Cybersecurity researchers have detailed a phishing campaign delivering MostereRAT, a stealthy banking malware turned remote access trojan (RAT). According to Fortinet FortiGuard Labs, the campaign employs advanced evasion techniques that allow attackers to fully compromise systems, steal data, and deploy additional malicious tools through modular plugins.
One of the most unusual elements of the attack is its use of the Easy Programming Language (EPL), an obscure visual coding language that supports Chinese, Japanese, and English. This enables the staged payload to conceal its malicious operations, disable security tools, and secure its command-and-control (C2) communications using mutual TLS (mTLS).
The phishing emails, primarily aimed at Japanese users, masquerade as business inquiries and lure recipients into opening malicious Microsoft Word documents. These files embed a ZIP archive containing an executable that launches MostereRAT. Once active, the malware drops remote access tools such as AnyDesk, TigerVNC, and TightVNC while disabling Windows security mechanisms and blocking telemetry from antivirus programs — a technique reminiscent of the EDRSilencer red team tool.
MostereRAT also abuses the TrustedInstaller account, a privileged Windows process, to tamper with registry settings, interfere with core system processes, and even delete files. It can log keystrokes, monitor foreground activity in apps like Alibaba’s Qianniu Seller Tool, capture screenshots, inject code into svchost.exe, and create hidden administrator accounts. These capabilities make detection and analysis significantly harder.
Beyond its RAT functions, the campaign showcases self-propagating and modular behavior. Attackers can load DLLs, EXEs, or shellcode on demand, while also exfiltrating sensitive data and maintaining stealthy persistence. The sophistication indicates a move from simple banking malware toward full-featured espionage and control frameworks.
In parallel, researchers observed a related wave of ClickFix-inspired attacks delivering MetaStealer, a commodity infostealer. These campaigns trick victims into “fixing” a supposed process error by interacting with fake Cloudflare verification pages. The attack chain abuses the search-ms: URI protocol to disguise malicious LNK files as PDFs, ultimately leading to data theft.
Adding to the concern, CloudSEK reported an emerging threat using AI prompt overdose techniques. By flooding summarizers in email clients or productivity apps with attacker-controlled text, adversaries can manipulate AI-generated summaries to embed hidden ClickFix-style instructions, potentially guiding victims into enabling ransomware deployment.
The discovery of MostereRAT and related ClickFix evolutions underscores how phishing campaigns are evolving into highly evasive, multi-stage operations. Organizations should reinforce user awareness training, implement advanced email security, and closely monitor system processes for signs of privilege abuse or suspicious persistence mechanisms. With attackers now experimenting with AI-driven social engineering, defenders face an increasingly complex landscape where both human and machine trust can be weaponized.
