‘MostereRAT’ Malware Blends In, Blocks Security Tools

Summary

Fortinet’s FortiGuard Labs has detailed a new campaign using a banking-malware-turned-RAT tracked as MostereRAT. The threat targets Windows users (so far observed in Japan) via phishing that drops a weaponised Word document which stages and executes encrypted payloads in multiple phases. The malware uses the uncommon Easy Programming Language (EPL) to hinder analysis, splits functionality across modules for persistence and RAT operations, and supports as many as 37 commands plus mTLS-protected C2 communications.

MostereRAT elevates the threat by running with TrustedInstaller-like privileges, deploying legitimate remote-access tools (AnyDesk, TightVNC) for covert hands-on access, and systematically disabling AV/EDR products. It uses Windows Filtering Platform (WFP) filters to block security telemetry, and can log keystrokes, exfiltrate data, create hidden admin accounts, and install additional payloads for long-term control.

Key Points

  • Delivery: Phishing campaigns lure users to a malicious site that auto-downloads a weaponised Word doc containing an embedded archive to stage the infection.
  • Unusual language: Core modules are written in Easy Programming Language (EPL) to complicate detection and analysis.
  • Split architecture: One module handles persistence, privilege escalation and AV evasion; the other provides RAT functions (up to 37 commands) and mTLS C2.
  • High privileges: Malware runs with TrustedInstaller-level access, letting it alter system files, registry and security settings.
  • Use of legitimate tools: Attackers deploy AnyDesk and TightVNC to achieve full remote control while appearing benign to many EDR solutions.
  • Security tampering: MostereRAT contains hardcoded AV/EDR product paths and uses Windows Filtering Platform filters to block telemetry and alerts from many vendors.
  • Post-compromise capabilities: Keystroke logging, data exfiltration, hidden admin account creation and the ability to deploy further payloads for persistence.

Context and Relevance

This campaign is a clear escalation in offensive tradecraft: combining code obfuscation via a niche language, elevated privileges, AV/EDR disabling and the abuse of legitimate remote-access tools makes detection and response much harder. For defenders, it underlines ongoing trends — attackers increasingly focus on persistence and stealth rather than noisy, one-off attacks. Organisations still relying on broad EDR alerts without hardening local privileges and controlling remote-access software are particularly exposed.

Author’s take

Punchy and to the point: this is the sort of malware that keeps security teams awake. MostereRAT isn’t flashy — it blends into normal admin noise by using signed tools and standard services — but that’s precisely why it matters. If you run Windows endpoints, this is not a ‘nice to know’ item; it’s a tactical red flag for remediation and privilege review.

Why should I read this?

Look — if you manage endpoints or run a SOC, read this. MostereRAT shows how attackers quietly keep access by disabling defences and hiding inside legitimate tools. It’s practical intel: check local admin rights, lock down unapproved remote-access clients, and hunt for unusual use of AnyDesk/TightVNC and WFP-related tampering. We’ve done the heavy reading so you know where to focus.
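A defender-side triage of the behaviours listed in the Key Points and the hunting advice above, as an added example that is not FortiGuard's or Dark Reading's code: it scans normalised endpoint events (constructed samples, shaped after Sysmon process-creation and registry-set events and Security event 5447 for WFP filter changes) and flags remote-access tools launched from unexpected parents, WFP block filters aimed at security-product binaries, and accounts hidden from the logon screen. The tool names, expected parents and product directories are assumptions to be tuned per estate.

```python
from pathlib import PureWindowsPath

# Assumed indicators (not from the article): common executable names of the two
# remote-access tools the report names, and parents under which an interactive or
# installer-driven launch is expected. Tune both sets to your own estate.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "tvnserver.exe", "tvnviewer.exe", "winvnc.exe"}
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "msiexec.exe", "userinit.exe"}
# Assumed security-product install directories (lower-case, backslash-delimited).
SECURITY_PRODUCT_DIRS = ("\\windows defender\\", "\\crowdstrike\\", "\\sentinel\\")
# Registry path used to hide an account from the logon screen.
HIDDEN_ACCOUNT_KEY = "\\winlogon\\specialaccounts\\userlist\\"


def _basename(path):
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Return (rule, host, detail) tuples for events matching MostereRAT-style behaviour."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":  # normalised from Sysmon EID 1
            image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
            if image in REMOTE_ACCESS_TOOLS and parent not in EXPECTED_PARENTS:
                findings.append(("remote_access_tool_unusual_parent", ev["host"], f"{image} <- {parent}"))
        elif kind == "wfp_filter_changed":  # normalised from Security EID 5447
            app = (ev.get("app_path") or "").lower()
            if ev["action"] == "block" and any(d in app for d in SECURITY_PRODUCT_DIRS):
                findings.append(("wfp_block_on_security_product", ev["host"], ev["app_path"]))
        elif kind == "registry_set":  # normalised from Sysmon EID 13
            if HIDDEN_ACCOUNT_KEY in ev["target"].lower() and ev["value"] == "0":
                findings.append(("hidden_account_userlist", ev["host"], ev["target"]))
    return findings


# Constructed sample events (not real telemetry): benign and suspicious cases of each type.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "host": "ws01", "image": r"C:\Users\Public\AnyDesk.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "wfp_filter_changed", "host": "ws01", "action": "block",
     "app_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"type": "wfp_filter_changed", "host": "ws01", "action": "permit",
     "app_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"type": "registry_set", "host": "ws01", "value": "0",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\svc_backup"},
]
```

Running `triage(SAMPLE_EVENTS)` yields three findings (the benign AnyDesk launch under explorer.exe and the permit filter are not flagged); map your real log export onto the same keys before feeding it in.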

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/mostererat-blocks-security-tools