S1182 MagicRAT
MagicRAT is a remote access tool developed in C++ and exclusively used by the Lazarus Group threat actor in operations. MagicRAT allows for arbitrary command execution on victim machines and provides basic remote access functionality.1
| Item | Value |
|---|---|
| ID | S1182 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 30 December 2024 |
| Last Modified | 10 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | MagicRAT uses HTTP POST communication for command and control.1 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | MagicRAT can persist using malicious LNK objects in the victim machine Startup folder.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | MagicRAT allows for the execution of arbitrary commands on the victim system.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | MagicRAT stores command and control URLs using base64 encoding in the malware’s configuration file.1 |
| enterprise | T1041 | Exfiltration Over C2 Channel | MagicRAT exfiltrates data via HTTP over existing command and control channels.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | MagicRAT can delete files on victim systems, including itself.1 |
| enterprise | T1105 | Ingress Tool Transfer | MagicRAT can import and execute additional payloads.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | MagicRAT stores configuration data in files and file paths mimicking legitimate operating system resources.1 |
| enterprise | T1036.008 | Masquerade File Type | MagicRAT can download additional executable payloads that masquerade as GIF files.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | MagicRAT stores base64 encoded command and control URLs in a configuration file, with each URL prefixed with the value LR02DPt22R.1 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | MagicRAT can persist via scheduled tasks.1 |
| enterprise | T1082 | System Information Discovery | MagicRAT collects basic system information from victim machines.1 |
| enterprise | T1016 | System Network Configuration Discovery | MagicRAT collects system network information using commands such as ipconfig /all.1 |
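The T1140 and T1027.013 rows above describe a recoverable format: base64 encoded C2 URLs, each preceded by the marker LR02DPt22R, inside the configuration file. The following triage helper is an added example, not MITRE's or Talos's code; it assumes the marker is immediately followed by the base64 text of one URL (the page does not describe the surrounding file layout), and the sample configuration and hostnames are constructed.

```python
import base64
import binascii
import re
from typing import List, Optional

# Marker the ATT&CK entry states prefixes each encoded C2 URL in the config file.
MARKER = "LR02DPt22R"

# Assumption: the marker is immediately followed by one base64 token.
# Any other separators or keys in the file are not described on the page.
_ENTRY_RE = re.compile(re.escape(MARKER) + r"([A-Za-z0-9+/=]+)")


def decode_entry(token: str) -> Optional[str]:
    """Base64-decode one token, tolerating stripped padding; None unless it is a URL."""
    padded = token + "=" * (-len(token) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None


def extract_c2_urls(config_text: str) -> List[str]:
    """Return every decodable URL following the marker, in file order, deduplicated."""
    urls: List[str] = []
    for match in _ENTRY_RE.finditer(config_text):
        url = decode_entry(match.group(1))
        if url and url not in urls:
            urls.append(url)
    return urls


# Constructed sample config (not a real MagicRAT artifact); .invalid hostnames are placeholders.
SAMPLE_CONFIG = (
    "[Settings]\n"
    "timeout=30\n"
    "url1=" + MARKER + base64.b64encode(b"http://c2.example.invalid/update.php").decode() + "\n"
    "url2=" + MARKER + base64.b64encode(b"https://cdn.example.invalid/img/1.gif").decode() + "\n"
    "junk=" + MARKER + "AAAA\n"  # decodes to NUL bytes, not a URL: must be skipped
)

if __name__ == "__main__":
    for url in extract_c2_urls(SAMPLE_CONFIG):
        print(url)
```

Recovered URLs can be fed straight into proxy or DNS log searches to scope the intrusion, which is the practical payoff of knowing the marker and encoding.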
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | MagicRAT is exclusively associated with Lazarus Group operations in 2022.1 |