Farfli

Category: rat · Aliases: None known · Sample count (EMBER 2018): 360 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Farfli is an infamous backdoor trojan family designed to grant remote attackers complete, unauthorized access to compromised Windows environments.

What You Need to Know
To a layman, Farfli is a silent invader that allows hackers to control a computer as if they were sitting right in front of it. For cybersecurity experts, Farfli represents a critical compromise of endpoint integrity. It is heavily utilized by advanced persistent threat (APT) groups and cybercriminals to establish a reliable beachhead within a corporate network, allowing for subsequent lateral movement and data exfiltration.

Malware TTPs and Architecture
Farfli is typically delivered via exploit kits, malicious email attachments, or dropped by primary trojans. Upon execution, it achieves persistence by injecting its malicious payload into trusted system processes (like explorer.exe or iexplore.exe) and creating autorun registry keys. The backdoor then opens a clandestine communications channel with its Command and Control (C2) server.

Impact and Incident Response
Once active, the Farfli backdoor provides a vast array of capabilities to the attacker: it can log keystrokes, capture screenshots, steal saved browser credentials, execute arbitrary shell commands, and download additional modules. Because it operates within the memory space of legitimate processes, it often successfully evades traditional, signature-based endpoint protection. Threat hunters must rely on behavioral analytics, searching for anomalous outbound network connections from standard processes and unexpected changes to system configuration files to detect a Farfli intrusion.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1055Process InjectionDefense Evasion
T1056.001Input Capture: KeyloggingCollection
T1113Screen CaptureCollection
T1059.003Command and Scripting Interpreter: Windows Command ShellExecution
T1571Non-Standard PortCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_FARFLI {
    meta:
        description = "Detects Farfli (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "farfli" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Farfli Activity
id: 3df15747ef56349e162908e5ac150c9f
status: experimental
description: Detects generic indicators of the farfli malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*farfli*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the endpoint from both the internet and the internal network immediately to severe the attacker's interactive backdoor access.
  2. Capture a full forensic memory image of the machine prior to shutdown, as Farfli operates heavily in memory via process injection.
  3. Identify the C2 IP addresses and ports used by Farfli and implement organization-wide blocks at the firewall.
  4. Force a global password reset for any user accounts that logged into the infected machine, as Farfli possesses extensive keylogging capabilities.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not leave the endpoint connected to the network during triage; the attacker has active, remote control and may sabotage the system.
  2. Do not rely solely on automated AV removal, as Farfli's deep system hooks often require manual forensic remediation or a complete OS rebuild.

References & External Analysis

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/farfli.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.