MostereRAT Exploits AnyDesk and TightVNC for Remote Access on Windows Systems
gbhackers
Cybersecurity researchers at FortiGuard Labs have uncovered a sophisticated phishing campaign that deploys the MostereRAT remote access trojan to compromise Windows systems.
The malware leverages advanced evasion techniques and installs legitimate remote access tools like AnyDesk and TightVNC to maintain persistent, covert access to infected machines.
The attack begins with carefully crafted phishing emails targeting Japanese users, designed to appear as legitimate business inquiries.
Victims are directed to malicious websites that automatically download a weaponized Word document containing an embedded ZIP archive. The document displays a single instruction in English: “OpenTheDocument,” directing users to extract and execute the contained file.
Part of the attack flow and its C2 domains were mentioned in a 2020 public report as being associated with a banking trojan.

It contains encrypted components bundled within its resources, including images of famous people used as decoys.
MostereRAT employs CreateSvcRpc, a custom ...
Copyright of this story solely belongs to gbhackers.