Varonis researchers discovered the Atroposia malware-as-a-service (MaaS) platform. For $200 per month, its customers get a remote access trojan (RAT) with extensive capabilities, including remote desktop, file system control, data theft (credentials, clipboard contents, and cryptocurrency wallets), DNS spoofing, and a built-in scanner for finding local vulnerabilities.
According to analysts, Atroposia has a modular architecture. The malware communicates with command-and-control (C2) servers over encrypted channels and can bypass User Account Control (UAC) to escalate privileges in Windows. After infection, it maintains persistent, stealthy access to the victim’s system. The key modules of Atroposia are:
HRDP Connect launches a hidden remote desktop session in the background, allowing attackers to open applications, read documents and email, and generally interact with the system without any visible signs of malicious activity. The researchers emphasize that standard remote access monitoring tools may fail to notice what’s happening.
File Manager works like the familiar File Explorer: attackers can browse, copy, delete, and execute files. The grabber component searches for files of interest by extension or keyword, packages them into password-protected ZIP archives, and sends them to the command-and-control (C2) server using in-memory techniques, which minimizes the attack footprint on the system.
The stealer collects saved logins, cryptocurrency wallet data, and chat files. Meanwhile, the real-time clipboard manager intercepts everything the user copies (passwords, API keys, wallet addresses) and saves it for the attackers.
The DNS spoofing module replaces domains with the attackers’ IP addresses at the host level, silently redirecting the victim to servers under the hackers’ control. This enables phishing, MitM attacks, distribution of fake updates, injection of ads or malware, and data exfiltration via DNS queries.
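A defender-side check for the host-level redirection described above, as an added example that is not code from Varonis or from the article. It assumes the override is written to the endpoint's hosts file (the article says only "at the host level"); the internal address ranges, the watchlist of names, and the sample file are constructed.

```python
import ipaddress

# Constructed sample hosts file (not taken from the article).
SAMPLE_HOSTS = """# Sample HOSTS file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.net        # sinkholed tracker: benign
10.20.30.40     build-server.corp.example      # internal lab host: benign
203.0.113.7     update.vendor.example          # update host sent off-network
192.168.1.9     login.bank.example             # login portal pinned internally
"""
# Assumptions (constructed): the organisation's own address ranges, and
# names it would never expect to see overridden on an endpoint.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]
WATCHLIST = ("vendor.example", "bank.example")


def parse_hosts(text):
    """Return (address, hostname) pairs, one per hostname on each line."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()    # drop comments and blanks
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line, skip it
        for host in parts[1:]:
            entries.append((ip, host.lower().rstrip(".")))
    return entries


def find_suspicious(text, watchlist=WATCHLIST):
    """Flag overrides that are neither loopback sinkholes nor expected."""
    findings = []
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                             # blocklist entries are normal
        reasons = []
        if not any(ip in net for net in INTERNAL_RANGES):
            reasons.append("outside approved internal ranges")
        if any(host == w or host.endswith("." + w) for w in watchlist):
            reasons.append("watchlisted name")
        if reasons:
            findings.append((host, str(ip), tuple(reasons)))
    return findings
```

Run against the real file (`C:\Windows\System32\drivers\etc\hosts` on Windows) and alert on any finding; a legitimate hosts file on a managed endpoint rarely points a watchlisted name anywhere.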
The built-in vulnerability scanner searches the victim’s system for unpatched vulnerabilities, insecure configurations, and outdated software. The results are sent to the malware operators as a risk score that attackers can use to plan further exploitation. Researchers warn that this module is particularly dangerous in corporate environments: the malware can detect an outdated VPN client or a privilege-escalation vulnerability, which can then be used to dig deeper into the victim’s infrastructure. In addition, the scanner looks for nearby vulnerable systems to enable lateral movement.
Varonis notes that Atroposia continues the trend toward the democratization of cybercrime. Alongside other MaaS platforms (such as SpamGPT and MatrixPDF), it lowers the technical barrier to entry — even low-skilled attackers gain the ability to conduct effective subscription-based attacks.