Xtrat

Category: rat · Aliases: xtreme rat, xtremerat, xrat · Sample count (EMBER 2018): 35,969 · Enrichment: curated_sourced · Updated: 2026-06-10

Overview

Xtreme RAT (also known as XTRAT and ExtRat) is a Windows remote access trojan. As documented by Malpedia (Fraunhofer FKIE), which cites Trend Micro, it is a backdoor that allows a remote attacker to steal information and control an infected system. It has been used in targeted attacks, including 2012 campaigns against Israeli and Syrian government targets, and is associated with the Molerats threat actor. Its capabilities include file management (downloading, uploading, and executing files), registry management, executing shell commands, computer control (such as shutdown and logging the user on or off), screen capture, and logging keystrokes on infected systems.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1059.003 T1056.001 T1113 T1125 T1105 T1071.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_XTRAT {
    meta:
        description = "Detects Xtrat (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "xtrat" ascii wide nocase
        $s2 = "xtreme rat" ascii wide nocase
        $s3 = "xtremerat" ascii wide nocase
        $s4 = "xrat" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Xtrat Activity
id: b6517930d2bcf040321a75d630c20717
status: experimental
description: Detects generic indicators of the xtrat malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*xtrat*"
            - "*xtreme rat*"
            - "*xtremerat*"
            - "*xrat*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Xtreme RAT?

Xtreme RAT (XTRAT, ExtRat) is a Windows remote access trojan and backdoor. According to Malpedia, citing Trend Micro, it lets a remote attacker steal information from and control an infected computer.

What can Xtreme RAT do on an infected system?

Per Malpedia's description, Xtreme RAT can receive commands to manage files (download, upload, and execute), manage the Windows registry (add, delete, query, and modify keys), run shell commands, control the computer (including shutdown and logging the user on or off), capture the screen, and log keystrokes.

What has Xtreme RAT been used for?

Malpedia notes that Xtreme RAT has been used in targeted attacks, including 2012 campaigns against Israeli and Syrian government targets, and associates the family with the Molerats threat actor.

Is Xtreme RAT a keylogger?

Keylogging is one of its capabilities. Malpedia states that, in addition to its backdoor command features, Xtreme RAT can log the keystrokes of infected systems, which can be used to capture credentials and other typed information.

What other names is Xtreme RAT known by?

Malpedia lists the family under the symbol win.extreme_rat with the common name Xtreme RAT and the alias ExtRat. It is also commonly abbreviated XTRAT in antivirus detections.

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/xtrat.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.