Hello, I stumbled on a website, claiming to give you access to a RAT. I downloaded one of them and I began to analyze what this actually is.
(Educational Purposes Only)

Some of the “RATs” (Remote Access Trojan) had interesting names to say the least. But the thing is, these “RATs” are actually malware, and we will be analyzing Aphrobyte RAT 2026. But first I want to show you more of the website.
Every time you click their Instagram, YouTube, etc. links, it just redirects back to the website. And there is way more than just “RATs”.


There are 81 pages on this website.
---
Now it’s time to actually analyze what one of these RATs are doing.

Here is our sample.

Just from this, we can say that this is a Discord-based Remote Access Trojan (RAT).
Command & Control (C2): It uses Discord as its infrastructure. It requires a Bot Token and Guild ID.
Capabilities: The checkboxes show typical RAT features: persistence (Add to startup), evasion (Anti VM / Sandbox), and stealth (Hide after execution).
It uses GetTickCount for debugger detection (timing checks)
It modifies shortcuts in the Startup folder
It contains various hashing and encryption algorithms (AES, XOR, SHA256)
Next, I will use 7zip on the .exe to see what is inside.

We see svchost.exe.
Real Windows svchost.exe files live in C:\Windows\System32. Seeing one bundled here is a guarantee of a masquerading attempt.

I opened sample.py in Sublime Text.

Taking a look here.
It uses `discord` to establish the Command and Control channel, and `requests`, `os`, `sys`, and `psutil` give it deep access to the Windows operating system, allowing it to modify the registry, manage processes, and execute shell commands.
`sqlite3`, `base64`, and `cryptography` are specifically imported to decrypt and steal browser cookies and saved passwords.
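The import combination described above is a useful static triage signal on its own. The script below is an added example, not code from the sample or the original post: it parses a Python source with `ast`, groups the imports the way the analysis does (C2, system access, credential theft), and returns a verdict. The module groupings and the embedded stand-in source are constructed for illustration.

```python
import ast
from typing import Dict, Set

# Indicator groups taken from the import analysis above (assumption: this
# grouping is the analyst's reading of the sample, not a formal taxonomy).
INDICATOR_GROUPS: Dict[str, Set[str]] = {
    "c2_discord": {"discord", "requests"},
    "system_access": {"os", "sys", "psutil"},
    "credential_theft": {"sqlite3", "base64", "cryptography"},
}

def imported_modules(source: str) -> Set[str]:
    """Return the top-level module names imported anywhere in a Python source."""
    mods: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                mods.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods

def triage(source: str) -> Dict[str, Set[str]]:
    """Map each indicator group to the suspicious modules actually imported."""
    mods = imported_modules(source)
    return {name: mods & wanted for name, wanted in INDICATOR_GROUPS.items() if mods & wanted}

def verdict(hits: Dict[str, Set[str]]) -> str:
    """C2 + system access + credential theft together form the RAT/stealer profile."""
    if {"c2_discord", "system_access", "credential_theft"} <= set(hits):
        return "likely RAT / stealer"
    if hits:
        return "suspicious"
    return "no indicators"

# Constructed stand-in for the decompiled sample.py (not the real sample's code).
SAMPLE_SOURCE = """
import os, sys, psutil
import discord, requests
import sqlite3, base64
from cryptography.fernet import Fernet
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_SOURCE)
    print(verdict(hits), hits)
```

Run it against any extracted `.py` from a PyInstaller bundle to get a first-pass classification before spending time in a debugger.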
Now it’s time for dynamic analysis
I ran all of the EXEs and here is what I got:

When I ran the aphrobyte-discord-rat.exe a GUI came up. Now this is actually a real, functional Remote Access Trojan (RAT). The GUI is there for the Attacker, not the victim.