Cybercrime is increasingly being commoditized, significantly lowering the bar for hackers and making things tougher for defenders.
Researchers at Varonis have discovered a turnkey plug-and-play toolkit, dubbed Atroposia, that even the least experienced threat actor can effectively use for just $200 a month.
The remote access trojan (RAT) uses near-invisible tools and encrypted command channels to penetrate systems, scan them for more vulnerabilities to exploit, steal credentials, monitor user activity, and take over machines at will.
“What’s novel here is the sheer breadth of capabilities of Atroposia and how it’s been designed for low code/low skill cybercriminals,” said David Shipley of Beauceron Security. “These kinds of tools used to require more knowledge and experience and were much more elite in nature, if not also in expense.”
How Atroposia works
Atroposia is being promoted on underground forums as offering “a full complement of offensive capabilities.” These include hidden remote desktop takeover; vulnerability scanning; full remote system shutdown, restart and sleep capabilities; credential theft and privilege bypass; domain name service (DNS) hijacking; and error, report, and action outputs (among others).
Its control panel and plugin builder make it “surprisingly easy” to operate, according to Varonis researchers, and it is low-cost: $200 per month, $500 for three months, or $900 for six months.
All command-and-control (C2) server communications are encrypted, and the malware can escalate privileges via user account control (UAC) bypass to gain admin rights and install mechanisms that survive system reboots. The package’s hidden remote desktop, “HRDP Connect,” invisibly establishes sessions so users have no indication they’ve been taken over.
“Atroposia spawns a covert desktop session in the background, essentially an invisible shadow login, that attackers can use to interact with the system fully,” the researchers write in a blog post. “An intruder can surveil the users’ activities or piggyback on their authenticated sessions without detection.”
Hackers can open apps, view sensitive documents and emails, download or delete data, and manipulate workflows, becoming a “silent man-in-the-desktop.”
Atroposia’s built-in vulnerability scanner audits and identifies missing software patches, unsafe settings, bugs, and outdated VPN clients. The results are provided as a score or report, essentially giving the attacker a portrait of the system’s vulnerabilities.
Atroposia is designed to operate directly in memory and to bulk exfiltrate information. It does this with a grabber module that hunts for files by extension or keyword (such as all PDF or CSV files), then compresses them into a password-protected ZIP file for exfiltration, the Varonis researchers explain. This tactic leaves few traces.
The package also allows threat actors to monitor victim clipboards in real time and capture and log any cut-and-pasted information. Further, attackers can perform DNS hijacking to redirect traffic, inject ads or malware, deploy fake software updates, and create openings for phishing and man-in-the-middle campaigns.
“Attackers gain an initial foothold, strive for persistence, then attempt horizontal and vertical escalation, gaining more access on the compromised system and additional systems,” noted Martin Jartelius, AI product director at Outpost24.
RAT toolkits proliferating
Atroposia is one of a growing number of RAT tools targeting enterprises; Varonis has also recently discovered SpamGPT and MatrixPDF, a spam-as-a-service platform and malicious PDF builder, respectively.
Shipley noted that packages of this type, which identify additional avenues to maintain persistence, have been around for some time; Mirai, which goes back to 2016, is probably the most successful example.
However, Atroposia marks a “significant step” in the evolution of remote‑access toolkits, said Ensar Seker, CISO at threat intel company SOCRadar, as it blends several advanced features into a single plug‑and‑play package. Notably, the inclusion of built-in vulnerability scanning before an attacker even moves laterally is a “noteworthy escalation.”
“That’s a level of reconnaissance automation we typically see in sophisticated APT toolsets, not bundled RAT‑as‑a‑service kits,” said Seker.
An expansion of the threat landscape
Atroposia expands the threat landscape, Seker noted. Traditional defenses often assume a distinct chain: compromise, escalation, lateral movement, exfiltration. But this package compresses that chain and automates most of it.
The hidden remote desktop feature allows attackers to operate in the guise of a legitimate user session, he said. DNS hijacking at the host level means even HTTPS traffic may be routed to rogue infrastructure beneath the radar of many monitoring tools. And, because it lowers the bar and gives high-end toolkits to low‑skill actors, “asset containment and rapid detection become far more critical.”
Detecting this kind of malware is challenging but not impossible, Seker pointed out. Because Atroposia uses encrypted command channels and often hides its user interface (UI), defenders should hunt for anomalies such as unexplained shadow remote desktop protocol (RDP) sessions, unexpected DNS record changes, local vulnerability scans, and unusual clipboard activity.
Seker also advised validating asset inventory, checking for unknown remote desktop listeners or services, correlating abnormal user behavior (especially around privilege escalation or credential use) and integrating data‑access telemetry (such as file searching, compressing, and exfiltration) into alerting logic. Multi-factor authentication (MFA) is also critical, as are restricting admin accounts and isolating endpoints.
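One way to fold the file-search, compress, exfiltrate chain described above into alerting logic, as an added Python correlator over constructed endpoint telemetry (example code written for this article, not Varonis' or any vendor's detection; the event fields, process names, paths and the 203.0.113.10 address are all constructed):

```python
from collections import defaultdict
from datetime import datetime, timedelta
DOC_EXT = (".pdf", ".csv", ".docx", ".xlsx")   # extensions a grabber module sweeps by
ARCHIVE_EXT = (".zip", ".7z", ".rar")

def _ev(ts, pid, proc, kind, detail):
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "proc": proc, "kind": kind, "detail": detail}

# Constructed sample telemetry (not real Atroposia output): pid 4412 sweeps documents,
# writes an archive and connects out; pid 7001 is a user zipping two files (no alert).
SAMPLE_EVENTS = [
    _ev("2024-05-01T02:10:00", 4412, "updater.exe", "file_read", r"C:\Users\alice\Documents\q1.pdf"),
    _ev("2024-05-01T02:10:01", 4412, "updater.exe", "file_read", r"C:\Users\alice\Documents\payroll.csv"),
    _ev("2024-05-01T02:10:02", 4412, "updater.exe", "file_read", r"C:\Users\alice\Desktop\board.pdf"),
    _ev("2024-05-01T02:10:02", 4412, "updater.exe", "file_read", r"C:\Users\alice\Downloads\clients.csv"),
    _ev("2024-05-01T02:10:03", 4412, "updater.exe", "file_read", r"C:\Finance\fy24.xlsx"),
    _ev("2024-05-01T02:10:09", 4412, "updater.exe", "file_write", r"C:\Users\alice\AppData\Local\Temp\out.zip"),
    _ev("2024-05-01T02:11:30", 4412, "updater.exe", "net_connect", "203.0.113.10:443"),
    _ev("2024-05-01T09:15:00", 7001, "explorer.exe", "file_read", r"C:\Users\alice\Documents\a.pdf"),
    _ev("2024-05-01T09:15:05", 7001, "explorer.exe", "file_read", r"C:\Users\alice\Documents\b.pdf"),
    _ev("2024-05-01T09:15:20", 7001, "explorer.exe", "file_write", r"C:\Users\alice\Documents\a_b.zip"),
]

def detect_grab_and_exfil(events, window_s=600, min_files=5):
    """Flag each process that reads >= min_files document files, then writes an
    archive, then opens an outbound connection, all within window_s seconds of
    the archive write. Returns one dict per (process, archive) hit."""
    window = timedelta(seconds=window_s)
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    hits = []
    for pid, evs in by_pid.items():
        reads = [e["ts"] for e in evs if e["kind"] == "file_read"
                 and e["detail"].lower().endswith(DOC_EXT)]
        archives = [e for e in evs if e["kind"] == "file_write"
                    and e["detail"].lower().endswith(ARCHIVE_EXT)]
        conns = [e for e in evs if e["kind"] == "net_connect"]
        for a in archives:
            n = sum(1 for t in reads if a["ts"] - window <= t <= a["ts"])
            if n < min_files:
                continue  # too few documents swept before the archive to look like a grab
            dest = next((c["detail"] for c in conns if a["ts"] <= c["ts"] <= a["ts"] + window), None)
            if dest is None:
                continue  # archive with no follow-on connection: not alerted by this rule
            hits.append({"pid": pid, "proc": a["proc"], "files": n, "archive": a["detail"], "dest": dest})
    return hits
if __name__ == "__main__":
    for h in detect_grab_and_exfil(SAMPLE_EVENTS):
        print(f"ALERT pid={h['pid']} {h['proc']}: {h['files']} documents -> {h['archive']} -> {h['dest']}")
```

The thresholds and the event schema are placeholders; in a real pipeline they map onto whatever file, process and network events the EDR or Sysmon configuration already emits.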
“Regular patch management remains essential,” said Seker, “but now must be paired with behavioral monitoring and network‑layer anomalies because toolkits like Atroposia are built to thrive in environments where known vulnerabilities still exist.”
Beauceron’s Shipley agreed. “The fundamentals still matter,” he emphasized. Good defense in depth means good perimeter security tools (e-mail filters, DNS and next-gen firewalls), endpoint protection, quick reaction protocols, and continued education.
But it’s not all doom and gloom; there is a potential upside, Shipley asserted. This trend of malware consumerization indicates that criminals are just as challenged as defenders in their search for talent. As a result, they must build new tools to overcome the lack of fundamental enterprise security knowledge.
Ultimately, “this is part of the consumerization of cybercrime,” said Shipley. “Pair this up with recruitment and radicalization efforts like The Comm and you have the perfect witch’s brew to conjure up more digital crime scalability.”