Remote Access Trojan
Poison Ivy
First seen: 2005 • Status: inactive
Poison Ivy was an easy-to-use remote-control tool for attackers, so popular that it turned up in espionage attacks around the world for more than a decade.
Overview
Poison Ivy is one of the most widely used RATs in APT campaigns, particularly by Chinese threat actors. Despite its age, its ease of use and effectiveness made it a staple of espionage operations.
Also Known As
PIVY, Darkmoon
How It Spreads
- Spear phishing
- Drive-by downloads
- USB drives
What It Does
- Remote desktop control
- Keylogging
- File transfer
- Password harvesting
- Screen capture
Target Platforms
Windows
Detection Tips
- Monitor for Poison Ivy network signatures
- Check for known mutex patterns
- Analyze startup registry keys
- Review process injection activity
MITRE ATT&CK Techniques
T1021 (Remote Services), T1056 (Input Capture), T1105 (Ingress Tool Transfer), T1555 (Credentials from Password Stores), T1113 (Screen Capture)
If You're Infected
1. Remove Poison Ivy from affected systems
2. Reset all potentially compromised credentials
3. Block known C2 infrastructure
4. Update email filtering and endpoint protection