A new Remote Access Trojan (RAT) named DuplexSpy has surfaced, posing a significant threat to Windows-based systems worldwide.
Developed in C# by GitHub user ISSAC/iss4cf0ng and released publicly on April 15, 2025, with a stated intent of “educational purposes,” this multi-functional malware offers attackers unprecedented control over compromised machines.
Sophisticated Threat Emerges with Modular Capabilities
With a user-friendly GUI builder and extensive customization options, DuplexSpy lowers the technical barrier for cybercriminals, enabling even novices to craft tailored attacks.
.png
)
Its sophisticated design includes persistence mechanisms, stealthy execution, and a suite of surveillance tools, making it a potent weapon in the hands of malicious actors.
The open-source nature of the tool heightens the risk of widespread misuse across various attack chains, as threat actors can easily adapt and enhance its capabilities.
DuplexSpy RAT employs advanced techniques to ensure persistence and evade detection, mimicking legitimate processes such as “Windows Update” by copying itself to the Startup folder and modifying the Windows Registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
According to Cyfirma Report, it utilizes fileless execution through in-memory loading and self-destruction methods, deleting its traces after execution to thwart traditional antivirus solutions.
System Disruption at the Core
The malware’s arsenal includes keylogging, capturing keystrokes and storing them in a Temp folder file (keylogger.rtf) for exfiltration to a remote server, alongside real-time screen monitoring, webcam and audio surveillance, and remote shell access for interactive command execution.
Additionally, it features anti-analysis tactics, terminating security processes and displaying fake error messages about a corrupted user32.dll to mislead users.
The RAT’s privilege escalation via UAC prompts, DLL injection for stealthy code execution, and cryptographic operations using AES and RSA for secure communication with command-and-control (C2) servers further enhance its ability to operate undetected.
Beyond surveillance, DuplexSpy can disrupt systems through power control commands like shutdown or sleep, manipulate mouse functions, play audio for psychological tactics, and enforce fake lock screens to extort victims, demonstrating its versatility as a comprehensive attack tool.
Network reconnaissance capabilities allow attackers to map active TCP connections, identifying open services or internal resources, while registry manipulation and process control such as suspending or killing processes aid in maintaining stealth and persistence.
Dynamic analysis reveals the malware establishing TCP connections (often via configurable ports like 5000) for continuous C2 communication, with real-time chat interfaces ensuring attackers maintain direct control.
Despite its educational disclaimer, the ongoing development roadmap, including plans for remote plugins and enhanced stability, signals a growing threat landscape.
Cybersecurity teams are urged to adopt threat intelligence-led programs, deploy EDR/XDR tools with memory scanning, and monitor registry and network activity for anomalies.
Blocking known Indicators of Compromise (IOCs) and raising user awareness about suspicious behaviors, such as unexpected UAC prompts or fake system alerts, are critical steps in mitigating this evolving danger posed by DuplexSpy RAT.
Indicators of Compromise (IOCs)
| Indicator | Type | Remarks |
|---|---|---|
| 2c1abd6bc9facae420235e5776b3eeaa3fc79514cf033307f648313362b8b721 | SHA-256 | DuplexSpyCS.exe |
| ab036cc442800d2d71a3baa9f2d6b27e3813b9f740d7c3e7635b84e3e7a8d66a | SHA-256 | client.exe |
To Upgrade Your Cybersecurity Skills, Take Diamond Membership With 150+ Practical Cybersecurity Courses Online – Enroll Here
 named DuplexSpy has surfaced, posing a significant threat to Windows-based systems worldwide.){kind=link}