S1241 RatMilad
RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server.
| Item | Value |
| --- | --- |
| ID | S1241 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 September 2025 |
| Last Modified | 24 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | RatMilad has used HTTP POST requests for communicating with its C2 server. |
| mobile | T1429 | Audio Capture | RatMilad has captured audio from the device. |
| mobile | T1414 | Clipboard Data | RatMilad has collected clipboard content. |
| mobile | T1662 | Data Destruction | RatMilad has deleted files on the device. |
| mobile | T1533 | Data from Local System | RatMilad has listed files and pictures on the device starting from /mnt/sdcard/. |
| mobile | T1407 | Download New Code at Runtime | RatMilad has used a fake application to request permissions and to download itself. |
| mobile | T1646 | Exfiltration Over C2 Channel | RatMilad has exfiltrated collected data to the C2. |
| mobile | T1420 | File and Directory Discovery | RatMilad has listed files and pictures on the device starting from /mnt/sdcard/. |
| mobile | T1430 | Location Tracking | RatMilad has collected the device's last known location. |
| mobile | T1660 | Phishing | RatMilad has concealed itself behind variants of a phone number spoofing application, which was distributed through links on social media and communication platforms. |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | RatMilad has accessed the device's call log. |
| mobile | T1636.003 | Contact List | RatMilad has accessed the device's contact list. |
| mobile | T1636.004 | SMS Messages | RatMilad has accessed the device's SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued. |
| mobile | T1636.005 | Accounts | RatMilad has collected account names and their types from the compromised device. |
| mobile | T1418 | Software Discovery | RatMilad has collected package names. |
| mobile | T1426 | System Information Discovery | RatMilad has collected device information such as model, brand, buildId, Android version and manufacturer. |
| mobile | T1422 | System Network Configuration Discovery | RatMilad has collected device information such as MAC address, IMEI and phone number. |
| mobile | T1512 | Video Capture | RatMilad has taken photos and videos using the device's camera. |