GovRAT is a trojan that exploits vulnerabilities in the Windows OS and was designed to target US military and government agencies using sophisticated cyberespionage capabilities. The first version was discovered for sale on a dark web marketplace in November 2015 for the price of 4.5 Bitcoin. Recently, the developer began offering a second version of the malware, GovRAT 2.0, for sale on a dark web forum. GovRAT 2.0 includes anti-debugging and detection evasion features, the ability to automatically map hard drives and network shares, file transfer and remote code execution capabilities, a keylogger, Tor support, and the ability to sniff network passwords. It also acts as a worm, copying itself to connected external drives, such as USB flash drives, in order to spread the infection to other systems. In most cases, GovRAT 2.0 attacks take place via drive-by download and server-side compromise. The basic binaries and C2 code for GovRAT 2.0 are for sale on the dark web for the price of $1,000 USD and the entire software package, including the source code, costs $6,000 USD.


  • November 2015: Security experts at InfoArmor discovered GovRAT, a trojan offered to APT groups on the dark web. (Security Affairs)
  • September 2016: InfoArmor published a full report on GovRAT 2.0. Sold on Dark Web cybercrime forums by a hacker or hackers who go by the nicknames "BestBuy" and “Popopret,” and targets U.S. military and government agencies. (InfoArmor)
  • July 2017: The hacker or hackers responsible for GovRAT may be linked to the perpetrator(s) who controlled the Mirai botnet that targeted Deutsche Telekom. (KrebsOnSecurity)

One example of the GovRAT trojan. Image Source: Softpedia

Trojan VariantsNJCCICGovRAT