Xtreme RAT (also known as XTRAT and ExtRat) is a Windows remote access trojan. As documented by Malpedia (Fraunhofer FKIE), which cites Trend Micro, it is a backdoor that allows a remote attacker to steal information and control an infected system. It has been used in targeted attacks, including 2012 campaigns against Israeli and Syrian government targets, and is associated with the Molerats threat actor. Its capabilities include file management (downloading, uploading, and executing files), registry management, executing shell commands, computer control (such as shutdown and logging the user on or off), screen capture, and logging keystrokes on infected systems.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1059.003 T1056.001 T1113 T1125 T1105 T1071.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_XTRAT {
meta:
description = "Detects Xtrat (rat)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "xtrat" ascii wide nocase
$s2 = "xtreme rat" ascii wide nocase
$s3 = "xtremerat" ascii wide nocase
$s4 = "xrat" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Xtrat Activity
id: b6517930d2bcf040321a75d630c20717
status: experimental
description: Detects generic indicators of the xtrat malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*xtrat*"
- "*xtreme rat*"
- "*xtremerat*"
- "*xrat*"
condition: selection
level: mediumXtreme RAT (XTRAT, ExtRat) is a Windows remote access trojan and backdoor. According to Malpedia, citing Trend Micro, it lets a remote attacker steal information from and control an infected computer.
Per Malpedia's description, Xtreme RAT can receive commands to manage files (download, upload, and execute), manage the Windows registry (add, delete, query, and modify keys), run shell commands, control the computer (including shutdown and logging the user on or off), capture the screen, and log keystrokes.
Malpedia notes that Xtreme RAT has been used in targeted attacks, including 2012 campaigns against Israeli and Syrian government targets, and associates the family with the Molerats threat actor.
Keylogging is one of its capabilities. Malpedia states that, in addition to its backdoor command features, Xtreme RAT can log the keystrokes of infected systems, which can be used to capture credentials and other typed information.
Malpedia lists the family under the symbol win.extreme_rat with the common name Xtreme RAT and the alias ExtRat. It is also commonly abbreviated XTRAT in antivirus detections.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/xtrat.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.