Warzone RAT Infrastructure Seized
Summary: Warzone gains persistence on the target host by creating a Windows registry Run value, usually under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, and setting its data to the path of Warzone's executable, so the binary is relaunched at every logon. Warzone can also escalate privileges using an older DLL hijacking technique for UAC bypass.
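The persistence mechanism above is easy to hunt for once registry writes are being logged. The following is an added example written for this advisory, not code from the advisory, BlackBerry or Malwarebytes: it scans constructed, Sysmon-style Event ID 13 (RegistryEvent: value set) records and flags Run/RunOnce values, in both the native and the Wow6432Node view, whose target executable or whose writing process lives in a user-writable directory. The record layout, the sample paths and the ALLOWLIST entry are all assumptions made up for the demonstration.

```python
"""Flag Run-key persistence of the kind the advisory attributes to Warzone.

Added example, not code from the advisory or the vendors it cites. Records
are constructed to resemble Sysmon Event ID 13 (value set) output; every
path below is made up for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Native and Wow6432Node (32-bit view on 64-bit Windows) Run/RunOnce keys
# under any hive; the advisory places Warzone's key in the Wow6432Node view.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)

# Locations a standard user can write to. An autorun launched from here, or
# written by a process running from here, deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)

# Tuning hook (assumed entry): software known to autorun legitimately from
# AppData. Populate from your own baseline rather than from this example.
ALLOWLIST = ("\\Microsoft\\OneDrive\\OneDrive.exe",)


@dataclass
class Finding:
    key: str          # full registry path of the Run value that was set
    writer: str       # process that wrote the value (Sysmon "Image")
    image: str        # executable the Run value would launch
    reasons: List[str]


def parse_record(record: str) -> Dict[str, str]:
    """Turn a 'Field: value' per line record into a dict."""
    fields: Dict[str, str] = {}
    for line in record.strip().splitlines():
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def extract_image(details: str) -> str:
    """Recover the launched file from Run value data: a quoted path, else the
    first token ending in a common executable/script extension, else the
    first whitespace-delimited token."""
    quoted = re.match(r'^"([^"]+)"', details)
    if quoted:
        return quoted.group(1)
    ext = re.match(r"^(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?:\s|$)",
                   details, re.IGNORECASE)
    if ext:
        return ext.group(1)
    tokens = details.split()
    return tokens[0] if tokens else ""


def analyze(records: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious Run/RunOnce value-set event."""
    findings: List[Finding] = []
    for rec in records:
        f = parse_record(rec)
        target = f.get("TargetObject", "")
        if f.get("EventID") != "13" or not RUN_KEY_RE.search(target):
            continue
        image = extract_image(f.get("Details", ""))
        writer = f.get("Image", "")
        if any(image.lower().endswith(good.lower()) for good in ALLOWLIST):
            continue
        reasons = []
        if USER_WRITABLE_RE.search(image):
            reasons.append("autorun target in user-writable directory")
        if USER_WRITABLE_RE.search(writer):
            reasons.append("Run value written by process in user-writable directory")
        if reasons:
            findings.append(Finding(target, writer, image, reasons))
    return findings


# Constructed sample events: one Warzone-style entry, one legitimate vendor
# agent, one allowlisted AppData autorun, and one unrelated Event ID 12.
SAMPLE_EVENTS = [
    "EventID: 13\nImage: C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate\n"
    "Details: C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\svchost32.exe",
    "EventID: 13\nImage: C:\\Program Files\\Vendor\\setup.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent\n"
    "Details: \"C:\\Program Files\\Vendor\\agent.exe\" /tray",
    "EventID: 13\nImage: C:\\Windows\\regedit.exe\n"
    "TargetObject: HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive\n"
    "Details: \"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
    "EventID: 12\nImage: C:\\Windows\\System32\\svchost.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\nDetails: (none)",
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(f"{hit.key}\n  launches: {hit.image}\n  written by: {hit.writer}")
        for why in hit.reasons:
            print(f"  - {why}")
```

Run against the samples, only the Wow6432Node entry written from Temp and pointing into AppData is reported. The AppData check alone is noisy on real fleets (updaters and chat clients autorun from there), so the two signals are recorded separately and the allowlist is where baseline tuning belongs; a production version would also resolve the target path and check its signature.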
On February 9, 2024, the Justice Department announced the seizure of internet domains selling the Warzone RAT malware, a sophisticated Remote Access Trojan. Domains including www[.]warzone[.]ws were seized, with two suspects arrested in Malta and Nigeria for selling the malware. The operation, led by the FBI and supported by Europol and J-CAT, aimed to disrupt cybercriminals using the malware.
Masquerading as a legitimate commercial IT administration tool maintained by an entity named Solmyr, Warzone RAT is sold on monthly plans starting at $37.95, with 1-month, 3-month and 12-month licenses, including a "Poison" version that adds a rootkit installation module. An optional Dynamic Domain Name System (DDNS) service lets operators hide the location of their command-and-control (C2) server behind a hostname whose address they can change at will.
Analyst Comments:
Warzone RAT's cracked versions are available on darknet forums, and instructional videos on YouTube facilitate basic deployment and C2 administration. Notable campaigns involving Warzone RAT include targeting government employees and military personnel of India's National Informatics Centre (NIC) and its use by the Confucius APT group against mainland Chinese government entities and South Asian countries. Additionally, Warzone RAT was employed in a sophisticated phishing campaign spoofing official government communications to distribute malware in Hungary.
Suggested Corrections:
Warzone has been distributed through a wide range of initial infection vectors but is officially sold in two first-stage configurations: as an embedded Microsoft Office macro dropper, or packed as a compressed and encrypted dropper payload designed to evade anti-virus detection. Outside of these official modes, Warzone is also deployed via both malspam and targeted phishing campaigns that leverage:
Link(s):
https://www.malwarebytes.com/blog/news/2024/02/warzone-rat-infrastructure-seized
https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone