
Moonrise RAT Low Detection High Cost Threat

In the fast‑moving world of cyber‑threats, a new remote‑access trojan (RAT) has been identified that flies under the radar of conventional signature‑based defenses. The RAT, dubbed Moonrise, was first documented in a 2026 AlienVault threat report published on 24 February. Built in Go, Moonrise is engineered to operate without generating any early static detection signals, allowing attackers to establish a foothold and expand lateral movement before defenders notice.

Key TTPs and Attack Chain

Moonrise follows a classic “execution‑to‑control” model, but with several stealth enhancements:

  • Initial Compromise – The malware is typically delivered via spear‑phishing attachments, malicious download links, or software supply‑chain compromise. Once the payload is executed, the process spawns a lightweight WebSocket client that immediately contacts a command‑and‑control (C2) server.
  • C2 Establishment – A minimal handshake (client_hello, connected, ping/pong) keeps the session alive. This handshake is intentionally benign, avoiding obvious indicators that would trigger static scanners.
  • Reconnaissance – The operator requests system metadata: process_list, file_list, webcam_list, monitors_list, screenshot. Even if a screenshot fails in a headless environment, the request itself signals active remote control.
  • Command Execution – The RAT can run arbitrary shell commands (cmd), kill or spawn processes (process_kill, file_run), upload or download files (file_upload, file_download), and manipulate the filesystem (mkdir, file_delete).
  • Credential Harvesting – The stealer, steam, keylogger_logs, and clipboard_history commands extract passwords, session tokens, and keystrokes. Clipboard monitoring can capture credentials copied between applications.
  • User Surveillance – Keylogging (keylogger_start/stop), clipboard monitoring, screen streaming, webcam capture, and microphone recording give the attacker a live view of user activity.
  • Privilege Escalation & Persistence – uac_bypass, rootkit_enable/disable, watchdog_status, and protection_config allow the malware to elevate privileges and maintain persistence even after system restarts.
  • Disruption & Cleanup – update, uninstall, and a suite of user‑facing commands (fun_restart, fun_shutdown, fun_bsod) enable the operator to manipulate the victim environment or clear forensic evidence.

Indicators of Compromise (IOCs)

Below are the most actionable IOCs for Moonrise:


Why Moonrise Is Dangerous

The RAT’s stealthy signature‑free approach gives attackers an extended dwell time. While static reputation checks remain silent, the malware can:

  • Steal credentials and session tokens before MFA or other controls detect anomalous activity.
  • Deploy additional payloads such as ransomware or bespoke stealers.
  • Manipulate business applications, leading to operational disruptions.
  • Capture sensitive visual and audio data from finance workflows and internal communications.
  • Establish persistence mechanisms that survive system reboots and standard cleanup procedures.

Consequently, a single compromised endpoint can translate into significant financial loss, reputational damage, and compliance violations.

Mitigation and Detection Recommendations

  1. Behavior‑Based Monitoring – Deploy endpoint detection and response (EDR) solutions that flag WebSocket connections to unknown IPs, sudden execution of system commands, or abnormal privilege escalation events.
  2. Real‑Time Threat Hunting – Use the IOC list to search for outbound traffic to 193.23.199.88, hash matches in sandbox reports, and unusual file creation patterns.
  3. Accelerated Triage Workflow – Once a suspicious connection is detected, immediately enrich the event with threat intelligence, run a sandbox analysis, and confirm malicious behavior before escalating.
  4. Infrastructure‑Level Controls – Block outbound connections to known malicious IP ranges, enforce least‑privilege principles, and harden UAC to prevent silent privilege escalation.
  5. Endpoint Hardening – Disable unnecessary services such as SMB or RDP where possible, enforce MFA for privileged accounts, and regularly patch all systems.
  6. Security Awareness Training – Educate users about phishing vectors and the importance of not copying sensitive credentials into the clipboard or untrusted applications.

Operational Playbook for SOC Analysts

  1. Monitoring – Continuously scan for new outbound WebSocket connections, especially those initiating with client_hello or ping/pong patterns.

  2. Triage – Enrich alerts with threat intelligence. If the destination IP or domain matches the IOC list, prioritize the case and trigger a sandbox run.

  3. Hunting – Once confirmed, pivot to related infrastructure: look for sibling domains, similar IP blocks, or alternate C2 endpoints. Use the “update” and “uninstall” commands as indicators of lifecycle management.

  4. Containment – Isolate the infected host, block the C2 IP, and remove persistence mechanisms, including any rootkit or privilege‑escalation components identified during analysis.

  5. Recovery – Restore from clean backups, verify integrity, and monitor for re‑infection.
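The monitoring step above and the C2 handshake described in the attack chain (client_hello, connected, ping/pong) can be turned into session-level scoring over logged WebSocket frames. The following is an added example, not code from the original report or from AlienVault: it assumes an EDR or proxy that logs one JSON record per text frame with host, destination, direction and message type, and the weights and the 5-point escalation threshold are assumptions for illustration.

```python
import json
from collections import defaultdict

# Command names come from the report's TTP list; the weights are an assumption for this example.
KEEPALIVE = {"ping", "pong"}
COMMANDS = {
    "process_list", "file_list", "webcam_list", "monitors_list",
    "screenshot", "cmd", "process_kill", "file_run",
    "file_upload", "file_download", "mkdir", "file_delete",
    "stealer", "steam", "keylogger_logs", "clipboard_history",
    "keylogger_start", "keylogger_stop", "uac_bypass", "rootkit_enable",
    "rootkit_disable", "watchdog_status", "protection_config", "update",
    "uninstall", "fun_restart", "fun_shutdown", "fun_bsod",
}
# Constructed sample: one JSON record per WebSocket text frame, as an EDR or proxy might log them.
SAMPLE_LOG = """\
{"host":"ws-01","dst":"203.0.113.10:8080","dir":"out","type":"client_hello"}
{"host":"ws-01","dst":"203.0.113.10:8080","dir":"in","type":"connected"}
{"host":"ws-01","dst":"203.0.113.10:8080","dir":"in","type":"ping"}
{"host":"ws-01","dst":"203.0.113.10:8080","dir":"out","type":"pong"}
{"host":"ws-01","dst":"203.0.113.10:8080","dir":"in","type":"process_list"}
{"host":"ws-01","dst":"203.0.113.10:8080","dir":"in","type":"screenshot"}
{"host":"ws-02","dst":"chat.example.net:443","dir":"out","type":"subscribe"}
{"host":"ws-02","dst":"chat.example.net:443","dir":"in","type":"ping"}
{"host":"ws-02","dst":"chat.example.net:443","dir":"out","type":"pong"}
"""

def score_sessions(log_text):
    """Group frames per (host, dst); return {session: (score, reasons)}. Score >= 5 warrants triage."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            sessions[(rec["host"], rec["dst"])].append((rec["dir"], rec["type"]))
    results = {}
    for key, frames in sessions.items():
        score, reasons, types = 0, [], [t for _, t in frames]
        # Handshake: an outbound client_hello answered later by an inbound connected.
        if ("out", "client_hello") in frames and ("in", "connected") in frames \
                and types.index("client_hello") < types.index("connected"):
            score += 2; reasons.append("moonrise-style handshake")
        # Keepalive alone is weak evidence: many legitimate WebSocket apps ping/pong too.
        if KEEPALIVE & set(types):
            score += 1; reasons.append("ping/pong keepalive")
        seen = sorted(COMMANDS & set(types))  # operator command vocabulary from the report
        if seen:
            score += 3 * len(seen); reasons.append("commands: " + ", ".join(seen))
        results[key] = (score, reasons)
    return results
```

In the constructed sample only the ws-01 session crosses the threshold; the ws-02 session scores on keepalive alone, which is why ping/pong by itself should never be the sole trigger.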

Conclusion

Moonrise demonstrates that the most damaging attacks may arrive without a signature. By prioritizing behavioral indicators over static reputation, organizations can reduce detection times from hours to minutes, limiting the window for credential theft, data exfiltration, and operational sabotage. Rapid clarity, supported by a continuous monitoring, triage, and hunting loop, is the most effective defense against stealthy RATs like Moonrise.

Copyright © 2025 ESSGroup
