PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors
<!doctype html> <html lang="en"> <head> <title>PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors</title> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <link rel="canonical" href="https://blog.talosintelligence.com/poetrat-covid-19-lures/"> <meta property="og:site_name" content="Cisco Talos Blog"> <meta property="og:type" content="article"> <meta property="og:title" content="PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors"> <meta property="article:published_time" content="2020-04-16T17:52:00.000Z"> <meta property="article:modified_time" content="2022-08-24T15:20:14.000Z"> <meta property="article:tag" content="COVID-19"> <meta property="article:tag" content="RAT"> <meta name="twitter:label1" content="Written by"> <meta name="twitter:data1" content="Warren Mercer"> <meta name="twitter:site" content="@TalosSecurity"> </head>
<body class="post-template tag-covid-19 tag-rat"> <main id="site-main"> <div class="container-fluid"> <div class="row main-content-row"> <div class="col"> <div class="post-full-content"> <article class="post tag-covid-19 tag-rat "> <div class="feature-image-wrapper my-5"> <figure> <img src="/content/images/-Nt6HzUPYagU/XpiFEYsTlpI/AAAAAAAAAt0/prXLbpEEhmYK4YpwXlO_K-weAIeTSYg8wCLcBGAsYHQ/w1200-h630-p-k-no-nu/image4.png" alt="" class="img-fluid" /> </figure> </div> <h1 class="text-center">PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors</h1> <div class="text-center m-1"> <div class="post-author"> <span>By </span> <a href="https://blog.talosintelligence.com/author/warren-mercer/">Warren Mercer</a> </div> <br/> <time class="post-datetime" datetime="April 16, 2020 13:52"> Thursday, April 16, 2020 13:52 </time> <div class="m-3"> <a href="/category/covid-19/" class="category primary-category"> COVID-19 </a> <a href="/category/rat/" class="category primary-category"> RAT </a> </div> </div>
<section class="post-content-wrapper mt-5"> <div class="post-content"> <p>By <a href="https://twitter.com/SecurityBeard/">Warren Mercer</a>, <a href="https://twitter.com/r00tbsd?lang%3Den">Paul Rascagneres</a> and <a href="https://twitter.com/_vventura">Vitor Ventura</a>.</p><h2 id="news-summary">News summary</h2><ul><li>Azerbaijan government and energy sector likely targeted by an unknown actor.</li><li>From the energy sector, the actor demonstrates interest in SCADA systems related to wind turbines.</li><li>The actor uses Word documents to drop malware that allows remote control over the victims.</li><li>The new remote access trojan, dubbed PoetRAT, is written in Python and is split into multiple parts.</li><li>The actor collects files, passwords and even images from the webcam, using other tools that it deploys as needed.</li></ul><h2 
id="executive-summary-cisco-talos-has-discovered-a-new-malware-campaign-based-on-a-previously-unknown-family-we-re-calling-poetrat-at-this-time-we-do-not-believe-this-attack-is-associated-with-an-already-known-threat-actor-our-research-shows-the-malware-was-distributed-using-urls-that-mimic-some-azerbaijan-government-domains-thus-we-believe-the-adversaries-in-this-case-want-to-target-citizens-of-the-country-azerbaijan-including-private-companies-in-the-scada-sector-like-wind-turbine-systems-the-droppers-are-microsoft-word-documents-that-deploy-a-python-based-remote-access-trojan-rat-we-named-this-malware-poetrat-due-to-the-various-references-to-william-shakespeare-an-english-poet-and-playwright-the-rat-has-all-the-standard-features-of-this-kind-of-malware-providing-full-control-of-the-compromised-system-to-the-operation-for-exfiltration-it-uses-ftp-which-denotes-an-intention-to-transfer-large-amounts-of-data-">Executive summary</h2><p>Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling "PoetRAT." At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, so we believe the adversaries in this case want to target citizens of Azerbaijan, including private companies in the SCADA sector, such as wind turbine systems. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operator. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data.</p><p>The campaign shows us that the operators manually pushed additional tools to the compromised systems when they needed them.
We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically. Besides these, there are keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers.</p><p>In addition to the malware campaigns, the attacker ran a phishing campaign on the same infrastructure. The phishing website mimics the webmail of the Azerbaijan government.</p><h3 id="what-s-new-this-was-a-previously-undiscovered-rat-it-uses-two-components-to-avoid-detection-by-a-single-component-the-dropper-uses-an-old-trick-in-a-new-way-it-appends-the-rat-to-a-word-document-upon-opening-the-document-a-macro-is-executed-that-will-extract-the-malware-and-execute-it-the-operation-seems-to-be-manual-but-it-s-streamlined-to-deploy-additional-tools-as-needed-and-to-avoid-unnecessary-steps-">What's new?</h3><p>This was a previously undiscovered RAT. It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: it appends the RAT to a Word document. Upon opening the document, a macro is executed that extracts the malware and executes it. The operation seems to be manual, but it's streamlined to deploy additional tools as needed and to avoid unnecessary steps.</p><h3 id="how-did-it-work-the-initial-foothold-is-established-by-sending-the-malicious-word-document-it-s-not-clear-at-this-time-how-the-adversary-distributes-the-document-however-given-that-it-is-available-for-download-from-a-basic-url-it-wouldn-t-be-surprising-if-the-victims-were-being-tricked-into-downloading-it-by-an-email-or-social-media-network-message-">How did it work?</h3><p>The initial foothold is established by sending the malicious Word document. It's not clear at this time how the adversary distributes the document. However, given that it is available for download from a basic URL, it wouldn't be surprising if the victims were being tricked into downloading it by an email or social media message.</p><h3 id="so-what-this-threat-actor-is-highly-motivated-and-focused-on-the-victims-it-targets-they-target-the-public-and-the-private-sectors-as-well-as-scada-systems-the-quantity-and-diversification-of-tools-available-in-its-toolkit-denote-a-carefully-planned-attack-">So what?</h3><p>This threat actor is highly motivated and focused on the victims it targets. It targets the public and private sectors as well as SCADA systems. The quantity and diversity of tools available in its toolkit denote a carefully planned attack.</p><h2 id="malware-campaigns-we-identified-multiple-campaigns-we-believe-target-the-azerbaijan-public-and-private-sectors-especially-the-energy-sector-during-our-investigation-talos-identified-the-interest-of-this-threat-actor-for-scada-systems-mainly-wind-turbines-">Malware campaigns</h2><p>We identified multiple campaigns we believe target the Azerbaijan public and private sectors, especially the energy sector. During our investigation, Talos identified this threat actor's interest in SCADA systems, mainly wind turbines.</p><h3 id="campaign-no-1-february-2020">Campaign No. 1: February 2020</h3><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-2mEHVvlRW4w/XpiFT-iKoeI/AAAAAAAAAt4/tTVbI6cDU5MAaYCYeyAcB14kdlNhtyxRwCLcBGAsYHQ/s640/image6.png" class="kg-image" alt loading="lazy"></figure><p>Decoy document</p><p>Once opened in Microsoft Office, the document appears blurred. This can't be fixed: the document is composed of blurred pictures with no real text. The logo seems to be that of DRDO, the Defence Research and Development Organisation of India's Ministry of Defence.
We have no evidence that India is targeted by this actor.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-YPySlYMUBmg/XpiFc37ng3I/AAAAAAAAAuA/_88iPJVnt-YP1aXvJ9Wr2cWDN3Wp9Iw3ACLcBGAsYHQ/s400/image13.png" class="kg-image" alt loading="lazy"></figure><p>DRDO logo</p><p>The file was located at hxxp://govaz[.]herokuapp[.]com/content/section_policies.docx</p><h3 id="campaign-no-2-april-2020-c19-docx">Campaign No. 2: April 2020 — C19.docx</h3><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-F5_Vbh-m-wA/XpiFwSKL81I/AAAAAAAAAuI/U1wPm0KETNIpqPdbOVqSXW99N1ucG6PHACLcBGAsYHQ/s640/image5.png" class="kg-image" alt loading="lazy"></figure><p>Document image</p><p>The file, in this case, was named "C19.docx," probably a reference to the COVID-19 pandemic, but again without readable content.</p><h3 id="campaign-3-april-2020-coronavirus-theme-the-decoy-document-evolved-to-look-more-realistic-the-initial-stage-is-a-word-document-written-in-russian-posing-as-an-azerbaijan-government-document-">Campaign No. 3: April 2020 — Coronavirus theme</h3><p>The decoy document evolved to look more realistic. The initial stage is a Word document written in Russian posing as an Azerbaijan government document.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-N1iJBw2sixI/XpiGFBoRYTI/AAAAAAAAAuQ/z4G4AQ_QnMcMrkzIG_Ku8f1T75_8YyedgCLcBGAsYHQ/s640/image14.png" class="kg-image" alt loading="lazy"></figure><p>Document image</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-8EL_JIFWrV4/XpiGLREj1kI/AAAAAAAAAuU/cTjxKQzJPiAz9rgqF6a4UkKBekyPqQnnQCLcBGAsYHQ/s640/image1.png" class="kg-image" alt loading="lazy"></figure><p>Document image</p><p>Both original file names are "Azerbaijan_special[.]doc," a dropper that can be found at hxxps://gov-az[.]herokuapp[.]com/content/Azerbaijan_special[.]doc.</p><h2 id="phishing-campaign-on-the-same-server-we-identified-a-phishing-campaign-against-the-webmail-of-the-azerbaijan-government-">Phishing campaign</h2><p>On the same server, we identified a phishing campaign against the webmail of the Azerbaijan government:</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-F_mARsu5P6U/XpiGzb2_NkI/AAAAAAAAAug/HM_FdWudU5YI3NF57T_uIouflDx3oNZdACLcBGAsYHQ/s640/image3.png" class="kg-image" alt loading="lazy"></figure><p>This phishing website was available at "hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=" during the malware campaigns. The purpose was obviously to steal credentials.</p><h2 id="malware-we-will-present-the-infection-vector-of-the-most-recent-document-the-other-documents-are-not-exactly-the-same-using-dde-but-the-final-goal-is-the-same-">Malware</h2><p>We will present the infection vector of the most recent document. The other documents differ slightly (they use DDE), but the final goal is the same.</p><h3 id="dropper-the-word-document-is-a-dropper-as-happens-so-many-times-it-contains-a-visual-basic-script-that-will-execute-the-malicious-activities-this-one-however-appears-to-be-more-innovative-it-starts-by-loading-its-own-document-into-memory-afterward-it-copies-7-074-638-bytes-from-the-end-of-the-file-and-writes-the-remaining-bytes-back-to-the-disk-">Dropper</h3><p>The Word document is a dropper. As is so often the case, it contains a Visual Basic script that carries out the malicious activities. This one, however, appears to be more innovative. It starts by loading its own document into memory. Afterward, it copies the 7,074,638 bytes at the end of the file and writes those bytes back to disk.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-C03tT2osSxc/XpiG4JDgm0I/AAAAAAAAAuk/bsXmGzOnUAwNFfJZtBHaoFKnzxHLmZ4cACLcBGAsYHQ/s1600/image8.png" class="kg-image" alt loading="lazy"></figure><p>RAT extraction</p><p>The file written to disk is actually a ZIP file, "smile.zip," which the actors appended to the end of the Word document.</p><p>This ZIP file contains a Python interpreter and the Python script that is actually the RAT. The Word macro unzips it and executes the main script, called "launcher.py." The launcher script is responsible for checking the environment in which the document is being opened. It assumes that all sandboxes will have hard drives smaller than 62GB.
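</p><p>As an added example (not code from the original post or from Talos), the following Python script checks a .docx for data appended after the end of its own ZIP container, the trick this dropper relies on, and lists the members of the appended archive when that overlay is itself a ZIP. The sample document and the placeholder scripts it builds are constructed for the example.</p>

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # end-of-central-directory record signature
EOCD_FMT = "<4sHHHHIIH"        # fixed 22-byte EOCD layout, little-endian
EOCD_LEN = struct.calcsize(EOCD_FMT)
LOCAL_SIG = b"PK\x03\x04"      # local file header: the first bytes of a ZIP


def container_end(data: bytes) -> int:
    """Return the offset just past the ZIP container that starts at byte 0.

    A .docx is itself a ZIP archive. The first EOCD record whose central
    directory offset + size lands exactly on the record belongs to that
    outer archive, so anything after it is an overlay, even when the overlay
    is a second ZIP with an EOCD record of its own further down the file.
    """
    pos = data.find(EOCD_SIG)
    while pos != -1 and pos + EOCD_LEN <= len(data):
        fields = struct.unpack_from(EOCD_FMT, data, pos)
        cd_size, cd_offset, comment_len = fields[5], fields[6], fields[7]
        if cd_offset + cd_size == pos:
            return pos + EOCD_LEN + comment_len
        pos = data.find(EOCD_SIG, pos + 1)
    raise ValueError("no end-of-central-directory record: not a ZIP/OOXML file")


def inspect_overlay(data: bytes) -> dict:
    """Describe any bytes trailing the document's own ZIP container."""
    end = container_end(data)
    overlay = data[end:]
    report = {
        "container_end": end,
        "overlay_size": len(overlay),
        "overlay_is_zip": overlay.startswith(LOCAL_SIG),
        "overlay_members": [],
    }
    if report["overlay_is_zip"]:
        # The appended archive is self-contained, so zipfile can read it
        # straight from the overlay slice.
        with zipfile.ZipFile(io.BytesIO(overlay)) as inner:
            report["overlay_members"] = inner.namelist()
    return report


def build_docx_container() -> bytes:
    """Constructed stand-in for a benign Word document (minimal OOXML parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_dropper_sample() -> bytes:
    """Constructed stand-in for the dropper: the document with a second ZIP
    appended, holding harmless placeholder scripts (not the real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("launcher.py", "print('placeholder')\n")
        z.writestr("frown.py", "# placeholder\n")
        z.writestr("smile.py", "# placeholder\n")
    return build_docx_container() + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_docx_container()),
                        ("dropper", build_dropper_sample())):
        print(label, inspect_overlay(blob))
```

<p>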
If launcher.py decides it is in a sandbox environment, it overwrites the malware scripts with the contents of the file "License.txt" and exits, thus deleting itself.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-YLi5OYxEJZg/XpiG_tOTx2I/AAAAAAAAAus/Z-J8iHw62XU-cBIVksQwlP5lmve3BhaHQCLcBGAsYHQ/s640/image11.png" class="kg-image" alt loading="lazy"></figure><p>Anti-sandbox code</p><p>If it determines that it is not running in a sandbox environment, it generates a unique ID, which is then substituted directly into the Python source code of the main scripts before they are executed.</p><h3 id="rat-the-rat-is-composed-of-two-main-scripts-that-need-to-work-together-one-called-frown-py-is-responsible-for-the-communications-with-the-command-and-control-c2-it-uses-tls-to-encrypt-the-communication-that-occurs-on-port-143-with-a-successful-connection-it-will-send-the-word-almond-the-server-should-reply-either-with-who-or-ice-the-rat-will-answer-the-who-command-with-a-string-that-contains-the-username-computer-name-and-the-previously-generated-uuid-the-ice-command-simply-makes-the-rat-finish-the-connection-procedure-">RAT</h3><p>The RAT is composed of two main scripts that need to work together. One, called "frown.py," is responsible for the communications with the command and control (C2) server. It uses TLS to encrypt the communication, which takes place on port 143. Once connected, it sends the word "almond." The server should reply with either "who" or "ice." The RAT answers the "who" command with a string that contains the username, computer name and the previously generated UUID. The "ice" command simply makes the RAT finish the connection procedure.</p><p>The other script is called "smile.py." It is responsible for the interpretation and execution of the C2 commands.
The available commands are:</p><ul><li>ls - lists files</li><li>cd - changes the current directory</li><li>sysinfo - gets information about the system</li><li>download - uploads a file to the C2 using FTP</li><li>upload - downloads a file from the C2 to the victim</li><li>shot - takes a screenshot and uploads it to the C2 using FTP</li><li>cp - copies files</li><li>mv - moves files</li><li>link - creates links between files</li><li>register - makes changes in the registry</li><li>hide - hides a file, or unhides it, depending on its current state</li><li>compress - compresses files using a zip function</li><li>jobs - performs actions such as kill, clear and terminate on processes; by default, lists all processes</li><li>&lt;os command to be executed&gt; - executed when the input matches none of the commands above</li></ul><p>Some features (shot, upload, download) need additional credentials. These credentials are not hardcoded in the sample; for each FTP transfer, the C2 server provides them with the request.</p><p>The RAT persists through the usual Windows registry method: an entry added under the Run key executes the Python script "launcher.py." During our investigation, we saw several registry entries that make the malware skip the sandbox evasion checks and go straight to execution by passing a "police" keyword:</p><pre><code>"C:\Users\Public\Python37\pythonw.exe" "C:\Users\Public\Python37\launcher.py" "police"</code></pre><p>In launcher.py, the police keyword skips the sandbox checks and the initialization process.
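</p><p>As an added example (not code from the original post or from Talos), this Python triage script applies the traits described above to constructed process-creation and registry events: an interpreter dropped under C:\Users\Public, the windowless pythonw.exe launching launcher.py, the "police" argument, and a Run-key value carrying that command line. The event layout and the benign comparison events are assumptions made for the example.</p>

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not from the original post): one process
# creation event using the command line quoted above, one Run-key value
# carrying the same command, and two benign events for contrast.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process",
     "cmdline": r'"C:\Users\Public\Python37\pythonw.exe" "C:\Users\Public\Python37\launcher.py" "police"'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Python",
     "value": r'"C:\Users\Public\Python37\pythonw.exe" "C:\Users\Public\Python37\launcher.py" "police"'},
    {"type": "process",
     "cmdline": r'"C:\Program Files\Python37\python.exe" build.py --release'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

PYTHON_EXE = re.compile(r"(?:^|\\)pythonw?\.exe$", re.IGNORECASE)
USERS_PUBLIC = re.compile(r"^[a-z]:\\users\\public\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def python_indicators(cmdline: str) -> List[str]:
    """Return the PoetRAT-style traits present in a Python command line.

    Traits are taken from the post: an interpreter under C:\\Users\\Public,
    the windowless pythonw.exe, a script named launcher.py, and the "police"
    argument that skips the sandbox checks.
    """
    argv = tokenize(cmdline)
    if not argv or not PYTHON_EXE.search(argv[0]):
        return []          # not a Python interpreter: nothing to say
    found = []
    if USERS_PUBLIC.match(argv[0]):
        found.append("interpreter_in_users_public")
    if argv[0].lower().endswith("pythonw.exe"):
        found.append("windowless_pythonw")
    if any(a.lower().endswith("launcher.py") for a in argv[1:]):
        found.append("launcher_py")
    if any(a.lower() == "police" for a in argv[1:]):
        found.append("police_keyword")
    return found


def analyze_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one telemetry event; Run-key values add persistence context."""
    if event["type"] == "process":
        found = python_indicators(event["cmdline"])
    else:
        found = python_indicators(event["value"])
        if found and RUN_KEY.search(event["key"]):
            found.append("run_key_persistence")
    # pythonw alone is common in legitimate GUI apps, so require corroboration;
    # the police keyword is specific enough to alert on by itself.
    suspicious = "police_keyword" in found or len(found) >= 3
    return {"indicators": found, "suspicious": suspicious}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(event["type"], verdict)
```

<p>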
The keyword could be used on hosts that are already infected to ensure they do not re-check the environment.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-wiBYdrhPjY0/XpiHuFkmxzI/AAAAAAAAAu8/TkJK7xms5iUmD8WC2qpZQb9CYaTXXsT1gCLcBGAsYHQ/s640/image2.png" class="kg-image" alt loading="lazy"></figure><p>Start routine</p><p>The communication between the scripts is done via a file called "Abibliophobia23." Commands and results are written into the file using a custom encryption scheme. The "23" suffix of the file name differs between variants of the RAT.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-JT0uu8vPNPg/XqBE0P8tOaI/AAAAAAAAAms/2ESufEWhF6gO6pjd-8ln7pKmLIwMpm4HQCK4BGAYYCw/s640/image15.png" class="kg-image" alt loading="lazy"></figure><p>Obfuscation algorithm</p><p>The scheme is a character substitution cipher: each new character code is obtained by applying arithmetic operations, parameterized by the key, to the character code being encrypted.</p><h2 id="post-exploitation-tools-during-the-campaign-the-operator-deployed-additional-tools-on-the-targeted-systems-in-this-section-we-will-describe-a-few-of-these-tools-">Post-exploitation tools</h2><p>During the campaign, the operator deployed additional tools on the targeted systems. In this section, we describe a few of these tools.</p><h3 id="dog-quickly-after-the-initial-compromise-the-operator-deploys-a-tool-named-dog-exe-this-malware-is-written-in-net-and-its-purpose-is-to-monitor-hard-drive-paths-and-to-exfiltrate-the-information-via-an-email-account-or-an-ftp-depending-on-the-configuration-">Dog</h3><p>Shortly after the initial compromise, the operator deploys a tool named "dog.exe." This malware is written in .NET, and its purpose is to monitor hard drive paths and exfiltrate the information via an email account or an FTP server, depending on the configuration.</p><p>The configuration file is named dconf.json.
It is pushed by the operator along with the binary. Here is the format:</p><pre><code>{
  "FileSize": 50,
  "BasePath": "C:/ProgramData/",
  "MyPath": "TARGET_Dog/",
  "UploadType": "ftp",
  "FtpUsername": "username1",
  "FtpPassword": "password1",
  "FtpUri": "ftp://ftp.ftpserver/repo/",
  "SmtpHost": "smtp.servermail.com",
  "EmailUser": "username2@servermail.com",
  "EmailPass": "password2",
  "Paths": "C:/Users/User/Desktop/,C:/Users/User/Downloads/,C:/Users/User/Documents/"
}</code></pre><ul><li>FileSize defines the maximum size of a file to be exfiltrated (50MB in our example).</li><li>The working directory is the concatenation of BasePath and MyPath ("C:/ProgramData/TARGET_Dog/" in our example).</li><li>UploadType is the exfiltration method. It can be "ftp" or "email."</li><li>FtpUsername, FtpPassword and FtpUri define the FTP parameters for exfiltration.</li><li>SmtpHost, EmailUser and EmailPass define the email parameters for exfiltration.</li><li>Paths defines the comma-separated list of directories to monitor on the compromised system.</li></ul><p>The binary uses a file system watcher to generate an event each time a file is modified in one of the directories listed in the "Paths" variable of the configuration file.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-_6ef3R0Red0/XpiIHQpOHYI/AAAAAAAAAvE/7kg-2mJ7TQA4pdeJ-quSvdckRoAoTamrACLcBGAsYHQ/s640/image9.png" class="kg-image" alt loading="lazy"></figure><p>Filesystem monitoring routine</p><p>Once a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration.</p><h3 id="bewmac-the-attacker-has-a-short-python-script-to-record-the-victim-s-webcam-">Bewmac</h3><p>The attacker has a short Python script to record the victim's webcam.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-DZBDrIuD9VA/XpiIuEhl0QI/AAAAAAAAAvM/ycAdq7Cl6SsulQMrYIqPujFG7SEpv-18gCLcBGAsYHQ/s640/image7.png" class="kg-image" alt
loading="lazy"></figure><p>Camera image capturing routine</p><p>The script uses the OpenCV library, taking a sequence of 10 captures each time it is executed. The images are stored on the filesystem, and there is no automatic exfiltration.</p><h3 id="additional-tools-during-our-investigation-we-identified-a-couple-of-additional-tools-mainly-in-python-and-compiled-for-windows-">Additional tools</h3><p>During our investigation, we identified several additional tools, mainly written in Python and compiled for Windows:</p><ul><li>Klog.exe: A keylogger using an output file called "System32.Log."</li></ul><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-2Ww-W1wPTg4/XpiIzgTXrPI/AAAAAAAAAvQ/jYbYBkjQ_MYlaGyykzEVZ8alg2HkWnhuACLcBGAsYHQ/s640/image12.png" class="kg-image" alt loading="lazy"></figure><p>Keylogger special key map</p><ul><li>"Browdec.exe": A browser credential-stealer.</li><li>"voStro.exe": A compiled pypykatz, a full Python implementation of Mimikatz, the well-known credential-stealer.</li><li>"Tre.py": A script that writes a file containing the file and directory tree.</li><li>WinPwnage: An open-source privilege escalation framework.</li><li>Nmap: An open-source pentesting and network-scanning tool.</li></ul><h2 id="conclusion-during-this-investigation-we-observed-an-actor-using-multiple-tools-and-methodologies-to-carry-out-their-full-attack-chain-talos-identified-multiple-lure-documents-during-this-campaign-which-all-made-use-of-visual-basic-macros-and-then-python-to-carry-out-their-attacks-on-victims-the-adversaries-targets-are-very-specific-and-appear-to-be-mostly-azerbaijan-organizations-in-the-public-and-private-sectors-specifically-ics-and-scada-systems-in-the-energy-industry-">Conclusion</h2><p>During this investigation, we observed an actor using multiple tools and methodologies to carry out their full attack chain. Talos identified multiple lure documents during this campaign, all of which made use of Visual Basic macros and then Python to carry out their attacks on victims. The adversaries' targets are very specific and appear to be mostly Azerbaijan organizations in the public and private sectors, specifically ICS and SCADA systems in the energy industry.</p><p>The actor monitored specific directories, signaling that they wanted to exfiltrate particular information from the victims. The attacker wanted to gain a full picture of the victim by using a keylogger, browser credential stealers, and Mimikatz and pypykatz for further credential harvesting. Based on our research, the adversaries may have wanted to obtain important credentials from officials in Azerbaijan's government. The malware attempts to obtain pictures of the victim and utilizes a mail platform targeting the Azerbaijan government. The attacker wanted not only specific information from the victims but also a full cache of information relating to each victim. Given their victimology, they would have been able to gain potentially very important credentials and information using these techniques. By using Python and other Python-based tools during their campaign, the actor may have avoided detection by traditional tools that have whitelisted Python and Python execution techniques.</p><h2 id="coverage-ways-our-customers-can-detect-and-block-this-threat-are-listed-below-">Coverage</h2><p>Ways our customers can detect and block this threat are listed below.</p><figure class="kg-card kg-image-card"><img src="https://blog.talosintelligence.com/content/images/-9Jniz2A7A9Y/XpiI_2GFOTI/AAAAAAAAAvY/3teuUYZTILs8iN-M2x8txvjiTAAJM5lfACLcBGAsYHQ/s1600/image10.png" class="kg-image" alt loading="lazy"></figure><p>Advanced Malware Protection (<a href="https://www.cisco.com/c/en/us/products/security/advanced-malware-protection">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.
Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.</p><p>Cisco Cloud Web Security (<a href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html">CWS</a>) or <a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">Web Security Appliance (WSA)</a> web scanning prevents access to malicious websites and detects malware used in these attacks.</p><p><a href="https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html">Email Security</a> can block malicious emails sent by threat actors as part of their campaign.</p><p>Network Security appliances such as Next-Generation Firewall (<a href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html">NGFW</a>), Next-Generation Intrusion Prevention System (<a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html">NGIPS</a>), <a href="https://www.cisco.com/c/en/us/products/routers/branch-routers/index.html">Cisco ISR</a>, and <a href="https://meraki.cisco.com/products/appliances">Meraki MX</a> can detect malicious activity associated with this threat as SIDs 53689-53691.</p><p><a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.</p><p><a href="https://umbrella.cisco.com/">Umbrella</a>, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.</p><p>Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href="https://www.snort.org/products">Snort.org</a>.</p><h2 id="iocs">IOCs</h2><h3 id="osquery">OSQuery</h3><p>Cisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their
endpoints are infected with this specific threat.</p><p>For specific OSqueries on this threat, click below: <a href="https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_poetrat_filepath.json">PoetRAT filepath</a><br> <a href="https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_poetrat_registry.json">PoetRAT registry</a></p><h3 id="hosts-c2-dellgenius-hopto-org">Hosts C2 -<br> dellgenius[.]hopto[.]org</h3><p>Phishing<br> gov-az[.]herokuapp[.]com<br> govaz[.]herokuapp[.]com</p><p>Urls</p><p>hxxps://gov-az[.]herokuapp[.]com/azGovaz.php?login=</p><p>Samples</p> </div> </section> </article> </div> </div> <div 
class="col-lg alt-layout-row-dk sidebar" id="side-bar"> <h4>Related Content</h4> <div class="sidebar-snippet-wrapper"> <a href="/talos-takes-ep-56-first-security-steps/"> <h3>Talos Takes Ep. #56: The first security steps you should take when you return to the office</h3> <span class="preview-attributes">June 11, 2021 09:16</span> <p>The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page. We started out the COVID-19 pandemic by thinking we'd be away from the office for a month — maybe two. More than</p> </a> </div> <div class="sidebar-snippet-wrapper"> <a href="/talos-takes-ep-51-covid-and-tax-day/"> <h3>Talos Takes Ep. #51: COVID and Tax Day have perfectly aligned for spammers</h3> <span class="preview-attributes">April 30, 2021 10:00</span> <p>The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page. We see tax scams every year — people offering to do your taxes for you, finding a larger return, etc. But this year is</p> </a> </div> <div class="sidebar-snippet-wrapper"> <a href="/threat-source-newsletter-for-april-30-2020/"> <h3>Threat Source newsletter for April 30, 2020</h3> <span class="preview-attributes">April 30, 2020 14:00</span> <p>Newsletter compiled by Jon Munshaw. Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week. Our newest research post focuses on the Aggah campaign. 
Threat actors are pushing Aggah to victims via malicious Microsoft Word documents, eventually</p> </a> </div> </div> </div> </div> </main> <footer id="footer"> <div class="row footer_nav_wrapper"> <div class="col-xl-10 col-12"> <div class="multi-col-list-wrapper"> <ul class="footer-parent-list"> <li class="footer-links-group"> <ul> <li> <h6><a href="https://talosintelligence.com/reputation">Intelligence Center</a></h6> </li> <li><a href="https://talosintelligence.com/reputation_center">Intelligence Search</a></li> <li><a href="https://talosintelligence.com/reputation_center/email_rep">Email & Spam Trends</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6><a href="https://talosintelligence.com/vulnerability_info">Vulnerability Research</a></h6> </li> <li><a href="https://talosintelligence.com/vulnerability_reports">Vulnerability Reports</a></li> <li><a href="https://talosintelligence.com/ms_advisories">Microsoft Advisories</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6><a href="https://talosintelligence.com/incident_response">Incident Response</a></h6> </li> <li> <a href="https://talosintelligence.com/incident_response/services#reactive-services">Reactive Services</a> </li> <li> <a href="https://talosintelligence.com/incident_response/services#proactive-services">Proactive Services</a> </li> <li> <a href="https://talosintelligence.com/incident_response/contact">Emergency Support</a> </li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Security Resources</h6> </li> <li><a href="https://talosintelligence.com/software">Open Source Security Tools</a></li> <li><a href="https://talosintelligence.com/categories">Intelligence Categories Reference</a></li> <li><a href="https://talosintelligence.com/secure-endpoint-naming">Secure Endpoint Naming Reference</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Media</h6> </li> <li><a href="https://blog.talosintelligence.com">Talos Intelligence Blog</a></li> <li><a 
href="https://blog.talosintelligence.com/category/threat-source-newsletter/">Threat Source Newsletter</a></li> <li><a href="https://talosintelligence.com/podcasts/shows/beers_with_talos">Beers with Talos Podcast</a></li> <li><a href="https://talosintelligence.com/podcasts/shows/talos_takes">Talos Takes Podcast</a></li> <li><a target="_blank" href="https://www.youtube.com/channel/UCPZ1DtzQkStYBSG3GTNoyfg/featured">Talos Videos</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Support</h6> </li> <li><a href="https://support.talosintelligence.com">Support Documentation</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Company</h6> </li> <li><a href="https://talosintelligence.com/about">About Talos</a></li> <li><a href="https://talosintelligence.com/careers">Careers</a></li> <li><a target="_blank" href="https://www.cisco.com/c/en/us/products/security/product-listing.html">Cisco Security</a></li> </ul> </li> </ul> </div> </div> <div class="col-xl-2 col-12 connect_social"> <div class="connect-footer-section-wrapper"> <h6>Follow us</h6> <ul> <li> <a target="_blank" href="https://x.com/talossecurity"><div class="footer-media-icon" id="footer-media-icon-x"></div> </a></li> <li> <a target="_blank" href="https://www.youtube.com/channel/UCPZ1DtzQkStYBSG3GTNoyfg/featured"><div class="footer-media-icon" id="footer-media-icon-youtube"></div> </a></li> <li> <a target="_blank" href="https://www.linkedin.com/company/cisco-talos-intelligence-group/"><div class="footer-media-icon" id="footer-media-icon-linkedin"></div> </a></li> </ul> </div> </div> </div> <div class="row"> <div class="col-12 footer_corporate"> <a target="_blank" href="http://tools.cisco.com/security/center/home.x"><img alt="Cisco" src="https://blog.talosintelligence.com/assets/images/logo_cisco_white.svg"> </a><p class="copyright"> © <span id='current-year'></span> Cisco Systems, Inc. and/or its affiliates. All rights reserved. 
View our <a target="_blank" class="underline" href="http://www.cisco.com/web/siteassets/legal/privacy_full.html">Privacy Policy.</a> </p> </div> </div> </footer> <!-- jQuery first, then Popper.js, then Bootstrap JS --> <script src="https://blog.talosintelligence.com/assets/js/jquery-3.6.0.min.js?v=f6330d1ebe"></script> <script src="https://blog.talosintelligence.com/assets/js/popper.min.js?v=f6330d1ebe"></script> <script src="https://blog.talosintelligence.com/assets/js/bootstrap.bundle.min.js?v=f6330d1ebe"></script> <script src="https://blog.talosintelligence.com/assets/js/date.js?v=f6330d1ebe"></script> <script src="https://blog.talosintelligence.com/assets/js/prism.js?v=f6330d1ebe"></script> <script src="https://cdn.jsdelivr.net/npm/ghost-theme-utils@latest/dist/js/ghost-theme-utils.min.js" async defer></script> </body> </html>