“You dirty RAT” – Spy versus Spy in the cybercrime underworld
Thanks to Gabor Szapannos of SophosLabs, who did the hard work behind this article.
Not all malware is ransomware, even though ransomware hogs the spotlight these days.
Keyloggers are still popular in the cyberunderworld, because they help crooks to steal your passwords.
Armed with your email password, for example, crooks can pull off much more audacious crimes than ransomware, such as business email attacks, also known a CEO fraud or wire-wire scams.
That’s where a crook logs in with a stolen password to send an email that doesn’t just look as though it came from your CEO’s account, it really did come from her account.
The fraudulent email in a wire-wire scam won’t be a demand for $300 in bitcoins, which is a typical price-point in ransomware, but an official-sounding corporate instruction to put through a massive funds transfer.
The amount may be $100,000 or even more, and the email will typically claim that that the funds are part of time-critical business venture such as an acquisition, to justify both the large sum and the urgency.
In other words, there’s still big money in keyloggers.
One of the most popular keyloggers these days is KeyBase, a product that was originally sold as a legitimate application before being abandoned in apparent disgust by its author:
But KeyBase lives on, with cybercrooks giving it a new home all over the cybercriminal underground.
Dishonour among thieves
Sometimes crooks turn on their own kind, as happened here.
A user on the popular underground site leakforums, going by the name pahan12, popped up offering a PHP Remote Access Trojan called SLICK RAT:
The SLICK RAT download contained an installer:
But newbie crooks who ran the installer didn’t get what they paid for.
They ended up infected with the KeyBase data stealer instead, and their stolen passwords were sent off to a data-collection website. (The “Pahan” connection continued here, because the URL contained the text pahan123.)
Our guess is that Pahan was after his victims’ logins for leakforums and other hacker sites, in order to build up his rank in the underground.
He went after users on other crime forums, too, like this offensivecommunity post offering the same RAT with the same screenshot:
As it is a php rat it doesnot required any port forward.
those having problem to port forwarding or those are in restricted network firewall try this…
its having all features like othr rat
IF anyone need this email me its cost 20$
Interestingly, Pahan has a history of this sort of double-cross, promoting one cybercrime tool but infecting it with another.
Here’s an example from November 2015, when pahan was offering a malware scrambling tool called Aegis Crypter:
Cryptors take an existing malware program as input, and churn out a modified, scrambled, compressed and obfuscated program file as output, in the hope that this will bypass basic virus-blocking tools.
But Pahan’s version of Aegis included its own “secret sauce”: a zombie Trojan called Troj/RxBot than hooks up infected computers to an IRC server from which remote command-and-control instructions can be sent to the network of zombies.
The IRC channels on the server that were used by Pahan’s zombie were pahan12 and pahan123.
And in March 2016, a user going by pahann was promoting a version of the KeyBase toolkit, which can be used to generate keylogger files to order:
This KeyBase malware generation toolkit was itself infected, in a weird sort of “malware triangle”:
Amusingly (if cybercriminality can ever truly be funny), the COM Surrogate warning you can see in the popup warning above installed the very same Troj/RxBot zombie variant as the turncoat version of Aegis Crypter, as well as installing a completely different keylogger called Cyborg.
By this time, things were getting quite complicated for Pahan, who had samples of SLICK RAT for sale that were infected with KeyBase; of Aegis Crypter infected with Troj/RxBot; and of KeyBase infected with COM Surrogate, which delivered Troj/RxBot and Cyborg.
Things didn’t go so well for the duplicitous Pahan, a.k.a. Pahan12, a.k.a. Pahan123, a.k.a. Pahann, after that.
Last week [2026-08-11], when we were looking around to see what Pahan had been up to recently, we found this intriguing screenshot amongst the data and postings relating to him:
Click on image for full screen view.
We can’t be certain, but we think it’s pretty likely that Pahan/12/123/n has managed to infect himself with one or more of the malware samples he’s been juggling recently.
We think the screenshot above was grabbed from his own computer.
So, if you’ve ever wondered what a cybercrook keeps up his sleeve, this might give you some ideas: we can see a ransomware sample, various pre-prepared malware binaries, scanners, a sniffer, remote access tools and more.
Maybe his next step will be to scramble his own files with the ransomware we can see stashed there in his Google Drive account?
So, if you had to write the story “What Pahan did next?”…
…what would you say? (And if you could choose, what would you wish for?)