Dark RAT Malware: Inside the Android Remote Access Trojan Targeting Victims Worldwide
Cybercriminals are constantly evolving their tactics, and the Dark RAT malware is a prime example of how commodity threats remain dangerous. Uncovered by Fujitsu Cyber Threat Intelligence in March 2017, this remote access trojan (RAT) is marketed as a Fully Undetectable (FUD) build, offering attackers a cheap and effective way to steal sensitive data. With a tiered pricing model and even an Android version, Dark RAT highlights the growing convergence of mobile and desktop threats.
What Is Dark RAT Malware and How Does It Work?
Dark RAT is a remote access trojan designed to infiltrate systems and exfiltrate private information. The developer offers it as a FUD build, meaning it can evade many antivirus programs. This makes it especially appealing to low-level cybercriminals—often called “average attackers”—who rely on commodity malware rather than sophisticated exploits.
The malware includes an Android variant, reflecting a broader trend in mobile malware. In 2015, authorities arrested several suspects linked to DroidJack, another Android RAT. More recently, Check Point identified adware on the Google Play Store that infected over 10,000 users. These incidents underscore the rising risk of mobile threats.
Dark RAT Features: Credential Theft and Keylogging
Although Dark RAT is not revolutionary, its features are highly effective for data theft. The trojan can capture browser credentials, log keystrokes, and steal login details from platforms like Steam and Skype. These capabilities allow attackers to compromise accounts and move laterally within networks.
According to metadata in the RAT builder, the developer used an unpaid evaluation copy of Resource Tuner from HeavenTools. This detail suggests the malware was created with limited resources, yet it still poses a serious threat.
Pricing Model: A Three-Tiered Approach
Dark RAT comes with three pricing tiers, including a trial version. Each tier offers varying levels of functionality, such as administrative controls and Android APK generation. This model makes the malware accessible to a wide range of attackers, from hobbyists to more organized groups.
Who Are the Victims of Dark RAT?
Fujitsu’s analysis revealed victims across multiple countries, including Russia, Ukraine, Sweden, the Czech Republic, and Kazakhstan. The geographic spread shows that commodity malware like Dark RAT does not discriminate—it can target anyone with weak security defenses.
This is not an isolated case. In November 2016, Fujitsu reported a similar operation targeting Middle Eastern businesses using KeyBase malware. The pattern is clear: remote access trojans remain a persistent threat, even if they lack the complexity of advanced persistent threats (APTs).
How to Protect Against Android Remote Access Trojans
Organizations cannot afford to ignore threats like Dark RAT malware. While they may not make headlines like APT attacks, they are far more common and can cause significant damage. A robust defense strategy includes three key components:
- Security education programs: Train employees to recognize phishing emails and suspicious downloads.
- Threat intelligence systems: Use services like Fujitsu Cyber Threat Intelligence to stay informed about emerging malware.
- Incident response plans: Prepare for a breach with clear protocols to minimize damage.
Beyond these three components, mobile device management (MDM) solutions can help prevent Android malware infections. Regularly updating software and using reputable app stores also reduces risk. As the threat landscape evolves, complacency is no longer an option.