Lone Russian RAT operator rivals large gangs with £5 "passion project"

Russian hacking on a laptop mockup with code sprawling over the screen
(Image credit: Getty Images)

A lone Russian cyber criminal is achieving similar levels of success as massive organised cyber crime groups by selling a custom commercial remote access Trojan (RAT) for relative pennies.

Tracking the lone actor since 2018, the BlackBerry ThreatVector team has revealed that this individual appears to have built and maintained the DarkCrystal RAT (DCRat) by themselves. They operate under the known aliases boldenis44, crystalcoder, and Кодер (‘Coder’).

DCRat is mainly sold on underground Russian forums, and researchers note that, given the dramatically low price of the tool – £5 for a two-month subscription, a fraction of the price of commercial rivals – it could feasibly be a simple “passion project” for the actor.

“Unlike the well-funded, massive Russian threat groups crafting custom malware to attack universities, hospitals, small businesses and more, this RAT appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget,” said BlackBerry ThreatVector in a blog post.

Given the price of DCRat, which is one of the cheapest commercial RATs researchers have ever encountered, the tool has proven popular with both professional threat actors and inexperienced “script kiddies”.

Researchers also noted that DCRat appears to be under active development. New features and bug fixes are regularly pushed to the administrator tool, which is one of the RAT’s three key components, alongside a stealer/client executable and a single PHP page serving as the C2 endpoint.

The RAT’s main capabilities include surveillance, reconnaissance, information theft, DDoS attacks, and code execution.

“Niche” development

Coder's choice of language was a focal point of BlackBerry ThreatVector’s report since its administrator tool was written in JPHP – an “obscure” implementation of PHP that runs on a Java virtual machine (VM).

Researchers said the threat actor could have used the unpopular language as a way to evade detection, or they simply didn't have expertise in more modern frameworks.

JPHP is primarily used to build cross-platform desktop games, and its cross-platform nature lends itself well to malware.

Other corners of the cyber security industry have noted a rise in threat actors using Google’s cross-platform Go language to design ransomware for maximum impact.

Coder also used a “niche” Russian integrated development environment (IDE) to write the RAT. Its GitHub page indicates that the IDE is still in its beta stage of development, but it has been used to build a small number of other malware strains in years gone by.

Researchers also noted that the choice of language, coupled with a “bizarrely non-functional” infection counter built into the RAT’s user interface – which displays inaccurate data to make the tool appear more popular than it is – points to a novice actor.

“While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity,” said the researchers. “More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.”

Marketing and distribution

The RAT is officially hosted only on the lolz[.]guru Russian hacking forum, researchers said, where there is a dedicated section of the site for DCRat including support topics reserved only for registered users. Pre-sales queries are also handled on the forum.

As with many malware strains, distribution is also common on Discord and Telegram channels. The RAT has a dedicated Telegram channel, too, with more than 2,000 subscribers keeping up to date on new builds and general news related to the tool.

Researchers also spotted two dedicated Telegram bots designed to handle sales of the RAT – one for processing sales and another to deal with technical support.

Coder occasionally offers limited-time discounts for DCRat. Beyond the £5 two-month licence, the other prices are £17 for a year-long licence and around £32 for lifetime access.

Connor Jones