
Cybersecurity researchers at Sekoia have uncovered a new and sophisticated Remote Access Trojan (RAT) leveraging the Invisible Internet Project (I2P) for anonymity, posing a severe threat to enterprise and personal data security. Dubbed I2PRAT, this malware emerged in November 2024 as part of an ongoing ClickFix campaign, and its multi-stage infection chain has sparked serious concerns in the cybersecurity community.
The I2PRAT malware follows a three-stage infection process, ensuring stealth and persistence:
- Initial Stage – A binder/packer executes the next stage in memory.
- Loader Stage – The malware uses obfuscation, privilege escalation, and defense evasion techniques to bypass security mechanisms.
- Final Payload – The RAT exposes the compromised system on the I2P anonymization network, allowing remote attackers to control infected devices.
“One of the payloads dropped in a campaign starting from November 2024 drew our attention due to the absence of a signature and the lack of documented behaviour and network patterns in public reports,” Sekoia’s report states.
I2PRAT employs advanced privilege escalation techniques:
- Parent Process ID Spoofing – The malware identifies system-level processes and hijacks their privileges.
- RPC Exploitation – Attempts to bypass User Account Control (UAC) using Remote Procedure Calls (RPCs), though Windows patch KB50313565 has mitigated its success.
- Dynamic API Resolution – Uses hashed function resolution at runtime, preventing static analysis and hindering malware detection tools.
Sekoia’s analysts note, “The malware places the newly created process in a pending state, preventing a debugger from being attached to the process at that moment,” demonstrating the malware’s robust anti-debugging capabilities.
Unlike traditional RATs that communicate via standard C2 servers, I2PRAT utilizes the I2P network to ensure its command-and-control (C2) communications remain undetected. This method complicates takedown efforts and makes tracking the attackers significantly harder.

The communication process includes:
- AES-128 encryption in Cipher Block Chaining (CBC) mode for secure data transmission.
- Unique encryption keys per infection, ensuring session isolation.
- Victim fingerprinting, sending system details like OS version, user privileges, and security configurations to the attacker-controlled C2.
I2PRAT actively disables security mechanisms upon infection:
- Executes PowerShell scripts to deactivate Microsoft Defender:
- Alters Windows Filtering Platform (WFP) to prevent security tools from detecting its network traffic.
- Creates a stealthy autostart service named “RDP-Controller” to maintain persistence.
Despite its stealthy tactics, I2PRAT leaves behind detectable footprints:
- Privilege escalation detection – Monitor for SeDebugPrivilege adjustments and unexpected remote thread creation.
- Unusual registry modifications – Look for changes in RDP settings and Windows security configurations.
- Network anomaly monitoring – Track TCP connections to I2P nodes, particularly on ports 1110-1130.
Sekoia warns that “The use of an anonymisation network complicates tracking and hinders the identification of the threat’s magnitude and spread in the wild.”
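The footprints listed above can be turned into simple detection logic. The script below is an added example written for this article, not code from Sekoia or from the malware; it assumes a constructed key="value" log format with made-up event names, and its sample records use documentation-range IPs as stand-ins for I2P peers.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Indicators come from the report above; the key="value" log format, event
# names and sample records are constructed for this example.
I2P_PORTS = range(1110, 1131)     # 1110-1130 inclusive
SERVICE_NAME = "rdp-controller"   # compared case-insensitively
PEER_THRESHOLD = 3                # distinct non-local peers before alerting
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
KV = re.compile(r'(\w+)="([^"]*)"')

def parse(line):  # one key="value" log line -> dict
    return dict(KV.findall(line))

def is_local(addr):  # RFC 1918, loopback or link-local destination
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETS)

def scan(lines, peer_threshold=PEER_THRESHOLD):
    """Return (rule, evidence) pairs for the footprints listed above."""
    findings, peers = [], defaultdict(set)   # peers: process -> non-local dsts
    for rec in map(parse, lines):
        ev = rec.get("event")
        if ev == "service_installed" and rec.get("service", "").lower() == SERVICE_NAME:
            findings.append(("persistence:rdp-controller-service", rec.get("image", "")))
        elif ev == "privilege_adjusted" and "SeDebugPrivilege" in rec.get("enabled", ""):
            findings.append(("privesc:sedebugprivilege", rec.get("process", "")))
        elif ev == "net_connect":
            dst, port = rec.get("dst", ""), int(rec.get("dport", "0"))
            # One hit on 1110-1130 is weak evidence; an I2P router fans out to
            # many peers, so count distinct non-local destinations per process.
            if port in I2P_PORTS and dst and not is_local(dst):
                peers[rec.get("process", "")].add(dst)
    for proc, addrs in peers.items():
        if len(addrs) >= peer_threshold:
            findings.append(("network:i2p-port-fanout", f"{proc} -> {len(addrs)} peers"))
    return findings

# Constructed sample records (documentation-range IPs stand in for I2P peers).
SAMPLE_LINES = [
    'event="service_installed" service="Spooler" image="C:\\Windows\\System32\\spoolsv.exe"',
    'event="service_installed" service="RDP-Controller" image="C:\\ProgramData\\upd\\svc.exe"',
    'event="privilege_adjusted" process="svc.exe" enabled="SeDebugPrivilege"',
    'event="net_connect" process="svc.exe" dst="203.0.113.10" dport="1119"',
    'event="net_connect" process="svc.exe" dst="198.51.100.7" dport="1125"',
    'event="net_connect" process="svc.exe" dst="192.0.2.44" dport="1111"',
    'event="net_connect" process="backup.exe" dst="10.0.0.5" dport="1120"',
]
```

Running `scan(SAMPLE_LINES)` yields the service, SeDebugPrivilege and fan-out findings for svc.exe, while the single internal connection from backup.exe is ignored; map the constructed event names onto whatever your EDR or Sysmon pipeline actually emits before deploying.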