Backdoor:Win32/Poison (widely known as PoisonIvy) is an infamous, highly customizable Remote Access Trojan (RAT) that has been a staple of both cybercriminal and nation-state (APT) arsenals for over a decade.
Understanding PoisonIvy
To a layman, PoisonIvy is the ultimate spyware, granting a remote hacker total control over the victim's computer. For cybersecurity experts, PoisonIvy is a severe Indicator of Compromise (IoC) often linked to targeted espionage campaigns. Due to its builder interface, attackers can highly customize the payload, making each instance unique and difficult for static anti-virus engines to detect.
Execution and Evasion Strategies
PoisonIvy is typically delivered via spearphishing emails containing exploited documents (e.g., CVE-2012-0158) or weaponized executables. Upon execution, the RAT immediately injects itself into legitimate system processes (such as explorer.exe or the default browser) to mask its presence from Task Manager. It establishes persistence via the ActiveX or Run registry keys. The malware encrypts its Command-and-Control (C2) traffic, often using a custom protocol over TCP port 3460 (by default, though highly configurable).
Forensic Footprint & Capabilities
Once active, PoisonIvy provides the attacker with a vast array of capabilities: interactive command shell access, file system manipulation, registry editing, audio/video capture via webcam and microphone, keylogging, and password hash theft. Incident responders must utilize memory forensics to extract the PoisonIvy configuration block from the injected process memory, which reveals the C2 IP address, the campaign ID (mutex), and the encryption password.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_POISON {
meta:
description = "Detects Poison (rat)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "poison" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Poison Activity
id: 35393c24384b8862798716628f7bc6f4
status: experimental
description: Detects generic indicators of the poison malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*poison*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/poison.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.