Sdbot

Category: rat · Aliases: win32.sdbot, sdbot.worm, rbot, spybot, sdbot.a · Sample count (EMBER 2018): 1,931 · Enrichment: documented_reference_only · Updated: 2026-06-09

Overview

sdbot is classified as a remote access trojan (RAT), malware that gives an attacker remote control of an infected computer. It has one or more associated MITRE ATT&CK technique references (linked on this page) that document the behaviors observed for it. We have not yet published a hand-verified detailed profile for this family; the MITRE references below are the authoritative source for its documented techniques.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1059.003 T1071.003 T1547.001 T1105 T1091 T1498

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_SDBOT {
    meta:
        description = "Detects Sdbot (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "sdbot" ascii wide nocase
        $s2 = "win32.sdbot" ascii wide nocase
        $s3 = "sdbot.worm" ascii wide nocase
        $s4 = "rbot" ascii wide nocase
        $s5 = "spybot" ascii wide nocase
        $s6 = "sdbot.a" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Sdbot Activity
id: dc1efed9e974e10bbb00bc22910b8ad6
status: experimental
description: Detects generic indicators of the sdbot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*sdbot*"
            - "*win32.sdbot*"
            - "*sdbot.worm*"
            - "*rbot*"
            - "*spybot*"
            - "*sdbot.a*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about sdbot?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/sdbot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.