Malware Analysis Reveals Sophisticated RAT With Corrupted Headers

Published 29/05/2025 16:10 · Modified 29/05/2025 19:34

Essential information

Published
29/05/2025 16:10
Modified
29/05/2025 19:34
Tags
2025-05-29, api mapping, corrupted headers, remote access trojan, tls transmission
Related entities
13 techniques (mitre), 1 malware

Description

A sophisticated remote access trojan (RAT) has been discovered operating within a legitimate Windows process, using advanced evasion techniques. The malware's PE and DOS headers were deliberately corrupted, making traditional static analysis difficult. Fortinet's FortiGuard Incident Response Team analyzed the malware from a full memory dump, recreating the compromised environment. The RAT's features include screenshot capture, a remote server mode, and service control. It uses over 250 Windows APIs, encrypts its C2 communications, and employs custom XOR-based encryption. The analysis highlights the need for enhanced security measures, including monitoring of legitimate processes, memory analysis tooling, and network traffic analysis, to defend against threats of this kind.

External references