Cyber Security News

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated Windows RAT that, initially detected in 2023, employs advanced evasion tactics and robust C2 capabilities to target Indian government agencies, diplomatic personnel, and military installations. 

The group leverages multiple platforms, including Windows, Linux, and Android, to broaden its attack surface as the latest ElizaRAT iterations introduce new deployment methods, payloads, and infrastructure, making it a persistent and evolving threat to India’s critical infrastructure. 

ElizaRAT, a malicious software, leverages SlackAPI.dll, identified by its MD5 hash 2b1101f9078646482eb1ae497d44104, to facilitate covert communication through Slack channels. 

Circle Chain Infection

CPL files, commonly associated with Windows settings, are exploited as a delivery mechanism.

Once executed, the malware extracts sensitive information from Userinfo.dll and transmits it to a remote server, which periodically checks for new instructions, enabling remote control over the compromised system.

It leverages Slack’s API for command and control by continuously polling a specific channel (C06BM9XTVAS) using the ReceiveMsgsInList() function and retrieving messages via the conversations.history endpoint. 

By utilizing a bot token and victim ID, it provides authentication and identification, and to issue commands, ElizaRAT employs the SendMsg() function, posting messages to channel C06BWCMSF1S through the chat.postMessage endpoint. 

The malware can also upload stolen files using the SendFile() function and the files.upload endpoint.

For file downloads, DownloadFile() retrieves files from URLs provided by the attacker and saves them on the compromised system, likely utilizing HttpClient for secure communication with the download server. 

Slack API.dll communicating IP address.

The SlackAPI.dll file has been identified as malicious by multiple security vendors, which communicates with known malicious IP addresses and exhibits behaviors associated with the MITRE ATT&CK framework. 

It is potentially linked to the ElizaRAT and ApoloStealer campaigns and leverages the rundll32.exe process to execute malicious activities and persist on infected systems.

Circle ElizaRAT, a new variant of ElizaRAT malware that emerged in January 2024, utilizes a dropper component for enhanced evasion, and by targeting Indian systems, it checks the time zone and stores victim data in the %appdata%\CircleCpl folder. 

This variant leverages a VPS for C2 communication, making detection difficult, and retrieves the victim’s IP address and possibly downloads the SlackFiles.dll payload, suggesting a link between the Circle and Slack campaigns. 

HTTP stream example

The circulatedrop.dll is a malicious payload associated with the ElizaRAT malware, which leverages Google Cloud C2 to receive commands and download subsequent payloads from VPS servers. 

Scheduled tasks and rundll32.exe are used to carry out the execution of these payloads, which are disguised as legitimate files such as SpotifyAB.dll or Spotify-news.dll. 

According to Reco, the campaign utilizes multiple IP addresses, some of which are flagged as malicious by numerous security vendors and are linked to known vulnerabilities that exhibit aggressive activity, particularly on specific dates, suggesting targeted attacks.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Ratatouille Malware Bypass UAC Control & Exploits I2P Network to Launch Cyber Attacks

A newly discovered malware, dubbed "Ratatouille" (or I2PRAT), is raising alarms in the cybersecurity community…

1 minute ago

Sandworm APT Hackers Weaponize Microsoft KMS Activation Tools To Compromise Windows

In a sophisticated cyber-espionage operation, the Russian state-sponsored hacking group Sandworm (APT44), linked to the…

5 minutes ago

Hackers Can Exploit “Wormable” Windows LDAP RCE Vulnerability for Remote Attacks

A critical new vulnerability in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP), tagged as CVE-2025-21376,…

47 minutes ago

Google Chrome’s Safe Browsing Now Protects 1 Billion Users Worldwide

Google's Safe Browsing technology now ensures enhanced protection for over 1 billion Chrome users worldwide.…

1 hour ago

Critical Ivanti CSA Vulnerability Allows Attackers Remote Code Execution to Gain Restricted Access

A critical vulnerability has been discovered in the Ivanti Cloud Services Application (CSA), potentially allowing…

2 hours ago

Critical OpenSSL Vulnerability Let Attackers Launch Man-in-the-Middle Attacks

A high-severity security vulnerability (CVE-2024-12797) has been identified in OpenSSL, one of the most widely…

3 hours ago