sdbot is classified as a remote access trojan (RAT), malware that gives an attacker remote control of an infected computer. It has one or more associated MITRE ATT&CK technique references (linked on this page) that document the behaviors observed for it. We have not yet published a hand-verified detailed profile for this family; the MITRE references below are the authoritative source for its documented techniques.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1059.003 T1071.003 T1547.001 T1105 T1091 T1498
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_SDBOT {
meta:
description = "Detects Sdbot (rat)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "sdbot" ascii wide nocase
$s2 = "win32.sdbot" ascii wide nocase
$s3 = "sdbot.worm" ascii wide nocase
$s4 = "rbot" ascii wide nocase
$s5 = "spybot" ascii wide nocase
$s6 = "sdbot.a" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Sdbot Activity
id: dc1efed9e974e10bbb00bc22910b8ad6
status: experimental
description: Detects generic indicators of the sdbot malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*sdbot*"
- "*win32.sdbot*"
- "*sdbot.worm*"
- "*rbot*"
- "*spybot*"
- "*sdbot.a*"
condition: selection
level: mediumRefer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/sdbot.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.