Skip to content


RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. 1

Item Value
ID S0055
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1083 File and Directory Discovery RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.2
enterprise T1105 Ingress Tool Transfer RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.1
enterprise T1095 Non-Application Layer Protocol RARSTONE uses SSL to encrypt its communication with its C2 server.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system.2

Groups That Use This Software

ID Name References
G0019 Naikon 34