Cybersecurity researchers at Sekoia have uncovered a new and sophisticated Remote Access Trojan (RAT) leveraging the Invisible Internet Project (I2P) for anonymity, posing a severe threat to enterprise and personal data security. Dubbed I2PRAT, this malware emerged in November 2024 as part of an ongoing ClickFix campaign, and its multi-stage infection chain has sparked serious concerns in the cybersecurity community.
The I2PRAT malware follows a three-stage infection process, ensuring stealth and persistence:
- Initial Stage – A binder/packer executes the next stage in memory.
- Loader Stage – The malware uses obfuscation, privilege escalation, and defense evasion techniques to bypass security mechanisms.
- Final Payload – The RAT exposes the compromised system on the I2P anonymization network, allowing remote attackers to control infected devices.
“One of the payloads dropped in a campaign starting from November 2024 drew our attention due to the absence of a signature and the lack of documented behaviour and network patterns in public reports,” Sekoia’s report states.
I2PRAT employs advanced privilege escalation techniques:
- Parent Process ID Spoofing – The malware identifies system-level processes and hijacks their privileges.
- RPC Exploitation – Attempts to bypass User Account Control (UAC) using Remote Procedure Calls (RPCs), though Windows patch KB50313565 has mitigated its success.
- Dynamic API Resolution – Uses hashed function resolution at runtime, preventing static analysis and hindering malware detection tools.
Sekoia’s analysts note, “The malware places the newly created process in a pending state, preventing a debugger from being attached to the process at that moment,” demonstrating the malware’s robust anti-debugging capabilities.
Unlike traditional RATs that communicate via standard C2 servers, I2PRAT utilizes the I2P network to ensure its command-and-control (C2) communications remain undetected. This method complicates takedown efforts and makes tracking the attackers significantly harder.

The communication process includes:
- AES-128 encryption in Cipher Block Chaining (CBC) mode for secure data transmission.
- Unique encryption keys per infection, ensuring session isolation.
- Victim fingerprinting, sending system details like OS version, user privileges, and security configurations to the attacker-controlled C2.
I2PRAT actively disables security mechanisms upon infection:
- Executes PowerShell scripts to deactivate Microsoft Defender.
- Alters Windows Filtering Platform (WFP) rules to prevent security tools from detecting its network traffic.
- Creates a stealthy autostart service named “RDP-Controller” to maintain persistence.
Despite its stealthy tactics, I2PRAT leaves behind detectable footprints:
- Privilege escalation detection – Monitor for SeDebugPrivilege adjustments and unexpected remote thread creation.
- Unusual registry modifications – Look for changes in RDP settings and Windows security configurations.
- Network anomaly monitoring – Track TCP connections to I2P nodes, particularly on ports 1110-1130.
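Turning those footprints into a simple host triage, as an added example that is not Sekoia's code or part of the original report: the event shapes, field names and the sample telemetry below are constructed assumptions modelled loosely on Sysmon and Windows Security log data, and the RDP registry path fragments are assumed.

```python
"""Flag the I2PRAT footprints listed above in constructed Windows-style events.
Field names and the sample events are assumptions, not real telemetry."""
import ipaddress
from typing import Iterable

I2P_PORT_RANGE = range(1110, 1131)      # TCP ports the report associates with I2P nodes
SUSPECT_SERVICE = "RDP-Controller"      # autostart service name reported for I2PRAT
RDP_KEY_FRAGMENTS = ("Terminal Server", "TerminalServices")   # assumed RDP registry paths
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip: str) -> bool:
    """True for RFC 1918 / loopback addresses, which I2P peering would not use."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def check_event(ev: dict) -> list[str]:
    """Return the I2PRAT-related findings for one event (empty list if clean)."""
    findings, kind = [], ev.get("event")
    if kind == "privilege_adjust" and "SeDebugPrivilege" in ev.get("privileges", ()):
        findings.append(f"SeDebugPrivilege enabled by {ev.get('image')}")
    if kind == "remote_thread" and ev.get("source_image") != ev.get("target_image"):
        findings.append(f"remote thread from {ev.get('source_image')} into {ev.get('target_image')}")
    if kind == "service_install" and ev.get("service_name") == SUSPECT_SERVICE:
        findings.append(f"autostart service '{SUSPECT_SERVICE}' created")
    if kind == "registry_set" and any(f in ev.get("key", "") for f in RDP_KEY_FRAGMENTS):
        findings.append(f"RDP registry change: {ev.get('key')}")
    if kind == "network_connect" and ev.get("protocol") == "tcp":
        if ev.get("dst_port") in I2P_PORT_RANGE and not is_internal(ev.get("dst_ip", "127.0.0.1")):
            findings.append(f"outbound TCP to {ev['dst_ip']}:{ev['dst_port']} (I2P port range)")
    return findings

def triage(events: Iterable[dict]) -> dict[str, list[str]]:
    """Group findings by host. Any single signal can be legitimate admin activity;
    hosts that show several distinct footprints are the ones to look at first."""
    by_host: dict[str, list[str]] = {}
    for ev in events:
        for finding in check_event(ev):
            by_host.setdefault(ev.get("host", "?"), []).append(finding)
    return by_host

TMP = "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe"   # constructed dropper path
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"host": "ws01", "event": "privilege_adjust", "image": TMP, "privileges": ["SeDebugPrivilege"]},
    {"host": "ws01", "event": "remote_thread", "source_image": TMP, "target_image": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "ws01", "event": "service_install", "service_name": "RDP-Controller", "image": "C:\\ProgramData\\rdpctl.exe"},
    {"host": "ws01", "event": "network_connect", "protocol": "tcp", "dst_ip": "203.0.113.25", "dst_port": 1120},
    {"host": "ws02", "event": "network_connect", "protocol": "tcp", "dst_ip": "10.0.0.5", "dst_port": 1120},
    {"host": "ws02", "event": "service_install", "service_name": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, *hits, sep="\n  ")
```

Running it flags only ws01, which shows all four footprints; the internal 1120/tcp connection on ws02 is ignored because the I2P signal only matters for traffic leaving the network.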
Sekoia warns that “The use of an anonymisation network complicates tracking and hinders the identification of the threat’s magnitude and spread in the wild.”