This potent malware variant can hijack your Windows PC, steal passwords, and more: Neptune RAT is spreading on GitHub, Telegram, and even YouTube – and experts warn 'anyone could use it to launch attacks'

Neptune RAT can hijack Windows PCs and steal passwords – and it's spreading fast

Emma Woollacott's avatar
By
published
in News
Neptune RAT malware concept image showing a skull and crossbones in binary code against a red colored backdrop.
(Image credit: Getty Images)

A new version of the Neptune RAT malware has emerged, security researchers have warned, and is spreading on GitHub, Telegram, and even YouTube.

The remote access trojan is 'an extremely serious threat' being offered on the ransomware-as-a-service model, according to researchers at Cyfirma.

Affecting Windows devices, it hijacks Chromium-based browsers including Chrome, Brave, and Opera using a Chromium.dll attack that decrypts stored login data and installs itself as a scheduled Windows task.

It includes a crypto clipper and a password stealer with the ability to exfiltrate the credentials of more than 270 different applications, along with ransomware capabilities and live desktop monitoring.

Advanced anti-analysis techniques and persistence methods, such as modifying the Windows Registry and adding tasks to the Task Scheduler, mean it can maintain its presence on the victim’s system for extended periods of time.

"The analysis of the latest version of Neptune RAT reveals a sophisticated and highly dangerous piece of malware designed for persistent, covert operations on Windows systems," Cyfirma researchers said.

"Its ability to generate direct PowerShell commands (using irm and iex) enables seamless delivery and execution, effectively bypassing traditional security measures. It also has the capability to destroy Windows OS and features advanced password-grabbing functionalities."

Neptune RAT lowers the bar for cyber criminals

The new version has been made available without the source code, making analysis more challenging. Notably, it's being offered via an unusual model, with the developer claiming that while it's free to use, there's a more advanced version behind a paywall.

Chris Hauk, consumer privacy advocate at Pixel Privacy, said the emergence of the new Neptune RAT variant shows the “try it before you buy it era of malware has arrived”.

“Neptune RAT is available as a download from GitHub, making it available to a wider variety of internet users than usual," he said.

"As antivirus and anti-malware apps have not yet been able to detect and remove Neptune RAT, internet users will need to stay alert and practice safe computing by not clicking on links or opening attachments that are shared by unknown users."

Paul Bischoff, consumer privacy advocate at Comparitech, echoed Hauk’s comments, noting that the accessibility of the variant will have wide-reaching implications for consumers and enterprises alike and lower the barrier of entry for cyber criminals.

"The maker of Neptune RAT is giving their malware out for free, so it's not just one hacker group we need to worry about," he said.

"Anyone could use it to launch attacks through email, text, ads, or download links. Once the malware has infected a system, it is extremely destructive, dangerous, and hard to remove."

Given its anti-detection features, the new Neptune RAT version is hard to avoid, Cyfirma researchers said, adding that this poses a “significant risk to both individuals and organizations”.

"Continuous monitoring, robust endpoint protection, and proactive threat detection strategies are crucial to mitigating the impact of this malware."

MORE FROM ITPRO

Emma Woollacott
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

Latest
You might also like
View More ▸