<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Remote-Access-Trojan - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/remote-access-trojan/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 14:03:51 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/remote-access-trojan/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detection of Malicious Remote Access Tools by Antivirus</title><link>https://feed.craftedsignal.io/briefs/2026-07-av-remote-access-tools/</link><pubDate>Fri, 03 Jul 2026 14:03:51 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-av-remote-access-tools/</guid><description>This brief details a Sigma rule designed to detect Antivirus alerts flagging various malicious Remote Access Tools (RATs) such as AgentTesla, AsyncRAT, and NanoCore, highlighting the critical need for investigation into the initial infection vector even when the AV blocks the threat.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of numerous malicious Remote Access Tools (RATs) via Antivirus (AV) solutions, as identified by a SigmaHQ rule published on 2026-07-01. The rule targets a wide array of commonly abused RATs, including well-known malware families like AgentTesla, AsyncRAT, NanoCore, Quasar, and Remcos, among others. The presence of these tools on an endpoint, even if immediately blocked by AV, is a critical security event that demands immediate and thorough investigation. Such an alert signifies that an attacker has likely achieved initial access and attempted to establish persistent remote control, making it imperative to understand the delivery mechanism and scope of compromise beyond the simple AV remediation. This detection is crucial for identifying early stages of compromise and preventing further malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>(The provided source focuses on a detection signature for post-compromise activity, rather than detailing a specific attack chain. Therefore, a generic attack chain cannot be accurately described without speculative information.)</p>
<h2 id="impact">Impact</h2>
<p>If Remote Access Tools successfully bypass antivirus defenses and become fully operational, they grant attackers comprehensive control over compromised systems. This can lead to severe consequences including, but not limited to, extensive data exfiltration, installation of additional malware such as ransomware or credential stealers, persistent unauthorized access, lateral movement across the network, and complete disruption of organizational operations. Even when an antivirus successfully blocks a RAT, the initial alert indicates a successful delivery attempt that must be investigated to determine the initial access vector and prevent future attacks. The impact of such successful compromise can range from significant financial losses due to data breaches or ransomware, to reputational damage and regulatory penalties.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>Antivirus - Remote Access Tools Signature</code> Sigma rule to your SIEM/EDR to ensure immediate visibility into AV alerts flagging known malicious RATs.</li>
<li>Investigate all alerts generated by the <code>Antivirus - Remote Access Tools Signature</code> rule. Focus on identifying the initial access vector that led to the RAT's presence on the system.</li>
<li>Review network logs for suspicious outbound connections from systems where <code>Signature</code> events related to tools like <code>AgentTesla</code> or <code>AsyncRAT</code> were detected.</li>
<li>Ensure endpoint protection solutions are up-to-date and configured to report <code>antivirus</code> category events to your centralized logging platform.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>remote-access-trojan</category><category>rat</category><category>antivirus</category><category>detection</category><category>malware</category><category>windows</category></item></channel></rss>