A newly identified two-component Remote Access Trojan (RAT) toolkit built in Rust, dubbed SpankRAT, is being used by threat actors to abuse legitimate Windows processes, bypass reputation-based security controls, and maintain persistent access to compromised environments while largely evading detection on VirusTotal.
Researchers at ANY.RUN have identified and analyzed the SpankRAT toolkit, flagging it as a significant stealth threat due to its ability to route C2 traffic through trusted system processes.
Because malicious network activity originates from legitimate Windows binaries, the toolkit can evade reputation-based detection controls and be deprioritized during triage, drastically reducing SOC visibility and increasing the risk of missed compromise.
The SpankLoader: First Stage of Attack
The attack chain begins with SpankLoader, a lightweight first-stage loader that retrieves the primary payload from a command-and-control (C2) server over unencrypted HTTP.
Upon execution, SpankLoader escalates privileges using SeDebugPrivilege and drops a malicious DLL (rmm_agent.dll) to C:\ProgramData before injecting it into the legitimate explorer.exe process using classic DLL injection techniques.
To ensure persistent access across reboots, SpankLoader creates a Scheduled Task named RmmAgentCore configured with a logon trigger and highest privilege execution.
This technique of injecting into explorer.exe is especially dangerous because it allows malware-generated network traffic to appear as originating from a trusted, built-in Windows process, effectively masking the true nature of the activity from traditional endpoint and network detection solutions.
SpankRAT: Full-Featured Remote Access Capability
Once installed within explorer.exe, SpankRAT establishes a WebSocket-based connection to the C2 server (ws://) using a JSON-based communication protocol.
The full-featured variant supports 18 distinct server commands, giving attackers comprehensive remote control over infected systems.

The command set spans the following operational capabilities:
- Session management: Registration, heartbeat telemetry (CPU, RAM, disk, uptime)
- Remote execution: Arbitrary command execution returning stdout and exit code; UAC elevation via Start-Process -Verb RunAs
- File operations: List, read, upload, delete, rename files, and create directories
- Process control: Enumerate running processes (PID, name, memory, user, CPU); kill processes
- Windows services: List services; start, stop, or restart services
- Registry manipulation: Full CRUD — read keys/values, set, create, and delete registry entries
- Scheduled task control: List, run, and toggle scheduled tasks
- Software inventory: Enumerate installed software
All system interactions are executed through PowerShell using -NoProfile -NonInteractive -ExecutionPolicy Bypass flags, and OS fingerprinting retrieves the build number and product name directly from the registry.
This piece is highly exclusive, as the samples are unavailable anywhere else.
At the time of analysis, most SpankRAT samples remained undetected on VirusTotal, underscoring a critical gap in signature-based and reputation-reliant detection approaches.
This reinforces the necessity of behavioral analysis platforms such as ANY.RUN Sandbox, which can surface the full execution chain, injection activity, C2 communication patterns, and privilege escalation behaviors in real time — even when traditional detection fails.
Indicators of Compromise (IOCs)
Security teams should hunt for the following indicators across their environments:
- C2 Servers: 45.131.214[.]132:9000 (HTTP staging + WebSocket C2), 166.1.144[.]109:9000 (alternate WebSocket C2 variant)
- Agent Hash: f0afbbb3c80e5347191452f2f3b147627e9d1ae4d60b61d6da900a60b35eec95
- Malicious Files: RmmAgentCore.exe (loader), rmm_agent.dll (payload), arc_agent.exe (standalone variant)
- Drop Path: C:\ProgramData
- Persistence Mechanism: Scheduled Task RmmAgentCore, logon trigger, highest privileges
- Injection Target: explorer.exe
- Build Environment: Rust (Cargo); Windows MSVC + Linux cross-compile; dev paths indicate C:\Users\spank\.cargo and /root/.cargo
Mitigations
Security operations teams should prioritize behavioral detection rules that flag DLL injections into explorer.exe, unauthorized Scheduled Task creation with elevated privileges, and outbound WebSocket connections from non-browser system processes.
Hunting within SIEM or EDR telemetry for HTTP GET requests to paths matching */download/rmm_agent.dll* can identify SpankLoader staging activity in the environment.
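As an added example (not code from the report or from ANY.RUN), the following Python hunt rules encode the four behaviours above and run over constructed, Sysmon-like telemetry; the event field names and the sample events are assumptions, while the port, task name, PowerShell flags and staging path come from the report.

```python
"""Hunt rules for the SpankRAT behaviours described in the report, run over constructed telemetry."""
import re

# Flags the report says every SpankRAT PowerShell invocation carries (compared case-insensitively).
POWERSHELL_FLAGS = ("-noprofile", "-noninteractive", "-executionpolicy bypass")
# Staging download path from the report's hunting guidance.
STAGING_PATH = re.compile(r"/download/rmm_agent\.dll", re.IGNORECASE)


def rule_hits(event):
    """Return the names of the hunt rules an event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process" and event.get("parent", "").lower().endswith("explorer.exe"):
        cmd = event.get("cmdline", "").lower()
        if "powershell" in cmd and all(flag in cmd for flag in POWERSHELL_FLAGS):
            hits.append("explorer_spawns_noninteractive_powershell")
    if kind == "network" and event.get("image", "").lower().endswith("explorer.exe"):
        # explorer.exe is not a browser; a WebSocket session or traffic to port 9000 from it is the injected RAT.
        if event.get("protocol") == "websocket" or event.get("dest_port") == 9000:
            hits.append("explorer_websocket_c2")
    if kind == "http" and event.get("method") == "GET" and STAGING_PATH.search(event.get("url", "")):
        hits.append("spankloader_staging_download")
    if kind == "task_created" and event.get("run_level") == "highest" and event.get("trigger") == "logon":
        hits.append("elevated_logon_scheduled_task")  # the report's task is named RmmAgentCore
    return hits


def hunt(events):
    """Map each matched rule name to the list of events that triggered it."""
    findings = {}
    for ev in events:
        for rule in rule_hits(ev):
            findings.setdefault(rule, []).append(ev)
    return findings


# Constructed sample telemetry (assumed field layout); the IP is the report's staging C2.
SAMPLE_EVENTS = [
    {"type": "http", "method": "GET", "url": "http://45.131.214.132:9000/download/rmm_agent.dll"},
    {"type": "task_created", "task_name": "RmmAgentCore", "trigger": "logon", "run_level": "highest"},
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dest_port": 9000, "protocol": "websocket"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-Process"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe readme.txt"},  # benign
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_port": 443,
     "protocol": "websocket"},  # benign: browsers legitimately speak WebSocket
]

if __name__ == "__main__":
    for rule, evs in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evs)} event(s)")
```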
Organizations relying solely on antivirus or reputation-based tools are strongly advised to incorporate dynamic sandbox analysis into their triage workflows to reduce dwell time for threats like SpankRAT.