SimayRAT, Ghost RAT, Phishing, Remote Access Trojan

Sophisticated SiMay RAT Spreads Via Telegram Phishing Site


Keylogger and Gh0st RAT Variant deployed to spy on Users


Threat actors (TAs) have been relentlessly employing diverse techniques to propagate malware by leveraging counterfeit websites of renowned applications. Cyble Research and Intelligence Labs (CRIL) reported on a trojanized version of Telegram specifically aimed at Chinese users. Telegram is a widely used application, and due to its unavailability in China, TAs exploit this condition to deceive users by providing fake Chinese-language versions of the software.

Recently, CRIL found a phishing site, hxxps://telagarm[.]top spreading a malicious Telegram installer. We believe that this installer file targets Chinese users as the default language used in the installer is Chinese.

The figure below shows the phishing site.

Phishing Site, SiMay, Telegram
Figure 1 – Phishing Site

This sophisticated malware operates through multiple stages and employs advanced evasion techniques to avoid detection. Unlike typical downloaders that directly fetch payloads, this downloader, used in the current campaign, follows a sequence of requests to obtain the URL for the final stage. The ultimate payload, in turn, utilizes a combination of techniques, including process injection, DLL sideloading, and encrypted shell code, to achieve execution.

While investigating this campaign, we found evidence linking it to the same Threat Actor (TA) behind the SiMay RAT attacks in 2022. The TA uses an updated version of the downloader and final stage payloads in this campaign.


Technical Analysis


This phishing site is distributing a malicious installer file in the form of a .msi file. The language used by default in the installer file (SHA256: 8013a2e9bde9dcfd3f49cc09d5842ad55d21962d7a1216897121ff4d0f344558) is Chinese, suggesting that the TA could be targeting Chinese-speaking users. This installer disguises itself as a legitimate Telegram file while simultaneously dropping and executing a downloader file in the background.

The figure below shows the installer window.

RAT, UI, Installer
Figure 2 – Installer User Interface


The .msi file consists of two distinct files within it. The first file (iii.exe) contained within the .msi package is a malicious downloader that downloads and executes the next stage payloads. This file is dropped by the installer in the “Documents” folder.

The second file (tsetupx64.4.8.3.exe) is a seemingly legitimate Telegram setup, which appears to be the installation package for the popular messaging application Telegram. This is meant to deceive users into thinking they are downloading and installing authentic Telegram software.


The figure below shows the content of the .msi file.

Installer, File
Figure 3 – Files Contained in Installer File

The figure below shows the process tree.

Process Tree, Simay
Figure 4 – Process Tree




The downloader file (SHA256: 17c2faa7d7e5ecefd6f33a991cd60e9c033b589dd27023bb820cb4ba52ba0c5c) is a 32-bit executable targeting the Windows operating system.

The figure below shows the file details.

File details
Figure 5 – File Details


The downloader, upon execution, starts connecting to IP addresses “”, which resolves to a Chinese cloud service provider.

The figure below shows the network TCP requests made by the downloader.

TCP Request, SiMay
Figure 6 – TCP Requests


Using the InternetReadFile() function, this malware fetches the content from a specific URL: “hxxps[:]//”. The content retrieved from this URL is then loaded into a buffer, as shown in the figure below.

Figure 7 – Fetching JSON Data


The content mentioned above is in the form of a JSON object. An analysis of this response identified an email address associated with the threat actor (TA). Delving deeper into the investigation, we found that the same email address was previously linked to a TA mentioned in a report released by K7 researchers in 2022.

Drawing connections from this discovery, it is suspected that the identical TA responsible for the SiMay RAT attacks reported in 2022 is the one executing these current attacks.

The sharetime mentioned in the JSON data, “1685768121180,” resolves to “June 3, 2023,” suggesting that the threat actor (TA) has restarted their attack campaign. In the previous campaign, the share was activated in 2021.

The figure below shows the email ID present in the JSON object.

Threat Actor, Profile, SiMay
Figure 8 – TA Profile


This downloader utilizes the key values obtained from the previously fetched JSON object to construct URLs for upcoming requests. Now it retrieves content from the URL:

  • hxxps[:]//note.youdao[.]com/yws/public/notebook/9fa9db02d7c790b6f9709e3b1605c6cc/subdir/WEB400eaebc293ddb0f58dcafa44f8b74c2

The fetched content is in the form of another JSON object, as shown in the figure below. This JSON object contains crucial details regarding “.dat” files, which are scheduled to be downloaded in the next step of the process.

Fetch details, .dat
Figure 9 – Fetch Details of .dat files


The TA has hosted three “.dat” files on hxxps://note.youdao[.]com/ynoteshare/index.html?id=9fa9db02d7c790b6f9709e3b1605c6cc&type=notebook&_time=1686584769284. These .dat files contain a Base64 encoded URL and other details related to next stage payload. These “.dat” files are named using “DU” followed by a number.

The figure below shows the “.dat” files.

.dat, files
Figure 10 – .dat files


Now this downloader downloads the “DU_3.dat” file from “hxxps://”

The downloader creates a folder with a random name formed by combining a sequence of 6 characters which contains alphanumeric characters and an underscore under the “C:\\Users\\Public\\Music” directory.

After creating the folder, it saves the “DU_3.dat” file in this folder and sets the file’s attributes to hidden. The “CreateFileA” function is called for this purpose.

Figure 11 – CreateFileA


The figure below shows the Base64 decoded content of the “DU_3.dat” file. It contains the URL for the next stage, the name of the payload, and the name of the directory to save the payload.

Decoding, .dat file
Figure 12 – Decoded Content of .dat File


After analyzing all the “.dat” files shown in the figure above, we found that they point to a different URL, as highlighted in the figure below.

  • dat
  • dat


  • dat


Referral link, .dat
Figure 13 – Links Referred by all .dat files

Now, the downloader performs requests in a manner similar to how it downloaded the “.dat” file. It initiates the process by making a request to the following URL:

  • hxxps://note.youdao[.]com/yws/api/personal/share?method=get&shareKey=d04da3da6f8f011be18e9fe893ed2cfb

The content received from this initial URL is then utilized to form the URL for the next request, as highlighted in the figure below. It makes a request to the following URL to fetch details of files hosted on the server.

  • hxxps://note.youdao[.]com/yws/public/notebook/d04da3da6f8f011be18e9fe893ed2cfb/subdir/WEB4c64cfb83b69382247b8bc37425e47ac


JSON,data, URL
Figure 14 – Uses JSON Data to Construct Next URL


Afterwards, it downloads the next stage payload from:

  • hxxps://note.youdao[.]com/yws/api/personal/file/WEB029bbc731cdb99b8d1d1c3c0e15fc223?method=download&shareKey=d04da3da6f8f011be18e9fe893ed2cfb

Compressed Payload


The compressed payload file “” is downloaded and temporarily stored as “sl2VMF” in the root of the “C:\Users\Public\” location. This ZIP-compressed file comprises four folders: “package,” “static,” “txtCode,” and “winzipper,” as shown below.

Compressed payload, Contents
Figure 15 – Contents of the compressed payload


The “package” folder contains two files: “afedf.trg” and “GetSkype.dll.” The “static” folder contains a file named “png.1413131.” The “txtCode” folder holds a file called “out.bin,” while the “winzipper” folder contains a file named “fdafvdav.fdafda,” as shown below.

Unarchived payload, Files
Figure 16 – Files inside the unarchived payload


After being extracted, the main malware file proceeds to write the contents of the “package” folder to specific predefined locations on the system. The files from the “package” folder are copied to the below path:

  • C:\Users\Public\Public Documents\etvc\<random_foldername><random_filename>

This directory includes the malicious DLL file (GetSkype.dll) and a legitimate executable named “afedf.trg.” The executable “afedf.trg” is copied and renamed with a random filename like “TDtng6.exe.” While running, the DLL will be loaded alongside the renamed executable using side-loading techniques.

Package folder, SiMay
Figure 17 – File copied from Package folder


The content of the “winzipper” folder, with the name “fdaf1.fda1gfq,” is copied to the “%Appdata%<random_foldername>” location, named “_wdJ.exe.” This copied file is a WinRAR file.

Next, the malware downloads a ZIP file named “” and extracts its contents, which include a shortcut file named “VCsite_ingcure.lnk.” The purpose of this shortcut file is to execute the following command line when executed:

  • C:\Users\Public\Documents\etvc\b4VOly\TDtng6.exe

To ensure persistence, the malware copies the lnk file into the Startup folder, enabling it to automatically run the ” TDtng6.exe” executable every time the system starts. The figure below illustrates the files generated during execution to achieve persistence.

Figure 18 – Files copied from the winzipper folder


During the execution process, the file “png.1413131” from the “static” folder is copied to the “C:\ProgramData” directory. The copied file is subsequently renamed as “SHELL.TXT,” a shell code with an encrypted payload that the malware decrypts and uses to perform the malicious activity.

The figure below shows the malware’s process of creating a file and copying the content from the temporary ZIP file.

Static Folder
Figure 19 – File copied from static folder


The figure below displays the content of “SHELL.TXT,” which is a shellcode with encrypted payload XORed by the value ‘0x25.’

Figure 20 – Contents of SHELL.TXT file


Additionally, the malware drops several internet shortcut files with randomly generated names. These shortcut files are utilized to execute the “TDtng6.exe” when a user runs it. This tactic aims to deceive users into thinking that the shortcut points to a legitimate website or resource when, in fact, it leads to the execution of a malicious file (TDtng6.exe) stored in the specified location.

Malware, Internet Shortcuts
Figure 21 – Internet Shortcut files dropped by malware


DLL SideLoading


DLL side-loading is a technique used by TAs to execute their malicious code within a legitimate application to evade detection, maintain persistence, and gain elevated privileges on a targeted system. By leveraging trusted processes, the malware can blend in with legitimate activities, making it harder to detect. This method allows attackers to distribute and update malware while bypassing security measures, ensuring prolonged control over compromised machines.

In this case, the malware employs the genuine “GetSkype” product executable named “TDtng6.exe” to facilitate the side-loading of the malicious “GetSkype.dll” into the victim’s system, as shown in the figure below.

DLL Side Loading, SiMay
Figure 22 – DLL side loading

The “GetSkype.dll” file, identified by the SHA256 hash: 67ebe6b782bf613a444fc20fca7002bfb9aa6b468a7f7b2b075953d65cf9ba93, is a 32-bit DLL executable that was compiled using Visual C++, as shown below.

GetSkype.dll, DLL, Static Details
Figure 23 – Static details of GetSkype.dll


Upon execution, the “TDtng6.exe” file performs side-loading of the “GetSkype.dll” which exhibits characteristics of a keylogger malware. It performs a range of functionalities, including evasion of antivirus detection by specifically targeting antivirus processes. The malware is designed to detect virtual machine environments, thereby concealing its malicious behavior during analysis. The presence of version information suggests its ability to adjust actions according to the target system’s operating system. Furthermore, it can gather system information, establish persistence by manipulating the registry, communicate with the C&C server, manipulate files, and capture keyboard inputs from the victims.

Remote Access Trojan (RAT)


Subsequently, the malware accesses the “SHELL.TXT” file, which contains the shell code responsible for importing modules, along with an encrypted PE file. Each byte of the encrypted PE file is XORed by the value 0x25. The figure below shows the decrypted PE file obtained by applying XOR with the value 0x25.

SHELL.TXT, Decrypted, Payload
Figure 24 – Decrypted payload from SHELL.TXT


While executing, the malware decrypts the encrypted content in the “SHELL.TXT,” which is a malicious DLL executable file. The malware then loads and executes this decrypted DLL payload into the process memory. The observed payload’s behavior is similar to that of the Gh0st RAT.

The decrypted PE file, identified by the SHA256 hash: 2c16df586856e0d5ef10f27b6bafdf9c2445aa877d6a139f2eb4cd88a26f4003, is a 32-bit DLL executable that was compiled using Visual C++, as shown below.

Final Paylad, SiMay
Figure 25 – Static details of the final payload


This RAT has been in existence for several years as open-source software. Despite its long history, it remains actively distributed even today. As a RAT, it is utilized by TAs for unauthorized access and control of compromised computer systems. This malware possesses formidable capabilities and poses significant risks.

Its functionalities include remote control, keylogging, screen capture, file management, system surveillance, and data theft. Due to its versatility and ability to operate discreetly, this RAT is frequently employed in targeted attacks, cyber espionage, and data breaches to extract sensitive information.

The figure below displays the hardcoded strings found in the decrypted malware payload, which are utilized to execute various malicious activities of the RAT.

RAT, Hardcoded Strings
Figure 26 – Hardcoded strings of RAT

In addition to its functionalities, the malware payload includes a list of antivirus processes to evade detection and defense mechanisms, as shown below.

Evading detection, Antivirus, Process names
Figure 27 – List of antivirus process names to evade detection



The discovery of the advanced multi-stage malware campaign, coupled with the attribution of the TA behind this campaign to the same entity responsible for spreading the SiMay RAT in 2022, highlights a sophisticated and persistent cyber threat. By capitalizing on the absence of Telegram in China, TAs deceive users by offering fake versions of the application. The wide popularity of Telegram as a communication platform only exacerbates the impact of these malicious campaigns.


Our Recommendations


We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Malware Attacks

  • Do not open suspicious links in emails.
  • Do not download the software from untrusted sources.
  • Use a reputed antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Malware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact And Cruciality of Malware

  • Additional malware can be dropped into the system.
  • Infected systems could attack other systems.
  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Monetary loss.

MITRE ATT&CK® Techniques


Tactic  Technique ID  Technique Name 
Initial Access T1566 Phishing
Execution T1204


User Execution

Command and Scripting Interpreter

Persistence T1547.001 Registry Run Keys / Start-up Folder
Defense Evasion T1140





Deobfuscate/Decode Files or

Hide Artifacts

Hijack Execution Flow: DLL Side-Loading

Obfuscated Files or Information

Process Injection

Privilege Escalation T1055 Process Injection
​Credential Access T1555




​Credentials from Password Stores

​Steal Web Session Cookie

​Unsecured Credentials


​Collection T1113
​Screen Capture

Input Capture

​Discovery T1087







​Account Discovery

​Software Discovery

​Process Discovery

​System Time Discovery

​System Service Discovery

​System Location Discovery

​Peripheral Device Discovery

Command and Control T1071


Application Layer Protocol



  Indicator Type Description
hxxps://telagarm[.]top URL Phishing Site



Domain MSI File














































Scroll to Top