Trojan:Win32/Wabot is a malicious botnet component and trojan designed to compromise Windows systems and recruit them into a larger controlled network. It is characterized by its ability to receive dynamic commands from a remote server, allowing operators to repurpose the infected hosts for various malicious activities, such as launching Distributed Denial of Service (DDoS) attacks, distributing spam, or downloading additional credential-stealing modules. Wabot typically achieves persistence by copying itself to hidden system directories and modifying the Windows Registry. It often communicates over standard web protocols (HTTP/HTTPS) or IRC to blend its command-and-control traffic with legitimate network activity.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1071.001 | Application Layer Protocol: Web Protocols | Command and Control |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence |
T1105 | Ingress Tool Transfer | Command and Control |
T1498 | Network Denial of Service | Impact |
T1056.001 | Input Capture: Keylogging | Collection |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_WABOT {
meta:
description = "Detects Wabot (rat)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "wabot" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Wabot Activity
id: 0a8a0fc26f634428e5abc843868607a8
status: experimental
description: Detects generic indicators of the wabot malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*wabot*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/wabot.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.