Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader known as Carp; the delivery relies on malicious macros in Microsoft Excel documents that compile embedded C# source code into an executable, which then runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get victims to enable and run the macros.
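The delivery chain described above (an Excel macro compiling embedded C# and running the result) leaves a recognisable parent/child trail in process-creation telemetry. The script below is an added, defender-side example written for this page, not code from Palo Alto Networks or from the malware analysis: it flags an Office application spawning the .NET C# compiler and the later execution of the binary that compile produced. The key="value" event format, the assumption that the compile step surfaces as EXCEL.EXE launching csc.exe with an /out: path, and the sample events are all constructed.

```python
import re

# Constructed key="value" process-creation events (not from the page). Assumed
# chain: EXCEL.EXE launches csc.exe with an /out: path, then runs that binary.
SAMPLE_EVENTS = [
    'Id="1" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'Image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe" '
    'CommandLine="csc.exe /noconfig /out:C:\\Users\\alice\\AppData\\Local\\Temp\\q1.exe '
    'C:\\Users\\alice\\AppData\\Local\\Temp\\q1.cs"',
    'Id="2" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'Image="C:\\Users\\alice\\AppData\\Local\\Temp\\q1.exe" CommandLine="q1.exe"',
    'Id="3" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'CommandLine="EXCEL.EXE invoice.xlsm"',
    'Id="4" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'Image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe" '
    'CommandLine="csc.exe /out:C:\\dev\\app.exe app.cs"',
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
OUT_RE = re.compile(r"/out:(\S+)", re.I)

def parse_event(line):
    """Split one key="value" record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Return (event id, reason) pairs for the Office -> compiler -> binary chain."""
    findings = []
    compiled_by_office = set()  # lower-cased /out: targets built under an Office parent
    for line in lines:
        ev = parse_event(line)
        parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        if parent in OFFICE_APPS and image in DOTNET_COMPILERS:
            findings.append((ev.get("Id", "?"), f"{parent} spawned {image}"))
            m = OUT_RE.search(ev.get("CommandLine", ""))
            if m:  # remember the compiler output so its later execution is also flagged
                compiled_by_office.add(m.group(1).lower())
        elif ev.get("Image", "").lower() in compiled_by_office:
            findings.append((ev.get("Id", "?"), "ran binary compiled by an Office macro"))
    return findings
```

Event 4 (a developer build from cmd.exe) is deliberately left unflagged: the signal is the Office parent, not csc.exe itself.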

The RAT collects victim information and uploads it to the C2 server, including:

  • Username

  • Hostname

  • Campaign Identifier

  • Microsoft Windows version

  • Victim unique identifier

  • Processor architecture

  • Malware version

Cardinal has a number of features, including:

  • Collect victim information

  • Update settings

  • Act as a reverse proxy

  • Execute commands

  • Uninstall itself

  • Recover passwords

  • Download and execute new files

  • Log keystrokes

  • Capture screenshots

  • Update Cardinal RAT

  • Clean cookies from browsers

  • March 2019: Cardinal targets fintech and cryptocurrency trading companies to harvest credentials, passwords, and other confidential information. This campaign also introduced obfuscation techniques to hide the underlying code. (Unit 42 of Palo Alto Networks)

Technical Details

  • Palo Alto Networks provides a technical analysis of the Cardinal RAT, available here.