The modern-day cyber threat landscape is marked by the rise of malware variants that give attackers complete remote control over targeted systems, such as the Remcos RAT spread via phishing. In early January 2025, researchers disclosed an emerging stealthy malware dubbed NonEuclid RAT, which combines sophisticated offensive capabilities, including advanced detection evasion techniques, privilege escalation, and ransomware encryption.
Detect NonEuclid RAT Attacks
In the past year, cybersecurity researchers recorded a 30% rise in global malware volume compared to 2023, highlighting a persistent escalation in malicious activity worldwide. This surge underscores the growing sophistication of cyber threats and the increasing challenges faced by security teams.
To effectively counter emerging threats, cyber defenders need access to CTI-enriched detection rules that provide real-time insights into evolving attack patterns. Rely on SOC Prime Platform for collective cyber defense to equip your team with curated detection content on emerging threats, like NonEuclid RAT, backed by a complete product suite for advanced threat detection and hunting.
Hit the Explore Detections button below and immediately drill down to a set of Sigma rules addressing NonEuclid RAT attacks. All the rules are mapped to the MITRE ATT&CK framework and compatible with 30+ SIEM, EDR, and Data Lake solutions. Additionally, the rules are enriched with extensive metadata, including threat intel references, media links, attack timelines and more.
NonEuclid RAT Analysis
CYFIRMA researchers have recently shed light on an emerging threat, which showcases a new level of malware complexity. NonEuclid RAT, a new stealthy C#-based malware built for .NET Framework 4.8, is designed to avoid detection while providing unauthorized remote access to the victim’s environment via advanced features, such as ransomware encryption, privilege escalation, and enhanced detection evasion capabilities.
The malware is widely promoted on hacking forums and social media, drawing attention for its stealth capabilities, dynamic DLL loading, anti-VM checks, and AES encryption. The malware’s developer, known under the moniker “NAZZED,” has been promoting NonEuclid since October 2021. CYFIRMA noted that the RAT was widely advertised, sold, and discussed across several Russian forums and Discord channels, highlighting its popularity in cybercriminal circles and its use in advanced attacks.
The malware code initializes a client application with diverse security, anti-detection, and persistence features. It starts by delaying execution and loading its settings; if the settings fail to load, it exits. The client then ensures it has administrative privileges, performs anti-detection scans, and prevents duplicate instances using a mutex. Anti-process blocking and logging are activated, while a client socket handles server communication, reconnecting continuously if the link drops.
A TCP socket starts the connection, adjusting buffer sizes and attempting to reach a specified IP and port. Once successful, it wraps the socket in a NetworkStream, sets timers for keep-alive and pong packets, and begins asynchronous data reading. Connection properties like headers, offsets, and intervals are configured, while a failed connection sets the status to false.
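The keep-alive and pong timers described above mean the client contacts its server on a fixed schedule, which is exactly the kind of regularity a network-side hunt can key on. The following is an added example (not code from the CYFIRMA report or from SOC Prime's rule set) that groups outbound TCP connections per source, destination and port and flags groups whose inter-connection intervals have a low coefficient of variation. The flow record shape and the addresses are constructed; adapt the tuple fields to your own flow or firewall log schema.

```python
"""Flag outbound TCP connections that recur at near-constant intervals.

Added example, not part of the original post. The record layout
(timestamp_seconds, src_host, dst_ip, dst_port) is hypothetical and the
sample flows below are constructed; 203.0.113.0/24 and 198.51.100.0/24
are documentation ranges.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows. The first group mimics a keep-alive timer
# firing roughly every 30 s; the second mimics ordinary web browsing.
SAMPLE_FLOWS = [
    (1000, "ws01", "203.0.113.10", 4444),
    (1030, "ws01", "203.0.113.10", 4444),
    (1060, "ws01", "203.0.113.10", 4444),
    (1091, "ws01", "203.0.113.10", 4444),
    (1120, "ws01", "203.0.113.10", 4444),
    (1150, "ws01", "203.0.113.10", 4444),
    (1005, "ws01", "198.51.100.7", 443),
    (1012, "ws01", "198.51.100.7", 443),
    (1090, "ws01", "198.51.100.7", 443),
    (1400, "ws01", "198.51.100.7", 443),
    (1403, "ws01", "198.51.100.7", 443),
]


def beacon_candidates(flows, min_connections=5, max_cv=0.2):
    """Return (src, dst, port) groups whose connection gaps are suspiciously regular.

    cv = population std-dev of gaps / mean gap. A timer-driven beacon with
    little jitter sits well below max_cv; human-driven traffic does not.
    """
    grouped = defaultdict(list)
    for ts, src, dst, port in flows:
        grouped[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in grouped.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all connections at the same instant: not a timer pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "port": port,
                "connections": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_FLOWS):
        print(finding)
```

Run over real flow data, this will also surface legitimate timer-driven traffic (NTP, update checks, monitoring agents), so pair it with an allowlist of known destinations and treat the output as a hunting lead rather than an alert on its own.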
NonEuclid RAT applies a wide range of offensive techniques to bypass detection, elevate privileges, and establish persistence on the affected computer. The malware’s AntiScan method bypasses Windows Defender by adding exclusions to the registry, preventing files like the malware’s server and executables from being scanned. The Block method monitors and terminates processes like “Taskmgr.exe” and “ProcessHacker.exe” using Windows API calls. The malware also creates a scheduled task to run a command at set intervals, hiding the command window. The Bypass method modifies the Windows registry to bypass restrictions, executing a secondary executable if administrative privileges are granted. The HKCU method updates a registry key under HKEY_CURRENT_USER with a given value.
Its ransomware component encrypts file types like “.csv”, “.txt”, and “.php” using AES and renames them with the extension “.NonEuclid”. Upon execution, NonEuclid drops two executable files in separate folders, which are set to run automatically through the Task Scheduler. This ensures persistence, allowing the malware to continue operating even after the system reboots or attempts to terminate the process.
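The two paragraphs above describe four host-observable behaviours: Defender exclusions written to the registry, termination of Task Manager and Process Hacker, a scheduled task that fires at short intervals, and files renamed with the “.NonEuclid” extension. The script below is an added example (not SOC Prime's Sigma content or CYFIRMA's analysis code) that triages Sysmon-style events for each of them. Event IDs follow Sysmon's numbering (1 process create, 5 process terminate, 11 file create, 13 registry value set); the field names are the Sysmon ones, and the sample events, paths and task name are constructed.

```python
"""Triage Sysmon-like events for NonEuclid-style host behaviours.

Added example, not part of the original post. Events are plain dicts in
Sysmon's field vocabulary; the SAMPLE_EVENTS list is constructed.
"""
import re
from collections import defaultdict

# Defender stores path/extension/process exclusions under this key subtree.
DEFENDER_EXCLUSION = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)
# Tools the report says the Block method hunts and kills.
MONITORED_TOOLS = {"taskmgr.exe", "processhacker.exe"}
RANSOM_EXT = ".noneuclid"

SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": 100.0, "Image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\u\AppData\Roaming"},
    {"EventID": 1, "UtcTime": 101.0, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 1 /tn "Updater" /tr "C:\Users\u\AppData\Roaming\svc.exe"'},
    {"EventID": 5, "UtcTime": 130.0, "Image": r"C:\Windows\System32\Taskmgr.exe"},
    {"EventID": 5, "UtcTime": 131.0, "Image": r"C:\Windows\System32\Taskmgr.exe"},
    {"EventID": 5, "UtcTime": 133.0, "Image": r"C:\Windows\System32\Taskmgr.exe"},
    {"EventID": 11, "UtcTime": 200.0, "Image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "TargetFilename": r"C:\Users\u\Documents\report.csv.NonEuclid"},
    {"EventID": 11, "UtcTime": 201.0, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Documents\notes.txt"},
]


def triage(events, kill_threshold=3, kill_window_s=60.0):
    """Return a list of (alert_kind, detail) tuples in detection order.

    Single-event rules fire immediately; repeated terminations of a
    monitored tool are counted and reported once per tool at the end.
    """
    alerts = []
    kills = defaultdict(list)

    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and DEFENDER_EXCLUSION.search(ev.get("TargetObject", "")):
            alerts.append(("defender_exclusion_added", ev["Image"]))
        elif eid == 1 and ev["Image"].lower().endswith("\\schtasks.exe"):
            cmd = ev.get("CommandLine", "").lower()
            # A task created with a minute-level schedule is the "set intervals"
            # pattern from the report; tighten or loosen to taste.
            if "/create" in cmd and "/sc minute" in cmd:
                alerts.append(("minute_interval_task_created", ev["CommandLine"]))
        elif eid == 5:
            name = ev["Image"].rsplit("\\", 1)[-1].lower()
            if name in MONITORED_TOOLS:
                kills[name].append(ev["UtcTime"])
        elif eid == 11 and ev.get("TargetFilename", "").lower().endswith(RANSOM_EXT):
            alerts.append(("noneuclid_extension_written", ev["TargetFilename"]))

    # Sysmon EID 5 does not say who ended the process, so a single exit is
    # noise; several exits of the same tool inside a short window is not.
    for name, times in kills.items():
        times.sort()
        for i in range(len(times) - kill_threshold + 1):
            if times[i + kill_threshold - 1] - times[i] <= kill_window_s:
                alerts.append(("repeated_tool_termination", name))
                break
    return alerts


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

The Defender-exclusion and “.NonEuclid” rules are high-confidence on their own; the scheduled-task and process-termination rules are supporting signals that are most useful when correlated with the same originating image within a few minutes, which is how the Sigma rules referenced earlier in this post would typically be chained in a SIEM.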
The rising popularity of NonEuclid RAT, driven by malware-focused discussions across various popular platforms, indicates a coordinated effort to expand its offensive use, demanding heightened vigilance from cybersecurity experts. Defending against such threats demands proactive strategies, ongoing monitoring, and awareness of evolving cybercriminal tactics. SOC Prime Platform for collective cyber defense provides global organizations with cutting-edge technologies for advanced detection engineering, proactive threat detection, and automated threat hunting to outscale cyber threats. By leveraging the Emerging Threats feed, security teams can instantly access a centralized source of actionable threat intel, relevant detection rules, and AI-enriched context to always stay in the know and outpace adversaries.
The post NonEuclid RAT Detection: Malware Enables Adversaries to Gain Unauthorized Remote Access and Control Over a Targeted System appeared first on SOC Prime.