CetaRAT is a Remote Access Trojan (RAT) threat written using the C# programming language. Its main function is to carry out espionage activities where it harvests and then exfiltrates sensitive data from the compromised machines. The threat was first noticed by the infosec community when it was deployed in the still-ongoing Operation SideCopy, an attack campaign targeting Indian defense forces and armed forces personnel. Since then, CetaRAT has been expanding its reach and being leveraged in additional attacks against Indian government agencies.

Attack Chain

CetaRAT's infection chain begins with the distribution of spear-phishing emails carrying a weaponized attachment. The corrupted attachment can take the form of a ZIP archive that fetches an HTA file from a remote URL. Executing the HTA file delivers the CetaRAT threat onto the victim's machine. So far, two different methods have been observed.

In the first one, after the HTA file is initiated, it proceeds to create and execute a JavaScript file placed in the 'C:\ProgramData' location. The script is responsible for showing a decoy document to the unsuspecting victim to distract them from the fact that the CetaRAT payload is being dropped at the system's Startup location. The decoy documents usually carry information about a relevant topic concerning the region and India in particular.

The second method sees the creation and execution of batch files dropped in a randomly named folder on the C drive of the compromised device. The next step is to add a Registry entry at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to CetaRAT's payload. In this case, the threat's executable file is located in the '%AppData/Roaming%' folder.
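The two delivery methods above each leave a distinct footprint: an HTA spawning a script host that runs a `.js` from `C:\ProgramData` and then drops into the Startup folder, or an HTA spawning `cmd.exe` on a `.bat` in a randomly named folder at the root of `C:` followed by a `HKCU\...\Run` value pointing under `AppData\Roaming`. The following detection logic is an added example, not code from the page or from any vendor; the event records are constructed in a Sysmon-like shape (id 1 = process creation, 11 = file create, 13 = registry value set) and the rule names are my own.

```python
import re

# Constructed sample telemetry (not real CetaRAT logs), Sysmon-like field names.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\notice.hta"},
    {"id": 1, "parent": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\show.js"},
    {"id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"id": 1, "parent": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\kx82hd\run.bat"},
    {"id": 13, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update",
     "details": r"C:\Users\u\AppData\Roaming\update.exe"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},  # benign: must not match any rule
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
RUN_KEY = re.compile(r"(?i)^hkcu\\software\\microsoft\\windows\\currentversion\\run\\")


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for events matching one of the described chain stages."""
    hits = []
    for ev in events:
        eid, img, parent = ev["id"], _base(ev.get("image", "")), _base(ev.get("parent", ""))
        cmd, target = ev.get("cmdline", ""), ev.get("target", "")
        # Method 1: HTA -> script host running a .js placed in C:\ProgramData
        if eid == 1 and parent == "mshta.exe" and img in SCRIPT_HOSTS and \
                re.search(r'(?i)c:\\programdata\\[^\s"]+\.js\b', cmd):
            hits.append(("hta_spawns_js_in_programdata", ev))
        # Method 1: the script host then writes the payload into the Startup folder
        elif eid == 11 and img in SCRIPT_HOSTS and \
                re.search(r"(?i)\\start menu\\programs\\startup\\", target):
            hits.append(("script_host_drops_to_startup", ev))
        # Method 2: HTA -> cmd.exe on a .bat inside a short, random-looking folder at C:\
        elif eid == 1 and parent == "mshta.exe" and img == "cmd.exe" and \
                re.search(r'(?i)c:\\[a-z0-9]{4,12}\\[^\s"]+\.bat\b', cmd):
            hits.append(("hta_spawns_bat_in_random_c_folder", ev))
        # Method 2: Run-key persistence whose value points under AppData\Roaming
        elif eid == 13 and RUN_KEY.search(target) and \
                re.search(r"(?i)\\appdata\\roaming\\", ev.get("details", "")):
            hits.append(("run_key_to_appdata_roaming", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, "->", ev.get("cmdline") or ev.get("target"))
```

The folder-name pattern for method 2 is a heuristic for the "randomly named folder" the text describes; tune its length bounds against your own baseline before alerting on it.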

Collected Data

Before CetaRAT activates its main functionality, the threat performs a scan for all running AV solutions and sends the acquired details to its Command-and-Control (C2, C&C) server. After that, it starts collecting various system details, including computer name, IP address, memory details, processor information, OS data and more.

When the initial information about the compromised device has been transmitted, CetaRAT will wait for additional commands. The threat actor can instruct the RAT to fetch additional payloads and execute them, manipulate the victim's file system, take arbitrary screenshots, execute arbitrary commands and other intrusive actions. All harvested data is encrypted with the RC4 algorithm before being transmitted to the C2 server.
