GovRAT

GovRAT is a trojan that exploits vulnerabilities in the Windows OS and was designed to target US military and government agencies using sophisticated cyberespionage capabilities. The first version was discovered for sale on a dark web marketplace in November 2015, priced at 4.5 Bitcoin. Recently, the developer began offering a second version of the malware, GovRAT 2.0, for sale on a dark web forum. GovRAT 2.0 includes anti-debugging and detection-evasion features, automatic mapping of hard drives and network shares, file transfer and remote code execution capabilities, a keylogger, Tor support, and the ability to sniff network passwords. It also acts as a worm, copying itself to connected external drives, such as USB flash drives, to spread the infection to other systems. In most cases, GovRAT 2.0 attacks take place via drive-by download and server-side compromise. The basic binaries and C2 code for GovRAT 2.0 are for sale on the dark web for $1,000 USD, and the entire software package, including the source code, costs $6,000 USD.

Reporting

  • November 2015: Security experts at InfoArmor discovered GovRAT, a trojan offered to APT groups on the dark web. (Security Affairs)
  • September 2016: InfoArmor published a full report on GovRAT 2.0. (InfoArmor)
 

One example of the GovRAT trojan. Image Source: Softpedia