The PyXie RAT is a threat that was first uncovered in 2018. In its essence, this threat is a RAT (Remote Access Trojan), which is written in the Python programming language. When malware researchers first spotted the PyXie RAT, the threat was not spread very widely. However, its operators have since made sure to expand their reach, and cybersecurity experts have spotted several variants of the threat lurking the Web. Upon dissecting the PyXie RAT, experts have concluded that its authors are very highly-skilled and experienced as this threat is a very high-end Remote Access Trojan. The creators of the PyXie RAT have borrowed code from a couple of infamous hacking tools and made sure that their creation is difficult to study and analyze.

Packs a Threatening Downloader Module

The operators have a corrupted code to legitimate DLL files from Google and LogMeIn. The authors of the PyXie RAT also have compromised a Tetris application and are using it to launch modules of the toolset called Cobalt Strike. The creators of the PyXie RAT may have been inspired by the authors of the Shifu banking Trojan, as they both appear to use a very similar downloader module. Once the PyXie RAT compromises a host, it will place its files in a few %APPDATA% subfolders. The threat will also make sure it gains persistence by tampering with the Windows Registry. The authors of the PyXie RAT have obfuscated the source code of the threat so that dissecting it is a far more difficult task. The downloader module that we mentioned previously is named ‘Cobalt Mode’ and can plant additional malware on the host by grabbing the load from the attackers’ C&C (Command & Control) server, decrypting it, and executing it.


Apart from its ability to plant additional malware on the infected machine, the PyXie RAT is also capable of:

  • Launch a keylogger and collect keystrokes that are then transferred to the attackers’ C&C server.
  • Record video via the webcam of the user.
  • Initiate a remote desktop connection.
  • Collect files from any removable storage devices that may be plugged in.
  • Collect login credentials from FTP clients, as well as Web browsers.
  • Gather sessions data from Discord, Steam, Telegram, and other applications used for communication.
  • Inject custom websites that may be utilized in phishing operations.

The PyXie RAT is a threat one should be wary of definitely. This high-end hacking tool is capable of wreaking havoc and collecting a lot of information. If you want to protect your data and your system from this pest, make sure to download and install a reputable anti-virus software solution.


Most Viewed