A newly identified two-component Remote Access Trojan (RAT) toolkit built in Rust, dubbed SpankRAT, is being used by threat actors to abuse legitimate Windows processes, bypass reputation-based security controls, and maintain persistent access to compromised environments while largely evading detection on VirusTotal.
Because malicious network activity originates from legitimate Windows binaries, the toolkit can evade reputation-based detection controls and be deprioritized during triage, drastically reducing SOC visibility and increasing the risk of missed compromise.
The SpankLoader: First Stage of Attack
The attack chain begins with SpankLoader, a lightweight first-stage loader that retrieves the primary payload from a command-and-control (C2) server over unencrypted HTTP.
Upon execution, SpankLoader escalates privileges using SeDebugPrivilege and drops a malicious DLL (rmm_agent.dll) to C:\ProgramData\ before injecting it into the legitimate explorer.exe process using classic DLL injection techniques.
To ensure persistent access across reboots, SpankLoader creates a Scheduled Task named RmmAgentCore configured with a logon trigger and highest privilege execution.
This technique of injecting into explorer.exe is especially dangerous because it allows malware-generated network traffic to appear as originating from a trusted, built-in Windows process, effectively masking the true nature of the activity from traditional endpoint and network detection solutions.
SpankRAT: Full-Featured Remote Access Capability
Once installed within explorer.exe, SpankRAT establishes a WebSocket-based connection to the C2 server (ws://<C2>:9000/ws/agent) using a JSON-based communication protocol.
The full-featured variant supports 18 distinct server commands, giving attackers comprehensive remote control over infected systems.

The command set spans the following operational capabilities:
- Session management: Registration, heartbeat telemetry (CPU, RAM, disk, uptime)
- Remote execution: Arbitrary command execution returning stdout and exit code; UAC elevation via Start-Process -Verb RunAs
- File operations: List, read, upload, delete, rename files, and create directories
- Process control: Enumerate running processes (PID, name, memory, user, CPU); kill processes
- Windows services: List services; start, stop, or restart services
- Registry manipulation: Full CRUD — read keys/values, set, create, and delete registry entries
- Scheduled task control: List, run, and toggle scheduled tasks
- Software inventory: Enumerate installed software
All system interactions are executed through PowerShell using -NoProfile -NonInteractive -ExecutionPolicy Bypass flags, and OS fingerprinting retrieves the build number and product name directly from the registry.
At the time of analysis, most SpankRAT samples remained undetected on VirusTotal, underscoring a critical gap in signature-based and reputation-reliant detection approaches.
Indicators of Compromise (IOCs)
Security teams should hunt for the following indicators across their environments:
- C2 Servers: 45.131.214[.]132:9000 (HTTP staging + WebSocket C2), 166.1.144[.]109:9000 (alternate WebSocket C2 variant)
- Agent Hash: f0afbbb3c80e5347191452f2f3b147627e9d1ae4d60b61d6da900a60b35eec95
- Malicious Files: RmmAgentCore.exe (loader), rmm_agent.dll (payload), arc_agent.exe (standalone variant)
- Drop Path: C:\ProgramData\
- Persistence Mechanism: Scheduled Task RmmAgentCore, logon trigger, highest privileges
- Injection Target: explorer.exe
- Build Environment: Rust (Cargo); Windows MSVC + Linux cross-compile; dev paths indicate C:\Users\spank\.cargo\ and /root/.cargo/
Mitigations
Security operations teams should prioritize behavioral detection rules that flag DLL injections into explorer.exe, unauthorized Scheduled Task creation with elevated privileges, and outbound WebSocket connections from non-browser system processes.
SpankLoader staging activity can be identified by hunting SIEM or EDR telemetry for HTTP GET requests to paths matching */download/rmm_agent.dll*.
Organizations relying solely on antivirus or reputation-based tools are strongly advised to incorporate dynamic sandbox analysis into their triage workflows to reduce dwell time for threats like SpankRAT.
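The following is an added example, not code from the report or from the malware's authors: a small Python rule set that walks constructed endpoint and network telemetry and flags the behaviours described above (the known C2 endpoints, the rmm_agent.dll staging request, outbound WebSocket traffic from explorer.exe, the RmmAgentCore scheduled task, PowerShell launched from explorer.exe with the bypass flags, and a remote thread created in explorer.exe from the ProgramData drop path). The event field names (`type`, `dst_ip`, `task_name`, `parent`, and so on) are assumptions to be mapped onto your EDR or SIEM schema, the sample events are constructed, and the two rules marked as heuristics go beyond the report's exact indicators to catch renamed variants.

```python
from __future__ import annotations
import re

# Indicators quoted from the report. IPs are kept defanged as printed and
# re-fanged only for comparison against telemetry.
C2_HOSTS = {"45.131.214[.]132", "166.1.144[.]109"}
C2_PORT = 9000
TASK_NAME = "RmmAgentCore"
DROP_DIR = "c:\\programdata\\"          # report's drop path, lower-cased for matching
STAGING_URL_RE = re.compile(r"/download/rmm_agent\.dll", re.IGNORECASE)
BYPASS_FLAGS = ("-noprofile", "-noninteractive", "-executionpolicy bypass")


def refang(ip: str) -> str:
    """Turn '45.131.214[.]132' into the form that appears in logs."""
    return ip.replace("[.]", ".")


KNOWN_C2 = {refang(h) for h in C2_HOSTS}


def match_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips; [] means no finding."""
    hits: list[str] = []
    kind = ev.get("type")

    if kind == "network":
        if ev.get("dst_ip") in KNOWN_C2 and ev.get("dst_port") == C2_PORT:
            hits.append("known_c2_endpoint")
        # Outbound WebSocket from a built-in, non-browser process (report: explorer.exe).
        if ev.get("process", "").lower() == "explorer.exe" and ev.get("protocol") == "websocket":
            hits.append("websocket_from_explorer")
        # SpankLoader staging: plain-HTTP GET for the payload DLL.
        if ev.get("method") == "GET" and STAGING_URL_RE.search(ev.get("url", "")):
            hits.append("rmm_agent_dll_staging")

    elif kind == "scheduled_task_created":
        if ev.get("task_name") == TASK_NAME:
            hits.append("rmmagentcore_task")
        # Heuristic (assumption, not an indicator from the report): a logon-triggered,
        # highest-privilege task whose action lives in the ProgramData drop path.
        if (ev.get("trigger") == "logon" and ev.get("run_level") == "highest"
                and ev.get("action", "").lower().startswith(DROP_DIR)):
            hits.append("elevated_logon_task_from_programdata")

    elif kind == "process_created":
        # The RAT runs every system interaction through PowerShell with these three flags,
        # and the parent is the injected explorer.exe.
        cmd = ev.get("command_line", "").lower()
        if (ev.get("image", "").lower().endswith("powershell.exe")
                and all(flag in cmd for flag in BYPASS_FLAGS)
                and ev.get("parent", "").lower() == "explorer.exe"):
            hits.append("bypass_powershell_from_explorer")

    elif kind == "remote_thread":
        # Heuristic (assumption): classic DLL injection surfaces as a remote thread in
        # explorer.exe created by an image running out of the drop directory.
        if (ev.get("target", "").lower() == "explorer.exe"
                and ev.get("source_image", "").lower().startswith(DROP_DIR)):
            hits.append("injection_into_explorer")

    return hits


# Constructed telemetry for demonstration; not captured from a real incident.
SAMPLE_EVENTS = [
    {"type": "network", "process": "chrome.exe", "protocol": "websocket",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "network", "process": "explorer.exe", "protocol": "websocket",
     "dst_ip": "45.131.214.132", "dst_port": 9000,
     "url": "ws://45.131.214.132:9000/ws/agent"},
    {"type": "network", "process": "RmmAgentCore.exe", "protocol": "http", "method": "GET",
     "dst_ip": "45.131.214.132", "dst_port": 9000,
     "url": "http://45.131.214.132:9000/download/rmm_agent.dll"},
    {"type": "scheduled_task_created", "task_name": "RmmAgentCore", "trigger": "logon",
     "run_level": "highest", "action": "C:\\ProgramData\\RmmAgentCore.exe"},
    {"type": "scheduled_task_created", "task_name": "OneDrive Update", "trigger": "daily",
     "run_level": "limited", "action": "C:\\Program Files\\OneDrive\\update.exe"},
    {"type": "process_created", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-Process"},
    {"type": "remote_thread", "source_image": "C:\\ProgramData\\RmmAgentCore.exe",
     "target": "explorer.exe"},
]


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map each event index to its findings; events with no findings are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_event(ev))}


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```

Run stand-alone, the script reports findings for events 1, 2, 3, 5 and 6 and stays silent on the benign browser WebSocket and the ordinary daily task. The exact-match rules (C2 endpoint, staging URL, task name) are cheap and precise but die with the next rebuild; the two heuristics are what keep catching a re-hosted sample, so tune their false-positive rate on your own baseline before alerting on them.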