Tuesday, October 28, 2025

New MostereRAT Malware Hits Japan with Stealthy Phishing Attacks

A new and highly deceptive phishing campaign is targeting Windows users in Japan with a sophisticated malware named MostereRAT. This threat, identified by cybersecurity experts, uses clever tricks to remain undetected while giving attackers complete control over infected systems. The attack begins with convincing phishing emails written in Japanese, which trick users into downloading a malicious Word document, setting the stage for a stealthy takeover of their computers.

How the Phishing Attack Begins

The attack chain is initiated through carefully crafted phishing emails. These messages are designed to look like routine business inquiries, making them incredibly difficult for the average employee to identify as malicious.

When a user clicks the link in the email, they are redirected to a fake website that automatically downloads a malicious Word document. This document contains a compressed file that is the first step in deploying the MostereRAT malware. Attackers specifically target users in Japan with localized content to increase their success rate.

Initially functioning as a banking trojan, the malware quickly evolves into a full-fledged Remote Access Trojan (RAT). This transformation grants hackers persistent and quiet access to the infected Windows machine, allowing for long-term data theft or espionage.

MostereRAT’s Unique Hiding Techniques

What truly sets this malware apart is that it is written in a rarely used programming language, Easy Programming Language (EPL). Because EPL is an uncommon choice for malware development, many standard antivirus and security solutions fail to detect it. This choice of language is a deliberate strategy to evade analysis and fly under the radar.

Once it has infiltrated a system, MostereRAT unpacks itself in multiple stages. It uses one component to establish persistence and disable security software, while another component handles the core malicious activities. By gaining the highest system privileges, it can modify critical system files that are normally protected, even from administrators. Researchers at Fortinet highlighted that the malware cleverly mixes its malicious code with legitimate remote access applications to mask its activities as normal IT operations.

The Alarming Powers of the Malware

MostereRAT is equipped with a range of dangerous features that pose a significant threat to user security and privacy. It is specifically designed to dismantle a system’s defenses before carrying out its primary objectives.

The malware is capable of deactivating a wide array of popular antivirus products, including Windows Defender, Kaspersky, and Avast. This allows it to operate without triggering any security alerts. Some of its most troubling capabilities include:

  • Logging all keystrokes to capture passwords, financial details, and other sensitive information.
  • Creating hidden administrator accounts to ensure attackers have a permanent backdoor.
  • Using encrypted communication channels to send stolen data back to its operators.
  • Deploying legitimate tools like AnyDesk to gain full remote control of the screen.

It also manipulates Windows event filters to block security alerts from ever being generated. This means attackers could remain undetected on a network for weeks or even months.
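Two of the behaviours listed above leave traces a defender can hunt for: a freshly created account being added to the local Administrators group, and a remote access tool starting on a host where none is approved. The following is an added example, not code from the article or from Fortinet; it runs over constructed records in a simplified schema (field names, hosts, accounts and SIDs are assumptions) modelled on Windows Security events 4720, 4732 and 4688.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified, assumed schema.
# 4720 = user account created, 4732 = member added to a local group,
# 4688 = process creation. Hosts, accounts and SIDs are made up.
ADMINS_SID = "S-1-5-32-544"       # built-in local Administrators group
REMOTE_TOOLS = {"anydesk.exe"}    # tool named in the article; extend locally
APPROVED_REMOTE_TOOLS = set()     # assumption: no remote tool is sanctioned

SAMPLE_EVENTS = [
    {"time": "2025-10-28T09:00:05", "id": 4720, "host": "PC-017", "account": "svc_upd$", "sid": "S-1-5-21-1-1001"},
    {"time": "2025-10-28T09:00:09", "id": 4732, "host": "PC-017", "member_sid": "S-1-5-21-1-1001", "group_sid": ADMINS_SID},
    {"time": "2025-10-28T09:02:40", "id": 4688, "host": "PC-017", "image": r"C:\Users\Public\AnyDesk.exe"},
    {"time": "2025-10-28T10:15:00", "id": 4720, "host": "PC-022", "account": "intern01", "sid": "S-1-5-21-2-1002"},
    {"time": "2025-10-28T11:00:00", "id": 4688, "host": "PC-022", "image": r"C:\Windows\System32\notepad.exe"},
]

def detect(events, window=timedelta(minutes=10), approved=APPROVED_REMOTE_TOOLS):
    """Return sorted (host, finding, detail) tuples for the two behaviours."""
    findings = set()
    created = {}  # (host, account SID) -> (creation time, account name)
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        if ev["id"] == 4720:
            created[(host, ev["sid"])] = (ts, ev["account"])
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
            hit = created.get((host, ev["member_sid"]))
            # Flag only accounts promoted shortly after they were created.
            if hit is not None and ts - hit[0] <= window:
                findings.add((host, "new-account-made-admin", hit[1]))
        elif ev["id"] == 4688:
            exe = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if exe in REMOTE_TOOLS and exe not in approved:
                findings.add((host, "unapproved-remote-tool", ev["image"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Because the malware is described as interfering with alert generation on the infected machine, a check like this is best run against logs already forwarded to a central collector rather than read from the host itself.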

Why This Threat Matters to All Users

While this campaign is currently focused on Japan, the tactics used by MostereRAT could easily be adopted by cybercriminals worldwide. A single click on a convincing phishing email could result in a complete compromise of your Windows computer. Experts recommend that organizations enforce the principle of least privilege, stripping users of unnecessary admin rights to limit the potential damage from a malware infection.

The abuse of legitimate remote tools is another key concern. Since applications like AnyDesk are often trusted, their malicious use can go unnoticed. Blocking all unneeded remote access software is a critical step in reducing the attack surface. The following table breaks down the core risks posed by this malware.

| Threat Feature | Impact on Users |
|---|---|
| AV Disablement | Stops security alerts, allowing attacks to proceed unnoticed. |
| Privilege Escalation | Allows the malware to make deep, unauthorized changes to the system. |
| Remote Tool Abuse | Gives hackers direct control over the user’s screen and files. |
| Data Exfiltration | Steals personal and corporate information without the user’s knowledge. |

This attack aligns with trends noted in Fortinet’s 2025 threat report, which shows attackers are leveraging automation to find vulnerabilities faster. Similarly, a JPCERT report from early 2025 highlighted a surge in phishing attacks in Japan, making threats like MostereRAT particularly timely and dangerous.

Frequently Asked Questions about MostereRAT

What is MostereRAT?
MostereRAT is a Remote Access Trojan (RAT) that targets Windows users through phishing emails. It is known for its stealth features, including the use of an uncommon programming language called EPL to evade antivirus detection.

How does the MostereRAT attack start?
The attack begins with phishing emails written in Japanese that pretend to be normal business communications. These emails trick victims into clicking a link, which leads to the download of a malicious Word document that installs the malware.

Why is MostereRAT so hard to detect?
MostereRAT uses an unusual programming language (EPL) that most security tools are not designed to scan. It also disables antivirus software, hides its activities by mimicking legitimate IT tools, and blocks security alerts from being generated.

What are the main risks of a MostereRAT infection?
The primary risks include the theft of sensitive data through keylogging, complete system takeover via remote access tools like AnyDesk, and the creation of hidden backdoors for long-term access. Attackers can spy on users, steal financial information, and deploy additional malware.

How can I protect myself from MostereRAT and similar threats?
To protect yourself, be extremely cautious with unsolicited emails, especially those asking you to click links or download files. Ensure your user account does not have administrator privileges for daily tasks, and block or uninstall any remote access software you do not need. Keeping your operating system and security software updated is also crucial.

Davis Emily
Emily is a versatile and passionate content writer with a talent for storytelling and audience engagement. With a degree in English and expertise in SEO, she has crafted compelling content for various industries, including business, technology, healthcare, and lifestyle, always capturing her unique voice.
