Skip to main content

BitRAT Remote Access Trojan delivered by APOMacroSploit Malware Builder

BitRAT is a Remote Access Trojan (RAT) that has been observed recently being delivered by APOMacroSploit Malware Builder.
Threat ID:
Trojan, Exploit
Threat Severity:
Threat Vector:
26 February 2021 11:14 AM
Report a cyber attack: call 0300 303 5222 or email


BitRAT is a Remote Access Trojan (RAT) that has been observed recently being delivered by APOMacroSploit, a macro exploit generator that can bypass antivirus software and phishing detections.

Affected platforms

The following platforms are known to be affected:

Threat details


First observed in November 2020, BitRAT Remote Access Trojan (RAT) has been seen delivered by APOMacroSploit, a tool that allows users to create malicious Excel documents, which are able to bypass several detection mechanisms.


BitRAT is delivered via spam campaigns attached as a malicious XLS documents. APOMacroSploit enables the document to bypass email-based phishing detection and when downloaded, bypass the Windows Antimalware Scan Interface (AMSI) and any antivirus software present on the victim’s machine.

Once downloaded, the infection chain starts when the dynamic content is enabled within the XLS document, the macro then calls out to cutt[.]ly which pulls down multiple BAT scripts as well as a Delpti Cryptor file ‘fola.exe’. This executable is then responsible for loading a VBS file into the system’s startup folder to enable persistence and to drop BitRAT onto the system.


BitRAT, once loaded, is capable of controlling the system via command and control (C2) servers, which may involve activities such as viewing webcams, logging keystrokes, mining cryptocurrencies as well as uploading and downloading additional files to the infected system.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise



Last edited: 26 February 2021 2:06 pm