Remote Access Trojans are incredibly dangerous. They are one of the few forms of malware that can give someone else near complete control over your device. This means they can control your webcam, take screenshots without your permission, steal your files and data, and more.
Warning signs of a Remote Access Trojan include the following:
- A slow device with poor performance
- Antivirus and security measures that aren’t working as they should
- A webcam that’s activated even though you’re not using it
- Suspicious files on your hard drive that you don’t remember downloading
- Processes in Task Manager that you don’t recognize
At a minimum, we always recommend using a good antivirus solution to protect yourself from more basic RATs. This could be an experienced antivirus provider like Bitdefender, which is known to block specific RATs, like Proton RAT.
You can also take additional protection measures against RATs by:
- Using a properly configured firewall
- Always installing system updates
- Not opening links and emails that originate from an unknown sender
- Being on the lookout for phishing scams
For more tips on how to protect yourself and what to do if your device is infected with a RAT, read the complete article below.
Many of us are familiar with the term “Trojan,” but what is a Remote Access Trojan (RAT)? RATs can wreak absolute havoc on your system by remotely controlling it. They can quietly go through your documents and private files or breach your firewalls and security systems.
How do RATs operate and infect your system? What types of RAT malware exist, and how do you spot and remove them? We’ll answer all these questions and more in this extensive guide.
What Is a Remote Access Trojan (RAT)?
Remote Access Trojans are designed to grant a cybercriminal extensive unauthorized remote access to a victim’s computer. In this sense, they’re similar to legitimate remote access programs, such as TeamViewer. Many RATs even started out as legitimate remote access tools.
RAT access can entail secret surveillance of your system and files. As far as their spying capabilities go, many RATs are like spyware and keylogger programs in one. This means RATs can access your browser history, emails, and chat logs, but they also register your keystrokes and, therefore, any sensitive information you’re typing.
There’s more: RAT operators are able to change your settings, steal your files, and use the target system for illegal activities. This combination of spying capabilities and complete administrative control over your system makes RATs so devastating.
How common are Remote Access Trojans?
According to the Cybersecurity and Infrastructure Security Agency (CISA), the Remote Access Trojan is one of the most common types of modern malware. In 2021, it was one of the four most common strains of malware. Other popular malware types included banking Trojans, “information stealers” (spyware and keyloggers), and ransomware.
RATs have been around since the late 90s, but they have become much more advanced and grown in number over time. In the last decade alone, over 250 new types have been discovered.
The capabilities of a RAT program depend on its type and the specific malware involved. Further down, we’ll discuss some well-known RATs, but first, we’ll explain how a RAT infects a target computer.
How Do Remote Access Trojans Infect Your System?
RATs can infect your (mobile) device in many different ways. Often, the attacker will have to earn a victim’s trust to get them to click on an infected link or download an infected program. We’ll discuss some of the most common infection methods below.
1. Infected (email) attachments
Cybercriminals can infect your system with RAT malware by using malicious email attachments. Downloading the RAT-infested attachment will also download and install the Remote Access Trojan on your computer.
Often, this tactic relies on crafty social engineering methods. In other words, the attacker will entice you to click on or download the attachment with a made-up but plausible-sounding story.
This infection method can be used with any type of attachment. It doesn’t specifically have to be an email attachment. Rather, this technique can be used on any platform that allows for file-sharing.
2. Infected links and pages
Apart from dangerous attachments, infected web pages or links can also host RATs. This means some pages could contain RAT-infested files that they encourage visitors to download.
An infected system can also result from simply clicking on a malicious link, however. Nowadays, so-called drive-by downloads of malware are very common. This means malware can download itself on your system without your knowledge or permission if you visit a dangerous URL.
3. Fake software downloads
Cybercriminals often hide their RATs in legitimate(-looking) software, so they can infect the device of anyone who downloads that software. This is one of the most popular ways for a RAT attack to infect a system.
Remote Access Trojans often hide in fake but legitimate-looking antivirus software, but they are just as likely to be found in pirated games or cracked business applications. This ties in with the next popular way in which RATs might reach your system: through torrenting.
4. Torrenting platforms
Torrenting platforms make it easy to access movies, music, games, and other digital media. However, they are also a common way in which unsuspecting downloaders contract dangerous malware, such as Remote Access Trojans.
Popular torrent files, whether they’re software downloads or the latest blockbuster, get downloaded by thousands or even millions of users. Therefore, it’s no surprise many cyber criminals decide to use torrenting platforms to distribute RATs and other malware. All they have to do is conceal the malicious functionality as a popular movie or piece of software, and victims will download it of their own accord.
5. Help desk scams
Up until now, we’ve discussed ways in which criminals convince you to download and install RATs on your system. However, sometimes criminals find a way to get (partial) access to your system instead so they can install the malware themselves.
One way to get access to your system could be through so-called help desk scams. A scammer will contact you and pretend to be a (technical) support representative of a large company, such as Microsoft. They’ll talk you into giving them access to your system to resolve a made-up issue. Subsequently, they can damage your system in various ways, including leaving behind malware such as RATs.
Popular Remote Access Trojans
Some Remote Access Trojans take control of your camera and microphone, while others steal sensitive information from your device.
In this section, we’ll list some of the most well-known Remote Access Trojans, discuss how they can affect your device, and delve into some of their characteristics.
FlawedAmmyy: A dangerous hacking RAT targeting Windows PCs
FlawedAmmyy is one of the most common modern RATs used by PC hackers. It’s based on the leaked source code of Ammyy Admin, a legitimate administration tool for business.
Since FlawedAmmyy uses information from a tool that allows remote control, this RAT is especially dangerous. It has a lot of advanced built-in remote access features, such as:
- The ability to take and collect screenshots
- Access to the file system of your PC
- The power to control your camera and microphone
A device infected with FlawedAmmyy is a huge privacy risk. Among other things, it could spy on you through your webcam and see what you’re doing on your screen at any moment.
AndroRAT: A dangerous Trojan targeting Android devices
As the name implies, AndroRAT malware targets Android users. Its developers initially created it as a research project to demonstrate their ability to remotely control Android phones. As such, the code is even publicly available on GitHub.
Unfortunately, many criminals have adopted it for non-research purposes. This makes sense, as it’s easy to inject this hacking RAT’s code into legitimate apps. This allows cybercriminals to develop their own apps and hide the RAT in them.
AndroRAT includes several functions to monitor smartphone user behavior:
- Camera and microphone access
- Call monitoring
- GPS tracking
In other words, if your phone has an AndroRAT in it, your location and calls are no longer private.
Sub7: Vintage RAT malware that steals information from Windows PCs
Sub7 is one of the oldest Remote Access Trojans. Its creator, a hacker that goes by “Mobman,” released this Trojan in 1999. Despite being over 20 years old, Sub7 still has a user base, likely because of its notoriety.
Sub7 was created to attack Windows machines. The original version can do all sorts of harm, such as:
- Take over the victim’s webcam and microphone
- Turn your monitor on or off
- Steal passwords to your online accounts and other sensitive information
- Take screenshots
You might think there’s no reason to worry about 20-year-old malware. However, new releases of Sub7 have popped up over the years. As recently as 2021, members of the Sub7 “fan base” released the so-called Sub7 legacy version. This version is claimed to be for “secure, legal operation” only. Nevertheless, cybercriminals might find ways to use this program or its code for illegal purposes.
DarkComet: A dangerous RAT that can (ab)use your network
Going back to more modern RAT malware, we’ve got DarkComet. This advanced Remote Access Trojan was released in 2011 and grew in popularity from 2012 onwards. Although the developer stopped the project and no longer offers new downloads of this RAT, cybercriminals still use it to this day.
DarkComet has the following capabilities, among others:
- Sound capture from the victim’s microphone
- Capturing webcam images and videos
- Keylogging
- Unhindered interaction with the victim’s desktop
Some claim DarkComet was used during the Syrian civil war in 2014 when Syrian authorities took advantage of this hacking RAT to spy on Syrian human rights activists.
Proton RAT: A danger to Mac users
Most RATs tend to focus on Windows PCs or Android devices. Proton RAT, however, targets Mac users.
Although Macs have a reputation for being more secure than Windows devices, a lot of Macs got infected with Proton RAT a few years ago. The RAT’s distributors hid the Trojan in a video conversion program for Mac called HandBrake.
As for the RAT’s capabilities, it can cause damage in a variety of ways, including:
- Exercising full control over your webcam
- Keylogging
- Bypassing two-factor authentication
- Accessing your iCloud account and stealing your data
Over time, this RAT has shown up in different kinds of legitimate software. In the case of Elmedia Player, it even hid in the official downloads on the distributor’s website after they suffered a security breach. This breach has since been closed, and Proton RAT no longer affects the software.
Remote Access Trojan Symptoms
Although there are literally hundreds of different RATs, certain symptoms are shared by a lot of them. If you encounter some (or all) of the issues mentioned below on your device, this might mean your machine is infected by a RAT.
1. Your device suddenly slows down
If your device is suddenly a lot slower, there is a good chance some malware has found its way onto your PC or phone. This might just be a Remote Access Trojan.
RATs, like many types of malware, use up a lot of system resources. This can affect your system’s performance and speed.
It’s very easy to check if your PC’s components are suddenly experiencing unusually heavy loads. You can also view which programs are using up most of your system resources. To do this on Windows, simply follow these steps:
- Click on the Windows logo on your keyboard or in your taskbar.
- Type “Task Manager” and click on the app icon.
- You will see the Task Manager window on your screen.
- Have a look at all the programs running in the background.
Through the Task Manager, you can also see exactly how much of your processing power, RAM, storage, and network capacity these processes are using.
On Mac, the process overview window is aptly called the “Activity Monitor.” To access it and check how your system resources are being used, follow these steps:
- Click on the spotlight icon (the little magnifying glass) in the top right corner of your screen.
- Type “Activity Monitor” and click on the first option that appears.
- Check if any programs are using up suspicious amounts of system resources.
On Mac, system resources are displayed by category, so you can check out each component or type of resource separately: CPU, RAM, energy consumption, storage, and network load.
Beware that a slower device doesn’t always mean you have a RAT. You might simply have too much installed on your HDD/SSD. Alternatively, you might have a different type of malware on your device. Therefore, be sure to check out the signs below too.
2. A slow network connection
Apart from your device itself, a slower internet connection can also point to a compromised system. After all, some RATs actually enable cybercriminals to use your network and bandwidth to commit crimes anonymously.
It’s not always easy to check if a RAT is eating up your bandwidth. After all, many of them manage to stay hidden, as we’ll discuss later.
Still, it’s a good idea to have a look at your system resources to see what could be causing a sudden decrease in network speed. To do so, simply follow the steps in the section above: Your device suddenly slows down.
3. Your security measures are not working
A lot of RATs can actually turn off your antivirus program and your firewall. Turning off the former can help them evade detection, while disabling the latter could help them to infect your system with even more malware.
As a result of this, you could start to notice symptoms of other types of malware shortly after noticing possible RAT symptoms. Examples could include a hijacked browser and a ransomware infection, for instance.
To make sure it doesn’t get that far, it’s important to regularly check your antivirus software and firewall. This is also a great way to verify a RAT or other malicious program hasn’t turned off your system’s defenses.
Most antivirus and firewall solutions will clearly let you know whether they are active. In the case of Bitdefender, for instance, you should see a green shield as soon as you open the app.
Moreover, most antivirus software will frequently send you a notification if they’ve been put on non-active.
There is also a way to check on your Windows PC if your antivirus software is currently active. To do so, simply follow these steps:
- Click on the Windows logo on your keyboard or in your taskbar.
- Type “Windows Security” into the taskbar.
- Click on the first result that appears.
- Select “Virus & threat protection.”
- You will now see whether your antivirus software is active, what antivirus software you’re using, and if you need to take any actions to improve your security.
On Mac, the best way to check if you have an antivirus app running (apart from XProtect, which comes standard with all Macs) is by following these steps:
- Click on the launch pad icon (nine little squares of different colors) in your dock or taskbar.
- Scroll through the list of apps that appears to find an antivirus app, or type the name of the app if you know you’ve got an antivirus app installed.
- Open the app.
- Check whether it’s active. In the case of Bitdefender, just check if the little shield in the menu is green.
Note that most antivirus apps will send you frequent notifications, for instance, when they discover a dangerous page. Have you not been getting these notifications for a while? Then it’s best to use one of the methods above to check if your antivirus software is still active.
4. Your webcam is activated when you are not using it
Most Remote Access Trojans can access your webcam. This may result in a blinking webcam indicator light, even when you haven’t turned on your camera. However, this is not always the case. Unfortunately, many RATs can override your device’s firmware and turn off the webcam light.
Some other signs your webcam might be taken over (hacked) by a cybercriminal include the following:
- The webcam process is running. You can check this in your Task Manager.
- There are videos or pictures on your device which you didn’t take.
- An error message claims your webcam is already in use when you try to turn it on.
These are just some of the many signs that your webcam has been hacked.
5. You find untrustworthy applications or processes in your Task Manager
A lot of RATs are very good at hiding themselves in your system. They might employ so-called rootkits or similar methods to hide within the very core of your operating system.
This way, they won’t show up as a process when you open Task Manager. They might even manage to stay undetected from your intrusion detection systems.
Nevertheless, some RATs that are not as advanced, stealth-wise, do show up in your Task Manager. They will likely appear under the name of a legitimate-sounding program to avoid detection.
If you don’t remember installing said program, you can do a quick Google search to see if it’s associated with any malware. For example, when opening Task Manager, instead of seeing the name of a specific program, like Microsoft OneDrive, you may only see the name “Program” with no publisher details. In this case, you can open the Command Line and see where that program is on your computer. If you notice any suspicious behavior, you can have a look on Google for more information about this specific program.
How to Remove a Remote Access Trojan From Your Device
It is seldom easy to remove a Remote Access Trojan from your system. After all, their advanced anti-detection features often help them to hide from antivirus software.
Nevertheless, there are steps you can take to remove RATs. We will list and discuss these from least to most extreme.
1. Remove the (suspected) infected program
The first step you can take to remove a RAT is quite obvious. If you suspect a specific program of harboring a RAT, it’s time to exterminate it. To put that in computer terms: delete the program.
Before doing this, however, we recommend verifying as much as possible that the program actually contains malware. Sometimes this might be relatively easy, as a lot of malware is known and identified already. In this case, you might very well find out if a program contains a RAT or other malware by doing a quick search.
Unfortunately, it’s not always this easy. You might only be able to infer the presence of a RAT. This could be, for instance, because a certain program uses up an unusual amount of system resources. Or perhaps you notice many of the RAT symptoms mentioned above after installing a certain program.
If you have a strong reason to believe a program is infected with a RAT, you can delete it like this (on Windows):
- Click on the Windows icon on your keyboard or in your taskbar.
- Type “Add or remove programs.”
- You are now at “Apps > Installed apps.”
Here you can easily review all your programs and uninstall the ones you want to remove.
To do the same on a Mac, follow these steps:
- Click on the Finder icon. This is the little blue and white smiley in the toolbar at the bottom of your screen.
- Select “Applications.”
- Scroll through your list of apps and remove the ones that are undesired or that you find suspicious.
2. Use good antivirus software
Using good antivirus software can be an easy way to locate and remove a RAT. We recommend using this tactic if you know or suspect you have a RAT but can’t find it among your programs.
It’s true that antivirus programs often have a hard time identifying RATs. However, some RATs can be detected by using good antivirus software. For instance, Bitdefender is able to effectively detect and combat Proton RAT.
Proton Rat is a remote access trojan that targets Mac users. It was initially discovered in 2017 when it was found out it was hiding in a video converter app for Mac called HandBrake.
If you want to use antivirus software to find and remove a Remote Access Trojan, follow these steps:
- Install a good antivirus solution on your device if you don’t have one already. We recommend Bitdefender.
- Open the Bitdefender app and do a “System Scan.” You’ll find this option on your main dashboard.
- If the antivirus software finds any malware, follow the suggested actions to quarantine and delete it. To remove the malware manually, continue reading. If no malware is found, check out RAT-removal methods #3 and #4 below.
- Go to the “Protection” tab within Bitdefender.
- Click on “Open” under “Antivirus.”
- Go to “Settings” and click on “Manage Quarantine” next to “Quarantined Threats.”
- Choose to either remove or restore the files that your virus scanner marked as malware.
Note that the steps described above apply to Bitdefender and Windows 11. Depending on your device, OS, and antivirus software, the steps might look slightly different.
Contact (Bitdefender) support
If your antivirus solution isn’t picking up on any malware, but you do believe you’re dealing with a RAT-infected machine, you can always contact support.
Different antivirus solutions have different processes you should follow. Since we use Bitdefender on Windows, we’ll outline the process of contacting their support staff to help you find an elusive piece of malware on Windows.
First, you will need to generate a BDsys log. BDsysLog is a Bitdefender tool that’s useful for identifying evasive and unknown malware. It performs a deep scan of critical system areas and generates a report of the scan’s findings. Bitdefender’s security experts can use this report to find very elusive malware.
To generate a BDsys log on your Windows PC, follow these steps:
- On the PC that shows signs of a malware infection, use this link to generate a BDsys log.
- Wait till the download has been completed. Close all applications and programs.
- Open the downloaded file and click “Yes” when you’re asked if you want to “allow this app to make changes to your device.”
- Click on “Create Log.”
- Wait while Bitdefender is performing a deep scan of critical system areas.
- Wait until the scan is finished, which should look like this:
- A Windows Explorer window will open up, showing you the generated BDsys log. This is the log you’ll refer Bitdefender’s support staff to.
Once you have generated your BDsys log, you can contact Bitdefender’s support staff. Make sure to choose the email option, as it allows you to add your BDsys log to the conversation. They’ll likely ask you for a description and a screenshot of the malware symptoms as well.
3. Contact a malware removal specialist
Just like the real-life critter, removing a virtual RAT might prove too difficult. So what do you do when your own rat trap and cheese aren’t cutting it? That’s right, time to contact an expert who can bring in some heavier weaponry, like specialized virtual tools.
If your company has been attacked by a RAT, you could try an internationally acclaimed expert like Malwarebytes. However, if it’s your personal device, it might make more (financial) sense to contact a local expert.
It’s always best to look for someone with cybersecurity experience rather than just a general computer technician.
You could try to just walk into or contact a few computer repair stores or tech stores. You might very well find someone who has plenty of know-how regarding malware.
On the other hand, maybe you prefer to look for an expert online, letting client reviews guide you. In that case, you could use a platform like Thumbtack to find virus removal experts close to you.
4. Do a factory reset of your device
If all else fails, you can always reboot your device. Do note that this is a last-resort method. Unless you have made a backup of your data, you will lose all your device’s data during the factory reset. Remember to always make a backup before rebooting or resetting your device to factory settings.
If you do have a RAT on your device, whatever device you use to back up your data will also be infected with said RAT. Therefore, you’d be wise to use a separate storage device for this backup. In other words, use a hard drive that you don’t use for anything else. That is if you are using a physical storage device.
Whether you store your backed-up files on- or offline, don’t transfer them to a non-infected computer or device. Needless to say, this will just serve to spread the RAT infection among your devices.
Here’s how you can completely reset your Windows PC, Mac, Android, or iPhone.
Factory resetting a Windows PC (Windows 11)
- Click on the Windows icon in the toolbar at the bottom of your screen.
- Go to the search field and type “Reset this PC.” Click on the result that appears.
- Click on “Reset PC.”
- Choose whether you want to keep your personal files or remove everything. For your best chance at removing a RAT, the latter is preferred.
- Confirm and follow the steps that appear on your screen.
Unfortunately, it can be incredibly hard to get a RAT off desktop computers. A rootkit program might give a RAT deep access to target operating systems. In this case, even a factory reset won’t be enough.
If this unfortunate scenario applies to you, we’ll have to refer you back to RAT-removal method #3. You’ll have to look for an expert that knows their way around difficult-to-remove hardware. If this doesn’t resolve the issue, we’re afraid it might be time to consider doing a factory reset on your device.
Factory resetting a Mac computer (or MacBook)
- Go to “System Settings.”
- Click on “General.”
- Select “Transfer or Reset.”
- Click “Erase All Content and Settings.”
- Confirm and follow the steps on the screen.
Factory resetting an Android phone
On Android smartphones, usually, a factory reset is enough to get rid of all malware, including RATs. However, this only applies to devices that haven’t been rooted.
Here’s how you can clear your Android device completely.
- Go to “Settings.”
- Tap on “About phone.”
- Select “Factory reset.”
- Click on “Erase all data.”
- Confirm and follow the steps on the screen.
Note: There are some (minor) differences between Android devices. Although the steps should be quite similar, names and menus on your phone might be slightly different depending on your type of Android system.
Factory resetting an iPhone
- Go to “Settings.”
- Tap “General.”
- Select “Transfer or Reset iPhone.”
- Tap “Erase All Content and Settings.”
- Confirm and follow the instructions on your screen.
Note: It’s very rare to find a Remote Access Trojan on iPhones because of their strong security features. Generally, you’ll only see RATs on jailbroken iPhones.
How to Protect Yourself Against Remote Access Trojans
Remote Access Trojans are a very dangerous type of malware. That’s why it’s important to take security measures to keep this type of malware from infecting your device.
- Get a good anti-malware solution on your device to spot RATs and other malware and do regular system scans. Our recommendation is Bitdefender.
- If your antivirus software doesn’t come with a firewall (although uncommon), install a properly configured firewall. Bitdefender does come with its own firewall.
- Always install system updates as soon as they’re available to address security vulnerabilities.
- Update all your (security) programs regularly to avoid exploits and maintain a maximum level of security.
- Avoid downloading “cracked” software. If possible, only download the official version of a program from its authorized distributor.
- Never open web links or email attachments that you don’t trust or that come from someone you don’t know.
- Be wary of phishing and help desk scams. There is a wide range of phishing scams out there, so it’s best to stay informed.
Final Thoughts: Be Wary of RATs and Malware
Remote Access Trojans are among the most dangerous malware types out there. They can literally take over your system remotely. This allows them to monitor user behavior, steal data and files from your device, change your system configuration, and infect your device with more malware.
Fortunately, there are ways to protect yourself from RATs:
- Use a good antivirus program and a secure firewall.
- Always install new system updates as soon as they’re available, as these often contain important security patches.
- Never open any attachments or links from senders you don’t know or don’t trust.
RATs and other malware are not the only online threats. Without using any malware, people can still spy on you and view your browsing history. If you’d like to double up on your antivirus software and also protect your privacy and anonymity, we advise using a VPN like NordVPN.
Be sure to also check out our other articles about staying safe online, such as:
- What Is a Computer Virus? How Can You Protect Yourself?
- What Are Keyloggers and How Can You Protect Yourself From Them?
- What Is Phishing? Be Wary of Fake Emails and Other Scams!
Do you have a specific question about Remote Access Trojans or how they operate? Check out our FAQ down below.
A Remote Access Trojan (RAT) is a type of malware that gives a hacker remote control over your device. Depending on the type of Remote Access Trojan, it can spy on you, take over your device, and more.
What a Remote Access Trojan can do exactly depends on the specific RAT we’re talking about. However, below are some features that are commonly found among RATs:
- Keylogging to steal your data as you’re typing
- Taking screenshots without your permission and awareness
- Accessing your personal files and data
- Using your network and bandwidth for the cybercriminal’s (illegal) activities
- Controlling your webcam
Remote Access Trojan infections happen in many different ways, such as:
- By downloading legitimate-looking software that’s infected
- Through installing cracked software or other files on torrenting platforms
- By opening malicious email attachments or links
- Through phishing and help desk scams
Often, malware detection programs such as Malwarebytes have a hard time detecting Remote Access Trojans. That’s because many use advanced anti-detection techniques. If you’re going to use an anti-malware tool, we recommend a good premium antivirus solution, such as Bitdefender. Bitdefender has a reputation for blocking some dangerous RATs, such as Proton RAT on Mac.