MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access
Essential information
- Published
- 09/09/2025 04:48
- Modified
- 09/09/2025 12:08
- Tags
- 2025-09-09, anydesk, epl, evasion techniques, mostererat, mtls, phishing, remote access, tightvnc
- Related entities
- 12 observables, 14 techniques (mitre), 1 malware, 1 others
Description
A phishing campaign targeting Japanese users delivers MostereRAT, a Remote Access Trojan built around several evasion techniques. The attack chain runs in multiple stages: a payload written in Easy Programming Language (EPL), disabling of installed security tools, and command-and-control (C2) traffic protected by mutual TLS (mTLS), so that the C2 server only talks to clients holding the attacker-issued certificate. Once established, the malware can deploy legitimate remote access tools, AnyDesk and TightVNC, which give the operator full interactive control of the host. Supporting techniques include running with TrustedInstaller privileges, blocking network traffic from antivirus products, and creating hidden local administrator accounts. Because AnyDesk and TightVNC are legitimate, signed products, their presence alone is not malicious; detection has to rely on context such as how, when and by whom they were installed, and on the surrounding activity (new hidden administrators, AV traffic blocked). The multi-stage design and reliance on legitimate tooling make detection and prevention harder, which underlines the value of user education and up-to-date security controls.
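The description above lists several host-level side effects that are easier to catch than the RAT itself: a new local account, membership in Administrators, the account being hidden from the logon screen, and a remote access tool registered as a Windows service shortly afterwards. The following is an added example, not code from the original report or from MostereRAT's authors, that correlates those signals over a small set of constructed Windows event records. The event schema is a simplified, constructed one (flat field names rather than EVTX XML), the sample events are invented, and the registry-based hiding via `Winlogon\SpecialAccounts\UserList` is an assumption about how an account might be hidden; the page does not say which method the malware uses.

```python
"""Correlate account-creation, admin-group, account-hiding and RAT-service
events into a single finding. Added example; all telemetry is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """Simplified Windows event: timestamp, Event ID, flat field dict.
    Field names are a constructed schema, not the exact EVTX names."""
    ts: datetime
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample telemetry for one host (not real logs).
T0 = datetime(2025, 9, 9, 4, 48)
SAMPLE_EVENTS = [
    # 4720: a user account was created
    Event(T0, 4720, {"target_user": "svc_backup", "subject_user": "SYSTEM"}),
    # 4732: a member was added to a security-enabled local group
    Event(T0 + timedelta(seconds=5), 4732,
          {"member": "svc_backup", "group": "Administrators"}),
    # 4657: registry value modified (assumed hiding technique: UserList = 0)
    Event(T0 + timedelta(seconds=9), 4657,
          {"object": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT"
                     r"\CurrentVersion\Winlogon\SpecialAccounts\UserList",
           "value_name": "svc_backup", "new_value": "0"}),
    # 7045 (System log): a new service was installed
    Event(T0 + timedelta(minutes=3), 7045,
          {"service": "AnyDesk",
           "image_path": r"C:\ProgramData\AnyDesk\AnyDesk.exe --service"}),
    Event(T0 + timedelta(minutes=4), 7045,
          {"service": "tvnserver",
           "image_path": r"C:\ProgramData\TightVNC\tvnserver.exe -service"}),
    # Benign control: helpdesk creates a normal user, no admin rights, no RAT.
    Event(T0 + timedelta(hours=2), 4720,
          {"target_user": "alice", "subject_user": "helpdesk"}),
    Event(T0 + timedelta(hours=2, seconds=30), 4732,
          {"member": "alice", "group": "Remote Desktop Users"}),
]

# Service names / image paths that identify the remote access tools named
# on the page (tvnserver/winvnc are TightVNC service binaries; assumed).
RAT_MARKERS = ("anydesk", "tightvnc", "tvnserver", "winvnc")
HIDE_KEY_SUFFIX = r"\winlogon\specialaccounts\userlist"


def hunt(events, window=timedelta(minutes=30)):
    """Return one finding per created account that also gained Administrators
    membership and shows at least one more sign (hidden from logon UI, or a
    RAT service installed within `window` of the account creation)."""
    created, admin, hidden, rat_services = {}, {}, {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        f = e.fields
        if e.event_id == 4720:
            created.setdefault(f["target_user"].lower(), e.ts)
        elif e.event_id == 4732 and f.get("group", "").lower() == "administrators":
            admin.setdefault(f["member"].lower(), e.ts)
        elif (e.event_id == 4657
              and f.get("object", "").lower().endswith(HIDE_KEY_SUFFIX)
              and f.get("new_value") == "0"):
            hidden.setdefault(f["value_name"].lower(), e.ts)
        elif e.event_id == 7045:
            blob = (f.get("service", "") + " " + f.get("image_path", "")).lower()
            if any(marker in blob for marker in RAT_MARKERS):
                rat_services.append((e.ts, f.get("service", "")))

    findings = []
    for user, t_create in created.items():
        indicators = ["account_created"]
        if user in admin and timedelta(0) <= admin[user] - t_create <= window:
            indicators.append("added_to_administrators")
        if user in hidden and timedelta(0) <= hidden[user] - t_create <= window:
            indicators.append("hidden_from_logon_ui")
        services = sorted({name for ts, name in rat_services
                           if t_create <= ts <= t_create + window})
        if services:
            indicators.append("remote_access_service_installed")
        # Admin rights plus at least one further sign: flag it.
        if "added_to_administrators" in indicators and len(indicators) >= 3:
            findings.append({"user": user, "indicators": indicators,
                             "services": services})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The benign `alice` account is created and added to a group but never to Administrators, so it produces no finding; `svc_backup` trips all four indicators because the admin-group change, the UserList edit and both service installs fall inside the 30-minute window after its creation. In a real deployment the same correlation would be fed from Security (4720/4732/4657, with registry auditing enabled on the Winlogon key) and System (7045) channels rather than from constructed records.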