WarzoneRAT Returns With Multi-Stage Attack Post FBI Seizure

Key Takeaways

  • In February, the FBI took down the WarzoneRAT malware operation, seizing its infrastructure and arrested two individuals linked to the cybercrime operation. 
  • Recently, Cyble Research and Intelligence Labs (CRIL) observed few samples of malware campaign possibly distributed via tax-themed spam emails, deploying WarzoneRAT (Avemaria) as the final payload. 
  • In first case, the compressed attachment contains a LNK file that downloads an HTA file, initiating a PowerShell command to download a VBScript file.  
  • This VBScript is further downloading and executing the next-stage PowerShell payload, which then injects the final payload into RegSvcs.exe utilizing Reflective loading technique
  • In another case, the compressed attachment contains an executable file that, upon execution, loads the malicious WarzoneRAT DLL module through DLL sideloading technique
  • Finally, WarzoneRAT initiates malicious activities on the victim’s machine, establishing a connection to the Command-and-Control (C&C) server. 


Cyble Research & Intelligence Labs (CRIL) recently observed a campaign with tax-themed, possibly propagated through spam emails. Upon investigation, it was determined that the campaign spread WarzoneRAT (Avemaria) malware. AveMaria is a Remote Administration Tool (RAT) malware equipped with remote control capabilities, enabling it to receive commands from a Command and Control (C&C) server and execute various malicious actions.

This nefarious RAT was initially detected spreading through a malicious phishing campaign in 2018. In mid-February, the FBI disrupted the WarzoneRAT malware operation, seizing infrastructure and apprehending two individuals linked to the cybercrime scheme. Later in February, ThreatMon shared screenshots of an advertisement for WarZoneRAT v3, showcasing several new features aimed at improving its efficacy.

In the first scenario, the initial infection started with an archive file attached to a spam email with the subject “taxorganizer2023.” After extracting the archive file, a shortcut file disguised as a PNG file named “taxorganizer2023.png.lnk” is found. If a user mistakenly perceives this shortcut as an image and executes it. In that case, the LNK file launches a PowerShell command to download and extract an archive file, subsequently running an HTA file contained within it. Upon execution of the HTA file, it retrieves a PowerShell script in memory, which then downloads a VBScript file from a remote server. After execution of the VBScript, a CMD file is dropped, initiating another PowerShell script that deploys the final payload identified as WarzoneRAT (Avemaria).