost Door RAT: Accessible, Customizable Attack Tool](https://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/)
- 2016.04 [pentestpartners] [RATing through the Steam Workshop](https://www.pentestpartners.com/security-blog/rating-through-the-steam-workshop/)
- 2016.04 [freebuf] [DameWare迷你远程遥控漏洞(CVE-2016-2345):让你玩转远程控制器](http://www.freebuf.com/articles/terminal/102204.html)
- 2016.04 [paloaltonetworks] [New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy](https://unit42.paloaltonetworks.com/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/)
- 2016.04 [sentinelone] [Teaching an old RAT new tricks](https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/)
- 2016.04 [itsjack] [RAT Threat Intelligence – A Very Simple Manual Technique](https://itsjack.cc/blog/2016/04/rat-threat-intelligence-a-very-simple-manual-technique/)
- 2016.03 [TechnoHacker] [How to port forward for any program and how to setup a DNS for RATs](https://www.youtube.com/watch?v=4KMmuq0UuLQ)
- 2016.03 [malwarebytes] [Latest Steam Malware Shows Signs of RAT Activity](https://blog.malwarebytes.com/cybercrime/2016/03/latest-steam-malware-shows-sign-of-rat-activity/)
- 2016.03 [freebuf] [如何远程控制别人的无线鼠标:深度揭露mouseJack内幕](http://www.freebuf.com/vuls/100501.html)
- 2016.03 [malwarebytes] [This Steam Scam is a Rat Race](https://blog.malwarebytes.com/cybercrime/2016/03/this-steam-scam-is-a-rat-race/)
- 2016.03 [itsjack] [Imminent Monitor 4 RAT Analysis – Further Into The RAT](https://itsjack.cc/blog/2016/03/imminent-monitor-4-rat-analysis-further-into-the-rat/)
- 2016.02 [TechnoHacker] [How to get rid of a RAT [Very in depth]](https://www.youtube.com/watch?v=dqnPIXc1JPQ)
- 2016.02 [brindi] [Advanced Techniques for Detecting RAT Screen Control](http://brindi.si/g/elsewhere/advanced-techniques-for-detecting-rat-screen-control.html)
- 2016.02 [mindedsecurity] [RAT WARS 2.0: Advanced Techniques for Detecting RAT Screen Control](http://blog.mindedsecurity.com/2016/02/rat-wars-20-advanced-techniques-for.html)
- 2016.01 [fidelissecurity] [Introducing Hi-Zor RAT](https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat)
- 2016.01 [alienvault] [Trochilus RAT: Invading your Sandbox](https://www.alienvault.com/blogs/security-essentials/trochilus-rat-invading-your-sandbox)
- 2016.01 [itsjack] [Imminent Monitor 4 RAT Analysis – A Glance](https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/)
- 2016.01 [freebuf] [“暗影大盗”远控木马分析报告](http://www.freebuf.com/articles/database/94054.html)
- 2016.01 [] [Linux远控分析](http://blogs.360.cn/post/linuxremotecontrol.html)
- 2016.01 [ensilo] [Cyber-Security in 120 Secs: 0-days, and a new RAT targeting APJ](https://blog.ensilo.com/cyber-security-in-120-secs-0-days-and-a-new-rat-targeting-apj)
- 2016.01 [TechnoHacker] [How to use all of Xtreme RAT's features](https://www.youtube.com/watch?v=9eejCZQCmZo)
- 2016.01 [freebuf] [一次对JSocket远控的分析](http://www.freebuf.com/articles/terminal/92108.html)
- 2015.12 [paloaltonetworks] [BBSRAT Attacks Targeting Russian Organizations Linked to Roam](https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/)
- 2015.12 [welivesecurity] [Europol makes 12 arrests in Remote Access Trojan crackdown](https://www.welivesecurity.com/2015/12/15/europol-makes-12-arrests-remote-access-trojan-crackdown/)
- 2015.11 [360] [“大灰狼”远控木马幕后真凶深入挖掘](https://www.anquanke.com/post/id/83006/)
- 2015.11 [cylance] [Cylance vs. GlassRAT](https://www.cylance.com/en_us/blog/cylanceprotect-vs-glassrat.html)
- 2015.11 [rsa] [Detecting GlassRAT using Security Analytics and ECAT](https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat)
- 2015.11 [freebuf] [KillerRat:埃及黑客开发针对Windows平台的新型RAT](http://www.freebuf.com/sectool/86094.html)
- 2015.11 [freebuf] [BT天堂网站挂马事件后续:“大灰狼”远控木马分析及幕后真凶调查](http://www.freebuf.com/articles/web/84374.html)
- 2015.11 [360] [“大灰狼”远控木马分析及幕后真凶调查](https://www.anquanke.com/post/id/82865/)
- 2015.11 [freebuf] [黑市热卖杀器GovRAT:恶意软件数字签名平台](http://www.freebuf.com/news/84126.html)
- 2015.11 [duo] [Criminals Leverage Remote Access to Patient Data Applications](https://duo.com/blog/criminals-leverage-remote-access-to-patient-data-applications)
- 2015.11 [fidelissecurity] [A Stalker’s Best Friend: Inside JSocket’s Android Remote Access Tool Builder](https://www.fidelissecurity.com/threatgeek/2015/11/stalker%E2%80%99s-best-friend-inside-jsocket%E2%80%99s-android-remote-access-tool-builder)
- 2015.10 [threatmetrix] [How Contextual Fraud Prevention Can Turn Banks into RAT (Remote Access Trojan) Catchers](https://www.threatmetrix.com/digital-identity-blog/fraud-prevention/remote-access-trojan-rat-catchers/)
- 2015.10 [deepsec] [DeepSec Talk: Got RATs? Enter Barn Cat (OSint)](http://blog.deepsec.net/deepsec-talk-got-rats-enter-barn-cat-osint/)
- 2015.10 [360] [另类远控:木马借道商业级远控软件的隐藏运行实现](https://www.anquanke.com/post/id/82748/)
- 2015.10 [freebuf] [另类远控:木马借道商业级远控软件的隐藏运行实现](http://www.freebuf.com/articles/82240.html)
- 2015.10 [hackingarticles] [Hack Android Devices using Omni RAT](http://www.hackingarticles.in/hack-android-devices-using-omni-rat/)
- 2015.10 [duo] [Remote Access Trojan (RAT) Targets Windows Environments](https://duo.com/blog/remote-access-trojan-rat-targets-windows-environments)
- 2015.09 [trustwave] [Quaverse RAT: Remote-Access-as-a-Service](https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/)
- 2015.09 [freebuf] [远程控制工具VNC拒绝服务漏洞分析](http://www.freebuf.com/sectool/79223.html)
- 2015.09 [freebuf] [老式后门之美:五种复古远程控制工具(含下载)](http://www.freebuf.com/sectool/77740.html)
- 2015.09 [kaspersky] [A layman’s dictionary: RAT](https://www.kaspersky.com/blog/a-laymans-dictionary-rat/4487/)
- 2015.08 [sentinelone] [The 7 ‘Most Common’ RATS In Use Today](https://www.sentinelone.com/blog/the-7-most-common-rats-in-use-today/)
- 2015.08 [rsa] [Detecting XtremeRAT variants using Security Analytics](https://community.rsa.com/community/products/netwitness/blog/2015/08/26/detecting-xtremerat-using-security-analytics)
- 2015.08 [paloaltonetworks] [RTF Exploit Installs Italian RAT:](https://unit42.paloaltonetworks.com/rtf-exploit-installs-italian-rat-uwarrior/)
- 2015.08 [fortinet] [The Curious Case Of The Document Exploiting An Unknown Vulnerability – Part 2: RATs, Hackers and Rihanna](https://www.fortinet.com/blog/threat-research/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-2-rats-hackers-and-rihanna.html)
- 2015.08 [duo] [You Built a Better Mousetrap? They Built Better RATs](https://duo.com/blog/you-built-a-better-mousetrap-they-built-better-rats)
- 2015.08 [alienvault] [FF-RAT Uses Stealth Tactics to Evade Endpoint Detection](https://www.alienvault.com/blogs/security-essentials/ff-rat-uses-stealth-tactics-to-evade-endpoint-detection)
- 2015.08 [freebuf] [全程回放:黑客是如何远程控制切诺基汽车的?【FreeBuf视频】](http://www.freebuf.com/articles/terminal/73814.html)
- 2015.08 [securityfuse] [Omni RAT which can turn your android phone into a hacking machine](http://blog.securityfuse.com/2015/08/omni-rat-which-can-turn-your-android.html)
- 2015.07 [redcanary] [Red Canary vs. PoshRAT: Detection in the Absence of Malware](https://redcanary.com/blog/poshrat-detection/)
- 2015.07 [freebuf] [格盘也没用:Hacking Team使用UEFI BIOS Rootkit将远控长驻操作系统](http://www.freebuf.com/news/72482.html)
- 2015.07 [freebuf] [揭秘:Hacking Team远控窃听程序(RCS)的全球热销之路](http://www.freebuf.com/news/72423.html)
- 2015.07 [] [简要分析Hacking Team远程控制系统](http://www.91ri.org/13463.html)
- 2015.07 [freebuf] [简要分析Hacking Team远程控制系统](http://www.freebuf.com/articles/system/72138.html)
- 2015.07 [bromium] [Government Grade Malware: a Look at HackingTeam’s RAT](https://blogs.bromium.com/government-grade-malware-a-look-at-hackingteams-rat/)
- 2015.07 [nsfocus] [简要分析Hacking Team 远程控制系统](http://blog.nsfocus.net/hacking-team-rcs-report/)
- 2015.07 [talosintelligence] [Ding! Your RAT has been delivered](https://blog.talosintelligence.com/2015/07/ding-your-rat-has-been-delivered.html)
- 2015.06 [guidancesoftware] [The OPM Hack: I Smell a RAT](https://www.guidancesoftware.com/blog/security/2015/06/09/the-opm-hack-i-smell-rat)
- 2015.05 [freebuf] [移花接木大法:新型“白利用”华晨远控木马分析](http://www.freebuf.com/articles/system/68469.html)
- 2015.05 [securelist] [Grabit and the RATs](https://securelist.com/grabit-and-the-rats/70087/)
- 2015.05 [] [移花接木大法:新型“白利用”华晨远控木马分析](http://blogs.360.cn/360safe/2015/05/27/white-used/)
- 2015.05 [] [移花接木大法:新型“白利用”华晨远控木马分析](http://blogs.360.cn/blog/white-used/)
- 2015.04 [freebuf] [控制指令高达二十多种:远控木马Dendoroid.B分析报告](http://www.freebuf.com/articles/terminal/65611.html)
- 2015.04 [freebuf] [Adobe Flash播放器最新漏洞(CVE-2015-3044):摄像头和麦克风可被远程控制(含视频)](http://www.freebuf.com/news/65294.html)
- 2015.03 [freebuf] [剖析Smack技术远控木马](http://www.freebuf.com/articles/terminal/60840.html)
- 2015.03 [avlsec] [Smack技术远控木马](http://blog.avlsec.com/2015/03/2193/smack-remote-control/)
- 2015.03 [] [Smack技术远控木马工作分析文](http://www.91ri.org/12517.html)
- 2015.02 [mcafee] [What is a Remote Administration Tool (RAT)?](https://securingtomorrow.mcafee.com/consumer/identity-protection/what-is-rat/)
- 2015.01 [] [移花接木大法:新型“白利用”华晨远控木马分析](http://blogs.360.cn/post/white-used.html)
- 2015.01 [trendmicro] [New RATs Emerge from Leaked Njw0rm Source Code](https://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/)
- 2015.01 [freebuf] [CVE-2014-8272漏洞分析:戴尔(Dell)远程控制卡脆弱的Session-ID机制](http://www.freebuf.com/vuls/56770.html)
- 2015.01 [] [远控木马Dendoroid.B分析报告](http://blogs.360.cn/post/analysis_of_dendoroid_b.html)
- 2014.12 [sans] [Flushing out the Crypto Rats - Finding "Bad Encryption" on your Network](https://isc.sans.edu/forums/diary/Flushing+out+the+Crypto+Rats+Finding+Bad+Encryption+on+your+Network/19009/)
- 2014.11 [checkpoint] [Mobile Security Weekly: Android mRATs, Paid Apps Hacked, Whatsapp Talks Privacy | Check Point Software Blog](https://blog.checkpoint.com/2014/11/21/mobile-security-weekly-android-mrats-paid-apps-hacked-whatsapp-talks-privacy/)
- 2014.10 [freebuf] [对手机远程控制软件穿透硬件防火墙的分析和研究](http://www.freebuf.com/articles/network/49271.html)
- 2014.10 [freebuf] [针对VBS远控木马的技术分析](http://www.freebuf.com/articles/web/48706.html)
- 2014.10 [] [VBS远控木马](http://blogs.360.cn/360safe/2014/10/24/vbs_cc_trojan/)
- 2014.10 [] [VBS远控木马](http://blogs.360.cn/blog/vbs_cc_trojan-2/)
- 2014.10 [airbuscybersecurity] [LeoUncia and OrcaRat](http://blog.airbuscybersecurity.com/post/2014/10/LeoUncia-and-OrcaRat)
- 2014.10 [] [“Xsser mRAT”首个X国高级IOS木马](http://www.91ri.org/11000.html)
- 2014.10 [checkpoint] [Mobile Security Weekly - Lacoon Discovers the Xsser mRAT | Check Point Software Blog](https://blog.checkpoint.com/2014/10/03/mobile-security-weekly-lacoon-discovers-xsser-mrat/)
- 2014.10 [lookout] [Just the facts: Xsser mRAT iOS malware](https://blog.lookout.com/xsser-mrat-ios)
- 2014.09 [checkpoint] [Lacoon Discovers Xsser mRAT, the First Advanced iOS Trojan](https://blog.checkpoint.com/2014/09/30/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/)
- 2014.09 [checkpoint] [Chinese Android mRAT Spyware Targets Hong Kong Protest](https://blog.checkpoint.com/2014/09/30/chinese-government-targets-hong-kong-protesters-android-mrat-spyware/)
- 2014.09 [qq] [新型白利用(暴风)远控木马分析](https://tav.qq.com/index/newsDetail/162.html)
- 2014.09 [comodo] [Warning! RATS Attacking Mobile Devices](https://blog.comodo.com/mobile-security/warning-rats-attacking-mobile-devices/)
- 2014.09 [comodo] [Warning! RATS Attacking Mobile Devices](https://blog.comodo.com/warning-rats-attacking-mobile-devices/)
- 2014.08 [] [远控木马伪造通信协议一例](http://blogs.360.cn/360safe/2014/08/29/cnc_trojan_and_fake_proto/)
- 2014.08 [] [远控木马伪造通信协议一例](http://blogs.360.cn/blog/cnc_trojan_and_fake_proto/)
- 2014.08 [freebuf] [下一代远程控制木马的思路探讨](http://www.freebuf.com/articles/system/41241.html)
- 2014.08 [] [播放器暗藏远控木马 360独家提供查杀方案](http://blogs.360.cn/360safe/2014/08/15/trojan_in_media_player/)
- 2014.08 [cert] [Android RAT malware spreading via torrents](https://www.cert.pl/en/news/single/android-rat-malware-spreading-via-torrents/)
- 2014.08 [rsa] [Finding & Eradicating RATs](https://community.rsa.com/community/products/netwitness/blog/2014/08/07/finding-eradicating-rats)
- 2014.08 [mcafee] [Android App SandroRAT Targets Polish Banking Users via Phishing Email](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sandrorat-android-rat-targeting-polish-banking-users-via-e-mail-phishing/)
- 2014.08 [mcafee] [Android App SandroRAT Targets Polish Banking Users via Phishing Email](https://securingtomorrow.mcafee.com/mcafee-labs/sandrorat-android-rat-targeting-polish-banking-users-via-e-mail-phishing/)
- 2014.07 [bhconsulting] [Advanced Fee Fraud Now Plagued By RATs](http://bhconsulting.ie/advanced-fee-fraud-now-plagued-by-rats/)
- 2014.07 [sans] [Keeping the RATs out: the trap is sprung - Part 3](https://isc.sans.edu/forums/diary/Keeping+the+RATs+out+the+trap+is+sprung+Part+3/18415/)
- 2014.07 [sans] [Keeping the RATs out: **it happens - Part 2](https://isc.sans.edu/forums/diary/Keeping+the+RATs+out+it+happens+Part+2/18411/)
- 2014.07 [sans] [Keeping the RATs out: an exercise in building IOCs - Part 1](https://isc.sans.edu/forums/diary/Keeping+the+RATs+out+an+exercise+in+building+IOCs+Part+1/18401/)
- 2014.07 [freebuf] [揭秘:独特的技术手段,远程控制你的手机](http://www.freebuf.com/articles/terminal/38086.html)
- 2014.06 [plcscan] [Havex Rat又一个针对ICS/SCADA系统的恶意软件](http://plcscan.org/blog/2014/06/havex-rat-malware-strikes-ics-scada/)
- 2014.05 [malwarebytes] [A RAT in Bird’s clothing](https://blog.malwarebytes.com/cybercrime/2014/05/a-rat-in-birds-clothing/)
- 2014.05 [avlsec] [捆绑包形式远控木马分析报告](http://blog.avlsec.com/2014/05/730/%e6%8d%86%e7%bb%91%e5%8c%85%e5%bd%a2%e5%bc%8f%e8%bf%9c%e6%8e%a7%e6%9c%a8%e9%a9%ac%e5%88%86%e6%9e%90%e6%8a%a5%e5%91%8a/)
- 2014.04 [trendmicro] [Old Java RAT Updates, Includes Litecoin Plugin](https://blog.trendmicro.com/trendlabs-security-intelligence/old-java-rat-updates-includes-litecoin-plugin/)
- 2014.04 [avlsec] [Android短信指令远控木马Herta木马分析报告](http://blog.avlsec.com/2014/04/471/herta%e6%9c%a8%e9%a9%ac%e5%88%86%e6%9e%90%e6%8a%a5%e5%91%8a/)
- 2014.02 [checkpoint] [The Spy in Your Pocket, Part 1: An Overview of Mobile Remote Access Trojans (mRATs) | Check Point Software Blog](https://blog.checkpoint.com/2014/02/10/the-spy-in-your-pocket-part-1-an-overview-of-mobile-remote-access-trojans-mrats/)
- 2014.01 [] [远控木马伪造通信协议一例](http://blogs.360.cn/post/cnc_trojan_and_fake_proto.html)
- 2014.01 [] [假冒淘宝远控木马](http://blogs.360.cn/post/fake-taobao-rat.html)
- 2014.01 [] [VBS远控木马](http://blogs.360.cn/post/vbs_cc_trojan-2.html)
- 2014.01 [] [Oldboot鬼影又现,另一例山寨手机中运用云端远控技术的木马](http://blogs.360.cn/post/analysis_of_oldboot_c.html)
- 2014.01 [] [播放器暗藏远控木马 360独家提供查杀方案](http://blogs.360.cn/post/trojan_in_media_player.html)
- 2014.01 [] [安卓远控木马黑色产业链渐成气候,谨防手机变“肉鸡”](http://blogs.360.cn/post/rat-trojan.html)
- 2014.01 [] [国内首个利用JavaScript脚本远控木马的技术分析报告](http://blogs.360.cn/post/android-huigezi-trojan.html)
- 2013.12 [pediy] [[原创]逆向笔记--某远控的隐藏技术](https://bbs.pediy.com/thread-182543.htm)
- 2013.11 [sensepost] [RAT-a-tat-tat](https://sensepost.com/blog/2013/rat-a-tat-tat/)
- 2013.11 [freebuf] [黑客可远程控制你的手机 – Android 4.4惊爆漏洞(含EXP)](http://www.freebuf.com/articles/wireless/16423.html)
- 2013.10 [freebuf] [RAT终结者在APT中的演变复杂化](http://www.freebuf.com/articles/web/15791.html)
- 2013.10 [trendmicro] [Dutch TorRAT Threat Actors Arrested](https://blog.trendmicro.com/trendlabs-security-intelligence/dutch-torrat-threat-actors-arrested/)
- 2013.10 [privacy] [CuteCats.exe and the Arab Spring 2: Social Engineering and Remote Access Toolkits](http://privacy-pc.com/articles/cutecats-exe-and-the-arab-spring-2-social-engineering-and-remote-access-toolkits.html)
- 2013.09 [comodo] [Super RATS? Comodo has Built a Better Mousetrap!](https://blog.comodo.com/malware/njrat-is-a-mobile-trojan-threatening-internet-security/)
- 2013.09 [comodo] [Super RATS? Comodo has Built a Better Mousetrap!](https://blog.comodo.com/njrat-is-a-mobile-trojan-threatening-internet-security/)
- 2013.09 [freebuf] [苹果新技术允许政府远程控制你的iPhone](http://www.freebuf.com/news/12194.html)
- 2013.08 [pediy] [[开源兼求职]Web远程控制软件](https://bbs.pediy.com/thread-176838.htm)
- 2013.07 [trendmicro] [Compromised Sites Conceal StealRat Botnet Operations](https://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations/)
- 2013.07 [talosintelligence] [Androrat - Android Remote Access Tool](https://blog.talosintelligence.com/2013/07/androrat-android-remote-access-tool.html)
- 2013.06 [freebuf] [Android远程控制工具——AndroRat](http://www.freebuf.com/sectool/10179.html)
- 2013.04 [webroot] [A peek inside a (cracked) commercially available RAT (Remote Access Tool)](https://www.webroot.com/blog/2013/04/17/a-peek-inside-a-cracked-commercially-available-rat-remote-access-tool/)
- 2013.04 [rapid7] [Weekly Update: Minecraft RAT Attacks, PHP Shell Games, and MongoDB](https://blog.rapid7.com/2013/04/04/weekly-update-24/)
- 2013.04 [quequero] [McRat Malware Analysis – Part1](https://quequero.org/2013/04/mcrat-malware-analysis-part1/)
- 2013.04 [webroot] [DIY Java-based RAT (Remote Access Tool) spotted in the wild](https://www.webroot.com/blog/2013/04/01/diy-java-based-rat-remote-access-tool-spotted-in-the-wild/)
- 2013.02 [trendmicro] [BKDR_RARSTONE: New RAT to Watch Out For](https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/)
- 2013.01 [trendmicro] [Hiding in Plain Sight: The FAKEM Remote Access Trojan](https://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-the-fakem-remote-access-trojan/)
- 2012.11 [trendmicro] [Tsunami Warning Leads to Arcom RAT](https://blog.trendmicro.com/trendlabs-security-intelligence/tsunami-warning-leads-to-arcom-rat/)
- 2012.11 [trendmicro] [New Xtreme RAT Attacks US, Israel, and Other Foreign Governments](https://blog.trendmicro.com/trendlabs-security-intelligence/new-xtreme-rat-attacks-on-usisrael-and-other-foreign-governments/)
- 2012.10 [forcepoint] [Iranian Firefighters' Website Compromised to Serve VertexNet RAT](https://www.forcepoint.com/blog/security-labs/iranian-firefighters-website-compromised-serve-vertexnet-rat)
- 2012.10 [mcafee] [Tool Talk: Cracking the Code on XtremeRAT](https://securingtomorrow.mcafee.com/executive-perspectives/tool-talk-unleashing-validedge-on-xtremerat/)
- 2012.10 [trendmicro] [Xtreme RAT Targets Israeli Government](https://blog.trendmicro.com/trendlabs-security-intelligence/xtreme-rat-targets-israeli-government/)
- 2012.08 [forcepoint] [Nepalese government websites compromised to serve Zegost RAT](https://www.forcepoint.com/blog/security-labs/nepalese-government-websites-compromised-serve-zegost-rat)
- 2012.08 [sans] [Digital Forensics Case Leads: Multi-plat RAT, No US Cybersecurity bill, Dropbox drops a doozie, Volatility everywhere](https://digital-forensics.sans.org/blog/2012/08/03/digital-forensics-case-leads-multi-plat-rat-no-us-cybersecurity-bill-dropbox-drops-a-doozie-volatility-everywhere)
- 2012.07 [freebuf] [远程控制工具—RAIORemote](http://www.freebuf.com/sectool/5032.html)
- 2012.07 [freebuf] [用Nmap脚本检测Poison Ivy Rat控制端](http://www.freebuf.com/sectool/4940.html)
- 2012.07 [freebuf] [[原创]PoisonIvy Rat 远程溢出实战](http://www.freebuf.com/articles/4921.html)
- 2012.06 [alienvault] [Capfire4 malware, RAT software and C&C service together](https://www.alienvault.com/blogs/labs-research/capfire4-malware-rat-software-and-cc-service-together)
- 2012.06 [malwarebytes] [RATs of Unusual Sizes](https://blog.malwarebytes.com/threat-analysis/2012/06/rats-of-unusual-sizes/)
- 2012.05 [welivesecurity] [Malware RATs can steal your data and your money, your privacy too](https://www.welivesecurity.com/2012/05/23/malware-rats-can-steal-your-data-and-your-money-your-privacy-too/)
- 2012.05 [freebuf] [开源linux远程控制工具 – n00bRAT](http://www.freebuf.com/sectool/687.html)
- 2012.03 [alienvault] [MS Office exploit that targets MacOS X seen in the wild - delivers "Mac Control" RAT](https://www.alienvault.com/blogs/labs-research/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-contro)
- 2012.03 [trustwave] [Dirty RAT Eats Nate's Banana](https://www.trustwave.com/Resources/SpiderLabs-Blog/Dirty-RAT-Eats-Nate-s-Banana/)
- 2011.09 [securitythinkingcap] [RAT Hacking Evidence fresh from the source](https://securitythinkingcap.com/rat-hacking-evidence-fresh-from-the-source/)
- 2011.09 [trendmicro] [Online Storage—A Godsend for Sentimental Pack Rats (like me)](http://blog.trendmicro.com/online-storage-a-godsend-for-sentimental-pack-rats-like-me/)
- 2011.09 [hackerhurricane] [(W)(I) Your GM OnStar enabled car will rat you out starting Dec 2011](http://hackerhurricane.blogspot.com/2011/09/wi-your-gm-onstar-enabled-car-will-rat.html)
- 2011.08 [microsoft] [Weekly Roundup : Aug 12, 2011 : Dissecting a Shady Rat](https://cloudblogs.microsoft.com/microsoftsecure/2011/08/12/weekly-roundup-aug-12-2011-dissecting-a-shady-rat/)
- 2011.08 [microsoft] [Weekly Roundup : Aug 12, 2011 : Dissecting a Shady Rat](https://www.microsoft.com/security/blog/2011/08/12/weekly-roundup-aug-12-2011-dissecting-a-shady-rat/)
- 2011.08 [bhconsulting] [Operation Shady RAT Claims Widespread Espionage](http://bhconsulting.ie/operation-shady-rat-claims-widespread-espionage/)
- 2011.05 [krebsonsecurity] [Something Old is New Again: Mac RATs, CrimePacks, Sunspots & ZeuS Leaks](https://krebsonsecurity.com/2011/05/something-old-is-new-again-mac-rats-crimepacks-sunspots-zeus-leaks/)
- 2011.05 [mcafee] [I Smell a RAT: Java Botnet Found in the Wild](https://securingtomorrow.mcafee.com/mcafee-labs/i-smell-a-rat-java-botnet-found-in-the-wild/)
- 2011.04 [pediy] [[原创]解决远控重复上线的源码](https://bbs.pediy.com/thread-132080.htm)
- 2011.01 [cleanbytes] [AdSocks RAT — about the new Java trojan computer viruses](http://cleanbytes.net/java-trojan-horses-the-new-trojan-viruses-generation)
- 2010.10 [sans] [Cyber Security Awareness Month - Day 19 - Remote Access Tools](https://isc.sans.edu/forums/diary/Cyber+Security+Awareness+Month+Day+19+Remote+Access+Tools/9763/)
- 2010.09 [pediy] [[翻译]Windows操作系统木马远程控制技术](https://bbs.pediy.com/thread-121388.htm)
- 2010.09 [pediy] [[原创]利用qq2010聊天信息获取,打造自己的远程控制](https://bbs.pediy.com/thread-121037.htm)
- 2008.09 [sans] [The Lab Rat - Testing Digital Forensics Tools and Gear](https://digital-forensics.sans.org/blog/2008/09/26/the-lab-rat-testing-digital-forensics-tools-and-gear)
- 2008.01 [trendmicro] [Will 2008 Really Be The ‘Year of The Rat’?](https://blog.trendmicro.com/trendlabs-security-intelligence/will-2008-really-be-the-year-of-the-rat/)
- 2006.11 [trendmicro] [TROJ_STRAT Spams Again](https://blog.trendmicro.com/trendlabs-security-intelligence/troj-strat-spams-again/)
- 2005.06 [infosecblog] [Rats!](https://www.infosecblog.org/2005/06/rats/)

# 利用公开服务

***

## Telegram

### 工具

- [**648**星][1y] [Py] [mehulj94/braindamage](https://github.com/mehulj94/braindamage) 使用Telegram做C&C服务器的远控
- [**330**星][8m] [Py] [mvrozanti/rat-via-telegram](https://github.com/mvrozanti/rat-via-telegram) Windows Remote Administration Tool via Telegram
- [**160**星][4y] [Py] [blazeinfosec/bt2](https://github.com/blazeinfosec/bt2) 使用Telegram 基础设施做C&C 服务器

### 文章

- 2018.06 [hispasec] [HeroRat, otro RAT para Android que utiliza Telegram como C&C](https://unaaldia.hispasec.com/2018/06/herorat-otro-rat-para-android-que.html)
- 2016.05 [360] [将Telegram打造成C&C平台](https://www.anquanke.com/post/id/83949/)

***

## Twitter

### 工具

- [**658**星][4y] [Py] [paulsec/twittor](https://github.com/paulsec/twittor) A fully featured backdoor that uses Twitter as a C&C server
- [**186**星][3y] [Go] [petercunha/goat](https://github.com/petercunha/goat) a trojan created in Go, using Twitter as a the C&C server

### 文章

- 2017.10 [freebuf] [如何使用Twitter构建C&C服务器](http://www.freebuf.com/sectool/149381.html)
- 2017.09 [pentestlab] [Command and Control – Twitter](https://pentestlab.blog/2017/09/26/command-and-control-twitter/)
- 2016.08 [welivesecurity] [First Twitter-controlled Android botnet discovered](https://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/)
- 2015.12 [] [俄罗斯黑客是如何滥用twitter作为Hammertoss C&C服务器的?](http://www.91ri.org/14743.html)
- 2015.10 [freebuf] [当Twitter成为一个功能齐全的后门C&C服务器](http://www.freebuf.com/news/81914.html)
- 2012.03 [sans] [Flashback Malware now with Twitter C&C](https://isc.sans.edu/forums/diary/Flashback+Malware+now+with+Twitter+CC/12709/)

***

## GMail

### 工具

- [**1117**星][1y] [Py] [byt3bl33d3r/gcat](https://github.com/byt3bl33d3r/gcat) A PoC backdoor that uses Gmail as a C&C server
- [**353**星][3y] [Py] [maldevel/gdog](https://github.com/maldevel/gdog) Python 编写的后门,使用 Gmail 做 C&C
- [**22**星][1y] [Py] [pure-l0g1c/keylogger](https://github.com/pure-l0g1c/keylogger) A simple keylogger that uses Gmail as a C&C

### 文章

- 2017.08 [securityriskadvisors] [The Macro Evolution: Bypassing Gmail’s Virus Filter and Reliably Establishing C2 Channels with Office Macros](http://securityriskadvisors.com/blog/post/the-macro-evolution-bypassing-gmail-s-virus-filter-and-reliably-establishing-c2-channels-with-office-macros/)
- 2017.08 [securityriskadvisors] [The Macro Evolution: Bypassing Gmail’s Virus Filter and Reliably Establishing C2 Channels with Office Macros](http://securityriskadvisors.com/blog/the-macro-evolution-bypassing-gmails-virus-filter-and-reliably-establishing-c2-channels-with-office-macros/)
- 2017.08 [pentestlab] [Command and Control – Gmail](https://pentestlab.blog/2017/08/03/command-and-control-gmail/)
- 2016.05 [n0where] [Python Based Windows Backdoor with Gmail C&C: gDog](https://n0where.net/python-based-windows-backdoor-gmail-cc-gdog)
- 2015.07 [blackhillsinfosec] [Command & Control via Gmail](https://www.blackhillsinfosec.com/command-control-via-gmail/)
- 2015.06 [freebuf] [巧用Gmail做你的C&C服务器](http://www.freebuf.com/sectool/71246.html)
- 2014.10 [virusbulletin] [New IcoScript variant uses Gmail drafts for C&C communication](https://www.virusbulletin.com/blog/2014/10/new-icoscript-variant-uses-gmail-drafts-c-amp-c-communication/)
- 2014.07 [byt3bl33d3r] [Pyexfil - Using Python to make Gmail a C&C server](https://byt3bl33d3r.github.io/pyexfil-using-python-to-make-gmail-a-cc-server.html)

***

## Github

### 工具

- [**179**星][3y] [Py] [maldevel/canisrufus](https://github.com/maldevel/canisrufus) Python 编写的后门,使用 Github 做 C&C

### 文章

- 2018.06 [freebuf] [针对使用Github作为C&C服务的JavaScript后门分析](http://www.freebuf.com/articles/system/173901.html)
- 2018.06 [360] [使用 Github 作为 C&C 服务的 JavaScript 后门分析](https://www.anquanke.com/post/id/147103/)
- 2017.08 [securityblog] [A stealthy Python based Windows backdoor that uses Github as a C&C server](http://securityblog.gr/4434/a-stealthy-python-based-windows-backdoor-that-uses-github-as-a-cc-server/)
- 2017.03 [trendmicro] [使用Github做C&C服务器](https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/)
- 2016.09 [openanalysis] [The case of getlook23: Using GitHub Issues as a C2](https://oalabs.openanalysis.net/2016/09/18/the-case-of-getlook23-using-github-issues-as-a-c2/)

***

## DropBox

### 工具

- [**134**星][1y] [Py] [0x09al/dropboxc2c](https://github.com/0x09al/dropboxc2c) DropboxC2C is a post-exploitation agent which uses Dropbox Infrastructure for command and control operations.

### 文章

- 2019.04 [hackingarticles] [Command and Control with DropboxC2](https://www.hackingarticles.in/command-and-control-with-dropboxc2/)
- 2017.09 [freebuf] [使用DropBox功能将其作为C&C服务器](http://www.freebuf.com/sectool/146116.html)
- 2017.08 [pentestlab] [Command and Control – DropBox](https://pentestlab.blog/2017/08/29/command-and-control-dropbox/)

***

## 区块链

### 工具

- [**46**星][1y] [Go] [xpn/blockchainc2](https://github.com/xpn/blockchainc2) A POC C2 server and agent to explore just if/how the Ethereum blockchain can be used for C2
- [**35**星][3m] [Py] [geek-repo/c2-blockchain](https://github.com/geek-repo/c2-blockchain) This is a concept poc of command and control server implemented over blockchain

### 文章

- 2019.12 [freebuf] [分析隐藏在比特币区块链中的Pony C&C服务器](https://www.freebuf.com/articles/blockchain-articles/221822.html)

***

## 其他

### 工具

- [**513**星][1y] [Go] [mthbernardes/gtrs](https://github.com/mthbernardes/gtrs) 使用Google翻译器作为代理将任意命令发送到受感染的计算机
- [**102**星][4m] [Py] [nccgroup/gitpwnd](https://github.com/nccgroup/gitpwnd) 网络渗透测试工具,可使攻击者向被攻击机器发送命令,并使用 git repo 作为 C&C 传输层接收结果
- [**97**星][2y] [Py] [arno0x/webdavc2](https://github.com/arno0x/webdavc2) A WebDAV PROPFIND C2 tool
- [**93**星][2y] [PS] [bkup/slackshell](https://github.com/bkup/slackshell) PowerShell to Slack C2
- [**84**星][2y] [Go] [0x09al/browser-c2](https://github.com/0x09al/browser-c2) Post Exploitation agent which uses a browser to do C2 operations.
- [**69**星][13d] [Py] [itskindred/redviper](https://github.com/itskindred/redviper) redViper is a proof of concept Command & Control framework that utilizes Reddit for communications.
- [**66**星][2y] [Py] [lukebaggett/google_socks](https://github.com/lukebaggett/google_socks) A proof of concept demonstrating the use of Google Drive for command and control.
- [**29**星][2y] [Py] [ajinabraham/xenotix-xbot](https://github.com/ajinabraham/xenotix-xbot) Xenotix xBOT is a Cross Platform PoC Bot that abuse certain Google Services to implement it's C&C
- [**26**星][3y] [Py] [dsnezhkov/octohook](https://github.com/dsnezhkov/octohook) Git Web Hook Tunnel for C2
- [**23**星][10d] [PS] [netspi/sqlc2](https://github.com/netspi/sqlc2) SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent.
- [**22**星][2y] [Py] [woj-ciech/social-media-c2](https://github.com/woj-ciech/social-media-c2) Script is a proof of concept how to control your machine by using social media sites.
- [**16**星][10d] [Py] [securemode/trelloc2](https://github.com/securemode/trelloc2) Simple C2 over the Trello API
- [**14**星][1y] [Py] [j3ssie/c2s](https://github.com/j3ssie/c2s) Command and Control server on Slack
- [**8**星][2y] [Py] [maldevel/dicerosbicornis](https://github.com/maldevel/dicerosbicornis) A fully featured Windows backdoor that uses email as a C&C server
- [**7**星][3y] [Py] [killswitch-gui/flask_appengine_redirector](https://github.com/killswitch-gui/flask_appengine_redirector) Google App Engine Flask C2 redirector

### 文章

- 2019.01 [paloaltonetworks] [DarkHydrus delivers new Trojan that can use Google Drive for C2 commu](https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/)
- 2017.01 [forcepoint] [Carbanak Group uses Google for malware command-and-control](https://www.forcepoint.com/blog/security-labs/carbanak-group-uses-google-malware-command-and-control)
- 2016.08 [blackhillsinfosec] [Google Docs becomes Google SOCKS: C2 Over Google Drive](https://www.blackhillsinfosec.com/google-docs-becomes-google-socks-c2-over-google-drive/)
- 2014.08 [paloaltonetworks] [Pivot on Google Code C2 Reveals Additiona](https://unit42.paloaltonetworks.com/pivot-google-code-c2-reveals-additional-malware/)
- 2013.04 [rsa] [Zeus C&C Server Poses as Google to Evade Detection](https://community.rsa.com/community/products/netwitness/blog/2013/04/17/zeus-cc-server-poses-as-google-to-evade-detection)

# 通信协议

***

## DNS协议

### Domain Generation Algorithm(DGA)

#### 工具

- [**318**星][1m] [Py] [baderj/domain_generation_algorithms](https://github.com/baderj/domain_generation_algorithms) 域名生成算法
- [**220**星][17d] [Scala] [sotera/spark-distributed-louvain-modularity](https://github.com/sotera/spark-distributed-louvain-modularity) Spark / graphX implementation of the distributed louvain modularity algorithm
- [**209**星][3y] [Py] [endgameinc/dga_predict](https://github.com/endgameinc/dga_predict) Predicting Domain Generation Algorithms using LSTMs
- [**132**星][2m] [Py] [andrewaeva/dga](https://github.com/andrewaeva/dga) The repository that contains the algorithms for generating domain names, dictionaries of malicious domain names. Developed to research the possibility of applying machine learning and neural networks to detect and classify malicious domains.
- [**117**星][6m] [Py] [360netlab/dga](https://github.com/360netlab/dga) Suspicious DGA from PDNS and Sandbox.
- [**49**星][2y] [java] [toufikairane/andromalware](https://github.com/tfairane/andromalware) Android Malware for educational purpose
- [**40**星][4y] [Py] [pchaigno/dga-collection](https://github.com/pchaigno/dga-collection) A collection of known Domain Generation Algorithms
- [**31**星][4y] [Py] [endgameinc/sans_thir16](https://github.com/endgameinc/sans_thir16) SANS Hunting on the Cheap
- [**31**星][3y] [Py] [staaldraad/fastfluxanalysis](https://github.com/staaldraad/fastfluxanalysis) Scripts to detect Fast-Flux and DGA using DNS query responses
- [**28**星][2y] [Py] [philarkwright/dga-detection](https://github.com/philarkwright/dga-detection) DGA Domain Detection using Bigram Frequency Analysis
- [**13**星][3y] [Py] [cisco-talos/goznym](https://github.com/Cisco-Talos/goznym)
- [**6**星][1y] [Py] [matthoffman/degas](https://github.com/matthoffman/degas) DGA-generated domain detection using deep learning models
- [**4**星][3m] [PHP] [navytitanium/eitest-tools-scripts-iocs](https://github.com/navytitanium/eitest-tools-scripts-iocs)
- [**1**星][2m] [Py] [bkcs-hust/lstm-mi](https://github.com/bkcs-hust/lstm-mi) A LSTM based framework for handling multiclass imbalance in DGA botnet detection

#### 文章

- 2019.10 [Cooper] [DGA-Detect: Using Machine Learning For Collaborative DGA Detection - Tammo Krueger](https://www.youtube.com/watch?v=p17EZa-CTZ0)
- 2019.07 [covert] [Auxiliary Loss Optimization for Hypothesis Augmentation for DGA Domain Detection](http://www.covert.io/auxiliary-loss-optimization-for-hypothesis-augmentation-for-dga-domain-detection/)
- 2019.07 [covert] [Getting started with DGA Domain Detection Research](http://www.covert.io/getting-started-with-dga-research/)
- 2019.05 [arxiv] [[1905.01078] CharBot: A Simple and Effective Method for Evading DGA Classifiers](https://arxiv.org/abs/1905.01078)
- 2019.02 [arxiv] [[1902.08909] MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses](https://arxiv.org/abs/1902.08909)
- 2018.12 [hitbsecconf] [#HITB2018DXB: Enhancing DL DGA Detection Models Using Separate Character Embedding - Vikash Yadav](https://www.youtube.com/watch?v=jm7wH2G0h6c)
- 2018.12 [KacperSzurek] [[PODCAST] Jak działają dynamicznie generowane domeny - DGA?](https://www.youtube.com/watch?v=2iDwVGaxvEA)
- 2018.12 [cmu] [DGA Domains with SSL Certificates? Why?](https://insights.sei.cmu.edu/cert/2018/12/dga-domains-with-ssl-certificates-but-why.html)
- 2018.11 [arxiv] [[1811.08705] Inline Detection of Domain Generation Algorithms with Context-Sensitive Word Embeddings](https://arxiv.org/abs/1811.08705)
- 2018.10 [arxiv] [[1810.02023] Detecting DGA domains with recurrent neural networks and side information](https://arxiv.org/abs/1810.02023)
- 2018.01 [akamai] [域名生成算法(DGA)详解: 是什么、为何存在、使用示例、如何检测及阻止](https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html)
- 2017.11 [OALabs] [Reverse Engineering a DGA (Domain Generation Algorithm)](https://www.youtube.com/watch?v=wX1ZGt_dWdI)
- 2017.08 [cyber] [自动恶意软件分析之 DGA 分类和检测。(DGA:Domain Generation Algorithms,域名生成算法)](https://cyber.wtf/2017/08/30/dga-classification-and-detection-for-automated-malware-analysis/)
- 2017.05 [akamai] [DNS 域名生成算法解析,包括:何时出现,恶意代码如何使用,防御者面临的挑战,如何使用机器学习和行为算法进行反击。](https://blogs.akamai.com/2017/05/spotlight-on-malware-dga-communication-technique.html)
- 2017.05 [akamai] [What Are Domain Generation Algorithms (DGAs) And Why You Should Care?](https://blogs.akamai.com/2017/05/what-are-domain-generation-algorithms-dgas-and-why-you-should-care.html)
- 2017.02 [rsa] [DGA Detection](https://community.rsa.com/community/products/netwitness/blog/2017/02/01/dga-detection)
- 2016.12 [govcert] [Tofsee Spambot features .ch DGA - Reversal and Countermesaures](https://www.govcert.admin.ch/blog/26/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures)
- 2016.12 [govcert] [Tofsee Spambot features .ch DGA - Reversal and Countermesaures](https://www.govcert.ch/blog/26/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures)
- 2016.12 [360] [New Mirai DGA Seed 0x91 Brute Forced](http://blog.netlab.360.com/new-mirai-dga-seed-0x91-brute-forced/)
- 2016.12 [360] [Now Mirai Has DGA Feature Built in](http://blog.netlab.360.com/new-mirai-variant-with-dga/)
- 2016.12 [sans] [Mirai - now with DGA](https://isc.sans.edu/forums/diary/Mirai+now+with+DGA/21799/)
- 2016.11 [fidelissecurity] [Vawtrak DGA Round 2](https://www.fidelissecurity.com/threatgeek/2016/11/vawtrak-dga-round-2)
- 2016.11 [endgame] [Endgame Research @ AISec: Deep DGA](https://www.endgame.com/blog/technical-blog/endgame-research-aisec-deep-dga)
- 2016.11 [arxiv] [[1611.00791] Predicting Domain Generation Algorithms with Long Short-Term Memory Networks](https://arxiv.org/abs/1611.00791)
- 2016.05 [cybereason] [Dissecting Domain Generation Algorithms](https://www.cybereason.com/blog/cybereason-labs-dissecting-domain-generation-algorithms)
- 2016.02 [forcepoint] [Locky's New DGA - Seeding the New Domains [RUSSIA UPDATE: 26/FEB/16]](https://www.forcepoint.com/blog/security-labs/lockys-new-dga-seeding-new-domains-russia-update-26feb16)
- 2015.10 [cert] [How non-existent domain names can unveil DGA botnets](https://www.cert.pl/en/news/single/lang_pljak-nieistniejace-nazwy-domenowe-moga-pomoc-w-wykryciu-botnetow-dgalang_pllang_enhow-non-existent-domain-names-can-unveil-dga-botnets-lang_en/)
- 2015.07 [cybereason] [Detecting the Unknown: Protecting Against DGA-Based Malware](https://www.cybereason.com/blog/detecting-the-unknown-protecting-against-dga-based-malware)
- 2015.07 [sans] [Detecting Random - Finding Algorithmically chosen DNS names (DGA)](https://isc.sans.edu/forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893/)
- 2015.07 [cybereason] [The FBI vs. GameOver Zeus: Why The DGA-Based Botnet Wins](https://www.cybereason.com/blog/the-fbi-vs-gameover-zeus-why-the-dga-based-botnet-wins)
- 2015.05 [cert] [DGA botnet domains: malicious usage of pseudo random domains](https://www.cert.pl/en/news/single/dga-botnet-domains-malicious-usage-of-pseudo-random-domains/)
- 2015.04 [cert] [DGA botnet domains: on false alarms in detection](https://www.cert.pl/en/news/single/dga-botnet-domains-false-alarms-in-detection/)
- 2015.03 [securelist] [Sinkholing Volatile Cedar DGA Infrastructure](https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/)
- 2015.03 [talosintelligence] [Threat Spotlight: Dyre/Dyreza: An Analysis to Discover the DGA](https://blog.talosintelligence.com/2015/03/threat-spotlight-dyredyreza-analysis-to.html)
- 2014.11 [tetrane] [Meet us at "Forum Innovation DGA 2014"](http://blog.tetrane.com/2014/11/meet-us-at-forum-innovation-dga-2014.html)
- 2014.10 [f5] [Tinba Malware: Domain Generation Algorithm Means New, Improved, and Persistent](https://f5.com/labs/articles/threat-intelligence/malware/tinba-malware-domain-generation-algorithm-means-new-improved-and-persistent-22440)
- 2014.08 [trendmicro] [Gameover Increases Use of Domain Generation Algorithms](https://blog.trendmicro.com/trendlabs-security-intelligence/gameover-increases-use-of-domain-generation-algorithms/)
- 2014.06 [bruteforcelab] [Shadowserver Gameover Zeus DGA HTTP](https://bruteforcelab.com/shadowserver-gameover-zeus-dga-http.html)
- 2014.03 [talosintelligence] [Decoding Domain Generation Algorithms (DGAs) Part III - ZeusBot DGA Reproduction](https://blog.talosintelligence.com/2014/03/decoding-domain-generation-algorithms.html)
- 2014.02 [talosintelligence] [Decoding Domain Generation Algorithms (DGAs) Part II - Catching ZeusBot Injection into Explorer.exe](https://blog.talosintelligence.com/2014/02/decoding-domain-generation-algorithms_20.html)
- 2014.02 [talosintelligence] [Decoding Domain Generation Algorithms (DGAs) - Part I](https://blog.talosintelligence.com/2014/02/decoding-domain-generation-algorithms.html)
- 2012.01 [cert] [ZeuS – P2P+DGA variant – mapping out and understanding the threat](https://www.cert.pl/en/news/single/zeus-p2pdga-variant-mapping-out-and-understanding-the-threat/)

### 工具

- [**1855**星][8m] [C++] [iagox86/dnscat2](https://github.com/iagox86/dnscat2) 在 DNS 协议上创建加密的 C&C channel
- [**832**星][6d] [Go] [bishopfox/sliver](https://github.com/bishopfox/sliver) 一个通用的跨平台植入程序框架,该框架C3支持Mutual-TLS,HTTP(S)和DNS
- [**386**星][4y] [Py] [ahhh/reverse_dns_shell](https://github.com/ahhh/reverse_dns_shell) 使用DNS作为c2通道的python反向shell
- [**277**星][1y] [Py] [trycatchhcf/packetwhisper](https://github.com/trycatchhcf/packetwhisper) Stealthily exfiltrate data and defeat attribution using DNS queries and text-based steganography. Avoid the problems associated with typical DNS exfiltration methods. Transfer data between systems without the communicating devices directly connecting to each other or to a common endpoint. No need to control a DNS Name Server.
- [**276**星][4m] [Go] [sensepost/godoh](https://github.com/sensepost/godoh) A DNS-over-HTTPS Command & Control Proof of Concept
- [**225**星][2y] [PS] [lukebaggett/dnscat2-powershell](https://github.com/lukebaggett/dnscat2-powershell) A Powershell client for dnscat2, an encrypted DNS command and control tool.
- [**176**星][2y] [C++] [0x09al/dns-persist](https://github.com/0x09al/dns-persist) DNS-Persist is a post-exploitation agent which uses DNS for command and control.
- [**41**星][2m] [Erlang] [homas/ioc2rpz](https://github.com/homas/ioc2rpz) ioc2rpz is a place where threat intelligence meets DNS.
- [**38**星][2m] [JS] [inquest/threatkb](https://github.com/inquest/threatkb) Knowledge base workflow management for YARA rules and C2 artifacts (IP, DNS, SSL) (ALPHA STATE AT THE MOMENT)

### 文章

- 2019.10 [freebuf] [goDoH:一款使用了DNS-over-HTTPS作为传输端口的C2框架](https://www.freebuf.com/articles/network/214268.html)
- 2019.08 [trustfoundry] [Using Iodine for DNS Tunneling C2 to Bypass Egress Filtering](https://trustfoundry.net/using-iodine-for-dns-tunneling-c2-to-bypass-egress-filtering/)
- 2019.07 [freebuf] [利用DNS隧道构建隐蔽C&C信道](https://www.freebuf.com/articles/network/208242.html)
- 2019.04 [4hou] [DNScat2工具:通过DNS进行C&C通信](https://www.4hou.com/tools/17226.html)
- 2019.04 [hackingarticles] [dnscat2: Command and Control over the DNS](https://www.hackingarticles.in/dnscat2-command-and-control-over-the-dns/)
- 2018.10 [aliyun] [使用DNS over HTTPS(DoH)构建弹性C2基础架构](https://xz.aliyun.com/t/3068)
- 2017.09 [pentestlab] [Command and Control – DNS](https://pentestlab.blog/2017/09/06/command-and-control-dns/)
- 2017.04 [securelist] [Use of DNS Tunneling for C&C Communications](https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/)
- 2017.01 [blackhillsinfosec] [PowerShell DNS Command & Control with dnscat2-powershell](https://www.blackhillsinfosec.com/powershell-dns-command-control-with-dnscat2-powershell/)
- 2016.10 [deepsec] [DeepSec2016 Talk: Behavioral Analysis from DNS and Network Traffic – Josh Pyorre](http://blog.deepsec.net/deepsec2016-talk-behavioral-analysis-dns-network-traffic-josh-pyorre/)
- 2016.07 [sans] [Command and Control Channels Using "AAAA" DNS Records](https://isc.sans.edu/forums/diary/Command+and+Control+Channels+Using+AAAA+DNS+Records/21301/)
- 2016.06 [freebuf] [技术报告:APT组织Wekby利用DNS请求作为C&C设施,攻击美国秘密机构](http://www.freebuf.com/articles/network/107914.html)
- 2016.05 [paloaltonetworks] [New Wekby Attacks Use DNS Requests As Command and Control](https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/)
- 2015.07 [n0where] [Tunneling C&C Over DNS: dnscat2](https://n0where.net/tunneling-cc-over-dns-dnscat2)
- 2014.04 [sans] [Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic](https://isc.sans.edu/forums/diary/Be+on+the+Lookout+Odd+DNS+Traffic+Possible+CC+Traffic/18047/)
- 2013.07 [rsa] [Zeus Command and Controls Hiding in DNS TXT Record Responses](https://community.rsa.com/community/products/netwitness/blog/2013/07/02/zeus-command-and-controls-hiding-in-dns-txt-record-responses)
- 2011.11 [sans] [Digital Forensics Case Leads: PFIC 2011 Report, DNS forensics, Massive Flaws in Amazon EC2?](https://digital-forensics.sans.org/blog/2011/11/11/digital-forensics-case-leads-pfic-2011-report-dns-forensics-massive-flaws-in-amazon-ec2)
- 2011.08 [christian] [Report - Paper 'On Botnets that use DNS for Command and Control' accepted at EC2ND 2011](https://christian-rossow.de/articles/Botnets_Using_DNS_based_Command_and_Control_Channels.php)

***

## ICMP

### 文章

- 2019.07 [hackingarticles] [Command and Control & Tunnelling via ICMP](https://www.hackingarticles.in/command-and-control-tunnelling-via-icmp/)
- 2019.04 [ghostlulzhacks] [C2 — ICMP Backdoor](https://medium.com/p/fb4842019806)
- 2018.11 [blackhillsinfosec] [How To: C2 Over ICMP](https://www.blackhillsinfosec.com/how-to-c2-over-icmp/)
- 2017.07 [pentestlab] [使用 ICMP 协议实现C&C](https://pentestlab.blog/2017/07/28/command-and-control-icmp/)
- 2017.03 [blackhillsinfosec] [Bypassing Cylance: Part 3 – Netcat & Nishang ICMP C2 Channel](https://www.blackhillsinfosec.com/bypassing-cylance-part-3-netcat-nishang-icmp-c2-channel/)

***

## WebSocket

### 工具

- [**245**星][2y] [Py] [arno0x/wsc2](https://github.com/arno0x/wsc2) A WebSocket C2 Tool
- [**131**星][9d] [C++] [xorrior/raven](https://github.com/xorrior/raven) CobaltStrike External C2 for Websockets

### 文章

- 2019.04 [hackingarticles] [Command & Control: WebSocket C2](https://www.hackingarticles.in/command-control-websocketc2/)
- 2018.07 [blackhillsinfosec] [Command and Control with WebSockets WSC2](https://www.blackhillsinfosec.com/command-and-control-with-websockets-wsc2/)
- 2017.12 [pentestlab] [Command and Control – WebSocket](https://pentestlab.blog/2017/12/06/command-and-control-websocket/)
- 2017.12 [n0where] [WebSocket C2 Communication Channel: WSC2](https://n0where.net/websocket-c2-communication-channel-wsc2)
- 2017.11 [arno0x0x] [Using WebSockets and IE/Edge for C2 communications](https://arno0x0x.wordpress.com/2017/11/10/using-websockets-and-ie-edge-for-c2-communications/)

# C&C

***

## Cobalt Strike

### 工具

- [**462**星][2y] [rsmudge/malleable-c2-profiles](https://github.com/rsmudge/malleable-c2-profiles) Malleable C2 is a domain specific language to redefine indicators in Beacon's communication. This repository is a collection of Malleable C2 profiles that you may use. These profiles work with Cobalt Strike 3.x.
- [**217**星][2y] [Py] [bluscreenofjeff/malleable-c2-randomizer](https://github.com/bluscreenofjeff/malleable-c2-randomizer) A script to randomize Cobalt Strike Malleable C2 profiles and reduce the chances of flagging signature-based detection controls
- [**195**星][1y] [PS] [qax-a-team/cobaltstrike-toolset](https://github.com/QAX-A-Team/CobaltStrike-Toolset) Aggressor Script, Kits, Malleable C2 Profiles, External C2 and so on
- [**188**星][2y] [C#] [ryhanson/externalc2](https://github.com/ryhanson/externalc2) A library for integrating communication channels with the Cobalt Strike External C2 server
- [**165**星][6m] [threatexpress/malleable-c2](https://github.com/threatexpress/malleable-c2) Cobalt Strike Malleable C2 Design and Reference Guide
- [**160**星][11d] [Py] [threatexpress/cs2modrewrite](https://github.com/threatexpress/cs2modrewrite) Convert Cobalt Strike profiles to modrewrite scripts
- [**146**星][2y] [Py] [und3rf10w/external_c2_framework](https://github.com/und3rf10w/external_c2_framework) Python api for usage with cobalt strike's External C2 specification
- [**105**星][5m] [xx0hcd/malleable-c2-profiles](https://github.com/xx0hcd/malleable-c2-profiles) Cobalt Strike - Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike
- [**67**星][2y] [C] [outflanknl/external_c2](https://github.com/outflanknl/external_c2) POC for Cobalt Strike external C2
- [**56**星][24d] [1135/1135-cobaltstrike-toolkit](https://github.com/1135/1135-cobaltstrike-toolkit) about CobaltStrike
- [**55**星][1y] [Py] [truneski/external_c2_framework](https://github.com/truneski/external_c2_framework) Python api for usage with cobalt strike's External C2 specification
- [**41**星][3y] [bluscreenofjeff/malleablec2profiles](https://github.com/bluscreenofjeff/malleablec2profiles) Malleable C2 profiles for Cobalt Strike
- [**41**星][2y] [Go] [empty-nest/emptynest](https://github.com/empty-nest/emptynest) 基于插件的 C2 服务器框架。其目标不是取代某些强大的工具(例如 Empire、Metasploit、CobaltStrike),而是创建一个支持框架,以便为自定义 agents 快速创建小型、专用的 handlers
- [**12**星][5m] [TS] [hattmo/c2profilejs](https://github.com/hattmo/c2profilejs) Web UI for creating C2 profiles for Cobalt Strike

### 文章

- 2018.12 [freebuf] [关于Cobalt Strike的Malleable-C2-Profiles浅析](https://www.freebuf.com/articles/rookie/189948.html)
- 2018.09 [specterops] [A Deep Dive into Cobalt Strike Malleable C2](https://medium.com/p/6660e33b0e0b)
- 2018.09 [threatexpress] [A Deep Dive into Cobalt Strike Malleable C2](http://threatexpress.com/2018/09/a-deep-dive-into-cobalt-strike-malleable-c2/)
- 2018.09 [threatexpress] [A Deep Dive into Cobalt Strike Malleable C2](http://threatexpress.com/blogs/2018/a-deep-dive-into-cobalt-strike-malleable-c2/)
- 2018.01 [threatexpress] [Automating Apache mod_rewrite and Cobalt Strike Malleable C2 for Intelligent Redirection](http://threatexpress.com/2018/02/automating-cobalt-strike-profiles-apache-mod_rewrite-htaccess-files-intelligent-c2-redirection/)
- 2017.09 [mwrinfosecurity] [“Tasking” Office 365 for Cobalt Strike C2](https://labs.mwrinfosecurity.com/blog/tasking-office-365-for-cobalt-strike-c2/)
- 2017.01 [bluescreenofjeff] [How to Write Malleable C2 Profiles for Cobalt Strike](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
- 2016.06 [bluescreenofjeff] [Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite](https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/)

***

## 工具

### 新添加

- [**1135**星][13d] [Boo] [byt3bl33d3r/silenttrinity](https://github.com/byt3bl33d3r/silenttrinity) An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
- [**614**星][12d] [Py] [trustedsec/trevorc2](https://github.com/trustedsec/trevorc2) 通过正常的可浏览的网站隐藏 C&C 指令的客户端/服务器模型,因为时间间隔不同,检测变得更加困难,并且获取主机数据时不会使用 POST 请求
- [**575**星][3m] [PS] [nettitude/poshc2_old](https://github.com/nettitude/poshc2_old) Powershell C2 Server and Implants
- [**478**星][5m] [C++] [fsecurelabs/c3](https://github.com/FSecureLABS/C3) 一个用于快速定制C2通道原型的框架,同时仍提供与现有攻击性工具包的集成。
- [**442**星][3y] [CSS] [graniet/chromebackdoor](https://github.com/graniet/chromebackdoor) 一个渗透测试工具PoC,使用MITB技术在启动后生成Windows可执行文件“ .exe”,并在大多数流行的浏览器上运行恶意扩展或脚本,并通过C&C发送所有DOM数据。
- [**336**星][12d] [PS] [nettitude/poshc2](https://github.com/nettitude/poshc2) Python Server for PoshC2
- [**325**星][1y] [C#] [spiderlabs/dohc2](https://github.com/spiderlabs/dohc2) DoHC2 allows the ExternalC2 library from Ryan Hanson (
- [**273**星][4m] [Py] [felixweyne/imaginaryc2](https://github.com/felixweyne/imaginaryc2) 辅助对恶意软件进行行为(网络)分析,python
- [**205**星][3y] [Py] [countercept/doublepulsar-c2-traffic-decryptor](https://github.com/countercept/doublepulsar-c2-traffic-decryptor) 处理PCAP文件,解密发送到DOUBLEPULSAR implant的C2流量
- [**186**星][2y] [Py] [woj-ciech/daily-dose-of-malware](https://github.com/woj-ciech/daily-dose-of-malware) Script lets you gather malicious software and c&c servers from open source platforms like Malshare, Malcode, Google, Cymon - vxvault, cybercrime tracker and c2 for Pony.
- [**155**星][7d] [Py] [chrispetrou/hrshell](https://github.com/chrispetrou/hrshell) HRShell is an HTTPS/HTTP reverse shell built with flask. It is an advanced C2 server with many features & capabilities.
- [**136**星][2y] [Py] [pjlantz/hale](https://github.com/pjlantz/hale) Botnet command & control monitor
- [**132**星][10m] [C] [treehacks/botnet-hackpack](https://github.com/treehacks/botnet-hackpack) Build a basic Command & Control botnet in C
- [**130**星][6d] [Py] [mhaskar/octopus](https://github.com/mhaskar/octopus) Open source pre-operation C2 server based on python and powershell
- [**125**星][7d] [JS] [p3nt4/nuages](https://github.com/p3nt4/nuages) A modular C2 framework
- [**99**星][6d] [Py] [ziconius/fudgec2](https://github.com/ziconius/fudgec2) FudgeC2 - a command and control framework designed for team collaboration and post-exploitation activities.
- [**83**星][5y] [Py] [maldroid/maldrolyzer](https://github.com/maldroid/maldrolyzer) Simple framework to extract "actionable" data from Android malware (C&Cs, phone numbers etc.)
- [**79**星][9m] [C++] [watersalesman/aura-botnet](https://github.com/watersalesman/aura-botnet) A super portable botnet framework with a Django-based C2 server. The client is written in C++, with alternate clients written in Rust, Bash, and Powershell.
- [**70**星][14d] [Py] [angus-y/pyiris-backdoor](https://github.com/angus-y/pyiris-backdoor) a modular, stealthy and flexible remote-access-toolkit written completely in python used to command and control other systems.
- [**68**星][1m] [C#] [maraudershell/marauder](https://github.com/maraudershell/marauder) A .NET agent for the Faction C2 Framework
- [**67**星][5m] [HTML] [project-prismatica/prismatica](https://github.com/project-prismatica/prismatica) Responsive Command and Control System
- [**58**星][1y] [C#] [mdsecactivebreach/browser-externalc2](https://github.com/mdsecactivebreach/browser-externalc2) External C2 Using IE COM Objects
- [**56**星][2y] [Go] [averagesecurityguy/c2](https://github.com/averagesecurityguy/c2) A simple, extensible C&C beaconing system.
- [**48**星][3m] [Shell] [professionallyevil/c4](https://github.com/professionallyevil/c4) Cyberdelia, a Collection of Command and Control frameworks
- [**44**星][30d] [JS] [shadow-workers/shadow-workers](https://github.com/shadow-workers/shadow-workers) C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)
- [**41**星][2y] [Py] [v1v1/sleight](https://github.com/v1v1/sleight) Empire HTTP(S) C2 redirector setup script
- [**39**星][1y] [PS] [outflanknl/doh_c2_trigger](https://github.com/outflanknl/doh_c2_trigger) Code for blogpost:
- [**38**星][12d] [C#] [sf197/telegra_csharp_c2](https://github.com/sf197/telegra_csharp_c2) Command and Control for C# Writing
- [**37**星][11m] [Go] [prsecurity/golang_c2](https://github.com/prsecurity/golang_c2) Boilerplate C2 written in Go for red teams
- [**31**星][16d] [Py] [qsecure-labs/overlord](https://github.com/qsecure-labs/overlord) Overlord - Red Teaming Infrastructure Automation
- [**30**星][6y] [PS] [enigma0x3/powershell-c2](https://github.com/enigma0x3/powershell-c2)
- [**24**星][1y] [prsecurity/neutrino](https://github.com/prsecurity/neutrino) Neutrino C2 Source Code
- [**23**星][25d] [Go] [audibleblink/bothan](https://github.com/audibleblink/bothan) Is this IP a C2 server?
- [**19**星][1y] [tevora-threat/rt_redirectors](https://github.com/tevora-threat/rt_redirectors) Ansible role to configure redirectors for red team C2
- [**18**星][5y] [PS] [et0x/c2](https://github.com/et0x/c2) Methods of C2
- [**18**星][1m] [Py] [marcorosa/cnc-botnet-in-python](https://github.com/marcorosa/cnc-botnet-in-python) C&C Botnet written in Python with fabric
- [**17**星][1y] [C] [kiwidoggie/oni-framework](https://github.com/kiwidoggie/oni-framework) Embedded systems C2 software written in C/C#
- [**17**星][3y] [Go] [pandipanda69/my-little-honeypot](https://github.com/pandipanda69/my-little-honeypot) This repository aims to show how easy it is to code a telnet honeypot in order to recovering IOT malwares, and thus, active Command & Control.
- [**17**星][4m] [stvemillertime/absolutely-positively-not-hacking-back-with-pcap](https://github.com/stvemillertime/absolutely-positively-not-hacking-back-with-pcap) Streaming Unexpected Network Byte Sequences with High Probability of Blue Screening or Otherwise Crashing Attacker Command-and-Control Nodes
- [**16**星][4y] [Py] [hasherezade/bunitu_tests](https://github.com/hasherezade/bunitu_tests) Scripts for communication with Bunitu Trojan C&Cs
- [**16**星][6m] [C] [blacchat/xzf](https://github.com/blacchat/xzf) EXIF-based command and control PoC
- [**16**星][10m] [Py] [daniel-infosec/wikipedia-c2](https://github.com/daniel-infosec/wikipedia-c2) POC for utilizing wikipedia API for Command and Control
- [**14**星][5y] [Py] [nocow4bob/pix-c2](https://github.com/nocow4bob/pix-c2) Ping Exfiltration Command and Control (PiX-C2)
- [**14**星][3y] [Py] [secarmalabs/indushell](https://github.com/secarmalabs/indushell) PoC C&C for the Industroyer malware
- [**14**星][5m] [C#] [immersive-command-system/immersivedroneinterface](https://github.com/immersive-command-system/ImmersiveDroneInterface) aerial vehicle command and control platform, designed for immersive interfaces (such as the Oculus Rift).
- [**11**星][4m] [Py] [jacobsoo/amtracker](https://github.com/jacobsoo/amtracker) Android Malware Tracker
- [**10**星][12m] [Dockerfile] [d3vzer0/cnc-relay](https://github.com/d3vzer0/cnc-relay) Docker projects to retain beacon source IPs using C2 relaying infra
- [**10**星][9m] [Py] [m8r0wn/transportc2](https://github.com/m8r0wn/transportc2) PoC Command and Control Server. Interact with clients through a private web interface, add new users for team sharing and more.
- [**10**星][3y] [Py] [r3mrum/loki-parse](https://github.com/r3mrum/loki-parse) A python script that can detect and parse loki-bot (malware) related network traffic. This script can be helpful to DFIR analysts and security researchers who want to know what data is being exfiltrated to the C2, bot tracking, etc...
- [**9**星][4m] [Py] [degenerat3/meteor](https://github.com/degenerat3/meteor) Cross-platform C2 with modules for TCP, web, and more soon to come
- [**8**星][2m] [Py] [jacobsoo/malconfig](https://github.com/jacobsoo/malconfig) This is part of a module for the framework that i'm constantly developing. Currently only information of the C2 are disclosed here.
- [**8**星][3y] [Py] [killswitch-gui/flask_heroku_redirector](https://github.com/killswitch-gui/flask_heroku_redirector) flask heroku C2 redirector template
- [**8**星][5m] [Py] [r00k5a58/pyc2](https://github.com/r00k5a58/pyc2) simple c2 written in python to demonstrate security concepts
- [**8**星][11m] [tothi/kali-rpi-luks-crypt](https://github.com/tothi/kali-rpi-luks-crypt) Full disk encryption for Kali on Raspberry using LUKS
- [**8**星][25d] [Go] [xorrior/apfell-chrome-extension-c2server](https://github.com/xorrior/apfell-chrome-extension-c2server) Apfell C2 Server for the Google Chrome Extension Payload
- [**7**星][3y] [PS] [0sm0s1z/invoke-selfsignedwebrequest](https://github.com/0sm0s1z/invoke-selfsignedwebrequest) This repo exists as a quick and dirty arsenal of methods and scripts to subvert .NET SSL/TLS certificate validation in PowerShell and press on with the hack!
- [**6**星][2y] [C#] [jaydcarlson/c2-printf](https://github.com/jaydcarlson/c2-printf) 通过 Silicon Labs C2 调试器连接打印跟踪消息
- [**6**星][5m] [Py] [m507/m-botnet](https://github.com/m507/m-botnet) A C2 project that controls a self-propagating MS17-010 worm.
- [**5**星][3y] [Py] [killswitch-gui/flask_pythonanywhere_redirector](https://github.com/killswitch-gui/flask_pythonanywhere_redirector) flask pythonanywhere C2 redirector template
- [**4**星][3y] [Py] [mellow-hype/c2finder](https://github.com/mellow-hype/c2finder) Look for un-sinkholed C&C IPs in your Bro logs (from Bambanek Consulting C&C master list)
- [**4**星][2y] [PHP] [nao-sec/ramnit_traffic_parser](https://github.com/nao-sec/ramnit_traffic_parser) Parsing Ramnit's traffic
- [**3**星][23d] [C++] [lima-x-coding/win32.-d0t-nix.c2](https://github.com/lima-x-coding/win32.-d0t-nix.c2) A C/C++ recreation off the original Win32.VB.Illerka.C Virus by Michael [APFX]
- [**0**星][2y] [Py] [bizdak/silverboxcc](https://github.com/bizdak/silverboxcc) Reverse engineered android malware, and this is a C&C server for it
- [**0**星][2y] [boaxboax/ctf-quaorar](https://github.com/boaxboax/ctf-quaorar)

***

## 文章

### 新添加

- 2019.12 [prsecurity] [Casual Analysis of Valak C2](https://medium.com/p/3497fdb79bf7)
- 2019.11 [talosintelligence] [C2 With It All: From Ransomware To Carding](https://blog.talosintelligence.com/2019/11/c2-with-it-all.html)
- 2019.10 [activecountermeasures] [MITRE ATT&CK Matrix – Custom C2 Protocol](https://www.activecountermeasures.com/mitre-attck-matrix-custom-c2-protocol/)
- 2019.10 [HackersOnBoard] [Digital Vengeance Exploiting the Most Notorious C&C Toolkits](https://www.youtube.com/watch?v=CmQOfqrRLEI)
- 2019.10 [HackersOnBoard] [Black Hat USA 2017 Infecting the Enterprise Abusing Office365+Powershell for Covert C2](https://www.youtube.com/watch?v=dxGAreWx9Jw)
- 2019.10 [rapid7] [Open-Source Command and Control of the DOUBLEPULSAR Implant](https://blog.rapid7.com/2019/10/02/open-source-command-and-control-of-the-doublepulsar-implant/)
- 2019.09 [carbonblack] [CB TAU Threat Intelligence Notification: Common to Russian Underground Forums, AZORult Aims to Connect to C&C Server, Steal Sensitive Data](https://www.carbonblack.com/2019/09/24/cb-tau-threat-intelligence-notification-common-to-russian-underground-forums-azorult-aims-to-connect-to-cc-server-steal-sensitive-data/)
- 2019.09 [BlackHat] [Flying a False Flag: Advanced C2, Trust Conflicts, and Domain Takeover](https://www.youtube.com/watch?v=2BEwqbCbQuM)
- 2019.09 [lockboxx] [MacOS Red Teaming 209: macOS Frameworks for Command and Control](https://lockboxx.blogspot.com/2019/09/macos-red-teaming-209-macos-frameworks.html)
- 2019.09 [activecountermeasures] [MITRE ATT&CK Matrix – C2 Connection Proxy](https://www.activecountermeasures.com/mitre-attck-matrix-c2-connection-proxy/)
- 2019.09 [freebuf] [摩诃草团伙利用公用平台分发C&C配置攻击活动揭露](https://www.freebuf.com/articles/system/212584.html)
- 2019.09 [trendmicro] [Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions](https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/)
- 2019.08 [deepsec] [DeepSec2019 Talk: Android Malware Adventures – Analyzing Samples and Breaking into C&C – Kürşat Oğuzhan Akıncı & Mert Can Coşkuner](https://blog.deepsec.net/deepsec2019-talk-android-malware-adventures-analyzing-samples-and-breaking-into-cc-kursat-oguzhan-akinci-mert-can-coskuner/)
- 2019.08 [KindredSecurity] [Code/Design Analysis of the redViper C2 Communication Protocol](https://www.youtube.com/watch?v=rk4EMhq30-M)
- 2019.07 [trendmicro] [Keeping a Hidden Identity: Mirai C&Cs in Tor Network](https://blog.trendmicro.com/trendlabs-security-intelligence/keeping-a-hidden-identity-mirai-ccs-in-tor-network/)
- 2019.07 [vishal] [Emotet C2 July2019Wk4](https://medium.com/p/dfc64965087a)
- 2019.07 [freebuf] [Linux平台ibus蠕虫C&C模块源码分析](https://www.freebuf.com/articles/system/208374.html)
- 2019.07 [freebuf] [利用SSH隧道加密、隐蔽C&C通信流量](https://www.freebuf.com/articles/network/207850.html)
- 2019.07 [4hou] [Linux平台ibus蠕虫C&C模块源码分析](https://www.4hou.com/web/19225.html)
- 2019.07 [trendmicro] [New Miori Variant Uses Unique Protocol to Communicate with C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/new-miori-variant-uses-unique-protocol-to-communicate-with-cc/)
- 2019.07 [binaryedge] [Guest Post: Using BinaryEdge to hunt for Panda Banker C2 servers and Android Malware](https://blog.binaryedge.io/2019/07/08/guest-post-panda-banker/)
- 2019.05 [sentinelone] [Emotet: The Story of Disposable C2 Servers](https://www.sentinelone.com/blog/emotet-story-of-disposable-c2-servers/)
- 2019.05 [cobbr] [Designing Peer-To-Peer Command and Control](https://cobbr.io/Designing-Peer-To-Peer-C2.html)
- 2019.04 [specterops] [Designing Peer-To-Peer Command and Control](https://medium.com/p/ad2c61740456)
- 2019.04 [trendmicro] [Emotet Adds New Evasion Technique and Uses Connected Devices as Proxy C&C Servers](https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/)
- 2019.04 [paloaltonetworks] [Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale](https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/)
- 2019.04 [hackingarticles] [Command & Control: Ares](https://www.hackingarticles.in/command-control-ares/)
- 2019.04 [hackingarticles] [Command & Control: WebDav C2](https://www.hackingarticles.in/command-control-webdav-c2/)
- 2019.04 [arxiv] [[1904.05119] Reconstruction of C&C Channel for P2P Botnet](https://arxiv.org/abs/1904.05119)
- 2019.04 [carbonblack] [CB TAU Threat Intelligence Notification: Email VBS Downloader Connects to C2 Server, Downloads Trickbot Payload](https://www.carbonblack.com/2019/04/04/cb-tau-threat-intelligence-notification-email-vbs-downloader-connects-to-c2-server-downloads-trickbot-payload/)
- 2019.04 [TROOPERScon] [TR19: Introducing Faction: A modern, powerful, multiplayer C2 framework](https://www.youtube.com/watch?v=NuAz6cfuEe4)
- 2019.03 [hackingarticles] [Command & Control: Silenttrinity Post-Exploitation Agent](https://www.hackingarticles.in/command-control-silenttrinity-post-exploitation-agent/)
- 2019.03 [0x00sec] [Build C&C architecture](https://0x00sec.org/t/build-c-c-architecture/12169/)
- 2019.03 [sophos] [Emotet 101, stage 4: command and control](https://news.sophos.com/en-us/2019/03/05/emotet-101-stage-4-command-and-control/)
- 2019.02 [inyour] [Apache mod_python C2 Proxy](https://inyour.network/blog/2019/Apache-ModPython-C2-Proxy/)
- 2019.02 [hackingarticles] [TrevorC2 – Command and Control](https://www.hackingarticles.in/trevorc2-command-and-control/)
- 2019.02 [mdsec] [External C2, IE COM Objects and how to use them for Command and Control](https://www.mdsec.co.uk/2019/02/external-c2-ie-com-objects-and-how-to-use-them-for-command-and-control/)
- 2019.02 [welivesecurity] [DanaBot Trojan updated with new C&C communication](https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/)
- 2019.01 [freebuf] [在标准SSH隧道中隐藏C&C流量](https://www.freebuf.com/articles/system/194630.html)
- 2019.01 [hackingarticles] [Koadic – COM Command & Control Framework](https://www.hackingarticles.in/koadic-com-command-control-framework/)
- 2019.01 [blackhillsinfosec] [SSHazam: Hide Your C2 Inside of SSH](https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/)
- 2019.01 [4hou] [C&C浏览器](http://www.4hou.com/web/15389.html)
- 2019.01 [sans] [#TheC2Matrix: Comparing C2 Frameworks](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1574188899.pdf)
- 2019.01 [sans] [Covert Channels & Command and Control Innovation](https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1574176351.pdf)
- 2018.12 [securelayer7] [恶意代码C&C服务器基本解读](http://blog.securelayer7.net/basic-understanding-of-command-and-control-malware-server-part1/)
- 2018.12 [securelayer7] [Basic Understanding of Command and Control Malware Server](https://blog.securelayer7.org/basic-understanding-of-command-and-control-malware-server-part1/)
- 2018.12 [myonlinesecurity] [Lokibot campaigns continue with some changes to C2 urls](https://myonlinesecurity.co.uk/lokibot-campaigns-continue-with-some-changes-to-c2-urls/)
- 2018.11 [360] [使用邮件实现C&C通信:新型木马Cannon分析](https://www.anquanke.com/post/id/164946/)
- 2018.11 [trendmicro] [Perl-Based Shellbot Looks to Target Organizations via C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/perl-based-shellbot-looks-to-target-organizations-via-cc/)
- 2018.10 [cofense] [America’s First: US Leads in Global Malware C2 Distribution](https://cofense.com/americas-first-us-leads-global-malware-c2-distribution/)
- 2018.08 [vanimpe] [How to Leverage Log Services to Analyze C&C Traffic](https://www.vanimpe.eu/2018/08/26/how-to-leverage-log-services-to-analyze-cc-traffic/)
- 2018.08 [nsfocus] [Turla变种针对Microsoft Outlook后门发起C&C攻击](http://blog.nsfocus.net/microsoft-outlook-turla/)
- 2018.08 [nettitude] [Extending C2 Lateral Movement – Invoke-Pbind](https://labs.nettitude.com/blog/extending-c2-lateral-movement-invoke-pbind/)
- 2018.07 [syspanda] [Threat Hunting: Fine Tuning Sysmon & Logstash to find Malware Callbacks C&C](https://www.syspanda.com/index.php/2018/07/30/threat-hunting-fine-tuning-sysmon-logstash-find-malware-callbacks-cc/)
- 2018.07 [freebuf] [蓝宝菇(APT-C-12)最新攻击样本及C&C机制分析](http://www.freebuf.com/articles/system/178422.html)
- 2018.07 [360] [天眼实验室:蓝宝菇(APT-C-12)最新攻击样本及C&C机制分析](https://www.anquanke.com/post/id/152639/)
- 2018.07 [trendmicro] [黑客组织 Blackgear 活动再现: 使用社交网络做C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/)
- 2018.07 [esentire] [Living Off the Land – The Command and Control Phase](https://www.esentire.com/blog/living-off-the-land-the-command-and-control-phase/)
- 2018.06 [whitecatsec] [Lazarus C2 - miło Cię upolować](http://blog.whitecatsec.com/2018/06/lazarus-c2-milo-cie-upolowac_15.html)
- 2018.06 [ironcastle] [SMTP Strangeness – Possible C2, (Fri, Jun 15th)](https://www.ironcastle.net/smtp-strangeness-possible-c2-fri-jun-15th/)
- 2018.06 [sans] [SMTP Strangeness - Possible C2](https://isc.sans.edu/forums/diary/SMTP+Strangeness+Possible+C2/23770/)
- 2018.06 [pentestlab] [Command and Control – Browser](https://pentestlab.blog/2018/06/06/command-and-control-browser/)
- 2018.06 [nanxiao] [Add CC&CXX environment variables in your OpenBSD profile](http://nanxiao.me/en/add-cccxx-environment-variables-in-your-openbsd-profile/)
- 2018.06 [newskysecurity] [Hacker Fail: IoT botnet command and control server accessible via default credentials](https://medium.com/p/2ea7cab36f72)
- 2018.06 [newskysecurity] [Hacker Fail: IoT botnet command and control server accessible via default credentials](https://blog.newskysecurity.com/hacker-fail-iot-botnet-command-and-control-server-accessible-via-default-credentials-2ea7cab36f72)
- 2018.06 [cobaltstrike] [Broken Promises and Malleable C2 Profiles](https://blog.cobaltstrike.com/2018/06/04/broken-promises-and-malleable-c2-profiles/)
- 2018.05 [vanimpe] [Diving into the VPNFilter C2 via EXIF](https://www.vanimpe.eu/2018/05/25/diving-into-the-vpnfilter-c2-via-exif/)
- 2018.05 [netspi] [Databases and Clouds: SQL Server as a C2](https://blog.netspi.com/databases-and-clouds-sql-server-as-a-c2/)
- 2018.05 [securelist] [VPNFilter EXIF to C2 mechanism analysed](https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/)
- 2018.05 [blackhillsinfosec] [C2, C3, Whatever It Takes](https://www.blackhillsinfosec.com/c2-c3-whatever-it-takes/)
- 2018.05 [0x00sec] [Tyrannosaurus reproduced fast and died young: A malicious host/IP/C&C from China, 2016 to present](https://0x00sec.org/t/tyrannosaurus-reproduced-fast-and-died-young-a-malicious-host-ip-c-c-from-china-2016-to-present/6691/)
- 2018.05 [360] [2018全国网络空间安全技术大赛web&misc&crypto题解](https://www.anquanke.com/post/id/144862/)
- 2018.05 [pentestingexperts] [Threat Hunting – Command and Control Center – OFFICE WORK](http://www.pentestingexperts.com/threat-hunting-command-and-control-center-office-work/)
- 2018.05 [ironcastle] [Reversed C2 traffic from China, (Fri, May 11th)](https://www.ironcastle.net/reversed-c2-traffic-from-china-fri-may-11th/)
- 2018.05 [sans] [Reversed C2 traffic from China](https://isc.sans.edu/forums/diary/Reversed+C2+traffic+from+China/23649/)
- 2018.05 [countercept] [Retrieving Meterpreter C2 from Memory](https://countercept.com/blog/retrieving-meterpreter-c2-from-memory/)
- 2018.05 [countercept] [Retrieving Meterpreter C2 from Memory](https://countercept.com/our-thinking/retrieving-meterpreter-c2-from-memory/)
- 2018.04 [360] [用Apache mod_rewrite来保护你的Empire C2](https://www.anquanke.com/post/id/104784/)
- 2018.04 [4hou] [使用Angr将自己伪造成C&C服务器以研究恶意软件的通信协议](http://www.4hou.com/technology/11074.html)
- 2018.04 [bluescreenofjeff] [HTTPS Payload and C2 Redirectors](https://bluescreenofjeff.com/2018-04-12-https-payload-and-c2-redirectors/)
- 2018.03 [findingbad] [C2 Hunting](http://findingbad.blogspot.com/2018/03/c2-hunting.html)
- 2018.03 [blackhillsinfosec] [How to Build a Command & Control Infrastructure with Digital Ocean: C2K Revamped](https://www.blackhillsinfosec.com/how-to-build-a-command-control-infrastructure-with-digital-ocean-c2k-revamped/)
- 2018.03 [akijosberryblog] [使用ActiveDirectory做C&C](https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control/)
- 2018.03 [blackhillsinfosec] [WEBCAST: Tweets, Beats, and Sheets: C2 over Social Media](https://www.blackhillsinfosec.com/webcast-tweets-beats-and-sheets-c2-over-social-media/)
- 2018.03 [infosecinstitute] [Threat Hunting – Command and Control Center - OFFICE WORK](http://resources.infosecinstitute.com/threat-hunting-command-control-center-office-work/)
- 2018.02 [woj] [Command and control server in social media (Twitter, Instagram, Youtube + Telegram)](https://medium.com/p/5206ce763950)
- 2018.02 [xorl] [Multi-stage C&C and Red Teams](https://xorl.wordpress.com/2018/02/11/multi-stage-cc-and-red-teams/)
- 2018.01 [woj] [OSINT : Chasing Malware + C&C Servers](https://medium.com/p/3c893dc1e8cb)
- 2018.01 [pentestlab] [Command and Control – JavaScript](https://pentestlab.blog/2018/01/08/command-and-control-javascript/)
- 2018.01 [f5] [Mirai is Attacking Again, So We’re Outing its Hilarious, Explicit C&C Hostnames](https://f5.com/labs/articles/threat-intelligence/cyber-security/mirai-is-attacking-again-so-were-outing-its-hilarious-explicit-c-c-hostnames)
- 2018.01 [pentestlab] [Command and Control – Web Interface](https://pentestlab.blog/2018/01/03/command-and-control-web-interface/)
- 2018.01 [pentestlab] [Command and Control – Images](https://pentestlab.blog/2018/01/02/command-and-control-images/)
- 2017.12 [invokethreat] [Thoughts on C2 Designs and Tradecraft](http://www.invokethreat.actor/2017/12/thoughts-on-c2-designs-and-tradecraft.html)
- 2017.12 [benkowlab] [Another normal day in cybercrime: from a random Loki sample to 550 C&C](https://benkowlab.blogspot.com/2017/12/another-normal-day-in-cybercrime-from.html)
- 2017.12 [obscuritylabs] [Docker Your Command & Control (C2)](https://obscuritylabs.com/blog/2017/12/24/docker-your-command-control-c2/)
- 2017.12 [4hou] [假借可信的在线服务进行C&C攻击](http://www.4hou.com/web/9380.html)
- 2017.12 [MSbluehat] [BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-Control Traffic](https://www.slideshare.net/MSbluehat/bluehat-v17-dyre-to-trickbot-an-inside-look-at-tlsencrypted-commandandcontrol-traffic)
- 2017.11 [virusbulletin] [VB2017 paper: Offensive malware analysis: dissecting OSX/FruitFly.B via a custom C&C server](https://www.virusbulletin.com/blog/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/)
- 2017.11 [pentestlab] [Command and Control – WMI](https://pentestlab.blog/2017/11/20/command-and-control-wmi/)
- 2017.11 [pentestlab] [Command and Control – Website](https://pentestlab.blog/2017/11/14/command-and-control-website/)
- 2017.11 [malwaretech] [如何识别僵尸软件 Emotet 的C&C 基础设施](https://www.malwaretech.com/2017/11/investigating-command-and-control-infrastructure-emotet.html)
- 2017.11 [virusbulletin] [VB2017 video: Turning Trickbot: decoding an encrypted command-and-control channel](https://www.virusbulletin.com/blog/2017/11/vb2017-video-turning-trickbot-decoding-encrypted-command-and-control-channel/)
- 2017.11 [thevivi] [Securing your Empire C2 with Apache mod_rewrite](https://thevivi.net/2017/11/03/securing-your-empire-c2-with-apache-mod_rewrite/)
- 2017.10 [hackersgrid] [trevorc2介绍](http://hackersgrid.com/2017/10/trevorc2.html)
- 2017.10 [trustedsec] [TrevorC2 – Legitimate Covert C2 over Browser Emulation](https://www.trustedsec.com/2017/10/trevorc2-legitimate-covert-c2-browser-emulation/)
- 2017.10 [Cooper] [Hack.lu 2017 Digital Vengeance: Exploiting Notorious C&C Toolkits by Waylon Grange](https://www.youtube.com/watch?v=dPhwgTXIOOM)
- 2017.10 [4hou] [使用FTP的系统控制后门作为C&C通道](http://www.4hou.com/system/7859.html)
- 2017.10 [trendmicro] [使用 FTP 服务器做 C&C的恶意软件 SYSCON](https://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/)
- 2017.10 [pentestlab] [Command and Control – HTTPS](https://pentestlab.blog/2017/10/04/command-and-control-https/)
- 2017.10 [pentestlab] [Command and Control – Kernel](https://pentestlab.blog/2017/10/02/command-and-control-kernel/)
- 2017.09 [virusbulletin] [VB2017 preview: Offensive malware analysis: dissecting OSX/FruitFly.B via a custom C&C server](https://www.virusbulletin.com/blog/2017/09/vb2017-preview-offensive-malware-analysis-dissecting-osxfruitfly-custom-cc-server/)
- 2017.09 [venus] [新型 Android 银行木马“MoqHao”利用社交网络隐藏 C&C 服务器](https://paper.seebug.org/407/)
- 2017.09 [talosintelligence] [CCleaner Command and Control Causes Concern](https://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html)
- 2017.09 [pentestlab] [Command and Control – Website Keyword](https://pentestlab.blog/2017/09/14/command-and-control-website-keyword/)
- 2017.09 [tevora] [SecSmash: Leveraging Enterprise Tools for command execution, lateral movement and C2](http://threat.tevora.com/secsmash-leveraging-enterprise-tools-for-command-execution/)
- 2017.09 [blackhillsinfosec] [Let’s Go Hunting! How to Hunt Command & Control Channels Using Bro IDS and RITA](https://www.blackhillsinfosec.com/how-to-hunt-command-and-control-channels-using-bro-ids-and-rita/)
- 2017.09 [pentestlab] [Command and Control – WebDAV](https://pentestlab.blog/2017/09/12/command-and-control-webdav/)
- 2017.09 [pentestlab] [Command and Control – Windows COM](https://pentestlab.blog/2017/09/01/command-and-control-windows-com/)
- 2017.08 [bluescreenofjeff] [Randomized Malleable C2 Profiles Made Easy](https://bluescreenofjeff.com/2017-08-30-randomized-malleable-c2-profiles-made-easy/)
- 2017.08 [n0where] [Proxy Aware PowerShell C2 Framework: PoshC2](https://n0where.net/proxy-aware-powershell-c2-framework-poshc2)
- 2017.08 [riskanalytics] [Andromeda command-and-control on SourceForge](https://www.riskanalytics.com/2017/08/24/andromeda-command-and-control-on-sourceforge/)
- 2017.08 [pentestlab] [Command and Control – PowerShell](https://pentestlab.blog/2017/08/19/command-and-control-powershell/)
- 2017.08 [themiddleblue] [CloudFlare Domain Fronting: an easy way to reach (and hide) a malware C&C](https://medium.com/p/786255f0f437)
- 2017.08 [trendmicro] [Hackers Leverage Chat for Command&Control: How You Can Protect Your Business](http://blog.trendmicro.com/hackers-leverage-chat-for-commandcontrol-how-you-can-protect-your-business/)
- 2017.07 [blackhillsinfosec] [How to Build a C2 Infrastructure with Digital Ocean – Part 1](https://www.blackhillsinfosec.com/build-c2-infrastructure-digital-ocean-part-1/)
- 2017.07 [NorthSec] [Dimitry Snezhkov - Abusing Webhooks for Command and Control](https://www.youtube.com/watch?v=1d3QCA2cR8o)
- 2017.07 [xpnsec] [Industroyer C2 Communication](https://blog.xpnsec.com/industroyer-c2-protocol/)
- 2017.06 [mcafee] [How a Hacking Group Used Britney Spears’ Instagram to Operate a Command and Control Server](https://securingtomorrow.mcafee.com/business/hacking-group-used-britney-spears-instagram-operate-command-control-server/)
- 2017.06 [cybersins] [Jump Air-gap, Low Level C&C](https://cybersins.com/malware-wifi-airgap/)
- 2017.06 [trendmicro] [Victim Machine has joined #general: Using Third-Party APIs as C&C Infrastructure](https://blog.trendmicro.com/trendlabs-security-intelligence/using-third-party-apis-cc-infrastructure/)
- 2017.05 [4hou] [新型僵尸网络Rakos:入侵设备后改造为C&C控制端,已感染数万台](http://www.4hou.com/info/news/4776.html)
- 2017.05 [threatexpress] [Empire:修改服务器的 C2Indicators](http://threatexpress.com/2017/05/empire-modifying-server-c2-indicators/)
- 2017.05 [m] [New Shodan Tool Can Find Malware Command and Control (C&C) Servers](https://www.peerlyst.com/posts/new-shodan-tool-can-find-malware-command-and-control-c-and-c-servers-mark-dearlove)
- 2017.04 [freebuf] [利用企业邮件系统构造命令控制(C&C)和数据窃取(Exfiltration)通道的思路探讨](http://www.freebuf.com/articles/network/132962.html)
- 2017.04 [cybersyndicates] [Expand Your Horizon Red Team – Modern SaaS C2](https://cybersyndicates.com/2017/04/expand-your-horizon-red-team/)
- 2017.04 [blackhillsinfosec] [WEBCAST: Two Covert C2 Channels](https://www.blackhillsinfosec.com/webcast-two-covert-c2-channels/)
- 2017.04 [securityartwork] [对于只能使用企业设定的代理服务器访问外网,而且代理服务器经过严格设定和监控的情况,使用企业的网页邮箱,作为企业内网主机的C&C,以及获取数据。](https://www.securityartwork.es/2017/04/20/abusing-corporate-webmail-for-cc-and-exfiltration/)
- 2017.04 [chokepoint] [Hunting Red Team Meterpreter C2 Infrastructure](http://www.chokepoint.net/2017/04/hunting-red-team-meterpreter-c2.html)
- 2017.04 [krypt3ia] [OpISIS C2’s and Malware?](https://krypt3ia.wordpress.com/2017/04/10/opisis-c2s-and-malware/)
- 2017.04 [krypt3ia] [Trump Hotels Dot Com: Malware C2 In 2014](https://krypt3ia.wordpress.com/2017/04/06/trump-hotels-dot-com-malware-c2-in-2014/)
- 2017.03 [360] [ChChes – 使用Cookie头与C&C服务器通信的恶意软件](https://www.anquanke.com/post/id/85676/)
- 2017.03 [malwarebytes] [CryptoBlock ransomware and its C2](https://blog.malwarebytes.com/threat-analysis/2017/03/cryptoblock-and-its-c2/)
- 2017.03 [pediy] [[翻译] TP-Link C2 和 C20i 的多个漏洞](https://bbs.pediy.com/thread-216042.htm)
- 2017.03 [cobbr] [ObfuscatedEmpire - Use an obfuscated, in-memory PowerShell C2 channel to evade AV signatures](https://cobbr.io/ObfuscatedEmpire.html)
- 2017.02 [jpcert] [ChChes – Malware that Communicates with C&C Servers Using Cookie Headers](https://blogs.jpcert.or.jp/en/2017/02/chches-malware--93d6.html)
- 2017.02 [wordfence] [WordPress Used as Command and Control Server in 2016 Election Hack](https://www.wordfence.com/blog/2017/02/russia-election-hack-worpress-used/)
- 2017.02 [pierrekim] [TP-Link C2 and C20i vulnerable to command injection (authenticated root RCE), DoS, improper firewall rules](http://pierrekim.github.io/blog/2017-02-09-tplink-c2-and-c20i-vulnerable.html)
- 2017.02 [arbornetworks] [UC&C: Stay Connected with Service Assurance](https://www.netscout.com/news/blog/unified-communications-service-assurance)
- 2017.01 [securityartwork] [Simple domain fronting PoC with GAE C2 server](https://www.securityartwork.es/2017/01/31/simple-domain-fronting-poc-with-gae-c2-server/)
- 2017.01 [HackersOnBoard] [DEF CON 24 - Malware Command and Control Channels - A journey into darkness](https://www.youtube.com/watch?v=okeXzdAlNpU)
- 2016.12 [DemmSec] [PoshC2 - A fully powershell command and control server](https://www.youtube.com/watch?v=wVHvdUVFQnM)
- 2016.11 [myonlinesecurity] [Locky changed to use .aesir file extension and changed C2 format](https://myonlinesecurity.co.uk/locky-changed-to-use-aesir-file-extension-and-changed-c2-format/)
- 2016.11 [n0where] [osquery Command And Control: Kolide](https://n0where.net/osquery-command-and-control-kolide)
- 2016.10 [securelist] [Inside the Gootkit C&C server](https://securelist.com/inside-the-gootkit-cc-server/76433/)
- 2016.10 [broadanalysis] [Rig Exploit Kit via EITEST delivers Crypt2 ransomware C2 5.39.93.43](http://www.broadanalysis.com/2016/10/17/rig-exploit-kit-via-eitest-delivers-crypt2-ransomware-c2-5-39-93-43/)
- 2016.10 [freebuf] [玩出C&C服务器地址隐身的新花样,看看这个恶意软件怎么做的](http://www.freebuf.com/articles/system/115809.html)
- 2016.09 [freebuf] [隐秘通讯与跳板?C&C服务器究竟是怎么一回事](http://www.freebuf.com/articles/network/114122.html)
- 2016.09 [laanwj] [A few notes on SECONDDATE's C&C protocol](http://laanwj.github.io/2016/09/17/seconddate-cnc.html)
- 2016.09 [laanwj] [BLATSTING C&C transcript](http://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html)
- 2016.09 [360] [New Elknot/Billgates Variant with XOR like C2 Configuration Encryption Scheme](http://blog.netlab.360.com/new-elknot-billgates-variant-with-xor-like-c2-configuration-encryption-scheme/)
- 2016.08 [contextis] [Using SMB named pipes as a C2 channel](https://www.contextis.com/blog/using-smb-named-pipes-c2-channel)
- 2016.08 [endgame] [Instegogram: Leveraging Instagram for C2 via Image Steganography](https://www.endgame.com/blog/technical-blog/instegogram-leveraging-instagram-c2-image-steganography)
- 2016.08 [fidelissecurity] [Vawtrak C2 – Pin it](https://www.fidelissecurity.com/threatgeek/2016/08/vawtrak-c2-%E2%80%93-pin-it)
- 2016.08 [harmj0y] [Command and Control Using Active Directory](http://www.harmj0y.net/blog/powershell/command-and-control-using-active-directory/)
- 2016.08 [broadanalysis] [New C2 – Neutrino Exploit Kit via pseudoDarkleech HOPTO.ORG gate delivers CrypMic Ransomware](http://www.broadanalysis.com/2016/08/08/new-c2-neutrino-exploit-kit-via-pseudodarkleech-hopto-org-gate-delivers-crypmic-ransomware/)
- 2016.08 [CodeColoristX] [利用图片博客做 C&C 配置](https://blog.chichou.me/%E5%88%A9%E7%94%A8%E5%9B%BE%E7%89%87%E5%8D%9A%E5%AE%A2%E5%81%9A-c-c-%E9%85%8D%E7%BD%AE-a00081180769)
- 2016.07 [broadanalysis] [Neutrino Exploit Kit via pseudoDarkleech delivers CryptXXX Ransomware – NEW C2](http://www.broadanalysis.com/2016/07/26/neutrino-exploit-kit-via-pseudodarkleech-delivers-cryptxxx-ransomware-new-c2/)
- 2016.07 [cerbero] [Extracting C&C from Android Malware](http://cerbero-blog.com/?p=1633)
- 2016.07 [blackhillsinfosec] [How to Build a 404 page not found C2](https://www.blackhillsinfosec.com/how-to-build-a-404-page-not-found-c2/)
- 2016.07 [pentestn00b] [PoshC2 – Powershell C2](https://pentestn00b.wordpress.com/2016/07/11/poshc2-powershell-c2/)
- 2016.07 [hackwhackandsmack] [PoshC2 – Powershell C2](https://www.hackwhackandsmack.com/?p=693)
- 2016.05 [rtl] [Using the Airspy on an Odroid C2](https://www.rtl-sdr.com/using-the-airspy-on-an-odroid-c2/)
- 2016.05 [sec] [烽火台威胁情报订阅0529:C2-feed](https://www.sec-un.org/beacon-threat-intelligence-subscription-0529c2-feed/)
- 2016.05 [trustlook] [Fake Adobe Flash App Evades Most Anti Virus Detection, Manipulates Phone by Command & Control Server in Latvia](https://blog.trustlook.com/2016/05/23/fake-adobe-flash-app-evades-most-anti-virus-detection-and-manipulates-phone-by-command-control-server-in-latvia/)
- 2016.04 [broadanalysis] [Angler EK sends Bedep, TelsaCrypt – NEW C2’s](http://www.broadanalysis.com/2016/04/18/angler-ek-sends-bedep-telsacrypt-new-c2s/)
- 2016.04 [akamai] [Akamai's State of the Art Command and Control Center for OTT Broadcasters](https://blogs.akamai.com/2016/04/post.html)
- 2016.04 [broadanalysis] [Angler Flash Exploit Infection Chain – New C&C](http://www.broadanalysis.com/2016/04/05/angler-flash-exploit-infection-chain-new-cc/)
- 2016.03 [broadanalysis] [Angler EK – TeslaCrypt – NEW C2 URI Structure “binarystings.php”](http://www.broadanalysis.com/2016/03/28/angler-ek-teslacrypt-new-c2-uri-structure-binarystings-php/)
- 2016.03 [malwarenailed] [Weaponized Container exploiting MS Office Vulnerability CVE 2012-0158 - Communicating to Dridex C2 Infra](http://malwarenailed.blogspot.com/2016/03/weaponized-container-exploiting-ms.html)
- 2016.03 [broadanalysis] [Angler EK sends TeslaCrypt – New C2 – New Ransom note pattern](http://www.broadanalysis.com/2016/03/18/angler-ek-sends-teslacrypt-new-c2-new-ransom-note-pattern/)
- 2016.03 [dafthack] [Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show True Risk](https://www.slideshare.net/dafthack/beyond-the-pentest-how-c2-internal-pivoting-and-data-exfiltration-show-true-risk-59678824)
- 2016.03 [robert] [Block Ransomware botnet C&C traffic with a Mikrotik router](https://robert.penz.name/1262/block-ransomware-botnet-cc-traffic-with-a-mikrotik-router/)
- 2016.02 [arbornetworks] [Embracing Modern UC&C: A Holistic Approach](https://www.netscout.com/news/blog/embracing-modern-ucc-holistic-approach)
- 2015.12 [blackhillsinfosec] [Can we C2? Yes we can!](https://www.blackhillsinfosec.com/can-we-c2-yes-we-can/)
- 2015.11 [breakpoint] [Detecting and Understanding Emdivi HTTP C2](https://breakpoint-labs.com/blog/detecting-and-understanding-emdivi-http-c2/)
- 2015.11 [alienvault] [Command and Control Server Detection: Methods & Best Practices](https://www.alienvault.com/blogs/security-essentials/command-and-control-server-detection-methods-best-practices)
- 2015.11 [f] [Paper: C&C-As-A-Service](https://labsblog.f-secure.com/2015/11/17/paper-cc-as-a-service/)
- 2015.11 [] [与黑产的博弈-C&C控制服务的设计和侦测方法综述](http://www.91ri.org/14517.html)
- 2015.11 [checkpoint] [Offline Ransomware Encrypts Your Data without C&C Comms](https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/)
- 2015.11 [angelalonso] [Reversing the SMS C&C protocol of Emmental - 2nd part](http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental_3.html)
- 2015.11 [angelalonso] [Reversing the SMS C&C protocol of Emmental (1st part - understanding the code)](http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html)
- 2015.11 [vanimpe] [Hunting for Dridex C2 info](https://www.vanimpe.eu/2015/11/01/hunting-dridex-c2-info/)
- 2015.10 [portcullis] [Locating SAT based C&Cs](https://labs.portcullis.co.uk/blog/locating-sat-based-ccs/)
- 2015.09 [trendmicro] [How Command and Control Servers Remain Resilient](https://blog.trendmicro.com/trendlabs-security-intelligence/adapting-to-change-how-command-and-control-servers-remain-hidden-and-resilient/)
- 2015.09 [securelist] [Satellite Turla: APT Command and Control in the Sky](https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/)
- 2015.09 [samvartaka] [Crypto-trouble in Poison Ivy's C2 protocol](http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation)
- 2015.09 [trendmicro] [Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor](https://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/)
- 2015.07 [trendmicro] [Pawn Storm C&C Redirects to Trend Micro IP Address](https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-cc-redirects-to-trend-micro-ip-address/)
- 2015.06 [virusbulletin] [Vawtrak uses Tor2Web to connect to Tor hidden C&C servers](https://www.virusbulletin.com/blog/2015/06/vawtrak-uses-tor2web-connect-tor-hidden-c-amp-c-servers/)
- 2015.05 [sans] [Possible Wordpress Botnet C&C: errorcontent.com](https://isc.sans.edu/forums/diary/Possible+Wordpress+Botnet+CC+errorcontentcom/19733/)
- 2015.05 [trendmicro] [Joke or Blunder: Carbanak C&C Leads to Russia Federal Security Service](https://blog.trendmicro.com/trendlabs-security-intelligence/joke-or-blunder-carbanak-cc-leads-to-russia-federal-security-service/)
- 2015.05 [trendmicro] [Steganography and Malware: Concealing Code and C&C Traffic](https://blog.trendmicro.com/trendlabs-security-intelligence/steganography-and-malware-concealing-code-and-cc-traffic/)
- 2015.03 [secureallthethings] [Yet Another Reason for HTTPS Everywhere: Internet Node Based Malware Command and Control Channels](http://secureallthethings.blogspot.com/2015/03/yet-another-reason-for-https-everywhere.html)
- 2015.03 [trendmicro] [Investigating and Detecting Command and Control Servers](https://blog.trendmicro.com/trendlabs-security-intelligence/investigating-and-detecting-command-and-control-servers/)
- 2015.02 [zeltser] [When Bots Use Social Media for Command and Control](https://zeltser.com/bots-command-and-control-via-social-media/)
- 2014.12 [malwaretech] [Phase Bot – Exploiting C&C Panel](https://www.malwaretech.com/2014/12/phase-bot-exploiting-c-pane.html)
- 2014.12 [trendmicro] [Banking Trojan Targets South Korean Banks; Uses Pinterest as C&C Channel](https://blog.trendmicro.com/trendlabs-security-intelligence/malware-campaign-targets-south-korean-banks-uses-pinterest-as-cc-channel/)
- 2014.11 [weebly] [malware uses multiple web servers to have a periodic http C&C connection while its netflows are not periodic](http://mcfp.weebly.com/analysis/botnet-uses-multiple-web-servers-to-have-a-periodic-http-cc-connection-while-its-netflows-are-not-periodic)
- 2014.09 [trendmicro] [Shellshock Updates: BASHLITE C&Cs Seen, Shellshock Exploit Attempts in Brazil](https://blog.trendmicro.com/trendlabs-security-intelligence/shellshock-updates-bashlite-ccs-seen-shellshock-exploit-attempts-in-brazil/)
- 2014.08 [crysys] [The Epic Turla Operation: Information on Command and Control Server infrastructure](http://blog.crysys.hu/2014/08/the-epic-turla-operation-information-on-command-and-control-server-infrastructure/)
- 2014.08 [weebly] [Malware started to randomize the request times in relation with their C&C channels](http://mcfp.weebly.com/analysis/malware-started-randomizing-the-request-times-of-their-cc-channels)
- 2014.08 [arxiv] [[1408.1136] Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences](https://arxiv.org/abs/1408.1136)
- 2014.07 [harmj0y] [A Brave New World: Malleable C2](http://www.harmj0y.net/blog/redteaming/a-brave-new-world-malleable-c2/)
- 2014.07 [zairon] [Android Koler trojan: C&C part](https://zairon.wordpress.com/2014/07/01/android-koler-trojan-cc-part/)
- 2014.04 [macnica] [Network Indicators of C2 / C2の兆候を発見するためのCheat Sheet](http://blog.macnica.net/blog/2014/04/network-indicat-c556.html)
- 2014.03 [sans] [The Importance of Command and Control Analysis for Incident Response](https://digital-forensics.sans.org/blog/2014/03/31/the-importance-of-command-and-control-analysis-for-incident-response)
- 2014.03 [webroot] [A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot](https://www.webroot.com/blog/2014/03/20/peek-inside-modular-tor-cc-enabled-bitcoin-mining-malware-bot/)
- 2014.03 [microsoft] [Sefnit’s Tor botnet C&C details](https://cloudblogs.microsoft.com/microsoftsecure/2014/03/05/sefnits-tor-botnet-cc-details/)
- 2014.03 [microsoft] [Sefnit’s Tor botnet C&C details](https://www.microsoft.com/security/blog/2014/03/05/sefnits-tor-botnet-cc-details/)
- 2014.01 [enigma0x3] [Command and Control using Powershell and your favorite website](https://enigma0x3.net/2014/01/17/command-and-control-using-powershell-and-your-favorite-website/)
- 2013.12 [websec] [Drive By ONT Botnet with IRC C&C](https://websec.ca/blog/view/drive-by-ONT-botnet-with-IRC-CC)
- 2013.10 [publicintelligence] [U.S. Army Cyber Command and Control Facility Environmental Assessment](https://publicintelligence.net/army-cyber-command-ea/)
- 2013.09 [virusbulletin] [Malware spoofing HTTP Host header to hide C&C communication](https://www.virusbulletin.com/blog/2013/09/malware-spoofing-http-host-header-hide-c-amp-c-communication/)
- 2013.07 [webroot] [Cybercriminals experiment with Tor-based C&C, ring-3-rootkit empowered, SPDY form grabbing malware bot](https://www.webroot.com/blog/2013/07/02/cybercriminals-experiment-with-tor-based-cc-ring-3-rootkit-empowered-spdy-form-grabbing-malware-bot/)
- 2013.06 [crowdstrike] [Rare Glimpse into a Real-Life Command-and-Control Server](https://www.crowdstrike.com/blog/rare-glimpse-real-life-command-and-control-server/)
- 2013.05 [cylance] [C2 Malware Targets Battle.Net Accounts](https://www.cylance.com/en_us/blog/C2-Malware-Targets-Battle-Net-Accounts.html)
- 2013.05 [dontneedcoffee] [Inside RDPxTerm (panel 5.1 - bot 4.4.2) aka Neshta C&C - Botnet control panel](https://malware.dontneedcoffee.com/2013/05/inside-rdpxterm-bot-442-panel-51-aka.html)
- 2013.03 [trendmicro] [Backdoor Uses Evernote as Command-and-Control Server](https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-uses-evernote-as-command-and-control-server/)
- 2013.02 [cyberarms] [Iranian Military C&C Allegedly Hacked and Launched Rockets at Tehran](https://cyberarms.wordpress.com/2013/02/08/iranian-military-cc-allegedly-hacked-and-launched-rockets-at-tehran/)
- 2013.02 [dontneedcoffee] [Inside Multi-Botnet ver.4 c&c Panel](https://malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html)
- 2013.01 [welivesecurity] [Walking through Win32/Jabberbot.A instant messaging C&C](https://www.welivesecurity.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc/)
- 2012.12 [talosintelligence] [Triggering Miniflame's C&C Communication to Create a Pcap](https://blog.talosintelligence.com/2012/12/triggering-miniflames-c-communication.html)
- 2012.12 [talosintelligence] [Quarian: Reversing the C&C Protocol](https://blog.talosintelligence.com/2012/12/quarian.html)
- 2012.09 [securelist] [Full Analysis of Flame’s Command & Control servers](https://securelist.com/full-analysis-of-flames-command-control-servers-27/34216/)
- 2012.08 [talosintelligence] [SMSZombie: A New Twist on C&C](https://blog.talosintelligence.com/2012/08/smszombie-new-twist-on-c.html)
- 2012.08 [dontneedcoffee] [Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel](https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html)
- 2012.07 [dontneedcoffee] [Inside Citadel 1.3.4.5 C&C & Builder - Botnet Control Panel](https://malware.dontneedcoffee.com/2012/07/inside-citadel-1.3.4.5-cncNbuilder.html)
- 2012.07 [virusbulletin] [Grum botnet's command-and-control servers shut down](https://www.virusbulletin.com/blog/2012/07/grum-botnet-s-command-and-control-servers-shut-down/)
- 2012.07 [hackingarticles] [Hack Windows 7 PC with Poison Ivy 2.3.2 C&C Server Buffer Overflow](http://www.hackingarticles.in/hack-windows-7-pc-with-poison-ivy-2-3-2-cc-server-buffer-overflow/)
- 2012.06 [dontneedcoffee] [Inside Pony 1.7 / Fareit C&C - Botnet Control Panel](https://malware.dontneedcoffee.com/2012/06/inside-pony-17.html)
- 2012.06 [trendmicro] [Library File in Certain Android Apps Connects to C&C Servers](https://blog.trendmicro.com/trendlabs-security-intelligence/library-file-in-certain-android-apps-connects-to-cc-servers/)
- 2012.06 [securelist] [The Roof Is on Fire: Tackling Flame’s C&C Servers](https://securelist.com/the-roof-is-on-fire-tackling-flames-cc-servers-6/33033/)
- 2012.04 [publicintelligence] [(U//FOUO) U.S. Army Small Unmanned Aerial Vehicle (SUAV) Airspace Command and Control (A2C2) Handbook](https://publicintelligence.net/usarmy-suav-a2c2/)
- 2012.03 [shadowserver] [Of House Cleaning and Botnet C&C’s](http://blog.shadowserver.org/2012/03/07/of-house-cleaning-and-botnet-ccs/)
- 2012.02 [virusbulletin] [New Zeus/SpyEye botnet does away with command-and-control servers](https://www.virusbulletin.com/blog/2012/02/new-zeus-spyeye-botnet-does-away-command-and-control-servers/)
- 2011.11 [securelist] [The Mystery of Duqu: Part Six (The Command and Control servers)](https://securelist.com/the-mystery-of-duqu-part-six-the-command-and-control-servers-36/31863/)
- 2011.10 [trendmicro] [Android Malware Uses Blog Posts as C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/)
- 2011.09 [forcepoint] [Websense Labs Video: Speaking in Tongues: Malware C&C Encryption](https://www.forcepoint.com/blog/security-labs/websense-labs-video-speaking-tongues-malware-cc-encryption)
- 2011.07 [talosintelligence] [Binary C&C Over HTTP](https://blog.talosintelligence.com/2011/07/binary-c-over-http.html)
- 2011.06 [virusbulletin] [DroidKungFu command and control server may be mobile device](https://www.virusbulletin.com/blog/2011/06/droidkungfu-command-and-control-server-may-be-mobile-device/)
- 2011.03 [trendmicro] [Trend Micro Sinkholes and Eliminates a ZeuS Botnet C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-sinkholes-and-eliminates-a-zeus-botnet-cc/)
- 2010.09 [publicintelligence] [(U//FOUO) Joint Battle Management Command and Control (JBMC2) Roadmap Version 1.0](https://publicintelligence.net/ufouo-joint-battle-management-command-and-control-jbmc2-roadmap-version-1-0/)
- 2010.09 [publicintelligence] [(U//FOUO) Joint Battle Management Command and Control Roadmap 2003 Draft](https://publicintelligence.net/ufouo-joint-battle-management-command-and-control-roadmap-2003-draft/)
- 2010.09 [trendmicro] [Uncovered SpyEye C&C Server Targets Polish Users](https://blog.trendmicro.com/trendlabs-security-intelligence/uncovered-spyeye-cc-server-targets-polish-users/)
- 2010.03 [securelist] [Active Koobface C&C servers hit a record high – 200+ and counting](https://securelist.com/active-koobface-cc-servers-hit-a-record-high-200-and-counting/29530/)
- 2010.03 [securelist] [Koobface C&C servers steadily dropping – new spike coming soon?](https://securelist.com/koobface-cc-servers-steadily-dropping-new-spike-coming-soon/29562/)
- 2006.11 [sans] [Bot C&C Servers on Port 80](https://isc.sans.edu/forums/diary/Bot+CC+Servers+on+Port+80/1865/)
- 2004.01 [daringfireball] [Command and Control](https://daringfireball.net/2004/01/command_and_control)

# 远控

***

## 工具

### 新添加

- [**1615**星][9d] [Py] [zerosum0x0/koadic](https://github.com/zerosum0x0/koadic) 类似于Meterpreter、Powershell Empire 的post-exploitation rootkit,区别在于其大多数操作都是由 Windows 脚本主机 JScript/VBScript 执行
- [**1473**星][3y] [Py] [nathanlopez/stitch](https://github.com/nathanlopez/stitch) 一个跨平台的远控框架,可为Windows,Mac OSX和Linux构建自定义的Payload
- [**789**星][4m] [Py] [kevthehermit/ratdecoders](https://github.com/kevthehermit/ratdecoders) Python Decoders for Common Remote Access Trojans
- [**764**星][7d] [C] [rdesktop/rdesktop](https://github.com/rdesktop/rdesktop) rdesktop is an open source UNIX client for connecting to Windows Remote Desktop Services, capably of natively speaking Remote Desktop Protocol (RDP) in order to present the user's Windows desktop. rdesktop is known to work with Windows server version ranging from NT 4 terminal server to Windows 2012 R2.
- [**706**星][1y] [PS] [arvanaghi/sessiongopher](https://github.com/Arvanaghi/SessionGopher) 使用WMI为远程访问工具(如WinSCP,PuTTY,SuperPuTTY,FileZilla和Microsoft远程桌面)提取保存的会话信息。PowerShell编写
- [**538**星][10d] [JS] [mr-un1k0d3r/thundershell](https://github.com/mr-un1k0d3r/thundershell) 通过HTTP请求进行通信的C#RAT
- [**392**星][5m] [C++] [werkamsus/lilith](https://github.com/werkamsus/lilith) 基于C ++开发的基于控制台的超轻量RAT
- [**297**星][2y] [Py] [0xislamtaha/python-rootkit](https://github.com/0xIslamTaha/Python-Rootkit) Python远控,用于获取Meterpreter会话
- [**238**星][6d] [C#] [b4rtik/redpeanut](https://github.com/b4rtik/redpeanut) RedPeanut is a small RAT developed in .Net Core 2 and its agent in .Net 3.5 / 4.0.
- [**222**星][9d] [C++] [xdnice/pcshare](https://github.com/xdnice/pcshare) 远程控制软件,可以监视目标机器屏幕、注册表、文件系统等。
- [**214**星][2y] [C#] [them4hd1/vayne-rat](https://github.com/them4hd1/vayne-rat) 用C#编码的免费和开源远程管理工具。
- [**205**星][2y] [C++] [ahxr/ghost](https://github.com/ahxr/ghost) a light RAT that gives the server/attacker full remote access to the user's command-line interprete
- [**201**星][10d] [Py] [pure-l0g1c/loki](https://github.com/pure-l0g1c/loki) 远程访问工具, 使用 RSA-2048 + AES-256 保护通信安全
- [**195**星][3m] [PHP] [0blio/caesar](https://github.com/0blio/Caesar) 基于HTTP的RAT,从浏览器远程控制设备
- [**175**星][4y] [C#] [alphadelta/secure-desktop](https://github.com/alphadelta/secure-desktop) Anti-keylogger/anti-rat application for Windows
- [**172**星][3y] [C++] [hussein-aitlahcen/blackhole](https://github.com/hussein-aitlahcen/blackhole) C# RAT (Remote Administration Tool)
- [**157**星][10d] [Visual Basic] [mwsrc/plasmarat](https://github.com/mwsrc/PlasmaRAT) Remote Access Trojan(RAT), Miner, DDoS
- [**140**星][1m] [Py] [anhkgg/pyrat](https://github.com/anhkgg/pyrat) 基于python XmlRPC完成的远控开源项目,包括客户端和服务端(也叫控制端,后统称服务端)
- [**136**星][25d] [C++] [earthquake/universaldvc](https://github.com/earthquake/universaldvc) Universal Dynamic Virtual Channel connector for Remote Desktop Services
- [**129**星][2y] [Py] [dviros/rat-via-telegram](https://github.com/dviros/rat-via-telegram) 使用Telegram控制已经攻克的Windows主机
- [**115**星][4y] [C#] [leurak/trollrat](https://github.com/leurak/trollrat) 远程管理工具(RAT),该工具采用与其他RAT不同的方法,不做数据窃取等,只是为了trolling
- [**98**星][4m] [JS] [securityrat/securityrat](https://github.com/securityrat/securityrat) OWASP SecurityRAT (version 1.x) - Tool for handling security requirements in development
- [**95**星][7y] [C#] [ilikenwf/darkagent](https://github.com/ilikenwf/darkagent) DarkAgent Remote Administration Tool RAT by DragonHunter
- [**95**星][2y] [Pascal] [senjaxus/allakore_remote](https://github.com/senjaxus/allakore_remote) Delphi Seattle编写的远控
- [**80**星][4y] [C++] [rwhitcroft/dnschan](https://github.com/rwhitcroft/dnschan) 使用DNS通信的远程访问木马
- [**77**星][4y] [Py] [ahhh/reverse_https_bot](https://github.com/ahhh/reverse_https_bot) A python based https remote access trojan for penetration testing
- [**66**星][11d] [Visual Basic] [thesph1nx/rt-101](https://github.com/thesph1nx/rt-101) VB.net Remote Administrator Tool (RAT)
- [**65**星][7m] [sh1n0g1/shinobot](https://github.com/sh1n0g1/shinobot) RAT / Botnet Simulator for pentest / education
- [**61**星][28d] [Visual Basic] [thesph1nx/slickermaster-rev4](https://github.com/thesph1nx/slickermaster-rev4) NSA Hacking Tool Recreation UnitedRake
- [**61**星][2m] [C#] [nyan-x-cat/mass-rat](https://github.com/nyan-x-cat/mass-rat) Basic Multiplatform Remote Administration Tool - Xamarin
- [**58**星][3y] [PS] [killswitch-gui/persistence-survivability](https://github.com/killswitch-gui/persistence-survivability) Powershell Persistence Locator
- [**57**星][3y] [Py] [m4sc3r4n0/spyrat](https://github.com/m4sc3r4n0/spyrat) Python Remote Access Trojan
- [**55**星][4y] [Py] [ahhh/ntp_trojan](https://github.com/ahhh/ntp_trojan) Reverse NTP remote access trojan in python, for penetration testers
- [**53**星][8d] [Java] [blackhacker511/blackrat](https://github.com/blackhacker511/blackrat) Java编写的远控
- [**52**星][12d] [Py] [technowlogy-pushpender/technowhorse](https://github.com/technowlogy-pushpender/technowhorse) TechNowHorse is a RAT (Remote Administrator Trojan) Generator for Windows/Linux systems written in Python 3.
- [**50**星][11d] [C#] [brunull/pace](https://github.com/brunull/pace) A Remote Access Tool for Windows.
- [**46**星][1m] [Pascal] [0x48piraj/malwarex](https://github.com/0x48piraj/malwarex) Collection of killers
- [**46**星][1m] [PHP] [davidtavarez/pinky](https://github.com/davidtavarez/pinky) pinky - The PHP mini RAT (Remote Administration Tool)
- [**46**星][20d] [Shell] [infosecn1nja/ycsm](https://github.com/infosecn1nja/ycsm) This is a quick script installation for resilient redirector using nginx reverse proxy and letsencrypt compatible with some popular Post-Ex Tools (Cobalt Strike, Empire, Metasploit, PoshC2).
- [**46**星][18d] [Java] [m301/rdroid](https://github.com/m301/rdroid) [Android RAT] Remotely manage your android phone using PHP Interface
- [**46**星][2y] [pentestpartners/ptp-rat](https://github.com/pentestpartners/ptp-rat) Exfiltrate data over screen interfaces
- [**44**星][2y] [Shell] [taherio/redi](https://github.com/taherio/redi) Automated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt)
- [**41**星][3y] [C] [killswitch-gui/hotload-driver](https://github.com/killswitch-gui/hotload-driver) C++
- [**40**星][5y] [C++] [lingerhk/0net](https://github.com/lingerhk/0net) 一个简单的Windows远程控制后门
- [**40**星][3y] [Visual Basic .NET] [mwsrc/betterrat](https://github.com/mwsrc/BetterRAT) Better Remote Access Trojan
- [**39**星][1m] [Shell] [samyk/easel-driver](https://github.com/samyk/easel-driver) Easel driver for Linux (and Mac/Windows) + remote access to CNC controller
- [**37**星][11d] [PS] [5alt/zerorat](https://github.com/5alt/zerorat) ZeroRAT是一款windows上的一句话远控
- [**36**星][5m] [C#] [blackvikingpro/aresskit](https://github.com/blackvikingpro/aresskit) Next Generation Remote Administration Tool (RAT)
- [**35**星][3y] [ritiek/rat-via-telegram](https://github.com/ritiek/rat-via-telegram) Removed according to regulations
- [**29**星][1m] [Py] [the404hacking/windows-python-rat](https://github.com/the404hacking/windows-python-rat) A New Microsoft Windows Remote Administrator Tool [RAT] with Python by Sir.4m1R.
- [**26**星][2y] [Py] [thegeekht/loki.rat](https://github.com/thegeekht/loki.rat) Loki.Rat is a fork of the Ares RAT, it integrates new modules, like recording , lockscreen , and locate options. Loki.Rat is a Python Remote Access Tool.
- [**25**星][9m] [D] [alexa-d/alexa-openwebif](https://github.com/alexa-d/alexa-openwebif) alexa skill to control your openwebif device
- [**24**星][2y] [Py] [rootm0s/casper](https://github.com/rootm0s/casper) 👻 Socket based RAT for Windows with evasion techniques and other features for control
- [**22**星][16d] [C#] [rainkin1993/remote-access-trojan-database](https://github.com/rainkin1993/remote-access-trojan-database) A database of RAT collected from Internet
- [**21**星][11d] [Py] [kaiiyer/backnet](https://github.com/kaiiyer/backnet) Backdoor+Botnet or BackNet is a Python Remote Access Tool.
- [**19**星][7d] [Py] [lithium95/controll_remote_access_trojan](https://github.com/lithium95/controll_remote_access_trojan) Created a VERY SIMPLE remote access Trojan that will establish administrative control over any windows machine it compromises.
- [**18**星][10m] [PHP] [eddiejibson/limitrr-php](https://github.com/eddiejibson/limitrr-php) Better PHP rate limiting using Redis.
- [**18**星][3y] [Py] [landonpowell/orwell-rat-and-botnet](https://github.com/landonpowell/orwell-rat-and-botnet) Orwell is a RAT and Botnet designed as a trio of programs by Landon Powell.
- [**17**星][17d] [YARA] [deadbits/yara-rules](https://github.com/deadbits/yara-rules) Collection of YARA signatures from individual research
- [**17**星][2m] [PHP] [rizer0/rat-hunter](https://github.com/rizer0/rat-hunter) detect trojans by easy way
- [**14**星][3y] [Java] [mhelwig/adwind-decryptor](https://github.com/mhelwig/adwind-decryptor) Simple decrypter for Java AdWind, jRAT, jBifrost trojan
- [**14**星][2y] [Py] [mitre/caldera-agent](https://github.com/mitre/caldera-agent)
- [**14**星][1y] [shifa123/maarc](https://github.com/shifa123/maarc) A Python - Remote Administration Tool (RAT)
- [**12**星][2y] [JS] [node-rat/noderat](https://github.com/node-rat/noderat) NodeRat is remote access tool made with NodeJS and python
- [**11**星][3y] [Pascal] [mwsrc/schwarze-sonne-rat](https://github.com/mwsrc/schwarze-sonne-rat) SS-RAT (Schwarze-Sonne-Remote-Access-Trojan)
- [**10**星][7m] [Go] [alanbaumgartner/aurora](https://github.com/alanbaumgartner/aurora) Aurora Remote Administration Tool
- [**10**星][12m] [Py] [user696/mrrat](https://github.com/user696/mrrat)
- [**9**星][2y] [Py] [cisco-talos/remcos-decoder](https://github.com/cisco-talos/remcos-decoder) Talos Decryptor POC for Remcos RAT version 2.0.5 and earlier
- [**9**星][8d] [Py] [federicochieregato/darkfox](https://github.com/federicochieregato/darkfox) Remote access trojan created using WinRar with firefox installer and python Reverse Shell embedded.
- [**8**星][2y] [thejollysin/i-wish-i-were-at-defcon-25-hack-a-thon](https://github.com/thejollysin/i-wish-i-were-at-defcon-25-hack-a-thon) My own "I wish I were at DefCon 25" Hack-a-Thon
- [**8**星][4y] [C++] [xyl2k/black-eye-rsa-attacking-toolkit-v0.1f-compiled](https://github.com/xyl2k/black-eye-rsa-attacking-toolkit-v0.1f-compiled) The great RSA Attacking Toolkit compiled for Windows
- [**7**星][2y] [C#] [advancedhacker101/android-c-sharp-rat-server](https://github.com/advancedhacker101/android-c-sharp-rat-server) This is a plugin for the c# R.A.T server providing extension to android based phone systems
- [**7**星][6m] [Py] [e-rror/hiroo](https://github.com/e-rror/hiroo)
- [**7**星][2y] [C#] [mitre/caldera-crater](https://github.com/mitre/caldera-crater)
- [**7**星][1y] [JS] [roccomuso/netrat](https://github.com/roccomuso/netrat) Damn easy multiplatform Node.js RAT generator.
- [**7**星][2y] [Py] [lukebob-zz/c2-pwn](https://github.com/lukebob-zz/c2-pwn) Uses Shodan API to pull down C2 servers to run known exploits on them.
- [**6**星][18d] [Py] [apacketofsweets/apollo](https://github.com/apacketofsweets/apollo) A simple, lightweight Remote Access Tool written in Python
- [**6**星][1y] [Py] [z4rk/winshell](https://github.com/z4rk/winshell) Python opensource RAT/Botnet
- [**6**星][4y] [Visual Basic .NET] [gaiththewolf/d-rat_vb.net_mysql_php](https://github.com/gaiththewolf/d-rat_vb.net_mysql_php) D-RAT [VB.NET]+[MySQL]+[PHP]
- [**6**星][7d] [PHP] [katsana/remote-control](https://github.com/katsana/remote-control) Grant remote access to user account without sharing credentials
- [**5**星][8m] [Go] [alepacheco/client](https://github.com/alepacheco/Client) Windows, OS X and linux RAT client
- [**5**星][17d] [C++] [melardev/xeytanwin32-rat](https://github.com/melardev/xeytanwin32-rat) WORK IN PROGRESS. RAT written in C++ using Win32 API
- [**4**星][16d] [C++] [izanbf1803/rat-cpp-prototype](https://github.com/izanbf1803/rat-cpp-prototype) A simple RAT.
- [**4**星][3m] [C++] [melardev/xeytanwxcpp-rat](https://github.com/melardev/xeytanwxcpp-rat) Work in Progress. RAT written in C++ using wxWidgets
- [**3**星][2y] [Py] [bedazzlinghex/memory-analysis](https://github.com/bedazzlinghex/memory-analysis) Contains tools to perform malware and forensic analysis in Memory
- [**3**星][1m] [Kotlin] [eskatos/creadur-rat-gradle](https://github.com/eskatos/creadur-rat-gradle) Apache RAT (Release Audit Tool) Gradle Plugin
- [**3**星][1m] [Py] [gbrn1/pirate](https://github.com/gbrn1/pirate) Python Remote Access Tool
- [**2**星][4y] [Py] [dakotanelson/multicat](https://github.com/dakotanelson/multicat) PoC RAT using the sneaky-creeper data exfiltration library
- [**2**星][4y] [Visual Basic .NET] [retrobyte/shadowtech-rat](https://github.com/retrobyte/shadowtech-rat) An example of a remote administration tool.
- [**None**星][socprime/sobaken-rat-detector](https://github.com/socprime/sobaken-rat-detector)

### Windows

- [**610**星][1y] [PS] [fortynorthsecurity/wmimplant](https://github.com/FortyNorthSecurity/WMImplant) This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
- [**518**星][8m] [Visual Basic .NET] [nyan-x-cat/lime-rat](https://github.com/nyan-x-cat/lime-rat) LimeRAT | Simple, yet powerful remote administration tool for Windows (RAT)
- [**493**星][6m] [Py] [viralmaniar/powershell-rat](https://github.com/viralmaniar/powershell-rat) Python based backdoor that uses Gmail to exfiltrate data through attachment. This RAT will help during red team engagements to backdoor any Windows machines. It tracks the user activity using screen capture and sends it to an attacker as an e-mail attachment.
- [**360**星][8d] [C#] [nyan-x-cat/asyncrat-c-sharp](https://github.com/nyan-x-cat/asyncrat-c-sharp) Open-Source Remote Administration Tool For Windows C# (RAT)
- [**340**星][3y] [Pascal] [malwares/remote-access-trojan](https://github.com/malwares/remote-access-trojan) Windows Remote-Access-Trojan
- [**229**星][4y] [Py] [hood3drob1n/jsrat-py](https://github.com/hood3drob1n/jsrat-py) This is my implementation of JSRat.ps1 in Python so you can now run the attack server from any OS instead of being limited to a Windows OS with Powershell enabled.
- [**149**星][4m] [Py] [safebreach-labs/sireprat](https://github.com/safebreach-labs/sireprat) Remote Command Execution as SYSTEM on Windows IoT Core
- [**119**星][11d] [C#] [dannythesloth/vanillarat](https://github.com/dannythesloth/vanillarat) VanillaRat is an advanced remote administration tool completely coded in C# for Windows.
- [**117**星][8d] [Py] [thelinuxchoice/pyrat](https://github.com/thelinuxchoice/pyrat) Windows远控
- [**106**星][9m] [C#] [r-smith/splice-admin](https://github.com/r-smith/splice-admin) A remote Windows administration tool. You know you want it.
- [**104**星][2y] [Py] [syss-research/outis](https://github.com/syss-research/outis) a custom Remote Administration Tool (RAT) or something like that. It was build to support various transport methods (like DNS) and platforms (like Powershell).
- [**70**星][3m] [PS] [dsccommunity/certificatedsc](https://github.com/dsccommunity/CertificateDsc) DSC resources to simplify administration of certificates on a Windows Server.
- [**67**星][4y] [C#] [stphivos/rat-shell](https://github.com/stphivos/rat-shell) Windows Remote Access Trojan (RAT)
- [**39**星][2m] [Py] [swordf1sh/moderat](https://github.com/swordf1sh/moderat) Experimental Windows Remote Administration and Spy Tool in Python + GUI
- [**20**星][1y] [Visual Basic] [nyan-x-cat/asyncrat](https://github.com/nyan-x-cat/asyncrat) Remote Administration Tool For Windows
- [**17**星][6m] [Py] [operatorequals/smbrat](https://github.com/operatorequals/smbrat) A Windows Remote Administration Tool in Visual Basic with UNC paths
- [**16**星][6m] [PS] [yschgroup/skyrat](https://github.com/yschgroup/skyrat) SkyRAT - Powershell Remote Administration Tool

### Linux

- [**131**星][8m] [C] [abhishekkr/n00brat](https://github.com/abhishekkr/n00brat) 用于POSiX(Linux / Unix)系统的远程管理工具包(或Trojan),以Web服务方式运行
- [**68**星][10m] [JS] [webxscan/linux_rat](https://github.com/webxscan/linux_rat) LINUX集群控制(LINUX反弹式远控)
- [**51**星][15d] [C] [thibault-69/rat-hodin-v2.9](https://github.com/Thibault-69/RAT-Hodin-v2.9) Remote Administration Tool for Linux
- [**20**星][2m] [C] [lillypad/swamp-rat](https://github.com/lillypad/swamp-rat) A Linux RAT in C
- [**7**星][5m] [C] [ctsecurity/stealth-kid-rat](https://github.com/ctsecurity/Stealth-Kid-RAT) Stealth Kid RAT (SKR) is an open source Linux remote administration tool written in C. Licensed under MIT. The SKR project is fully developed and tested on Debian GNU-Linux (Deb 9.3 "Stretch") platform. The RAT will soon be available on Windows platform by mid 2018.

### Apple

- [**430**星][9d] [ObjC] [sap/macos-enterprise-privileges](https://github.com/sap/macos-enterprise-privileges) For Mac users in an Enterprise environment this app ensures secure environment and yet gives the User control over administration of their machine by elevating their level of access to Administrator privilege on macOS X. Users can set the time frame using Preferences to perform specific tasks such as install or remove an application.
- [**75**星][4y] [Pascal] [xlinshan/coldroot](https://github.com/xlinshan/coldroot) Mac OS Trojan (RAT) made with love <3
- [**74**星][1y] [Py] [kdaoudieh/bella](https://github.com/kdaoudieh/bella) Bella is a pure python post-exploitation data mining tool & remote administration tool for macOS.
- [**21**星][2m] [Py] [cys3c/evilosx](https://github.com/cys3c/evilosx) A pure python, post-exploitation, remote administration tool (RAT) for macOS / OS X.

### Android

- [**1815**星][8m] [Smali] [ahmyth/ahmyth-android-rat](https://github.com/ahmyth/ahmyth-android-rat) Android Remote Administration Tool
- [**939**星][7y] [designativedave/androrat](https://github.com/designativedave/androrat) Remote Administration Tool for Android devices
- [**931**星][6y] [Java] [wszf/androrat](https://github.com/wszf/androrat) Remote Administration Tool for Android
- [**172**星][2y] [Java] [the404hacking/androrat](https://github.com/the404hacking/androrat) AndroRAT | Remote Administrator Tool for Android OS Hacking
- [**138**星][3y] [Java] [mwsrc/betterandrorat](https://github.com/mwsrc/betterandrorat) Android Remote Access Trojan
- [**66**星][7y] [Java] [ibrahimbalic/androidrat](https://github.com/ibrahimbalic/androidrat) Android RAT
- [**64**星][16d] [Java] [globalpolicy/phonemonitor](https://github.com/globalpolicy/phonemonitor) A Remote Administration Tool for Android devices
- [**50**星][3y] [Py] [alessandroz/pupy](https://github.com/alessandroz/pupy) Python编写的远控、后渗透工具,跨平台(Windows, Linux, OSX, Android)
- [**6**星][2y] [rev-code/androidclient](https://github.com/rev-code/androidclient) Android remote administration client

***

## 文章

# 贡献
内容为系统自动导出, 有任何问题请提issue