A newly identified remote access trojan called KarstoRAT has been found in sandbox analyses and malware repositories since early 2026. <\/p>\n
The malware gives attackers a broad set of remote-control capabilities over compromised Windows machines, including webcam capture<\/a>, audio recording, keylogging, screenshot theft, and the ability to fetch and run additional payloads on demand.<\/a><\/p>\n KarstoRAT is built to give its operators full control over an infected system from the moment it first runs. <\/p>\n The analyzed sample is a 64-bit Windows executable compiled with Microsoft Visual Studio 2022, with a debug build timestamp of February 16, 2026. <\/p>\n It communicates with a hardcoded command-and-control (C2) server at 212.227.65[.]132 over port 15144, using the Windows Internet<\/a> API (WinINet) for all outbound traffic. <\/p>\n Once running, it sends heartbeat notifications every two seconds, maintaining a constant link to the attacker\u2019s server.<\/a><\/p>\n LevelBlue analysts identified KarstoRAT<\/a> during a threat investigation and noted that the malware has not been publicly listed or sold on underground forums or cybercrime marketplaces. <\/p>\n This suggests it may be a privately developed tool used by a small group of operators, rather than a widely circulated commodity RAT. <\/p>\n The presence of multiple samples in public analysis environments gives researchers a rare window into a private threat that has only recently surfaced in real-world activity.<\/a><\/p>\n What makes KarstoRAT especially concerning is its social engineering approach to distribution. Researchers found that the C2 infrastructure hosts a fake Roblox trading website called \u201cBlox Stocks\u201d and a cheat download panel called \u201cVenom Files.<\/p>\n The Blox Stocks page targets younger Roblox players with promises of cheap in-game items, while the Venom Files panel lures FPS and GTA modders with so-called premium game cheats. Both pages are designed to trick users into downloading and running the malware.<\/p>\n The C2 server runs a layered infrastructure across multiple open ports and services, including SSH tunnels, Node.js APIs, and a VMess proxy routed through Cloudflare Argo WebSocket on port 443 with TLS fingerprinting set to Firefox. <\/p>\n This obfuscated setup helps the malware blend into normal traffic and maintain access inside restricted network environments.<\/a><\/p>\n Once KarstoRAT is running on a victim\u2019s machine, it enters an infinite two-second polling loop and waits for commands from the C2 server. <\/p>\n The sample overview in PEStudio shows the executable has moderate entropy with no packing applied. <\/p>\n The webcam module, triggered by the WEBCAM command, creates an invisible capture window, connects to the default webcam driver, grabs a single still frame, saves it as a temporary BMP file (webcap.bmp), and uploads it to the \/upload-webcam endpoint before removing the file from disk. <\/p>\n No window appears on screen and no visible alert is shown to the victim throughout the process.<\/a><\/p>\n The audio recording feature uses the Windows Multimedia Command Interface (MCI) to silently open the victim\u2019s microphone, record for a duration set by the attacker, save the result as a temporary WAV file, and upload it to the \/upload-audio endpoint. <\/p>\n The recording process runs in a dedicated background thread, keeping the main process fully responsive. <\/p>\n The keylogger installs<\/a> a low-level keyboard hook using SetWindowsHookExA and captures every keystroke across all active applications, sending the data to the \/upload-keylog endpoint via HTTP POST. <\/p>\n For persistence, KarstoRAT uses three distinct methods: a Windows Registry Run key named \u201cSecurityService\u201d, a Scheduled Task<\/a> called \u201cSystemCheck\u201d, and a copy of itself placed in the Windows Startup folder. <\/p>\n A UAC bypass using fodhelper.exe allows the malware to gain elevated privileges without showing the victim any security prompt.<\/a><\/p>\n Organizations should immediately block the C2 IP address 212.227.65[.]132 and monitor for connections on ports 15144 and 13614. <\/p>\n Security teams<\/a> should scan network logs for the user agent string \u201cSecurityNotifier\u201d and check for registry entries under HKCUSoftwareMicrosoftWindowsCurrentVersionRunSecurityService and Scheduled Tasks named \u201cSystemCheck\u201d. <\/p>\n Endpoint detection<\/a> tools should be configured to flag any instance of fodhelper.exe combined with HKCU registry modifications. <\/p>\n All users should avoid downloading game cheats or trading tools from unverified third-party sources.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Novel KarstoRAT RAT Enables Webcam Monitoring, Audio Recording, and Remote Payload Execution<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Venom](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgPpY52LoodYgbRoiLRnqI72anGerVcmB-0rkanK2oS_X9yeJYWkcViLsnyivf7GHxPQaU-xN3O_fXlNxJov-FLDX3c5-OhG5ryK6pUlglcpGwW25TEpNJJyBbVI2AWBQoDYt2v6Wk9Or9gvADvPhfPRXTcueXtYVyrrr5nZG1B9eIQ5OOhK7hh9rgtlyE\/s16000\/Venom%2520Files%2520cheat%2520download%2520panel%2520%28Source%2520-%2520LeverBlue%29.webp?ssl=1\")
![\"Decoded](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh7ElQv6op0pqFThkNzIKmWV-OmzAnny2DRWHXxJ08hPJOdf_jx1OjJbUHMsvhjwqS2g0Dmhn8odDNmL_mqUyYM91-CoVNVkJC7NDdOKqF_MpuGeZ1NdDb5gwyl78c1vA1_PsyP9z-eArPR-WTwYJm2z7eWkZsN0eh8FynEijJzxh8Q7lRdS9gND5FcXPA\/s16000\/Decoded%2520valid%2520VMess%2520with%2520Base64-encoded%2520proxy%2520configuration%2520%28Source%2520-%2520LeverBlue%29.webp?ssl=1\")
![\"Decoded](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj8_0AtGwksA2opTNUTdE8ayldxty0eqQfa-jBW2sokcnB4DIa8BWgqUetrPpmInGBvF9WUfBy25QFg1ekFzXkx6QkdzQQ87x-k8KKnHD9wPc3JA6msLIaQt6lvn6e3UbdJwIfyKZg0EODbTcUqYZkk6T1NGqcPF85eoICSyRmcm7sZliVhHLVE1vXJSPU\/s16000\/Decoded%2520JSON%2520proxy%2520configuration%2520%28Source%2520-%2520LeverBlue%29.webp?ssl=1\")
Surveillance and Payload Execution Capabilities<\/strong><\/h2>\n
![\"Sample](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhaa9EDffrwoehBAskOoMjAXVLH5kdJbkP2kRU3JQVfCEX252u7CYv1m6gXept67xQzxgroaPY9KtTNrqOid0D2IiTbVU4Hj91k2on-W99NNp73btFuCBFuVKKdAvMexI18uyNVEi7u-J0nHm6hKbh7Nf7yCidflAhxpOK678iz-dbw3r2btIjzyYu51mo\/s16000\/Sample%2520overview%2520of%2520PEStudio%2520%28Source%2520-%2520LeverBlue%29.webp?ssl=1\")