Inside Different Generations of RATs
Introduction
This page is the central hub for my series “Inside Different Generations of RATs”, documenting and analyzing the evolution of remote access tools (RATs) across different time periods.
The series aims to:
- Understand how RAT architectures evolved
- Analyze implementation details through reverse engineering
- Identify design patterns, limitations, and security implications
This page will be continuously updated as new research is added.
Terminology
As mentioned in the articles, some RAT authors use the term “server” to refer to the payload, even though from a network architecture perspective it behaves as a client.
This is because the term “server” is sometimes used to describe the component that provides services to the operator, rather than its actual role in the network communication model.
A similar ambiguity can be observed in everyday terms such as “upload” and “download”, which depend on perspective.
To avoid confusion, this series uses the following terminology:
- Controller: the attacker-side application
- Payload: the executable deployed on the victim machine
This distinction is important when analyzing communication flows and understanding the underlying architecture of RATs.
Families
Articles
The table below lists all articles in this series analyzing various remote access tools.
It will be updated continuously as new research is published.
Roadmap
Planned analysis in this series includes:
- Gh0st RAT Family
- Quasar RAT
- AsyncRAT
- Remcos RAT
- Agent Tesla
Future articles will focus on more modern RATs and their advanced techniques.
Supplement
Tutorials for Malware Analysis
- How to Setup Your Experimental Environment for Malware Analysis
- Installing VMware Tools on Windows XP and Windows 95 with VMware Workstation 17
Underlying Mechanism
THANKS FOR READING