
Redazione RHC : 30 October 2025 15:30
Varonis researchers have discovered Atroposia, a malware-as-a-service (MaaS) platform. For $200 a month, subscribers receive a remote access Trojan with extensive functionality: hidden remote desktop, file system management, theft of credentials, clipboard contents and cryptocurrency wallet data, DNS hijacking, and a built-in local vulnerability scanner.
According to analysts, Atroposia has a modular architecture. The malware communicates with command and control servers via encrypted channels and is capable of bypassing User Account Control (UAC) to escalate privileges in Windows.
Once a system is infected, the malware provides persistent, hard-to-detect access to it. Atroposia's key modules are:
HRDP Connect launches a hidden remote desktop session in the background, allowing attackers to open applications, read documents and emails, and generally interact with the system without the victim seeing any sign of the activity on screen. Researchers note that standard remote access monitoring tools may miss these sessions.
The file manager functions like a familiar Windows Explorer: attackers can view, copy, delete, and execute files. The grabber component searches for data by extension or keyword, compresses it into password-protected ZIP archives, and sends it to the command and control server using in-memory methods, minimizing the attack’s traces on the system.
The stealer collects saved login data, cryptocurrency wallet data, and chat files. The clipboard manager intercepts everything the user copies (passwords, API keys, wallet addresses) in real time and stores it for the attackers.
The DNS spoofing module overrides name resolution on the infected host itself, mapping chosen domains to attacker-controlled IP addresses and silently redirecting the victim to servers the operators control. This opens the door to phishing, man-in-the-middle attacks, fake updates, adware or malware injection, and data exfiltration via DNS queries.
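The page says the module works "at the host level" but does not name the mechanism. One host-level mechanism that produces exactly this behaviour on Windows is an entry in the hosts file, which the resolver consults before any DNS query is sent. The following check is an added example, not code from Varonis or from Atroposia: it parses hosts-file content and flags any mapping that points a non-local domain at an address other than loopback. The sample hosts content, the domain names and the `LOCAL_SUFFIXES` allow-list are constructed for illustration; the hosts-file path is the standard Windows location, but the assumption that Atroposia uses this file rather than another host-level override is ours.

```python
"""
Hosts-file override check (added example; not Varonis's or Atroposia's code).

Assumption: the DNS hijack is implemented as a hosts-file entry. On Windows
the file lives at %SystemRoot%\\System32\\drivers\\etc\\hosts; on Linux/macOS
at /etc/hosts. The resolver reads it before querying DNS, so a single line
is enough to redirect a bank or update domain to an attacker's server.
"""
import ipaddress
import os

# Constructed sample: a stock Windows hosts file plus two injected overrides.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#       102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
127.0.0.1       myapp.local
203.0.113.45    login.example-bank.com www.example-bank.com   # injected
203.0.113.45    update.example-vendor.com
"""

# Name suffixes that legitimately live in a hosts file (hypothetical allow-list).
LOCAL_SUFFIXES = (".local", ".localdomain", ".test", ".home.arpa")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping; comments are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a usable address; the resolver ignores it too
        for name in parts[1:]:  # one line may carry several hostnames
            yield ip, name.lower(), line_no


def is_local_name(name):
    """True for names an administrator would normally map in a hosts file."""
    return name == "localhost" or name.endswith(LOCAL_SUFFIXES)


def find_overrides(text):
    """Return mappings that send a non-local hostname somewhere other than loopback.

    Loopback mappings are ignored: sinkholing a domain to 127.0.0.1 is a common
    and benign ad-blocking or hardening practice. A public domain pointed at any
    other address is the pattern a DNS hijack module would leave behind.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if is_local_name(name) or ip.is_loopback:
            continue
        findings.append({"line": line_no, "host": name, "ip": str(ip)})
    return findings


def scan_hosts_file(path=None):
    """Scan the live hosts file of this machine (path defaults to the Windows location)."""
    if path is None:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_overrides(fh.read())


if __name__ == "__main__":
    for f in find_overrides(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

Run against the constructed sample, the commented-out `rhino.acme.com` line and the loopback entries are ignored, and the three injected names on lines 9 and 10 are reported. In practice this check belongs in an endpoint baseline alongside a file-integrity watch on the hosts file, since a one-line change is otherwise easy to miss.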
The integrated vulnerability scanner checks the victim's system for unpatched vulnerabilities, unsafe settings, and outdated software. The results are reported to the malware operators as a score, which they can use to plan further attacks.
Researchers warn that this module is particularly dangerous in corporate environments: the malware could detect an outdated VPN client or a privilege escalation vulnerability, which can then be exploited to move deeper into the victim's infrastructure. The scanner also probes nearby systems for weaknesses, identifying opportunities for lateral movement.
Varonis notes that Atroposia continues the trend toward the democratization of cybercrime.
Together with other MaaS platforms (such as SpamGPT and MatrixPDF), it lowers the technical barrier to entry, allowing even low-skilled attackers to conduct effective "subscription attacks".
Redazione