Remote Access Trojan

Warzone RAT

First seen: 2018 • Status: active

Currently Active Threat

Warzone is a spy program sold to criminals that was so successful the FBI had to shut it down, but copies are still being used.

Overview

Warzone RAT is a commercial RAT sold on underground forums. In 2024, the FBI seized its infrastructure and arrested operators, but variants continue to circulate.

Also Known As

Ave Maria, WarzoneRAT

How It Spreads

  • Phishing campaigns
  • Malicious Office macros
  • Cracked software

What It Does

  • Remote desktop
  • Keylogging
  • Password theft
  • Webcam capture
  • Cryptocurrency theft
  • Privilege escalation

Target Platforms

Windows

Detection Tips

  • Monitor for Warzone network signatures
  • Check for UAC bypass attempts
  • Analyze process injection activity
  • Review HKCU Run keys

MITRE ATT&CK Techniques

T1566, T1204, T1056, T1555, T1068

If You're Infected

  1. Terminate Warzone processes
  2. Remove persistence mechanisms
  3. Reset all passwords
  4. Check for privilege escalation artifacts

Related Malware

Remcos, NanoCore, AsyncRAT
