EndRAT is a remote access trojan (RAT) that grants attackers complete control over infected Windows systems through a command-and-control infrastructure. This threat belongs to the broader category of information-stealing malware designed to exfiltrate sensitive data, monitor user activity, and maintain persistent backdoor access to compromised machines. First documented in late 2022, EndRAT has been distributed through phishing campaigns, malicious email attachments, and compromised software downloads targeting both home users and small business networks.

EndRAT Malware — cybersecurity illustration
Photo by John (Giannis) Tekeridis on Pexels

The malware operates silently in the background while establishing encrypted communication channels with remote servers, allowing threat actors to execute arbitrary commands, capture screenshots, log keystrokes, and deploy additional payloads. EndRAT's modular architecture makes it particularly dangerous, as attackers can customize its capabilities based on their objectives — from cryptocurrency wallet theft to corporate espionage.

Think you're infected right now? Disconnect your computer from the internet immediately (unplug Ethernet or disable Wi-Fi). Do not enter any passwords or access sensitive accounts until the system is cleaned. Call us at (770) 667-9487 or bring your machine to our Roswell shop for same-day analysis. EndRAT can capture everything you type, including credentials and financial information.

Threat Profile

Attribute Details
Threat Classification Remote Access Trojan (RAT), Backdoor, Information Stealer
Family EndRAT (standalone family with modular components)
Known Aliases End-RAT, EndpointRAT, TR/EndRat.A (varies by security vendor)
Platforms Affected Windows 7, 8, 8.1, 10, 11 (32-bit and 64-bit)
First Documented Late 2022, with increased activity throughout 2023-2024
Primary Distribution Phishing emails, malicious Office macros, trojanized installers, drive-by downloads
Persistence Mechanisms Registry Run keys, scheduled tasks, Windows services, startup folder entries
Core Capabilities Remote desktop control, keylogging, screen capture, file exfiltration, webcam access, command execution, credential harvesting
Network Behavior Encrypted C2 communication over HTTP/HTTPS (ports 80, 443), DNS tunneling observed in variants
Typical File Locations %APPDATA%, %LOCALAPPDATA%, %TEMP% subdirectories with randomized folder names
Indicators of Compromise Unexpected network connections to foreign IPs, new scheduled tasks with random names, suspicious processes in Task Manager
Removal Difficulty Moderate to High — requires safe mode cleaning, registry editing, and thorough scanning

How It Spreads

EndRAT primarily reaches victims through social engineering tactics that exploit human trust and curiosity. The most common infection vector involves phishing emails crafted to appear legitimate — invoices from known vendors, shipping notifications, tax documents, or urgent security alerts. These emails contain malicious attachments (typically Microsoft Office documents with embedded macros or ZIP archives containing executables disguised as PDFs) or links to compromised websites hosting exploit kits.

Another significant distribution method involves trojanized software downloads from unofficial sources. Users searching for cracked versions of commercial software, pirated games, or "free" premium tools may download installers that bundle EndRAT alongside the expected application. File-sharing networks, torrent sites, and warez forums serve as prime distribution channels for these infected packages. The malware installer often executes silently in the background while the legitimate application appears to install normally, giving victims no immediate indication of compromise.

Additional infection pathways include:

  • Malicious Office macros: Excel or Word documents that prompt users to "Enable Content" or "Enable Editing," which executes VBA scripts that download and install EndRAT
  • Compromised websites: Legitimate sites that have been hacked to serve drive-by download exploits targeting browser or plugin vulnerabilities
  • Malvertising campaigns: Poisoned advertisements on otherwise reputable websites that redirect to exploit kits or fake software download pages
  • Software update impersonation: Fake browser update prompts, Flash Player installers, or codec packs that deliver the trojan
  • USB drives and removable media: AutoRun-enabled infections spreading through shared storage devices
  • RDP brute-forcing: In business environments with exposed Remote Desktop Protocol services, attackers may gain access through weak credentials and manually install EndRAT

What It Does On Your Machine

Once EndRAT executes, it immediately establishes persistence mechanisms to survive system reboots and casual detection attempts. The malware typically copies itself to a hidden subdirectory within the user's AppData folder, creating a randomly named executable file designed to blend with legitimate system processes. It then modifies Windows Registry Run keys or creates scheduled tasks that ensure automatic execution every time the system starts or when specific triggers occur (such as user login or hourly intervals).

The trojan's core functionality revolves around establishing a secure communication channel with its command-and-control server. EndRAT initiates encrypted connections to remote servers controlled by the attackers, sending an initial "beacon" that registers the infected machine and reports system information including computer name, username, Windows version, installed security software, and public IP address. This registration allows the attackers to catalog compromised systems and prioritize high-value targets for further exploitation.

After establishing control, EndRAT operates as a silent observer and executor of remote commands. The malware continuously monitors user activity, capturing keystrokes through a hidden keylogger that records everything typed — including passwords, credit card numbers, private messages, and search queries. Many variants include screen capture functionality that periodically takes screenshots or records video of the desktop, allowing attackers to see exactly what the victim sees. If a webcam is connected, EndRAT can activate it without triggering the indicator light on some models, enabling covert surveillance.

The trojan also serves as a file manager for the attackers, granting full read/write access to the entire filesystem. Threat actors can browse directories, upload new malicious payloads (such as ransomware or cryptocurrency miners), download sensitive documents, or delete files to cover their tracks. EndRAT's command execution capability means attackers can run PowerShell scripts, launch additional malware, modify system settings, create new user accounts, or disable security software — essentially performing any action that the logged-in user could perform, and often more through privilege escalation techniques.

Typical EndRAT Filesystem and Registry Artifacts
C:\Users\\AppData\Roaming\{37E4A2C9-8F1D-4B3E-9A7C-1D5F8E2B4A6E}\svchost.exe C:\Users\\AppData\Local\Temp\tmp8A2F.tmp\update.exe C:\Windows\Tasks\{System Update Check}.job # Registry persistence keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsDefender = "C:\Users\\AppData\Roaming\{GUID}\svchost.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemBoot = "C:\Windows\System32\Tasks\MicrosoftUpdate.exe" # Scheduled task (view with: schtasks /query /FO LIST /V | findstr EndRAT) Task Name: \Microsoft\Windows\SystemUpdate Task To Run: C:\Users\\AppData\Local\{GUID}\client.exe

Manual Removal — Step by Step

01

Disconnect from the Internet Immediately

Before attempting any removal steps, physically disconnect your computer from the network. Unplug the Ethernet cable or turn off Wi-Fi through the physical hardware switch. This prevents EndRAT from receiving new commands, exfiltrating additional data, or downloading supplementary payloads while you work on removing it. Do not reconnect until the removal process is complete and verified.

02

Boot into Safe Mode with Networking

Restart your computer and enter Safe Mode, which loads Windows with minimal drivers and prevents most malware from automatically starting. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, and select option 5 (Safe Mode with Networking). This environment makes the malware inactive and easier to remove, though you'll need networking capability later for downloading security tools.

03

Identify and Terminate Malicious Processes

Open Task Manager (Ctrl+Shift+Esc) and examine running processes for suspicious entries. Look for unfamiliar executables running from AppData folders, processes with random names or impersonating legitimate Windows components (like "svchost.exe" running from user directories instead of System32), or any process consuming unusual network bandwidth. Right-click suspicious processes, select "Open file location" to note the path, then "End task" to terminate them.

04

Remove Persistence Mechanisms

Open Registry Editor (type "regedit" in Start menu) and navigate to persistence locations where EndRAT plants its autostart entries. Check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for unfamiliar entries pointing to AppData or Temp folders. Delete suspicious values. Then open Task Scheduler (taskschd.msc) and look for recently created tasks with random names or suspicious descriptions — delete any that point to the malware's file locations you identified earlier.

05

Delete Malware Files and Folders

Navigate to the file locations you identified in Task Manager and Registry Editor. Common locations include subdirectories within %APPDATA% (C:\Users\YourName\AppData\Roaming), %LOCALAPPDATA% (C:\Users\YourName\AppData\Local), and %TEMP% folders. Delete the entire parent folder containing the malicious executable. You may need to enable "Show hidden files" in File Explorer options. If Windows prevents deletion claiming the file is in use, reboot back into Safe Mode and try again.

06

Run Comprehensive Malware Scans

Reconnect to the internet (still in Safe Mode) and download Malwarebytes Free from the official website. Run a full system scan, which typically takes 30-60 minutes. Malwarebytes excels at detecting RAT components, keyloggers, and persistence mechanisms that manual removal might miss. Quarantine all detected threats. Follow up with a scan using your installed antivirus if it's from a reputable vendor (Windows Defender, Norton, Kaspersky, etc.). Consider running a secondary scanner like HitmanPro for confirmation.

07

Reset Web Browsers to Default Settings

EndRAT variants sometimes install browser extensions to monitor web activity or inject content. Open each installed browser and reset it to factory defaults. In Chrome, go to Settings > Advanced > Reset settings. In Firefox, type "about:support" in the address bar and click "Refresh Firefox." In Edge, navigate to Settings > Reset settings > Restore settings to their default values. This removes potentially malicious extensions, clears cookies that might identify you to the attacker's tracking infrastructure, and eliminates injected scripts.

08

Change All Passwords from a Clean Device

Because EndRAT includes keylogging capabilities, assume every password you entered while infected has been compromised. Using a different computer, tablet, or smartphone that was definitely not infected, change passwords for all critical accounts: email, banking, shopping sites, social media, work accounts, and any service with stored payment information. Enable two-factor authentication wherever available. Do NOT change passwords on the infected machine until you're certain it's fully cleaned and verified.

09

Reboot Normally and Monitor System Behavior

Restart your computer into normal mode and observe its behavior for several hours. Monitor Task Manager for suspicious processes reappearing, check network activity for unexpected connections (use Resource Monitor or TCPView), and verify that your antivirus software is running and up-to-date. Watch for signs like unusual slowdowns, unexpected network traffic, programs launching at startup that shouldn't be there, or webcam indicator lights activating spontaneously.

10

Consider Professional Verification

Remote access trojans are sophisticated threats that often install rootkit components or hide in firmware where consumer antivirus tools can't reach. If you handle sensitive business data, financial information, or if you're not confident the infection is completely eliminated, bring your machine to our shop for forensic-level verification. We use specialized tools to check boot records, firmware, and hidden system areas that manual removal and standard scanners might miss.

Prevention

  1. Maintain healthy skepticism toward email attachments and links. Never open attachments from unexpected senders, even if they appear to come from known contacts (compromised accounts send infected emails). Verify unexpected invoices, shipping notices, or urgent requests by contacting the sender through a different communication channel. Hover over links before clicking to preview the actual destination URL.
  2. Disable Office macros by default. Configure Microsoft Office to disable all macros or set them to require explicit approval. Legitimate businesses almost never send documents requiring macro execution. If a document prompts you to "Enable Content" or "Enable Editing" to view it properly, treat it as suspicious and verify its legitimacy before complying.
  3. Download software only from official sources. Avoid third-party download sites, torrent networks, and "free crack" websites entirely. These are primary distribution channels for trojanized software bundles. Purchase or download applications directly from the developer's official website or through legitimate app stores (Microsoft Store for Windows applications, for example).
  4. Keep Windows and all applications fully updated. Enable automatic updates for Windows, web browsers, PDF readers, Java, and other commonly targeted software. Many malware distribution campaigns exploit known vulnerabilities that have already been patched. Regular updates close these security holes before attackers can exploit them.
  5. Use reputable security software and keep it active. Install a quality antivirus/anti-malware solution (Windows Defender is adequate for most users if kept updated) and ensure real-time protection remains enabled. Configure it to scan downloaded files automatically and schedule regular full system scans. Don't disable your antivirus "temporarily" to install questionable software.
  6. Implement standard user accounts for daily use. Create a separate administrator account for installing software and system changes, but use a standard user account for everyday computing. This limits malware's ability to install system-wide persistence mechanisms or modify protected system areas without your explicit administrative approval.
  7. Enable two-factor authentication on critical accounts. Add an extra authentication layer to email, banking, shopping, and work accounts. Even if EndRAT captures your password, attackers won't be able to access accounts protected by 2FA without also compromising your phone or authentication device.
  8. Back up important data regularly to offline storage. Maintain recent backups of critical files on external drives that remain disconnected when not actively backing up. If you discover an infection, you can restore clean data without paying ransom or losing irreplaceable files. Test your backups periodically to ensure they actually work when needed.
Our 90-Day Warranty
When we remove EndRAT or any malware from your system, the job is backed by our 90-day warranty. If the same infection returns within three months — or if we missed something during the initial cleaning — we'll fix it at no additional charge. That's our commitment to doing the job right the first time.

Bring It In

Removing a remote access trojan like EndRAT requires thorough attention to detail and specialized diagnostic tools that go beyond what consumer antivirus software provides. The manual steps outlined above can work for technically confident users, but RATs are designed to hide, persist, and evade detection. One missed registry key or overlooked scheduled task means the infection remains active, continuing to steal your information and provide backdoor access to attackers.

Computer Repair Roswell has cleaned hundreds of RAT infections from both home computers and business systems. We perform deep forensic scans that check boot sectors, firmware, hidden partitions, and system areas that standard tools ignore. Our technicians will verify complete removal, harden your system against reinfection, help you assess what data may have been compromised, and guide you through the password reset process. Same-day service is available for most malware removals — call us at (770) 667-9487 or visit our shop at 1750 Hembree Road, Suite 100, Roswell, GA 30076. We're open Monday through Saturday and can usually have your system cleaned, verified, and returned to you within 24 hours.