Wabot

Category: rat · Aliases: None known · Sample count (EMBER 2018): 1,185 · Enrichment: high · Updated: 2026-06-09

Overview

Trojan:Win32/Wabot is a malicious botnet component and trojan designed to compromise Windows systems and recruit them into a larger controlled network. It is characterized by its ability to receive dynamic commands from a remote server, allowing operators to repurpose the infected hosts for various malicious activities, such as launching Distributed Denial of Service (DDoS) attacks, distributing spam, or downloading additional credential-stealing modules. Wabot typically achieves persistence by copying itself to hidden system directories and modifying the Windows Registry. It often communicates over standard web protocols (HTTP/HTTPS) or IRC to blend its command-and-control traffic with legitimate network activity.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1071.001Application Layer Protocol: Web ProtocolsCommand and Control
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence
T1105Ingress Tool TransferCommand and Control
T1498Network Denial of ServiceImpact
T1056.001Input Capture: KeyloggingCollection

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_WABOT {
    meta:
        description = "Detects Wabot (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "wabot" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Wabot Activity
id: 0a8a0fc26f634428e5abc843868607a8
status: experimental
description: Detects generic indicators of the wabot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*wabot*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the infected endpoint to prevent it from participating in DDoS attacks or spam campaigns.
  2. Analyze network traffic to identify the C2 infrastructure and implement network-level blocks.
  3. Scan the system for persistence mechanisms in the registry and remove dropped executable files in hidden folders.
  4. Reset any compromised credentials if Wabot managed to download and deploy keylogging modules.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not leave the endpoint connected to the network during triage, as it may actively harm external targets or internal bandwidth.

References & External Analysis

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/wabot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.