Recently, security researchers have discovered a new version of Windows malware that opens the RDP port on the Windows PCs for future remote access.

The security researcher of SentinelOne, Jason Reaves, has revealed that this new version of malware is known as ‘Sarwent,’ and it has been in use since 2018.

Currently, this new version of the Sarwent malware is actively getting attention from several security experts.

A tweet from the security researcher, Vitali Kremez, surfaced at the beginning of this year, 2020, in which he mentioned a few information about this Sarwent malware.

Security experts have also clarified that it is not yet confirmed, exactly how Sarwent is distributed, it may be possible that this may happen through other malware. Moreover, the earlier versions of Sarwent were developed to install additional malware on compromised PCs.

Apart from this, the operators of Sarwent malware are most likely serving to sell access to these compromised systems on the hackers’ portals and forums, as it’s one of the most common methods to monetize the RDP-capable hosts.

Sarwent Infection Functionality

Sarwent malware is still being actively developed and used by the hackers, but, with new commands and a focus on Remote Desktop Protocol (RDP). The new version of Sarwent stands out for its ability to execute custom CLI commands through the Windows Command Prompt and PowerShell utilities. 

Although this new feature is highly intrusive on its own, but, the security experts have claimed that Sarwent also received another new feature with the update, and it’s the ability to registers a new Windows user account on each infected host.

Once Sarwent is active on a system, the malware creates a new Windows user account, modifies the Firewall, and then opens the RDP ports.

In short, the attackers will be able to use the new Windows user they created on the infected system to access the host without being blocked by the Windows firewall.

According to the security researcher of SentinelOne, Jason Reaves, this is done in order to gain future remote access on the compromised system. This may involve the attackers themselves, but the investigator does not rule out the possibility that the RDP access is resold to other criminals.

The limited number of original commands clearly shows that the functionality of this malware, ‘Sarwent,’ historically loops around being a loader, and here are the limited original commands:-


But, recently, the attackers have modified the Sarwent malware to add a few number of commands that mainly concentrate on the backdoor or RAT like abilities, and here are the new addition of commands:-


Apart from this, the operators behind Sarwent malware may use the RDP access for themselves only, to steal the proprietary data or install ransomware, or they can rent the RDP access to other hackers, as we told earlier.

Indicators of Compromise (IOC)

Along with the description of the malware, the security expert at SentinelOne, Jason Reaves, has also presented the indicators of compromise (IOCs).


An IOC is a sign to detect the presence of a specific threat like this within the network, and these include IP addresses, hashes, and domains.

So, what do you think about this? Share your views and thoughts in the comment section below.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Please enter your comment!
Please enter your name here