An In-Depth Analysis of Novel KarstoRAT Malware
Essential information
- Published: 30/04/2026 16:20
- Modified: 04/05/2026 11:29
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: discord token stealer, fodhelper exploit, gaming lure pages, karstorat, webcam surveillance
- Tags: 2026-04-30, discord token stealer, fodhelper exploit, gaming lure pages, karstorat, webcam surveillance
- Related entities: 6 indicators, 6 observables, 25 techniques (MITRE), 1 malware, 1 others
Description
KarstoRAT is a newly identified remote access trojan that emerged in early 2026, combining surveillance, credential theft, and remote command execution capabilities. The malware supports extensive post-compromise operations, including system reconnaissance, screenshot and audio capture, webcam monitoring, keylogging, and token theft. It communicates with a C2 server at 212.227.65[.]132 over HTTP, using the user agent 'SecurityNotifier'. Distribution occurs through gaming-themed lure pages that target Roblox players and FPS/GTA modders with fake cheat loaders. KarstoRAT establishes persistence through multiple mechanisms (registry keys, scheduled tasks, and startup folders) and includes a UAC bypass based on the fodhelper.exe technique. The malware has not been publicly advertised on cybercrime forums, suggesting private development and limited operator use rather than commodity distribution.