Trojan:Win32/Farfli is an infamous backdoor trojan family designed to grant remote attackers complete, unauthorized access to compromised Windows environments.
What You Need to Know
To a layman, Farfli is a silent invader that allows hackers to control a computer as if they were sitting right in front of it. For cybersecurity experts, Farfli represents a critical compromise of endpoint integrity. It is heavily utilized by advanced persistent threat (APT) groups and cybercriminals to establish a reliable beachhead within a corporate network, allowing for subsequent lateral movement and data exfiltration.
Malware TTPs and Architecture
Farfli is typically delivered via exploit kits, malicious email attachments, or dropped by primary trojans. Upon execution, it achieves persistence by injecting its malicious payload into trusted system processes (like explorer.exe or iexplore.exe) and creating autorun registry keys. The backdoor then opens a clandestine communications channel with its Command and Control (C2) server.
Impact and Incident Response
Once active, the Farfli backdoor provides a vast array of capabilities to the attacker: it can log keystrokes, capture screenshots, steal saved browser credentials, execute arbitrary shell commands, and download additional modules. Because it operates within the memory space of legitimate processes, it often successfully evades traditional, signature-based endpoint protection. Threat hunters must rely on behavioral analytics, searching for anomalous outbound network connections from standard processes and unexpected changes to system configuration files to detect a Farfli intrusion.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_FARFLI {
meta:
description = "Detects Farfli (rat)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "farfli" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Farfli Activity
id: 3df15747ef56349e162908e5ac150c9f
status: experimental
description: Detects generic indicators of the farfli malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*farfli*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/farfli.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.