JelusRAT
JelusRAT is a remote access trojan (RAT) that grants cybercriminals covert control over compromised computers. Developed in C++, it relies on a specialized loader to decrypt and release its main payload. Instead of installing itself as a traditional file, the malware executes directly in memory, significantly reducing its footprint on disk and making detection more difficult. If JelusRAT is identified on a system, immediate removal is critical to prevent further compromise.
The Disguised Loader and Fileless Execution
The infection chain begins with a loader that masquerades as a legitimate application. The loader carries two encrypted segments: one holding the core malware and the other holding configuration data. Once run, it decrypts the main payload and launches it directly in memory, never writing the decrypted payload to disk, and then deletes its own file to erase evidence. This 'fileless' technique is designed to defeat file-based antivirus scanning and complicate forensic analysis. The loader itself does exist on disk until it runs, however, so execution artifacts such as Prefetch and Amcache entries, and endpoint telemetry showing a process that deleted its own image, remain useful leads during investigation.
Configuration Handling and Stealth Tactics
After execution, the main payload reads a configuration file named Info.ini to retrieve its operational instructions, then deletes the file immediately to minimise traces of the intrusion. The contents are obfuscated: the first byte of the file holds a small key value that the malware uses to decode the remainder before acting on it. Because the file is removed as soon as it is read, an analyst will usually have to recover it from a memory capture or from file-system journal or shadow-copy artifacts rather than from the live file system.
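The following decoder, added here as an illustration and not JelusRAT's own code, shows how a first-byte-keyed configuration like the one described above can be recovered and parsed once a copy of the file has been obtained. It assumes, since the page does not say, that the key byte is XORed over every following byte; the sample config and the key 0x5A are constructed for this example and are not taken from a real infection.

```python
"""Decoder for a first-byte-keyed obfuscated INI config (added example).

Assumption, not stated on the page: the "small embedded value in the first
byte" is a single-byte XOR key applied to every following byte.  The sample
config below is constructed for this example and is not a real JelusRAT file.
"""
from __future__ import annotations

import configparser


def decode_first_byte_keyed(blob: bytes) -> bytes:
    """Strip the leading key byte and XOR it over the rest of the blob."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key byte and data")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def encode_first_byte_keyed(plaintext: bytes, key: int) -> bytes:
    """Inverse of decode_first_byte_keyed; used here only to build the sample."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes([key]) + bytes(b ^ key for b in plaintext)


def parse_ini(text: str) -> dict[str, dict[str, str]]:
    """Parse INI text into {section: {key: value}} using the stdlib parser."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def recover_config(blob: bytes) -> dict[str, dict[str, str]]:
    """Decode an obfuscated blob (from disk or a memory dump) and parse it."""
    text = decode_first_byte_keyed(blob).decode("utf-8", errors="replace")
    return parse_ini(text)


def looks_like_keyed_ini(blob: bytes) -> bool:
    """Cheap triage: does the file decode to something INI-shaped?

    A plausibly decoded config starts with a '[' section header and is mostly
    printable ASCII; a random or differently obfuscated file will not.
    """
    try:
        decoded = decode_first_byte_keyed(blob)
    except ValueError:
        return False
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in decoded)
    return decoded.lstrip().startswith(b"[") and printable >= 0.95 * len(decoded)


# Constructed sample: a plausible C2 config, XOR-keyed with 0x5A in byte 0.
SAMPLE_PLAINTEXT = (
    b"[C2]\n"
    b"host=c2.example.invalid\n"
    b"port=8443\n"
    b"[Options]\n"
    b"critical=1\n"
)
SAMPLE_BLOB = encode_first_byte_keyed(SAMPLE_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    for section, values in recover_config(SAMPLE_BLOB).items():
        print(f"[{section}]")
        for key, value in values.items():
            print(f"  {key} = {value}")
```

The triage helper is the part worth keeping in a carving script: when hunting through a memory dump or recovered unallocated clusters for a deleted Info.ini, trying the first-byte key on every candidate and checking whether the result looks like an INI file is far cheaper than inspecting each candidate by hand. If the real obfuscation turns out to be something other than XOR, only decode_first_byte_keyed needs to change.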
Remote Control Capabilities and Command Handling
JelusRAT accepts a range of commands from the attacker's server. One of them marks the malware's process as a critical system process, the same flag Windows uses for core system processes; Windows treats the death of such a process as fatal, so forcibly terminating it crashes the machine with a blue screen, which discourages manual removal. Other commands clear that flag again, change how the malware communicates with its command-and-control infrastructure, or shut it down when instructed.
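Before killing a process suspected of being this RAT, check the critical flag and clear it, otherwise Task Manager or taskkill will bugcheck the host. The script below is an added example written for this page, not JelusRAT's code and not a tool from any vendor; it uses the native information class ProcessBreakOnTermination, which is what the critical flag is read and written through, and it is Windows-only (on other platforms its functions return None so the module still imports).

```python
"""Detect and clear the 'critical process' flag before killing a suspect process.

Added example (not JelusRAT code).  The critical flag is readable and writable
through the native API with information class ProcessBreakOnTermination;
clearing it first means TerminateProcess ends the process instead of
bugchecking the machine.  Windows-only: elsewhere the functions return None.
"""
import ctypes
import os
import sys

PROCESS_BREAK_ON_TERMINATION = 29        # PROCESSINFOCLASS value for the flag
PROCESS_TERMINATE = 0x0001
PROCESS_SET_INFORMATION = 0x0200
PROCESS_QUERY_INFORMATION = 0x0400


def _win_api():
    """Load kernel32/ntdll with explicit signatures (64-bit safe HANDLEs)."""
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    kernel32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    kernel32.TerminateProcess.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long      # NTSTATUS
    ntdll.NtSetInformationProcess.restype = ctypes.c_long        # NTSTATUS
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32,
        ctypes.POINTER(ctypes.c_uint32)]
    ntdll.NtSetInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    return kernel32, ntdll


def _check_status(status: int, what: str) -> None:
    if status < 0:                                   # NTSTATUS failure codes
        raise OSError(f"{what} failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")


def is_critical_process(pid: int):
    """True if the break-on-termination flag is set, False if not, None off Windows."""
    if sys.platform != "win32":
        return None
    kernel32, ntdll = _win_api()
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        flag = ctypes.c_uint32(0)
        returned = ctypes.c_uint32(0)
        status = ntdll.NtQueryInformationProcess(
            handle, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(flag),
            ctypes.sizeof(flag), ctypes.byref(returned))
        _check_status(status, "NtQueryInformationProcess")
        return bool(flag.value)
    finally:
        kernel32.CloseHandle(handle)


def terminate_uncritical(pid: int, exit_code: int = 1):
    """Clear the critical flag (needs SeDebugPrivilege), verify, then terminate."""
    if sys.platform != "win32":
        return None
    kernel32, ntdll = _win_api()
    access = PROCESS_SET_INFORMATION | PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION
    handle = kernel32.OpenProcess(access, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        if is_critical_process(pid):
            off = ctypes.c_uint32(0)
            status = ntdll.NtSetInformationProcess(
                handle, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(off), ctypes.sizeof(off))
            _check_status(status, "NtSetInformationProcess")
            if is_critical_process(pid):
                raise RuntimeError("critical flag still set; refusing to terminate")
        if not kernel32.TerminateProcess(handle, exit_code):
            raise ctypes.WinError(ctypes.get_last_error())
        return True
    finally:
        kernel32.CloseHandle(handle)


def self_check():
    """Sanity check: this interpreter should never be a critical process."""
    return is_critical_process(os.getpid())


if __name__ == "__main__":
    print("current process critical:", self_check())
```

Clearing the flag requires SeDebugPrivilege, which is present but disabled in a default elevated token, so run this from an elevated shell and enable that privilege first (for example with AdjustTokenPrivileges or a tool that does it for you). The re-check after NtSetInformationProcess is deliberate: if the write silently failed, the function refuses to terminate rather than take the machine down. Because the RAT can re-arm the flag on command, suspend the process (or cut its C2 connectivity) before this step on a live host.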
A Modular Platform Powered by Plugins
Rather than containing all malicious functions internally, JelusRAT operates primarily as a framework. It can download additional add-ons in the form of DLL plugins from the attacker's server, expanding its functionality on demand. Most of its capabilities are delivered through these modules, allowing threat actors to adapt the malware to different objectives without redeploying the entire payload.
JelusRAT can be leveraged to introduce other types of malware, including:
- Ransomware, cryptocurrency miners, and information-stealing tools
- Additional malicious programs that deepen or broaden system compromise
Why JelusRAT Represents a Serious Risk
JelusRAT stands out as a stealthy and highly flexible threat. Its in-memory execution, self-deleting behavior, and plugin-based design allow it to evade detection while maintaining persistent, adaptable control over infected systems. These traits make it particularly dangerous, as it can easily serve as a launch platform for more destructive malware and large-scale cybercriminal operations.
Common Infection Vectors and Distribution Methods
Malware such as JelusRAT is most often spread through social engineering and deceptive online practices. Attackers typically lure victims into running malicious files disguised as legitimate content, including executables, scripts, and document formats such as Word, Excel, PDF, or ISO images. Infection campaigns frequently rely on phishing emails, fake advertisements, tech support scams, pirated software, and compromised websites to deliver these payloads.
Other established distribution channels include infected USB drives, peer-to-peer networks, third-party download utilities, and the exploitation of unpatched software vulnerabilities. In most cases, successful infections occur because users are tricked into performing an action that unknowingly grants the malware a foothold.