Poison

Category: rat · Aliases: None known · Sample count (EMBER 2018): 261 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Backdoor:Win32/Poison (widely known as PoisonIvy) is an infamous, highly customizable Remote Access Trojan (RAT) that has been a staple of both cybercriminal and nation-state (APT) arsenals for over a decade.

Understanding PoisonIvy
To a layman, PoisonIvy is the ultimate spyware, granting a remote hacker total control over the victim's computer. For cybersecurity experts, PoisonIvy is a severe Indicator of Compromise (IoC) often linked to targeted espionage campaigns. Due to its builder interface, attackers can highly customize the payload, making each instance unique and difficult for static anti-virus engines to detect.

Execution and Evasion Strategies
PoisonIvy is typically delivered via spearphishing emails containing exploited documents (e.g., CVE-2012-0158) or weaponized executables. Upon execution, the RAT immediately injects itself into legitimate system processes (such as explorer.exe or the default browser) to mask its presence from Task Manager. It establishes persistence via the ActiveX or Run registry keys. The malware encrypts its Command-and-Control (C2) traffic, often using a custom protocol over TCP port 3460 (by default, though highly configurable).

Forensic Footprint & Capabilities
Once active, PoisonIvy provides the attacker with a vast array of capabilities: interactive command shell access, file system manipulation, registry editing, audio/video capture via webcam and microphone, keylogging, and password hash theft. Incident responders must utilize memory forensics to extract the PoisonIvy configuration block from the injected process memory, which reveals the C2 IP address, the campaign ID (mutex), and the encryption password.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1055Process InjectionDefense Evasion
T1056.001Input Capture: KeyloggingCollection
T1125Video CaptureCollection
T1059.003Command and Scripting Interpreter: Windows Command ShellExecution
T1573Encrypted ChannelCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_POISON {
    meta:
        description = "Detects Poison (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "poison" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Poison Activity
id: 35393c24384b8862798716628f7bc6f4
status: experimental
description: Detects generic indicators of the poison malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*poison*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately sever the endpoint from the network to terminate the attacker's interactive, remote-control session.
  2. Capture a full RAM image of the endpoint; memory forensics is critical for extracting the PoisonIvy configuration and C2 details.
  3. Identify the specific C2 IP address and implement immediate blocks at the perimeter firewall and proxy servers.
  4. Assume total endpoint compromise; perform a clean OS rebuild and force password resets for all accounts that accessed the machine.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not leave the machine connected to the network during triage; the attacker has live access and will likely destroy evidence or deploy ransomware.
  2. Do not assume the infection is isolated; PoisonIvy is frequently used as a beachhead for lateral movement across the domain.

References & External Analysis

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/poison.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.