Particle.news

FortiGuard Uncovers MostereRAT, a Stealthy Windows RAT Using mTLS and Remote-Access Tools

Analysts urge stricter browser controls following FortiGuard's disclosure.

Overview

  • The campaign uses business-themed phishing emails that primarily target Japanese users and funnel victims from a Word document with a hidden archive to an embedded executable.
  • MostereRAT is written in Easy Programming Language and employs staged execution, disables security tools, blocks antivirus traffic, and encrypts command-and-control with mutual TLS.
  • The malware achieves persistence by installing components in system directories, creating services that run with SYSTEM privileges, and impersonating the TrustedInstaller account for escalation.
  • Once established, it deploys legitimate remote-access software such as AnyDesk, TightVNC and RDP Wrapper, and it creates hidden administrator accounts to retain control.
  • FortiGuard links elements of the infrastructure to a 2020 banking trojan and vendors advise restricting automatic downloads in browsers, applying least-privilege configurations, and enforcing application control.
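The persistence and remote-access behaviours listed above (SYSTEM services, hidden administrator accounts, AnyDesk/TightVNC/RDP Wrapper) are things a defender can check for on a host. The PowerShell script below is an added hunting example written for this page; it is not code from FortiGuard's report or from the Particle.news summary, and it uses no indicators from the report. The registry keys and service names it inspects are general Windows knowledge (the Winlogon `SpecialAccounts\UserList` key, the `TermService` `ServiceDll` value, the usual service names of AnyDesk and TightVNC); the assumption that hidden accounts are hidden via that Winlogon key, and the treatment of non-Microsoft-signed SYSTEM services as leads rather than verdicts, are both assumptions marked in the comments.

```powershell
# Added host-hunting example (not FortiGuard's or the article's code). Run in an
# elevated PowerShell 5.1+ session. Everything flagged is a lead to review, not proof.

$findings = @()

# 1. Local Administrators membership. The article says the RAT creates hidden admin
#    accounts, so list every member and review the ones you do not recognise.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $findings += [pscustomobject]@{ Check = 'LocalAdminMember'; Detail = "$($_.ObjectClass): $($_.Name)" }
}

# 2. Accounts hidden from the logon screen. Windows hides any user listed with value 0
#    under this Winlogon key. ASSUMPTION: this is one common hiding technique; the
#    article does not say which technique MostereRAT uses.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userListKey) {
    foreach ($name in (Get-Item $userListKey).Property) {
        $value = (Get-ItemProperty -Path $userListKey -Name $name).$name
        if ($value -eq 0) {
            $findings += [pscustomobject]@{ Check = 'HiddenLogonAccount'; Detail = $name }
        }
    }
}

# 3. Services running as SYSTEM whose binary is not validly signed by Microsoft.
#    Third-party software legitimately does this too, so treat hits as leads.
$msPublisher = 'CN=Microsoft (Windows|Corporation)'
$services = Get-CimInstance Win32_Service
foreach ($svc in ($services | Where-Object { $_.StartName -eq 'LocalSystem' })) {
    # PathName is either "C:\quoted path\x.exe" args or C:\unquoted path\x.exe args
    if ($svc.PathName -match '^"([^"]+)"' -or $svc.PathName -match '^(.+?\.exe)') {
        $exe = $Matches[1]
        if (Test-Path $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($sig.Status -ne 'Valid' -or $signer -notmatch $msPublisher) {
                $findings += [pscustomobject]@{
                    Check  = 'SystemServiceNotMsSigned'
                    Detail = "$($svc.Name) -> $exe [$($sig.Status); $signer]"
                }
            }
        }
    }
}

# 4. Remote-access tooling named in the article. 'anydesk' and 'tvnserver' (TightVNC)
#    are those tools' usual service names; presence only matters where the
#    organisation does not use them.
$remoteToolPattern = 'anydesk|tvnserver|tightvnc'
foreach ($svc in $services) {
    if (($svc.Name + ' ' + $svc.PathName) -match $remoteToolPattern) {
        $findings += [pscustomobject]@{
            Check  = 'RemoteAccessToolService'
            Detail = "$($svc.Name) ($($svc.State)) -> $($svc.PathName)"
        }
    }
}

# 5. RDP Wrapper works by pointing the Remote Desktop service at its own DLL, so a
#    TermService ServiceDll that is not termsrv.dll is worth a look.
$termParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$serviceDll = (Get-ItemProperty -Path $termParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($serviceDll -and $serviceDll -notmatch 'termsrv\.dll$') {
    $findings += [pscustomobject]@{ Check = 'TermServiceDllReplaced'; Detail = $serviceDll }
}

$findings | Sort-Object Check | Format-Table -AutoSize
```

Checks 1 and 3 will always return some rows on a normal host (built-in administrators, third-party agents), so the useful workflow is to baseline a known-clean machine and diff; checks 2, 4 and 5 should be empty on a workstation that does not deliberately use remote-access tools.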