
Phishing is widely recognized as a prevalent method of executing social engineering attacks. Defenders have recently identified a highly targeted phishing campaign that delivers the MostereRAT to infiltrate Windows devices. Adversaries take advantage of advanced detection evasion techniques and social engineering, as well as abuse legitimate remote access software, like AnyDesk and TightVNC, enabling them to sustain covert, long-term control over compromised systems.
Detect MostereRAT Attacks
In 2024, phishing accounted for roughly 25% of all cyberattacks detected across organizations worldwide, most of them spread through malicious links or file attachments. The financial impact continues to rise each year, with the average phishing breach costing around $4.88 million. A recent campaign targeting Windows users with the MostereRAT malware highlights how phishing remains a reliable weapon for attackers, underscoring the urgent need for defenders to respond with speed and proactive security measures.
Sign up for the SOC Prime Platform to detect potential attacks against your organization at the earliest stages. The Platform offers a dedicated set of Sigma rules addressing TTPs associated with MostereRAT infections. Hit the Explore Detections button below to access the rules, which are enriched with actionable CTI and backed by a complete product suite for advanced threat detection and hunting.
All the rules in the SOC Prime Platform are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.
On top of it, security experts might streamline threat investigation using Uncoder, a private IDE & AI co-pilot for detection engineering. The latest Uncoder AI update introduces a new AI Chat Bot mode and MCP tools to help cyber defenders manage detection engineering tasks end-to-end. Enter a custom prompt in any language or choose from pre-built tasks in a dialogue-based, user-friendly interface while keeping AI grounded in your environment and threat landscape. For instance, cyber defenders can use Fortinet’s latest report on MostereRAT to generate Attack Flow in a single click.
MostereRAT Analysis
Adversaries frequently abuse legitimate software to support their malicious activities. For instance, the widely used remote access program AnyDesk has become a common tool abused in attacker operations.
FortiGuard Labs researchers have recently uncovered a sophisticated phishing operation that incorporates a range of advanced evasion tactics to deploy MostereRAT and maintain long-term stealthy access on Windows systems. The campaign uses Easy Programming Language (EPL) to craft a staged payload designed to obscure malicious activity, disable security defenses to avoid detection, secure C2 traffic through mutual TLS, and enable multiple techniques for delivering additional payloads. To ensure full control over compromised machines, adversaries also weaponize widely used remote access utilities, including AnyDesk and TightVNC.
The infection flow begins with phishing emails targeting Japanese users, disguised as legitimate business inquiries to trick recipients into clicking on malicious links. Visiting the infected site triggers an automatic or manual download of a Word file containing an embedded archive. Victims are instructed to open the archive and run a single executable, adapted from a wxWidgets GitHub sample. This file unpacks encrypted resources, including RMM tools and images, into C:\ProgramData\Windows, decrypted via a simple SUB operation.
The malware then establishes persistence by creating SYSTEM-level services through a custom RPC client (CreateSvcRpc) that bypasses standard Windows APIs. One service, WpnCoreSvc, ensures automatic execution at startup, while WinSvc_ launches attacker-provided payloads on demand. Before exiting, the malware displays a fake Simplified Chinese error message to further propagate via social engineering.
The next stage relies on an EPK launcher with malicious files (svchost.exe and svchost.db) to determine which modules to load. It escalates privileges by enabling SeDebugPrivilege, duplicating SYSTEM tokens, and leveraging the TrustedInstaller account to launch processes with full administrative rights. The malware also includes hardcoded lists of AV and EDR products with their installation paths, enabling it to systematically identify and disable them. Furthermore, MostereRAT leverages Windows Filtering Platform filters to block these security tools from sending detection data, logs, or alerts, a technique reportedly adapted from the red-teaming utility EDRSilencer.
To maintain control, the malware disables Windows updates and security by terminating key processes, stopping update services, and deleting system files. It deploys remote access and proxy tools, such as AnyDesk, Xray, and TigerVNC, directly from its configuration. The toolkit also integrates RDP Wrapper, enabling attackers to modify or restore RDP settings (e.g., multi-session logins) via registry changes.
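The service names (WpnCoreSvc, WinSvc_), the C:\ProgramData\Windows drop directory and the svchost.exe launcher described above are all visible in standard Windows telemetry. The following hunting helper, an added example that is neither SOC Prime's nor Fortinet's code, checks System log 7045 service-install records and Sysmon 1 / Security 4688 process-creation records for those indicators; the sample records are constructed, and the exact on-disk path of the launcher's svchost.exe is an assumption.

```python
"""Hunting helpers for MostereRAT persistence indicators (added example)."""

# Service names and drop directory named in the analysis above.
SERVICE_NAMES = {"wpncoresvc"}
SERVICE_PREFIXES = ("winsvc_",)
DROP_DIR = r"c:\programdata\windows"
# Legitimate locations of svchost.exe; anything else is masquerading.
SVCHOST_OK = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}

def check_service_install(event: dict) -> list:
    """Flag System log 7045 ('A service was installed') records whose name or
    binary path matches the indicators from the write-up."""
    if event.get("EventID") != 7045:
        return []
    name = event.get("ServiceName", "").lower()
    image = event.get("ImagePath", "").lower().strip('"')
    reasons = []
    if name in SERVICE_NAMES or name.startswith(SERVICE_PREFIXES):
        reasons.append(f"suspicious service name {event['ServiceName']}")
    if image.startswith(DROP_DIR):
        reasons.append("service binary under ProgramData drop path")
    return reasons

def check_process_create(event: dict) -> list:
    """Flag Sysmon 1 / Security 4688 records where svchost.exe runs outside
    System32/SysWOW64 (the EPK launcher masquerades as svchost.exe)."""
    if event.get("EventID") not in (1, 4688):
        return []
    image = event.get("Image", "").lower()
    if image.endswith("\\svchost.exe") and image not in SVCHOST_OK:
        return [f"svchost.exe running from unexpected path {event['Image']}"]
    return []

def hunt(events) -> list:
    """Return (RecordID, reason) pairs for every matching event."""
    return [(ev["RecordID"], reason) for ev in events
            for reason in check_service_install(ev) + check_process_create(ev)]

# Constructed sample records, not real telemetry; the svchost.exe path is assumed.
SAMPLE = [
    {"RecordID": 1, "EventID": 7045, "ServiceName": "WpnCoreSvc",
     "ImagePath": r"C:\ProgramData\Windows\svchost.exe"},
    {"RecordID": 2, "EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"RecordID": 3, "EventID": 1, "Image": r"C:\ProgramData\Windows\svchost.exe"},
    {"RecordID": 4, "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for rec_id, reason in hunt(SAMPLE):
        print(rec_id, reason)
```

Feed it parsed event dictionaries from your SIEM export; the name and path checks are deliberately narrow so that the Spooler and System32 svchost.exe records in the sample stay clean.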
The latest MostereRAT campaign relies on social engineering to spread the infection, on advanced adversary tactics to remain under the radar, and on legitimate remote access tools to gain system control. Such methods greatly hinder detection and analysis, making regular solution updates and ongoing user awareness of social engineering risks critical. Rely on SOC Prime’s complete product suite backed by AI, automation, and real-time threat intel to proactively defend against phishing attacks and other emerging threats of any sophistication while maintaining a robust cybersecurity posture.
The post MostereRAT Detection: Attackers Abuse AnyDesk and TightVNC for Persistent Access on Windows Systems appeared first on SOC Prime.