top of page
  • Admin

Meet Escanor RAT. What The New, Spying, Thieving, Dirty Trickster Trojan Is Up To

Published: November 21, 2022 on our newsletter Security Fraud News & Alerts Newsletter.

Cybersecurity researchers discovered a new RAT (remote access trojan) having its way with many big-bank victims. The RAT named Escanor was found leveling its spyware on financial institutions, able to steal data making them ripe for the picking. International banks in 10 countries, including in the U.S., have been attacked by Escanor, with the trojan forging paths directly to their vaults, so to speak. This is a RAT we should all know about, especially since who and where Escanor will strike next is unknown.

Earlier this year on January 26th, Resecurity researchers found Escanor for sale on the dark web. For the right price, experienced and wannabe hackers purchase the remote access trojan for their own use. Escanor gained popularity building a trustworthy reputation amongst thieves, and its 28,000+ Telegram subscribers.

Being a type of trojan spyware, Escanor originally infected the widely used Microsoft Office and Adobe PDF files on PC devices only. Most recently, Resecurity finds this RAT also being delivered via Escanor Exploit Builder. Hackers send targets fraudulent documents from known online services, designed as notifications and invoices, for them to open and unleash the RAT.

What Escanor’s PC and Mobile Versions Can Do

Resecurity says of Escanor RAT for PC’s “The tool can be used to collect GPS coordinates of the victim, monitor key strokes, activate hidden cameras, and browse files on the remote mobile devices to steal data…” These functions, along with potentially even more tools added by hackers for additional crimes, at the very least gives them what they need to compromise financial institutions.

For those cybercriminals partial to attacking mobile devices, Escanor has another version available called “Escape-RAT” or “Esca-Rat” made especially for use on mobile devices. This version intercepts OTPs (one-time passwords) from online banking users that verify their identity. Once the attacker is viewed as legitimate, they have control of the victim’s account, allowing them to release the spyware. It too has the spying abilities of Escanor, adding to it browsing files for valuable data and activating hidden cameras.

As always, watch for potential phishing attempts when perusing your email messages. With over 100 of them arriving in your inbox on a daily basis, it’s easy to quickly react. But don’t! Take some time and be sure that if the sender is unknown, don’t click on links or attachments. Also, phishing can appear to be from anyone these days. So even if you do recognize the sender, but aren’t expecting an attachment or link, contact them independently of the email to verify it’s legit. If the message makes you feel anxious and gives a sense that something bad may happen if you don’t act now, the message is likely phishing for something.

In a world where anyone can purchase malware like Escanor online and customize it with their own cyber-tricks, no one is sure where and how this RAT will reappear. As Cyware Social sees the future of Escanor, “Similarities with past incidents indicate that the attacker may be developing this new malware by leveraging past experiences and malware code…this threat actor may be planning for making further investments and enhancements in this malware.” Let’s hope that doesn’t happen, but know that it could.

Keep up to date: Sign up for our Fraud alerts and Updates newsletter

Want to schedule a conversation? Please email us at


bottom of page