type: entity | family: xenorat | confidence: high | created: 2026-06-05 | updated: 2026-06-05 | tags: malware-family, rat, dotnet, c2, persistence, defense-evasion, discovery, collection, mitre-attck

XenoRAT

Overview

Open-source .NET Framework remote-access trojan (RAT) authored by moom825 and distributed as both a builder and standalone payloads. Active in-the-wild deployments are typically builder-generated binaries masquerading as "Windows Update" or similar system utilities. The binary itself is not encrypted; builders rely on the version-info masquerade and social engineering.

Build Stack

  • .NET Framework 4.0–4.8 target (MSBuild IL output)
  • No packer, no obfuscator (plain C# async/await compiled to IL)
  • Version-info masquerade with fabricated Microsoft identity
  • Unsigned; Authenticode absent

Deploy / TTPs

  • C2: Async TCP with parent Node + child subNodes; raw framing with LZNT1 compression and AES encryption
  • Persistence: Registry Run keys + startup folder + schtasks
  • Discovery: WMI AV / hardware enumeration, active-window caption, idle-time, machine/user name
  • Plugin loading: Reflective via AppDomain.CurrentDomain.AssemblyResolve
  • Anti-analysis: Minimal; capa flags only VM string references (Xen)

Variants / Aliases

  • Known builder versions: v1.x–v3.x (GitHub repo moom825/xeno-rat)
  • In-the-wild samples often strip the moom825 string but retain the xeno_rat_client namespace
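
As an added triage example (not part of this entity page or the xeno-rat project), a Python check that combines the markers listed under Build Stack and Variants: the xeno_rat_client namespace retained after the moom825 string is stripped, and a Microsoft CompanyName in the version resource of an otherwise unsigned .NET binary. The BSJB metadata-signature check, the constructed sample bytes and the verdict wording are this example's own assumptions.

```python
import re
from dataclasses import dataclass

DOTNET_SIG = b"BSJB"  # metadata root signature present in every .NET assembly


def _ascii_or_utf16(s: str) -> re.Pattern:
    """Type names sit in the ASCII #Strings heap; user strings and resources are UTF-16LE."""
    return re.compile(re.escape(s.encode("ascii")) + b"|" + re.escape(s.encode("utf-16-le")))


# VS_VERSIONINFO String entry: "CompanyName\0", 0-2 bytes of DWORD padding, value (all UTF-16LE).
_MS_COMPANY = re.compile(
    re.escape("CompanyName".encode("utf-16-le")) + b".{2,4}"
    + re.escape("Microsoft Corporation".encode("utf-16-le")), re.DOTALL)

MARKERS = {
    "xeno_rat_client_namespace": _ascii_or_utf16("xeno_rat_client"),
    "moom825_author_string": _ascii_or_utf16("moom825"),
}


@dataclass
class Triage:
    is_dotnet: bool
    hits: dict
    microsoft_masquerade: bool
    verdict: str


def triage(data: bytes) -> Triage:
    """Return marker hits and a one-line verdict for a file image."""
    is_dotnet = DOTNET_SIG in data
    hits = {name: pat.search(data) is not None for name, pat in MARKERS.items()}
    masquerade = _MS_COMPANY.search(data) is not None
    if is_dotnet and hits["xeno_rat_client_namespace"]:
        verdict = "xenorat-like"
        if not hits["moom825_author_string"]:
            verdict += " (author string stripped)"
        if masquerade:
            verdict += ", Microsoft version-info masquerade"
    else:
        verdict = "no XenoRAT markers"
    return Triage(is_dotnet, hits, masquerade, verdict)


def _version_block(company: str) -> bytes:
    # Constructed VS_VERSIONINFO String fragment: key, NUL terminator, 2 pad bytes, value.
    return "CompanyName".encode("utf-16-le") + b"\x00\x00\x00\x00" + company.encode("utf-16-le")


# Constructed stand-ins, not real samples: an "author string stripped" payload that
# keeps the namespace, and a benign-looking .NET binary with the same CompanyName.
SAMPLE_STRIPPED = b"MZ" + DOTNET_SIG + b"xeno_rat_client.Program\x00" + _version_block("Microsoft Corporation")
SAMPLE_CLEAN = b"MZ" + DOTNET_SIG + b"Contoso.App\x00" + _version_block("Microsoft Corporation")
```

A Microsoft CompanyName on its own is not a finding (the clean sample carries one too); it only sharpens a verdict that the namespace marker already supports.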

Notable Analyses

  • 6133cd0b — full static deep-dive; LZNT1, async state machines, DDoS recv variants ^[/intel/analyses/6133cd0b2a8a7a1ecf353ae072c1e64934bfbeb0693cb7dc59d6d55173d6e0a7.html]

Capabilities

  • async-tcp-c2-node-subnode
  • lznt1-compression-nt-api
  • aes-md5-traffic-encryption
  • registry-run-persistence
  • scheduled-task-persistence
  • wmi-system-discovery
  • assemblyresolve-reflective-plugin-loading
  • ddos-stress-recv-variants
  • active-window-capture
  • idle-time-monitoring
  • console-capture-exfil

Related