Top 5 Basic Remote Access Trojans (RATs) You Shouldn’t Ignore in 2025

Remote Access Trojans (RATs) are a foundational tool in the arsenal of cybercriminals. While some advanced RATs are highly stealthy and complex, there’s a whole class of basic RATs that remain dangerous precisely because of their simplicity and ease of use. In my experience analyzing malware in lab environments, I’ve found that basic RATs are often the first tools used by novice hackers and script kiddies, yet they remain surprisingly effective due to poor endpoint security practices.

Let’s take a deep dive into five of the most prominent basic RATs still making waves in 2025. I’ll also show you how they work under the hood, with code examples and platform-specific implementation or detection strategies.

1. NjRAT

Overview: NjRAT is a .NET-based RAT that first emerged in 2013 and continues to be a favorite among entry-level attackers due to its small size, simple GUI, and rich set of features.

Key Features:

  • Remote desktop view

  • File upload/download

  • Webcam and mic access

  • Keylogging

Code Snippet – Client Connection Stub:

Dim client As New TcpClient("127.0.0.1", 4444)
Dim stream As NetworkStream = client.GetStream()
stream.Write(Encoding.ASCII.GetBytes("Connected"), 0, 9)

Detection Tip – Windows Event Logging: Look for suspicious child processes spawned by explorer.exe, which is a common tactic used by NjRAT droppers.

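# Event 4688 is only logged when "Audit Process Creation" is enabled
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
Where-Object { $_.Message -match 'Creator Process Name:\s+.*\\explorer\.exe' }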

2. DarkComet

Overview: DarkComet, though officially discontinued, is still circulating through cracked underground versions. It’s a basic but versatile RAT often used in surveillance campaigns.

Key Features:

  • Registry editor

  • Remote shell

  • LAN discovery

Payload Deployment Strategy: Attackers typically disguise it inside an innocent-looking application:

@echo off
start notepad.exe
DarkComet.exe

Detection Strategy – Registry Monitoring: Use Sysinternals Autoruns or monitor this key for persistence:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
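Monitoring this key amounts to comparing its values against a known-good snapshot. The sketch below is an added example, not part of the original article: the heuristics, the constructed snapshots and the `msupd.exe` and `od.vbs` names are assumptions for illustration.

```python
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Heuristics (assumptions of this example, not a complete rule set).
SUSPICIOUS = [
    (re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Users\\Public|Temp)\\", re.I),
     "runs from a user-writable directory"),
    (re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b", re.I),
     "launches a script host"),
]


def read_run_key():
    """Return {value name: command} from the HKCU Run key (Windows only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for index in range(winreg.QueryInfoKey(key)[1]):   # [1] = value count
            name, command, _kind = winreg.EnumValue(key, index)
            entries[name] = str(command)
    return entries


def diff_run_key(baseline, current):
    """List (name, status, notes) for values added or changed since baseline."""
    findings = []
    for name, command in sorted(current.items()):
        if baseline.get(name) == command:
            continue
        status = "changed" if name in baseline else "new"
        notes = [why for pattern, why in SUSPICIOUS if pattern.search(command)]
        findings.append((name, status, notes))
    return findings


# Constructed snapshots for illustration.
BASELINE = {"OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'}
CURRENT = dict(BASELINE,
               Updater=r"C:\Users\alice\AppData\Roaming\msupd.exe",
               OneDrive=r'wscript.exe "C:\Users\Public\od.vbs"')
```

On a Windows host, store the output of `read_run_key()` as the baseline and pass a later reading as `current`. Legitimate software also autostarts from AppData, so the notes are triage hints rather than verdicts.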

3. QuasarRAT

Overview: Written in C#, QuasarRAT is open-source and often modified. It’s heavily used by pentesters and attackers alike due to its remote shell and process management features.

Key Features:

  • Remote shell

  • Keylogger

  • TCP tunneling

Server Initialization Example (C#):

TcpListener listener = new TcpListener(IPAddress.Any, 4782);
listener.Start();
TcpClient client = listener.AcceptTcpClient();

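Linux Detection Tip (via auditd): Look for outbound connections to non-standard ports on startup. The search below assumes an audit rule tagged with the key netactivity is already recording outbound connection calls; the -i flag decodes the socket address so the port is searchable.

sudo ausearch -k netactivity -i | grep 'lport=4782'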

4. Remcos RAT

Overview: Remcos is commercially sold as a remote administration tool but is often cracked and abused. It is relatively lightweight and often embedded in phishing documents.

Key Features:

  • Clipboard spying

  • Application control

  • Screen locker

Code Behavior – VBS Dropper Example:

Set objShell = CreateObject("Wscript.Shell")
objShell.Run "Remcos.exe", 0, False

Platform-Specific Detection – Email Gateway: Use a DLP (Data Loss Prevention) solution to scan Office documents with embedded macros. Regex-based scans can identify obfuscated macro payloads:

Auto_?(Open|Close)|CreateObject\("[a-zA-Z.]+"\)
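How such a pattern behaves on real macro text depends on small details, shown here in an added example that is not part of the original article. It assumes the VBA source has already been extracted from the document by the gateway or a tool such as olevba; the sample macros are constructed.

```python
import re

# Narrow form: letters-only ProgID, no underscore in the entry-point name.
STRICT_RE = re.compile(r'Auto(Open|Close)|CreateObject\("[a-zA-Z]+"\)')
# Wider form: optional underscore (Auto_Open), dotted ProgIDs such as
# Wscript.Shell, and case-insensitive like VBA itself.
WIDE_RE = re.compile(r'Auto_?(Open|Close)|CreateObject\("[a-zA-Z.]+"\)', re.I)

CONTINUATION = re.compile(r'[ \t]_\r?\n[ \t]*')   # VBA line continuation
CONCAT = re.compile(r'"\s*[&+]\s*"')              # "Wsc" & "ript" -> "Wscript"


def normalize(vba_source):
    """Undo line continuations and literal string concatenation."""
    return CONCAT.sub("", CONTINUATION.sub(" ", vba_source))


def scan_macro(vba_source, pattern=WIDE_RE):
    """Return the distinct indicator strings found in one macro's source."""
    return sorted({m.group(0) for m in pattern.finditer(normalize(vba_source))})


# Constructed macro sources for illustration.
PLAIN = ('Sub AutoOpen()\n'
         '  Set objShell = CreateObject("Wscript.Shell")\n'
         '  objShell.Run "Remcos.exe", 0, False\n'
         'End Sub\n')
SPLIT = ('Sub Auto_Open()\n'
         '  Set s = CreateObject("Wsc" & _\n'
         '      "ript.Sh" & "ell")\n'
         'End Sub\n')
BENIGN = 'Sub FormatTable()\n  Selection.Font.Bold = True\nEnd Sub\n'

if __name__ == "__main__":
    for label, source in (("plain", PLAIN), ("split", SPLIT), ("benign", BENIGN)):
        print(label, "wide:", scan_macro(source),
              "strict:", scan_macro(source, STRICT_RE))
```

The normalization only folds string literals and line continuations; ProgIDs assembled with `Chr()` or read from document properties still pass unmatched, so the regex is a first filter, not a verdict.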

5. jRAT (Java RAT)

Overview: jRAT is platform-independent due to its Java base and can target Windows, macOS, and Linux machines.

Key Features:

  • Cross-platform control

  • Screenshot capture

  • File browser

Sample Client Initialization (Java):

Socket socket = new Socket("127.0.0.1", 9999);
DataOutputStream out = new DataOutputStream(socket.getOutputStream());
out.writeUTF("Connection successful");

macOS Detection Tip – Launch Agents: Check for unusual plist files under the following path:

~/Library/LaunchAgents

Malware often uses LaunchAgents for persistence on macOS.
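One way to review that directory for the Java-based persistence described here, as an added example that is not part of the original article. The path hints, reason strings and sample plists are assumptions constructed for illustration.

```python
import plistlib
from pathlib import Path

# Heuristic path markers (assumptions of this example; tune per environment).
WRITABLE_HINTS = ("/tmp/", "/Users/Shared/", "/.")


def program_args(plist):
    """Command line launchd will run: ProgramArguments, else Program."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return [str(a) for a in args]
    return [str(plist["Program"])] if plist.get("Program") else []


def review_agent(raw):
    """Return the reasons one LaunchAgent plist deserves a closer look."""
    try:
        plist = plistlib.loads(raw)          # handles XML and binary plists
    except Exception:
        return ["unparseable plist"]
    if not isinstance(plist, dict):
        return ["unparseable plist"]
    args, reasons = program_args(plist), []
    if args and Path(args[0]).name == "java" and "-jar" in args:
        reasons.append("runs a Java archive")
    if any(hint in arg for arg in args for hint in WRITABLE_HINTS):
        reasons.append("payload in hidden or world-writable path")
    return reasons


def review_directory(directory=None):
    """Map plist file name -> findings for every flagged agent."""
    directory = Path(directory or Path.home() / "Library/LaunchAgents")
    if not directory.is_dir():
        return {}
    results = {p.name: review_agent(p.read_bytes())
               for p in sorted(directory.glob("*.plist"))}
    return {name: why for name, why in results.items() if why}


# Constructed samples: a jar relaunched from a hidden directory, and a helper
# inside an application bundle.
SUSPICIOUS = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/usr/bin/java", "-jar", "/Users/alice/.cache/update.jar"]})
BENIGN = plistlib.dumps({"Label": "com.example.sync", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync-helper"]})
```

Calling `review_directory()` with no argument reads the current user's `~/Library/LaunchAgents`.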

Conclusion

Basic RATs may not be sophisticated, but their simplicity is what makes them so effective. They’re easy to modify, simple to deploy, and hard to detect without proper endpoint monitoring. As seen above, each of these RATs has its unique behavior patterns that defenders can leverage for detection.

If you’re running blue team operations or just want to harden your home systems, understanding the behavior of even these “basic” threats is essential. In 2025, RATs remain a persistent and evolving threat. Don’t underestimate them just because they’ve been around for a while.

