The sub-techniques beta is now live! Read the release blog post for more info.


NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [1]

ID: S0247
Platforms: Windows
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

NavRAT leverages cmd.exe to perform discovery techniques.[1]

Enterprise T1074 Data Staged

NavRAT writes multiple outputs to a TMP file using the >> method.[1]

Enterprise T1056 Input Capture

NavRAT logs the keystrokes on the targeted system.[1]

Enterprise T1057 Process Discovery

NavRAT uses tasklist /v to check running processes.[1]

Enterprise T1055 Process Injection

NavRAT copies itself into a running Internet Explorer process to evade detection.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.[1]

Enterprise T1105 Remote File Copy

NavRAT can download files remotely.[1]

Enterprise T1064 Scripting

NavRAT loads malicious shellcode and executes it in memory.[1]

Enterprise T1071 Standard Application Layer Protocol

NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.[1]

Enterprise T1082 System Information Discovery

NavRAT uses systeminfo on a victim’s machine.[1]

Groups That Use This Software

ID Name References
G0067 APT37

NavRAT is linked to APT37 with medium confidence.[1]