Thursday, June 12, 2025

New DuplexSpy RAT Gives Attackers Full Control Over Windows Machines

A new Remote Access Trojan (RAT) named DuplexSpy has surfaced, posing a significant threat to Windows-based systems worldwide.

Developed in C# by GitHub user ISSAC/iss4cf0ng and released publicly on April 15, 2025, with a stated intent of “educational purposes,” this multi-functional malware offers attackers unprecedented control over compromised machines.

Sophisticated Threat Emerges with Modular Capabilities

With a user-friendly GUI builder and extensive customization options, DuplexSpy lowers the technical barrier for cybercriminals, enabling even novices to craft tailored attacks.

[Figure: DuplexSpy RAT panel]

Its sophisticated design includes persistence mechanisms, stealthy execution, and a suite of surveillance tools, making it a potent weapon in the hands of malicious actors.

The open-source nature of the tool heightens the risk of widespread misuse across various attack chains, as threat actors can easily adapt and enhance its capabilities.

DuplexSpy RAT employs advanced techniques to ensure persistence and evade detection, mimicking legitimate processes such as “Windows Update” by copying itself to the Startup folder and modifying the Windows Registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

According to CYFIRMA's report, it uses fileless execution through in-memory loading and self-destruction routines that delete its traces after execution, thwarting traditional antivirus solutions.

System Disruption at the Core

The malware's arsenal includes keylogging, capturing keystrokes and storing them in a file (keylogger.rtf) in the Temp folder for exfiltration to a remote server, alongside real-time screen monitoring, webcam and audio surveillance, and remote shell access for interactive command execution.

Additionally, it features anti-analysis tactics, terminating security processes and displaying fake error messages about a corrupted user32.dll to mislead users.

The RAT’s privilege escalation via UAC prompts, DLL injection for stealthy code execution, and cryptographic operations using AES and RSA for secure communication with command-and-control (C2) servers further enhance its ability to operate undetected.

[Figure: DLL side loading]

Beyond surveillance, DuplexSpy can disrupt systems through power control commands like shutdown or sleep, manipulate mouse functions, play audio for psychological tactics, and enforce fake lock screens to extort victims, demonstrating its versatility as a comprehensive attack tool.

Network reconnaissance capabilities allow attackers to map active TCP connections, identifying open services or internal resources, while registry manipulation and process control such as suspending or killing processes aid in maintaining stealth and persistence.

Dynamic analysis shows the malware establishing TCP connections over a configurable port (such as 5000) for continuous C2 communication, with a real-time chat interface that lets attackers maintain direct control.

Despite its educational disclaimer, the ongoing development roadmap, including plans for remote plugins and enhanced stability, signals a growing threat landscape.

Cybersecurity teams are urged to adopt threat intelligence-led programs, deploy EDR/XDR tools with memory scanning, and monitor registry and network activity for anomalies.

Blocking known Indicators of Compromise (IOCs) and raising user awareness about suspicious behaviors, such as unexpected UAC prompts or fake system alerts, are critical steps in mitigating this evolving danger posed by DuplexSpy RAT.
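A read-only triage script for the persistence locations and artefacts the report describes (the HKCU Run key, the Startup folder, keylogger.rtf in Temp, and established sessions to the example C2 port). This is an added example, not code from CYFIRMA or the DuplexSpy project; it assumes that Run-key targets under the Windows and Program Files directories are legitimate, which is a triage heuristic for review rather than a verdict.

```powershell
# Added triage script (not from the CYFIRMA report or the DuplexSpy project).
# Read-only: it reports suspicious entries and never removes anything.
# Assumption: Run-key targets under %SystemRoot% or Program Files are treated as
# legitimate; everything else (e.g. %TEMP%, %APPDATA%) is flagged for review.

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$startupDir = [Environment]::GetFolderPath('Startup')
$legitRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$metaProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings   = New-Object System.Collections.Generic.List[object]

function Test-UnderLegitRoot([string]$Path) {
    foreach ($root in $legitRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. HKCU Run values: flag names that mimic "Windows Update" and targets outside trusted roots.
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }          # provider metadata, not Run entries
        $cmd = [string]$p.Value
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ($p.Name -match 'Windows\s*Update' -or -not (Test-UnderLegitRoot $exe)) {
            $findings.Add([pscustomobject]@{ Source = 'HKCU Run'; Name = $p.Name; Detail = $exe })
        }
    }
}

# 2. Startup folder: files here run at logon without any registry entry at all.
Get-ChildItem -Path $startupDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.lnk', '.bat', '.vbs', '.ps1' } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Source = 'Startup folder'; Name = $_.Name; Detail = $_.FullName }) }

# 3. Keylogger artefact named in the report.
$keylog = Join-Path $env:TEMP 'keylogger.rtf'
if (Test-Path $keylog) {
    $findings.Add([pscustomobject]@{ Source = 'Temp'; Name = 'keylogger.rtf'; Detail = "$keylog ($((Get-Item $keylog).Length) bytes)" })
}

# 4. Established TCP sessions to the report's example port (configurable, so treat as a lead only).
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq 5000 } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Source = 'Network'; Name = "PID $($_.OwningProcess)"; Detail = "$($_.RemoteAddress):$($_.RemotePort)" }) }

if ($findings.Count -eq 0) { 'No DuplexSpy-style persistence or artefacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in the context of the user whose profile you are triaging, since the HKCU Run key and Startup folder are per-user locations.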

Indicators of Compromise (IOCs)

Indicator                                                           Type     Remarks
2c1abd6bc9facae420235e5776b3eeaa3fc79514cf033307f648313362b8b721    SHA-256  DuplexSpyCS.exe
ab036cc442800d2d71a3baa9f2d6b27e3813b9f740d7c3e7635b84e3e7a8d66a    SHA-256  client.exe


Aman Mishra