Currently viewing ATT&CK v14.1 which was live between October 31, 2023 and April 22, 2024. Learn more about the versioning system or see the live site.
Thank you to Tidal Cyber and SOC Prime for becoming ATT&CK's first Benefactors. To join the cohort, or learn more about this program visit our Benefactors page.
  1. Home
  2. Software
  3. CrossRAT

CrossRAT

CrossRAT is a cross platform RAT.

ID: S0235
Type: MALWARE
Platforms: Linux, Windows, macOS
Version: 1.2
Created: 17 October 2018
Last Modified: 28 September 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

CrossRAT uses run keys for persistence on Windows.[1]
.013 Boot or Logon Autostart Execution: XDG Autostart Entries

CrossRAT can use an XDG Autostart to establish persistence.[2]
Enterprise T1543 .001 Create or Modify System Process: Launch Agent

CrossRAT creates a Launch Agent on macOS.[1]
Enterprise T1083 File and Directory Discovery

CrossRAT can list all files on a system.[1]
Enterprise T1113 Screen Capture

CrossRAT is capable of taking screen captures.[1]

Groups That Use This Software

ID Name References
G0070 Dark Caracal

[1]

References

  1. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  1. TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.