Micropsia is a remote access trojan (RAT) written in the Delphi programming language. It copies itself to a C drive folder and creates a shortcut named "shortcut.exe" that allows it to maintain persistence. It then retrieves an executable from its C2 server that is downloaded in string format and modified to become a binary file. In the file, an obfuscation algorithm is used to hide the configuration of the RAT. Micropsia can remotely control infected systems. It was first identified in April 2017 in a spear phishing campaign targeting Palestinians, specifically Palestinian law enforcement agencies. The spear phishing email has an attached a RAR file that contains an executable that, when launched, extracts and opens a decoy document. The decoy is a scanned document from the Ministry of Interior of the State of Palestine and contains seven pages of new internet usage policies. In the background, Micropsia is executed on the system.


  • June 2017: Threat actors use a spear phishing campaign to spread the Micropsia trojan. (Talos)

Technical Details

  • Talos provides technical details on the Micropsia RAT, here.