Phishing attacks are evolving, blending deception with stealth and persistence. Fortinet’s FortiGuard Labs has uncovered a troubling new campaign using “MostereRAT,” malware that began as a banking trojan and has since matured into a fully functional remote access Trojan (RAT). The campaign’s hallmarks include the use of an obscure programming language, tampering with security tools, and abusing trusted software to quietly embed itself within victim environments.
Targeting Japanese Windows Users
The campaign primarily targets Microsoft Windows users in Japan. Malicious emails posing as routine business inquiries lure victims into clicking a link to a compromised website. Once the link is clicked, the site triggers the automatic download of a weaponized Word document containing an embedded archive file. Each layer of this chain (a link rather than an attachment, a document rather than an executable, an archive inside the document) gives the payload another chance to slip past basic email and attachment filtering, while the victim is still the one who opens the document and executes its contents.
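The lure format described above, a Word document carrying an embedded archive, is something a mail gateway or analyst can check for without executing anything. The following script is an added example and is not Fortinet's code or anything from the campaign itself: it opens a .docx as the zip container it is, inspects only the members Word uses for embedded objects, and flags any that are archives. The sample documents it builds in memory are constructed for the demonstration; the fake OLE header, the member names and the signature table are assumptions about typical Word output, and a production scanner should parse the compound-file structure properly (for example with oletools) rather than rely on the signature heuristic used here.

```python
# Added example (not Fortinet's or the campaign's code): flag Office documents
# that carry an embedded archive, the lure format described in the article.
import io
import zipfile
from typing import List, Optional, Tuple

# Leading bytes of common archive containers.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
# Header of an OLE compound file, which is what Word writes for embedded
# "Package" objects under word/embeddings/.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Members Word uses for embedded objects and attached media (assumed layout).
EMBED_PREFIXES = ("word/embeddings/", "word/media/")


def sniff_archive(blob: bytes) -> Optional[str]:
    """Return the archive type of blob, or None if no signature is found.

    Raw archives are recognised by their leading signature. For OLE package
    objects the payload sits inside an Ole10Native stream, so this heuristic
    searches the whole object for an archive signature instead of parsing the
    compound-file structure (a real scanner should extract the stream first).
    """
    for magic, kind in ARCHIVE_MAGIC.items():
        if blob.startswith(magic):
            return kind
    if blob.startswith(OLE_MAGIC):
        for magic, kind in ARCHIVE_MAGIC.items():
            if blob.find(magic, len(OLE_MAGIC)) != -1:
                return kind
    return None


def find_embedded_archives(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """List (member path, archive type) for every embedded archive in a .docx.

    A .docx is itself a zip container, so the outer file is opened with
    zipfile; only the embedded-object members are read, the XML parts are
    left alone.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(EMBED_PREFIXES):
                continue
            kind = sniff_archive(zf.read(info.filename))
            if kind is not None:
                hits.append((info.filename, kind))
    return hits


def build_inner_zip() -> bytes:
    """Constructed stand-in for the attacker's archive: a zip with one file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.bin", b"constructed sample content, not a real payload")
    return inner.getvalue()


def build_sample_docx(embedded_payload: Optional[bytes]) -> bytes:
    """Construct a minimal .docx in memory (sample input, not a real lure).

    When embedded_payload is given it is placed after a fake OLE header and
    one 512-byte sector of padding to stand in for a Word "Package" object;
    this is not a valid compound file, but it is enough for the heuristic.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if embedded_payload is not None:
            zf.writestr("word/embeddings/oleObject1.bin",
                        OLE_MAGIC + b"\x00" * 504 + embedded_payload)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx(build_inner_zip())
    clean = build_sample_docx(None)
    print("suspicious:", find_embedded_archives(suspicious))  # [('word/embeddings/oleObject1.bin', 'zip')]
    print("clean:", find_embedded_archives(clean))            # []
```

Run against a real document with `find_embedded_archives(open("file.docx", "rb").read())`; a non-empty result is a reason to quarantine the message and extract the object for closer inspection, not proof of malice on its own, since legitimate documents can also embed zip files.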
Advanced Evasion and Persistence
According to Fortinet researcher Yurren Wan, MostereRAT is engineered for long-term infiltration. Its features include disabling antivirus programs, undermining endpoint defenses, and mimicking legitimate IT processes to avoid suspicion. “The malware’s design reflects long-term, strategic, and flexible objectives,” Wan explains, noting its ability to extend functionality, deploy additional payloads, and retain control over compromised systems. That flexibility lets attackers make full use of a compromised machine, whether by staging further tooling or by quietly keeping access to the data on it.
Broader Implications
Though the campaign currently appears geographically confined to Japan, its sophistication signals broader risks. The abuse of trusted tools and the emphasis on stealth highlight a growing trend in which attackers prioritize persistent access over smash-and-grab operations. Cybersecurity experts warn that if MostereRAT campaigns spread beyond Japan, organizations worldwide could face heightened threats, particularly those relying heavily on Windows-based infrastructure.
Defensive Measures
Fortinet advises users to remain cautious of unsolicited business emails, enable multi-layered endpoint protection, and apply security patches promptly. Because the malware hides behind legitimate-looking IT activity and trusted software, organizations are urged to watch for remote-access or administrative activity that does not match a known change or support ticket. As campaigns like the one delivering MostereRAT evolve, proactive defense and vigilance remain the most effective countermeasures.