LuminosityLink remote access trojan (RAT) is a malware family that was first identified in May 2015 and claims to be a system administration utility; however, it is a keylogger and backdoor typically used by cybercriminals. It allows attackers to host a LuminosityLink server as well as generate customized binaries, obfuscated with ConfuserEX 0.4.0 – an open-source project that obfuscates the underlying .NET code, making it difficult to reverse engineer. When LuminosityLink executes, attackers have access to a keylogger, password stealer, and a remote desktop, and can interact with a shell on the device. As of July 2016, LuminosityLink’s author was selling it for $40, which makes it an affordable and readily available option for cybercriminals to use against individuals and organizations.


  • June 2015: Sundown Exploit Kit Spreads LuminosityLink RAT. (Proofpoint)
  • January 2018: The UK's National Crime Agency (NCA), with assistance from Europol and law enforcement agencies across Europe, Australia, and North America, has taken down the LuminosityLink RAT operation. (ESET)

Technical Details

  • Palo Alto Networks provides technical analysis on LuminosityLink, available here.