Remote Access Trojan (RAT) - what it is, how it operates, and how to detect and remove it

Remote Access Trojan (RAT)

What it is

A Remote Access Trojan is malware that pretends to be legitimate software but secretly installs a back door. Once running, it gives an outsider admin-level control of the device: they can browse files, capture screens and keystrokes, turn on the mic or camera, and drop more payloads. RATs often arrive via phishing attachments or cracked installers and are built to hide, persist, and reconnect after the victim reboots. Background and examples: https://gridinsoft.com/blogs/remote-access-trojan-meaning/

Why it matters

With live remote control, an attacker can steal credentials and data, move laterally, and stage ransomware or fraud. The longer a RAT stays hidden, the bigger the damage.

How it works - quick tour

  • Entry: phished docs, malicious installers, or drive-by downloads.

  • Establish: drops to AppData/ProgramData, creates Run keys or Scheduled Tasks.

  • Control: beacons to a command server, receives instructions, streams data out.

  • Expand: downloads additional tools like stealers or encryptors on demand.

Red flags

  • New autoruns launching random-named EXEs from user folders.

  • Unfamiliar processes making steady outbound connections to dynamic DNS or odd ports.

  • Sudden prompts to allow an unknown app through the firewall.

  • EDR hits for keylogging, screen capture, or clipboard access.

Prevent it

  • Block risky attachments and disable Office macros from the internet.

  • Enforce phishing-resistant MFA and rotate sessions after cleanup.

  • Keep systems patched and restrict local admin rights.

  • Monitor for new Scheduled Tasks, Run keys, and unusual outbound traffic.

  • If suspected, isolate the host, collect triage data, scan, and reimage if integrity is uncertain.
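
The autorun red flag and the monitoring step above, as an added example that is not part of the original page: a Python triage pass over constructed autorun records (Run keys and Scheduled Tasks) that flags entries launching from user-writable folders or carrying random-looking file names. The record layout, the folder list and the name heuristic are assumptions made for illustration.

```python
import ntpath
import re

# Assumed list of user-writable locations (the page names AppData/ProgramData).
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp|users\\public)\\", re.I)
EXE_RE = re.compile(r'^\s*"?(.+?\.exe)\b', re.I)

def exe_path(command):
    """Return the first .exe path in an autorun command line, or None."""
    m = EXE_RE.match(command)
    return m.group(1) if m else None

def looks_random(stem):
    """Crude heuristic: long names with almost no vowels or many digits."""
    s = stem.lower()
    letters = [c for c in s if c.isalpha()]
    if len(s) < 6 or not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters) / len(letters)
    digits = sum(c.isdigit() for c in s) / len(s)
    return vowels < 0.2 or digits > 0.3

def triage(entries):
    """Return (source, name, path, reasons) for every entry with a red flag."""
    findings = []
    for e in entries:
        path = exe_path(e["command"])
        if not path:  # script hosts, DLL launchers etc. need separate review
            continue
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("user-writable path")
        if looks_random(ntpath.splitext(ntpath.basename(path))[0]):
            reasons.append("random-looking name")
        if reasons:
            findings.append((e["source"], e["name"], path, reasons))
    return findings

# Constructed sample records, not taken from a real host.
SAMPLE = [
    {"source": "HKCU Run", "name": "OneDrive",
     "command": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"source": "HKCU Run", "name": "Updater",
     "command": r'C:\Users\alice\AppData\Roaming\xkqzvbtw.exe'},
    {"source": "Scheduled Task", "name": "SyncSvc",
     "command": r'"C:\ProgramData\a8f3k29d\helper.exe" -s'},
    {"source": "Scheduled Task", "name": "Backup",
     "command": r'C:\Program Files\Vendor\backup.exe /nightly'},
]

if __name__ == "__main__":
    for source, name, path, reasons in triage(SAMPLE):
        print(f"{source:15} {name:10} {path}  [{', '.join(reasons)}]")
```

Legitimate per-user software also installs under AppData, so treat the output as leads to verify (signer, creation time, network activity) rather than verdicts.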
