DinodasRAT—also tracked as XDealer by some security vendors—is a sophisticated remote access trojan (RAT) that gives attackers complete control over Windows computers. First observed in targeted campaigns against government and telecom sectors, this malware has increasingly appeared in broader attacks affecting home users and small businesses. Once installed, DinodasRAT operates silently in the background while collecting sensitive data, monitoring your activities, and maintaining a persistent backdoor for the attackers.

DinodasRAT — cybersecurity illustration
Photo by cottonbro studio on Pexels

Unlike simpler malware that focuses on a single goal like ransomware or cryptomining, DinodasRAT is a full-featured espionage tool. It can capture screenshots, log keystrokes, steal files, execute commands, and deploy additional malicious payloads—all while actively hiding from antivirus software. We've seen several infected systems at our Roswell shop in recent months, and the damage varies widely depending on how long the infection goes undetected.

Think you're infected right now? Disconnect from the internet immediately—unplug the Ethernet cable or disable Wi-Fi. Do not attempt to log into any financial accounts or enter passwords until the system is professionally cleaned. DinodasRAT can capture everything you type and see everything on your screen. Call us at (770) 744-9550 or bring the machine to our Roswell location at 1755 Woodstock Rd. We can typically isolate and remove this threat within 24-48 hours.

Threat Profile

Threat NameDinodasRAT (XDealer)
CategoryRemote Access Trojan (RAT)
PlatformWindows (all versions)
File TypeWindows PE executable
First Documented2020 (active campaigns continue)
PrevalenceMedium — targeted campaigns with spillover into general attacks
Detection NamesXDealer, DinodasRAT, Backdoor.Win32.DinodasRAT, Trojan.DinodasRAT, various generic RAT detections
Primary TargetsOriginally government/telecom; now includes SMBs and individual users
Persistence MethodsRegistry Run keys, scheduled tasks, service installation
Command & ControlCustom encrypted protocol over HTTP/HTTPS
Removal DifficultyModerate to High — requires thorough system analysis and registry cleaning
Data at RiskPasswords, financial data, documents, screenshots, keystrokes, system credentials

How It Spreads

DinodasRAT typically arrives through targeted phishing campaigns disguised as legitimate business correspondence. The attackers research their targets and craft convincing emails that appear to come from known contacts, suppliers, or industry organizations. The malicious payload is usually delivered as an email attachment—often a ZIP archive containing what appears to be an invoice, contract, or delivery notification in PDF or Office document format. When the victim opens the file, embedded macros or exploit code silently install the RAT.

We've also observed DinodasRAT distributed through watering hole attacks, where legitimate websites frequented by target industries are compromised to serve malware. In some cases, the trojan arrives bundled with pirated software or through software update mechanisms that have been hijacked. Once initial access is gained on one machine in a network, the attackers may use lateral movement techniques to spread to other systems, though DinodasRAT itself doesn't self-replicate like a worm.

Common distribution vectors include:

  • Spear-phishing emails with malicious Office documents (Word/Excel files with macros)
  • ZIP or RAR archives containing trojanized executables disguised as document viewers or plugins
  • Compromised legitimate websites (watering holes) that exploit browser vulnerabilities
  • Supply chain attacks through compromised software installers or update mechanisms
  • USB drives and removable media left in targeted locations (less common but documented)
  • Remote Desktop Protocol (RDP) brute-force followed by manual installation by the attackers
  • Bundled with other malware delivered by initial-access brokers

What It Does On Your Machine

Upon execution, DinodasRAT immediately establishes persistence on the infected system by creating multiple registry entries and scheduled tasks. The malware typically copies itself to a Windows system directory with a filename designed to blend in with legitimate Windows processes—names like "winsvchost.exe" or "syswow64service.exe" are common. It then modifies registry Run keys to ensure it launches every time Windows starts, and may install itself as a Windows service for even deeper system-level access.

The trojan contacts its command and control (C2) server using encrypted communications over standard HTTP or HTTPS protocols, making detection by network monitoring more difficult. Once the connection is established, the attackers have a full remote control panel for your computer. DinodasRAT includes modules for keystroke logging, screen capture, file system browsing and manipulation, process management, and arbitrary command execution. It can disable security software, modify Windows Defender settings, and tamper with firewall rules to maintain its access.

One particularly concerning capability is DinodasRAT's credential theft functionality. The malware can dump passwords from browsers, email clients, and Windows credential stores. It monitors clipboard contents to capture copied passwords and cryptocurrency wallet addresses. In business environments, we've seen it used to steal VPN credentials, allowing attackers to access corporate networks even after the initial infected machine is cleaned.

// Typical DinodasRAT file system artifacts (observed in sandbox) C:\Windows\System32\winsvchost.exe ← malicious executable C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\sysconfig.dat ← encrypted config file C:\ProgramData\WinSysLog\ ← directory for stolen data staging // Registry persistence entries (observed in sandbox) HKCU\Software\Microsoft\Windows\CurrentVersion\Run "WindowsUpdate" = "C:\Windows\System32\winsvchost.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SystemService" = "C:\Windows\System32\winsvchost.exe" // Network indicators (observed in sandbox) Outbound HTTPS connections to rotating C2 domains DNS queries for DGA-generated domains as fallback C2 User-Agent strings mimicking legitimate Windows Update traffic

The stolen data is typically staged in hidden directories before being exfiltrated to attacker-controlled servers. DinodasRAT is designed for long-term covert operation rather than immediate, noisy activity—many infections go undetected for weeks or months while the attackers quietly collect intelligence and credentials.

Manual Removal — Step by Step

01

Disconnect from the Network

Before attempting any removal steps, completely disconnect the infected computer from the internet and local network. Unplug the Ethernet cable and disable Wi-Fi. This prevents DinodasRAT from receiving commands, exfiltrating additional data, or spreading to other network devices. Keep the system offline throughout the entire cleaning process.

02

Boot into Safe Mode with Networking

Restart the computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and select Safe Mode with Networking. This prevents most malware components from loading automatically, making removal significantly easier.

03

Document Running Processes

Open Task Manager (Ctrl+Shift+Esc) and carefully review all running processes. DinodasRAT often uses names similar to legitimate Windows processes but with slight variations. Look for suspicious entries running from unusual locations like user AppData folders or the System32 directory with non-standard names. Take screenshots or write down anything suspicious before proceeding.

04

Run Multiple Malware Scanners

Download and run at least two reputable anti-malware tools—we recommend Malwarebytes and Emsisoft Emergency Kit. Run full system scans with both tools, as no single scanner catches everything. Let each scan complete fully before moving to the next. Quarantine or delete all detected threats. Restart in Safe Mode again after the scans complete.

05

Manually Check Startup Locations

Open the Registry Editor (regedit.exe) and navigate to all common startup locations: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and the corresponding RunOnce keys. Look for entries pointing to suspicious executables. Also check Task Scheduler (taskschd.msc) for scheduled tasks that launch unknown programs. Delete any entries that reference suspicious files.

06

Search and Delete Malicious Files

Using the file locations identified by your scans and process review, manually verify that the malicious files have been deleted. Check common hiding spots: C:\Windows\System32\, C:\Users\[Username]\AppData\Roaming\, and C:\ProgramData\. Enable "Show hidden files and folders" in File Explorer options. Delete any remaining suspicious executables, DLL files, or data directories.

07

Reset Browsers and Clear Cache

RATs often install browser extensions or modify browser settings. For each installed browser (Chrome, Edge, Firefox), reset to default settings and clear all browsing data including cache, cookies, and saved passwords. Check installed extensions and remove anything you don't recognize. This removes credential-stealing components and clears any data the malware may have injected into browser sessions.

08

Change All Passwords from a Clean Device

This is critical: assume that all passwords entered on the infected machine have been compromised. Using a different, known-clean device (phone, tablet, or another computer), change passwords for all important accounts—email, banking, social media, work systems, and especially any accounts with payment information. Enable two-factor authentication wherever possible.

09

Monitor for Persistence Mechanisms

Restart the computer normally (not in Safe Mode) and monitor for 24-48 hours. Watch Task Manager for suspicious processes reappearing. Some RAT variants create multiple persistence mechanisms that reinfect the system even after initial removal. If suspicious activity returns, a complete Windows reinstall may be necessary.

10

Consider Professional Verification

RAT infections are complex, and DIY removal carries risks of incomplete cleaning. If you have any doubts about whether the system is truly clean—or if the computer contains sensitive business or financial data—professional verification is strongly recommended. Our shop uses forensic tools to verify complete removal and can often recover systems without requiring a full reinstall.

Prevention

  1. Be extremely cautious with email attachments, especially Office documents from unexpected sources. Enable Microsoft Office's "Protected View" feature and never enable macros unless you're absolutely certain of the document's legitimacy. When in doubt, contact the supposed sender through a different communication channel to verify.
  2. Keep all software updated including Windows itself, web browsers, Adobe Reader, Java, and other commonly exploited applications. Enable automatic updates where possible. Many DinodasRAT infections exploit known vulnerabilities in outdated software that have patches available.
  3. Use a reputable endpoint security solution beyond Windows Defender. Business-grade products from vendors like ESET, Kaspersky, or Bitdefender offer better detection of sophisticated threats like RATs. Keep the software updated and perform regular full system scans.
  4. Implement proper network segmentation if you're running a small business. Don't allow every device direct access to your entire network. Use VLANs or separate networks for guest devices, and limit administrative access to only those who genuinely need it.
  5. Disable RDP if you don't need it, or at minimum, require strong passwords and consider using a VPN for remote access. Many RAT infections begin with attackers brute-forcing weak RDP credentials. If you must expose RDP to the internet, use non-standard ports and implement account lockout policies.
  6. Educate employees and family members about phishing tactics. The human element is often the weakest link. Regular, informal security awareness training helps people recognize suspicious emails, fake software updates, and social engineering attempts.
  7. Maintain regular backups stored offline or on a separate network segment. While RATs aren't typically designed to destroy data like ransomware, having clean backups gives you the option of a complete system restore if removal proves difficult. Test your backups periodically to ensure they actually work.
  8. Monitor your network traffic if you have the technical capability. Unusual outbound connections, especially to foreign countries or newly registered domains, can indicate C2 communications. Even basic network monitoring tools can help detect RAT activity before significant damage occurs.
Our Removal Guarantee: When Computer Repair Roswell removes DinodasRAT or any malware from your system, the work comes with a 90-day warranty. If the same infection returns within that period due to incomplete removal, we'll re-clean your computer at no additional charge. We use professional-grade forensic tools and manual verification methods that go far beyond what consumer antivirus software can accomplish.

Bring It In

DinodasRAT represents one of the more serious infections we handle—it's not a simple virus or adware that can be removed with a quick scan. This type of threat requires careful analysis to ensure complete removal of all components, persistence mechanisms, and backdoors. If you're dealing with a confirmed or suspected DinodasRAT infection, we strongly recommend professional service. The risk of incomplete removal—leaving the attackers with continued access to your system—far outweighs the cost of proper professional cleaning.

We're located at 1755 Woodstock Rd in Roswell, just north of Atlanta. Our technicians have dealt with sophisticated RAT infections across hundreds of systems over the years, and we understand both the technical removal process and the necessary follow-up steps to secure your accounts and data. Most malware removal services are completed within 24-48 hours, and we'll walk you through the password changes and security measures needed after cleaning. Call us at (770) 744-9550 or stop by—we're here to help get your computer secure again.