Thursday, May 1, 2025
HomeCyber AttackNotorious WrnRAT Delivered Mimic As Gambling Games

Notorious WrnRAT Delivered Mimic As Gambling Games

Published on

SIEM as a Service

Follow Us on Google News

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games like Badugi, Go-Stop, and Hold’em to disguise itself as a malicious program. 

The attackers created a fraudulent gambling website that, when accessed, prompts users to download a game launcher.

Instead of initiating the game, the launcher installs the malicious WrnRAT software. 

- Advertisement - Google News

Once installed, WrnRAT grants attackers remote control over the infected system, enabling them to steal sensitive information and potentially execute further malicious actions. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Deceitful page for downloading gambling games
Deceitful page for downloading gambling games

Malware, likely initially installed through a Korean-commented batch script, is distributed via platforms like HFS.

HFS acts as a dropper, introducing additional malware into the system. The malware’s primary function appears to be data theft, and it could particularly target sensitive information.

The .NET-based dropper malware, disguised as installers, infiltrates systems. Upon execution, it spawns a launcher and the WrnRAT trojan, masking it as “iexplorer.exe” within an Internet Explorer directory. 

Platforms used for malware distribution
Platforms used for malware distribution

The launcher is responsible for initiating WrnRAT, which enables it to carry out malicious activities.

After that, the launcher self-destructs, leaving behind the stealthy WrnRAT trojan, which can compromise the system.

WrnRAT, a Python-based malware, is distributed as an executable file that primarily functions as a screen capture tool.

It transmits captured images to a remote server and is also capable of gathering fundamental system information and terminating particular processes. 

Dropper and launcher malware
Dropper and launcher malware

With the deployment of additional malware to manipulate firewall settings, the threat actor further enhances the attack, which may make it more difficult to detect and respond to the threat.

It is a remote access Trojan (RAT) capable of executing various malicious commands and can request and transmit system information, including IP address, MAC address, client ID, and gateway. 

Configuration data of WrnRAT
Configuration data of WrnRAT

It can also control screen capture functionality, including enabling or disabling monitoring and setting capture delay and quality by terminating specific target processes on the infected system.

Recent cyberattacks have targeted people who are interested in gambling games, specifically those who play 2-player go-stop, hold’em, and badugi, according to the ASEC

Malicious actors are distributing malware disguised as these games to steal sensitive information, including gameplay screenshots.

This allows attackers to monitor user activity, potentially leading to financial loss for both legitimate and illegitimate players. 

To mitigate this threat, users should exercise caution when downloading game installers, avoid suspicious sources, and keep antivirus software like V3 updated. This is crucial to ensure robust protection against such attacks.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...

Commvault Confirms Zero-Day Attack Breached Its Azure Cloud Environment

Commvault, a global leader in data protection and information management, has confirmed that a...

FBI Uncovers 42,000 Phishing Domains Tied to LabHost PhaaS Operation

The Federal Bureau of Investigation (FBI) has revealed the existence of 42,000 phishing domains...

Tor Browser 14.5.1 Released with Enhanced Security and New Features

The Tor Project has announced the official release of Tor Browser 14.5.1, introducing a...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...

Commvault Confirms Zero-Day Attack Breached Its Azure Cloud Environment

Commvault, a global leader in data protection and information management, has confirmed that a...

FBI Uncovers 42,000 Phishing Domains Tied to LabHost PhaaS Operation

The Federal Bureau of Investigation (FBI) has revealed the existence of 42,000 phishing domains...