HiatusRAT: A Trojan compromising business-grade routers

HiatusRAT is a type of malware known as a Remote Access Trojan (RAT). Cybercriminals employ remote access Trojans to take over and control a target device from a distance. In its most current iteration, HiatusRAT appears to have been in use since July 2022. The Hiatus campaign primarily targeted outdated i386-based DrayTek Vigor models 2960 and 3900.

A never-before-seen campaign utilizing infected routers was discovered and named ‘Hiatus.’ When it infects business-grade routers, it distributes two malicious programmes: the Remote Access Trojan (RAT) and a version of tcpdump that permits packet capture on the target device.

After infection, HiatusRAT gives the attacker remote access to the compromised machine. The packet-capture programme lets the threat actor track activity on router ports relevant to file transfers and email conversations. It is unknown how the Hiatus campaign gains initial access, but it is known that once access is gained, the attackers use a bash script to download and run HiatusRAT and a packet-capture programme.

Routers can be effective places for threat actors to install malware, frequently for cyberespionage. Routers typically run customized versions of current operating systems and are frequently less secure than regular devices. As a result, routers are an attractive target for attackers, but they can be more difficult to break into and use effectively than an ordinary endpoint or server.

Other features of the malware include the ability to change its configuration file; give the attacker access to a remote shell; read, delete, and upload files; download and run files; and enable SOCKS5 packet forwarding or plain TCP packet forwarding.

HiatusRAT has been observed in attacks targeting organizations in the Middle East, particularly in Saudi Arabia, Southeast Asia, and Europe. The malware is known to target industries including finance and energy, as well as several government facilities.

