An effective type of trojan malware that provides full backdoor access to Windows systems can be purchased for almost nothing on underground forums.

It also appears that the backdoor malware, dubbed DCRat, is being created and maintained by a single individual. The trojan was first discovered in 2018, but it has been redesigned and relaunched since then.

As I mentioned above, the malware is very cheap; it can be purchased for only $5. Given the low price, some might think that it delivers only limited capabilities, but DCRat “can do better than that”. Among other things, the trojan is able to collect personal information like usernames and passwords, credit card information, browser history, Telegram login credentials, Steam accounts, and Discord tokens.

Some other functions of the DCRat malware include:

  • taking screenshots,
  • stealing clipboard contents,
  • tracking anything the victim types onto their computer,
  • providing threat actors with complete access to almost everything the target does after the malware download.

Who Is Behind the DCRat Malware?

Security analysts at BlackBerry said that such powerful malware is usually the work of advanced and well-resourced cybercrime organizations, but in this case, it seems that DCRat is created and maintained by only one person.

According to them, the malware developer is actively advertising their product on multiple Russian-speaking underground forums and a Telegram channel.

This remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget.


Because the accounts are nameless, little is known about the developer of DCRat, but experts think that, despite the malware’s power, maintaining it is a part-time job for them.

The financial situation of the trojan’s author could also explain why DCRat is so cheap in comparison to other tools with comparable capabilities.

A lone-wolf operator would have low operating costs and, given the associated complexity of DCRat, low costs for backend infrastructure hosting.


The malware is written in JPHP, an obscure PHP implementation that runs on a Java virtual machine. Because of its ease of use and flexibility, cross-platform game developers frequently use this coding language. The same characteristics make it well suited to developing and updating malware such as DCRat, with experts observing that minor updates and fixes are announced daily.

Also, because JPHP is not as popular as other programming languages, signature-based detection and defending systems may be more difficult.

A Continuous Threat

DCRat will continue to be a dangerous cybersecurity threat, allowing threat actors to steal large amounts of data from both individuals and companies, especially since the malware is still being developed and new features are being added.

We would anticipate that organisations with weak endpoint defences and poor internal security posture would be likely targets or at greater risk.


Although the exact method by which DCRat is delivered to victims is unknown, researchers have discovered that it frequently coincides with the use of Cobalt Strike, threat emulation software released in 2012 that can be used to deploy beacons on systems to simulate cyberattacks and test network defenses.

How to Stay Protected

Cybersecurity experts recommend the implementation of multi-factor authentication, which can help prevent accounts from being taken over even if passwords have been stolen. IT departments are advised to monitor the network to spot and prevent potentially unusual activity.
