
SpankRAT Exploits Windows Explorer Processes for Stealth and Delayed Detection

Cybersecurity News, Apr 16, 2026


A newly identified two-component Remote Access Trojan (RAT) toolkit built in Rust, dubbed SpankRAT, is being used by threat actors to abuse legitimate Windows processes, bypass reputation-based security controls, and maintain persistent access to compromised environments while largely evading detection on VirusTotal.

Researchers at ANY.RUN have identified and analyzed the SpankRAT toolkit, flagging it as a significant stealth threat because it routes C2 traffic through trusted system processes. Because the malicious network activity originates from legitimate Windows binaries, the toolkit can evade reputation-based detection controls and be deprioritized during triage, drastically reducing SOC visibility and increasing the risk of a missed compromise.

The SpankLoader: First Stage of Attack

The attack chain begins with SpankLoader, a lightweight first-stage loader that retrieves the primary payload from a command-and-control (C2) server over unencrypted HTTP. Upon execution, SpankLoader escalates privileges using SeDebugPrivilege, drops a malicious DLL (rmm_agent.dll) to C:\ProgramData\, and injects it into the legitimate explorer.exe process using classic DLL injection techniques. To persist across reboots, SpankLoader creates a Scheduled Task named RmmAgentCore with a logon trigger and highest-privilege execution.

Injecting into explorer.exe is especially dangerous because malware-generated network traffic appears to originate from a trusted, built-in Windows process, masking the true nature of the activity from traditional endpoint and network detection solutions.

SpankRAT: Full-Featured Remote Access Capability

Once installed within explorer.exe, SpankRAT establishes a WebSocket connection to the C2 server (ws://<C2>:9000/ws/agent) and communicates over a JSON-based protocol. The full-featured variant supports 18 distinct server commands, giving attackers comprehensive remote control over infected systems.

[Figure: SpankRAT Execution Chain]

The command set spans the following operational capabilities:

- Session management: registration; heartbeat telemetry (CPU, RAM, disk, uptime)
- Remote execution: arbitrary command execution returning stdout and exit code; UAC elevation via Start-Process -Verb RunAs
- File operations: list, read, upload, delete, and rename files; create directories
- Process control: enumerate running processes (PID, name, memory, user, CPU); kill processes
- Windows services: list services; start, stop, or restart services
- Registry manipulation: full CRUD (read keys/values; set, create, and delete registry entries)
- Scheduled task control: list, run, and toggle scheduled tasks
- Software inventory: enumerate installed software

All system interactions are executed through PowerShell with the -NoProfile -NonInteractive -ExecutionPolicy Bypass flags, and OS fingerprinting reads the build number and product name directly from the registry.

This piece is highly exclusive, as the samples are unavailable anywhere else. At the time of analysis, most SpankRAT samples remained undetected on VirusTotal, underscoring a critical gap in signature-based and reputation-reliant detection. This reinforces the need for behavioral analysis platforms such as ANY.RUN Sandbox, which can surface the full execution chain, injection activity, C2 communication patterns, and privilege escalation behavior in real time, even when traditional detection fails.

Indicators of Compromise (IOCs)

Security teams should hunt for the following indicators across their environments:

- C2 servers: 45.131.214[.]132:9000 (HTTP staging + WebSocket C2); 166.1.144[.]109:9000 (alternate WebSocket C2 variant)
- Agent hash: f0afbbb3c80e5347191452f2f3b147627e9d1ae4d60b61d6da900a60b35eec95
- Malicious files: RmmAgentCore.exe (loader), rmm_agent.dll (payload), arc_agent.exe (standalone variant)
- Drop path: C:\ProgramData\
- Persistence mechanism: Scheduled Task RmmAgentCore, logon trigger, highest privileges
- Injection target: explorer.exe
- Build environment: Rust (Cargo); Windows MSVC + Linux cross-compile; dev paths indicate C:\Users\spank\.cargo\ and /root/.cargo\

Mitigations

Security operations teams should prioritize behavioral detection rules that flag DLL injection into explorer.exe, unauthorized Scheduled Task creation with elevated privileges, and outbound WebSocket connections from non-browser system processes. Hunting within SIEM or EDR telemetry for HTTP GET requests to paths matching */download/rmm_agent.dll* can identify SpankLoader staging activity in the environment. Organizations relying solely on antivirus or reputation-based tools are strongly advised to incorporate dynamic sandbox analysis into their triage workflows to reduce dwell time for threats like SpankRAT.

This is a particularly valuable piece, as the samples mentioned are not publicly available anywhere else.
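Added example (not code from the ANY.RUN write-up or from the article): Python hunting logic that applies the three mitigation checks above to a constructed, simplified Sysmon-like event stream. The event field names and the sample events are assumptions; the C2 addresses, port, task name, drop path and staging URL path come from the IOC list.

```python
import re

# Indicators from the IOC list above; everything else in this block is constructed.
C2_HOSTS = {"45.131.214.132", "166.1.144.109"}
C2_PORT = 9000
STAGING_URL = re.compile(r"/download/rmm_agent\.dll", re.IGNORECASE)
TASK_NAME = "rmmagentcore"

def check_event(ev: dict) -> list[str]:
    """Return the names of every hunting rule this event matches."""
    hits = []
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    if ev.get("event") == "NetworkConnect" and image == "explorer.exe":
        # explorer.exe reaching a known C2 host or the toolkit's WebSocket port
        if ev.get("dest_ip") in C2_HOSTS or ev.get("dest_port") == C2_PORT:
            hits.append("explorer_outbound_c2")
    if ev.get("event") == "TaskCreate":
        # persistence: the exact task name, or any highest-privilege logon task
        # whose action runs out of the C:\ProgramData\ drop path
        elevated_logon = ev.get("run_level") == "highest" and ev.get("trigger") == "logon"
        from_drop_path = ev.get("action", "").lower().startswith("c:\\programdata\\")
        if ev.get("task_name", "").lower() == TASK_NAME or (elevated_logon and from_drop_path):
            hits.append("elevated_logon_task")
    if ev.get("event") == "HttpRequest" and ev.get("method") == "GET":
        # SpankLoader fetching the payload over plain HTTP
        if STAGING_URL.search(ev.get("url", "")):
            hits.append("spankloader_staging_get")
    return hits

def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run the rules over an event stream; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
SAMPLE_EVENTS = [
    {"event": "HttpRequest", "image": "C:\\ProgramData\\RmmAgentCore.exe", "method": "GET",
     "url": "http://45.131.214.132:9000/download/rmm_agent.dll"},
    {"event": "TaskCreate", "task_name": "RmmAgentCore", "trigger": "logon",
     "run_level": "highest", "action": "C:\\ProgramData\\RmmAgentCore.exe"},
    {"event": "NetworkConnect", "image": "C:\\Windows\\explorer.exe",
     "dest_ip": "45.131.214.132", "dest_port": 9000},
    {"event": "NetworkConnect", "image": "C:\\Windows\\explorer.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},  # ordinary-looking, no hit
    {"event": "TaskCreate", "task_name": "NightlyBackup", "trigger": "daily",
     "run_level": "limited", "action": "C:\\Tools\\backup.exe"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The name-independent task rule (highest-privilege logon task launched from C:\ProgramData\) will also surface renamed variants, so tune the drop-path prefix to the environment before relying on it.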