SpankRAT Exploits Windows Explorer for Stealth Processes Delayed
A new threat, dubbed SpankRAT, is actively abusing Windows Explorer (explorer.exe) as an injection target to run its code under a trusted process, significantly delaying detection. By hiding inside a critical system component, the malware is difficult to spot through conventional, process-name-based means. Given its evasive tactics and the potential for prolonged compromise, security teams should hunt for the following indicators across their environments.
- C2 Servers: 45.131.214[.]132:9000 (HTTP staging + WebSocket C2), 166.1.144[.]109:9000 (alternate WebSocket C2 variant)
- Agent Hash (SHA-256): f0afbbb3c80e5347191452f2f3b147627e9d1ae4d60b61d6da900a60b35eec95
- Malicious Files: RmmAgentCore.exe (loader), rmm_agent.dll (payload), arc_agent.exe (standalone variant)
- Drop Path: C:\ProgramData
- Persistence Mechanism: Scheduled Task "RmmAgentCore", logon trigger, highest privileges
- Injection Target: explorer.exe
- Build Environment: Rust (Cargo); Windows MSVC + Linux cross-compile; dev paths indicate C:\Users\spank\.cargo and /root/.cargo
Mitigations
Security operations teams should prioritize behavioral detection rules that flag DLL injections into explorer.exe, unauthorized Scheduled Task creation with elevated privileges, and outbound WebSocket connections from non-browser system processes.
Hunting within SIEM or EDR telemetry for HTTP GET requests to paths matching */download/rmm_agent.dll* identifies SpankLoader staging activity, the step in which the loader fetches the rmm_agent.dll payload from the C2 server.
Organizations relying solely on antivirus or reputation-based tools are strongly advised to incorporate dynamic sandbox analysis into their triage workflows to reduce dwell time for threats like SpankRAT.
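The following is an added example, not code from the original article or from HackersRadar, that turns the IOC list above and the behavioral rules in this section into hunt logic and runs it over a small set of constructed telemetry records. The record schema (the "type" field and the Sysmon-like and proxy-like field names) and the list of browser images expected to speak WebSocket are assumptions for this example; the indicators themselves (C2 endpoints, SHA-256, file names, task name, drop path, staging URL pattern) are the ones listed on this page with defanged dots restored. Map the field names onto your own SIEM or EDR schema before using it.

```python
"""Hunt rules for the SpankRAT indicators and behaviours described above.

Added example (not the article's or HackersRadar's code). Telemetry
records are constructed for this example; field names are assumptions.
"""
import re

# Indicators from the IOC list on this page (defanged dots restored).
C2_ENDPOINTS = {("45.131.214.132", 9000), ("166.1.144.109", 9000)}
AGENT_SHA256 = "f0afbbb3c80e5347191452f2f3b147627e9d1ae4d60b61d6da900a60b35eec95"
MALICIOUS_FILES = {"rmmagentcore.exe", "rmm_agent.dll", "arc_agent.exe"}
DROP_DIR = "c:\\programdata\\"
TASK_NAME = "rmmagentcore"
STAGING_PATH = re.compile(r"/download/rmm_agent\.dll", re.IGNORECASE)

# Assumption: only these images are expected to open WebSocket sessions.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of every hunt rule a single telemetry record trips."""
    rules = []
    kind = ev.get("type")

    # Atomic IOC: any record whose destination is a listed C2 endpoint.
    if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
        rules.append("known_c2_endpoint")

    # Loader staging: HTTP GET for the payload DLL.
    if kind == "http_request" and STAGING_PATH.search(ev.get("url", "")):
        rules.append("staging_download")

    # WebSocket upgrade from a process that is not a browser.
    if kind == "network_connect":
        is_ws = ev.get("upgrade", "").lower() == "websocket"
        if is_ws and _basename(ev.get("image", "")) not in BROWSERS:
            rules.append("websocket_from_non_browser")

    # Sysmon EID 8-style CreateRemoteThread into explorer.exe from elsewhere.
    if kind == "remote_thread":
        target = _basename(ev.get("target_image", ""))
        source = _basename(ev.get("source_image", ""))
        if target == "explorer.exe" and source != "explorer.exe":
            rules.append("explorer_injection")

    # Sysmon EID 7-style ImageLoad of a listed DLL into any process.
    if kind == "image_load" and _basename(ev.get("loaded", "")) in MALICIOUS_FILES:
        rules.append("malicious_module_loaded")

    # Security EID 4698-style task creation: elevated + logon trigger, or the known name.
    if kind == "task_create":
        elevated = ev.get("run_level", "").lower() == "highestavailable"
        on_logon = "logon" in ev.get("trigger", "").lower()
        if elevated and on_logon:
            rules.append("elevated_logon_task")
        if ev.get("task_name", "").lower().strip("\\") == TASK_NAME:
            rules.append("spankrat_task_name")

    # File drop: name or hash match, flagged separately when under C:\ProgramData.
    if kind == "file_create":
        path = ev.get("path", "").lower()
        by_name = _basename(path) in MALICIOUS_FILES
        by_hash = ev.get("sha256", "").lower() == AGENT_SHA256
        if by_name or by_hash:
            rules.append("spankrat_file_in_programdata" if path.startswith(DROP_DIR)
                         else "spankrat_file")
    return rules


def hunt(events):
    """Run every rule over a stream of records; return [(rule, record), ...]."""
    return [(rule, ev) for ev in events for rule in classify(ev)]


# Constructed sample telemetry: two benign records, then the SpankRAT chain.
SAMPLE_EVENTS = [
    {"type": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "142.250.72.14", "dst_port": 443, "upgrade": "websocket"},
    {"type": "task_create", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "run_level": "LeastPrivilege", "trigger": "Weekly"},
    {"type": "http_request", "image": r"C:\ProgramData\RmmAgentCore.exe", "method": "GET",
     "url": "http://45.131.214.132:9000/download/rmm_agent.dll",
     "dst_ip": "45.131.214.132", "dst_port": 9000},
    {"type": "file_create", "image": r"C:\ProgramData\RmmAgentCore.exe",
     "path": r"C:\ProgramData\rmm_agent.dll", "sha256": AGENT_SHA256},
    {"type": "task_create", "task_name": r"\RmmAgentCore",
     "run_level": "HighestAvailable", "trigger": "AtLogon"},
    {"type": "remote_thread", "source_image": r"C:\ProgramData\RmmAgentCore.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "166.1.144.109", "dst_port": 9000, "upgrade": "websocket"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {ev['type']:16} {ev.get('image') or ev.get('source_image', '')}")
```

The benign Chrome WebSocket and the weekly defrag task produce no hits, while each step of the chain (staging GET to the C2, DLL drop under C:\ProgramData, elevated logon task, remote thread into explorer.exe, WebSocket C2 from explorer.exe) trips at least one rule. The behavioral rules (elevated logon task, explorer injection, non-browser WebSocket) are the ones worth keeping once the operators rotate IPs and hashes; the atomic IOC rules only catch this build.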
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.