RokRAT (also known as DOGCALL) is a sophisticated backdoor trojan that first appeared in targeted campaigns against Korean-speaking users but has since spread to other regions. Unlike typical malware that relies on traditional command-and-control servers, RokRAT cleverly abuses legitimate cloud storage services like Dropbox, Box, and Yandex to communicate with attackers and store stolen data. This makes it harder for security software to detect and harder for network administrators to block. If you suspect your Windows PC has been compromised by this threat, immediate action is required to prevent further data theft.

RokRAT — cybersecurity illustration
Photo by John (Giannis) Tekeridis on Pexels
Think you're infected right now? Disconnect from the internet immediately (unplug Ethernet or disable Wi-Fi). Do not log into any online accounts or enter passwords until the infection is removed. RokRAT actively logs keystrokes and can capture your credentials in real-time. Call Computer Repair Roswell at (770) 428-9555 for same-day emergency removal service.

Threat Profile

Threat Name RokRAT (DOGCALL)
Threat Type Backdoor Trojan / Remote Access Tool (RAT)
Platform Windows (all versions)
File Type Windows PE executable (typically delivered encoded/encrypted)
Distribution Method Weaponized documents (HWP, Office), malicious email attachments
First Observed 2016 (targeted campaigns), wider distribution 2017-present
Primary Payload Keylogger, screen capture, file exfiltration, remote command execution
Command & Control Cloud storage APIs (Dropbox, Box, pCloud, Yandex)
Detection Names Trojan.RokRAT, Backdoor.DOGCALL, Trojan.Win32.Agent (varies by vendor)
Evasion Techniques Anti-VM checks, encoded binaries, legitimate cloud service abuse
Risk Level High (data theft, credential harvesting, persistent access)
Last Updated 2026-06-18 (Malpedia intelligence)

How It Spreads

RokRAT typically arrives through highly targeted spear-phishing campaigns. Attackers send emails that appear to come from legitimate sources—government agencies, business partners, or trusted organizations—with document attachments that exploit vulnerabilities in document readers. The initial infection vector is usually a weaponized HWP file (a Korean word processor format) or a Microsoft Office document containing malicious macros or embedded exploits.

When you open the infected document, it exploits a vulnerability or tricks you into enabling macros. This triggers shellcode that downloads an encoded binary file from a remote server. The shellcode then decodes and executes the RokRAT payload directly in memory, often without ever writing a traditional executable file to your hard drive. This "fileless" approach helps the malware evade antivirus detection during the initial infection stage.

Common distribution vectors include:

  • Spear-phishing emails with attachments disguised as invoices, contracts, meeting minutes, or government notices
  • Weaponized HWP documents exploiting Hangul Office vulnerabilities (CVE-2017-8291 and similar)
  • Microsoft Office documents with malicious macros that require you to click "Enable Content"
  • Compromised websites hosting exploit kits that deliver the payload through browser vulnerabilities
  • USB drives and network shares in targeted environments (less common but observed)
  • Supply chain attacks where legitimate software update mechanisms are compromised

What It Does On Your Machine

Once RokRAT establishes itself on your system, it operates as a full-featured backdoor with extensive surveillance capabilities. The malware begins by gathering system information—your computer name, username, operating system version, installed software, running processes, and network configuration. This reconnaissance data is packaged and uploaded to the attacker's cloud storage account, establishing your machine as a compromised asset in their inventory.

The keylogging component activates immediately, recording every keystroke you make. This includes passwords, credit card numbers, private messages, search queries, and confidential business communications. The malware also takes periodic screenshots of your desktop, capturing whatever you're viewing even if you're not typing. These screenshots and keystroke logs are systematically uploaded to cloud storage services, making the data exfiltration appear as normal user activity to network monitoring tools.

RokRAT includes anti-analysis mechanisms that detect whether it's running inside a virtual machine or sandbox environment. If it detects analysis tools, debuggers, or virtualization software, it may terminate itself or remain dormant to avoid revealing its capabilities to security researchers. This cat-and-mouse behavior makes it particularly challenging for automated malware analysis systems to properly characterize the threat.

Typical RokRAT System Modifications (observed in sandbox) C:\Users\[username]\AppData\Local\Temp\~tmp####.exe // Initial dropper executable (randomly named) C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityUpdate.lnk // Persistence mechanism via Startup folder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Name: "WindowsUpdate" Data: C:\Users\[username]\AppData\Local\svchost.exe Network Connections api.dropbox.com // File upload/download for C2 communication api.box.com // Alternative cloud storage backend webdav.yandex.com // Data exfiltration channel content.dropboxapi.com // Command retrieval and data upload

The malware maintains persistence through multiple mechanisms, creating registry entries and startup shortcuts that ensure it runs every time Windows boots. Because it uses legitimate cloud storage APIs for communication, your firewall sees normal HTTPS traffic to well-known services rather than suspicious connections to unknown command servers. This allows RokRAT to operate undetected for extended periods, continuously harvesting your sensitive information.

Manual Removal — Step by Step

01

Disconnect from the Internet Immediately

Unplug your Ethernet cable or disable Wi-Fi before proceeding. This prevents RokRAT from uploading additional data or receiving new commands from its cloud storage infrastructure. Work offline throughout the entire removal process.

02

Boot into Safe Mode with Networking

Restart your computer and press F8 (or Shift+F8 on Windows 10/11) during boot. Select "Safe Mode with Networking" from the menu. This loads only essential Windows components and prevents most malware from automatically starting. If you cannot access Safe Mode, the infection may have modified your boot configuration—bring your machine to our shop immediately.

03

Identify Suspicious Processes

Press Ctrl+Shift+Esc to open Task Manager. Look for unfamiliar processes, especially those named after legitimate Windows services (like "svchost.exe" or "WindowsUpdate.exe") running from unusual locations such as AppData\Local or AppData\Roaming. Note the exact file location of any suspicious processes. Right-click and select "End Task" but understand the malware may restart itself.

04

Check and Clean Startup Locations

Press Windows+R and type "shell:startup" to open your Startup folder. Delete any suspicious shortcuts, particularly those created recently. Next, run "msconfig" from the Run dialog, navigate to the Startup tab (or open Task Manager > Startup tab on Windows 10/11), and disable any unrecognized entries. Pay special attention to items with vague names or those pointing to temporary directories.

05

Examine Registry Run Keys

Press Windows+R and type "regedit" to open Registry Editor. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries with suspicious names (especially "WindowsUpdate", "SecurityUpdate", or random character strings) that point to executables in AppData folders. Right-click and delete these entries, but create a registry backup first (File > Export) in case of mistakes.

06

Delete Malicious Files

Navigate to the file locations you identified in Task Manager and registry entries. Common hiding places include C:\Users\[username]\AppData\Local\, C:\Users\[username]\AppData\Roaming\, and C:\Users\[username]\AppData\Local\Temp\. Delete the executable files. RokRAT may have set files as hidden or system files, so enable "Show hidden files" in File Explorer options and uncheck "Hide protected operating system files" before searching.

07

Run Multiple Antimalware Scans

Install and run at least two reputable anti-malware tools. We recommend Malwarebytes and HitmanPro for RokRAT detection. Run full system scans with both programs and quarantine everything they find. Do not rely on a single security product—RokRAT's anti-detection features may fool one scanner but not others. This step requires internet connectivity, so reconnect only long enough to download tools and definition updates.

08

Clear Temporary Files and Browser Data

Run Disk Cleanup (search for "Disk Cleanup" in the Start menu) and select all categories, especially "Temporary files" and "Temporary Internet Files." Additionally, clear all browser caches, cookies, and download history in Chrome, Firefox, Edge, and any other browsers you use. RokRAT may have deposited encoded payloads in these locations.

09

Change All Passwords from a Clean Device

Do not change passwords on the infected machine—the keylogger may still be active. Use a different computer, tablet, or smartphone to change passwords for email, banking, social media, and any accounts you accessed while infected. Enable two-factor authentication wherever possible. Assume that any credential you entered during the infection period has been compromised.

10

Monitor for Re-infection

Restart normally and observe system behavior for several days. Watch for unexpected network activity, new unfamiliar processes, or system slowdowns. Run periodic scans with your security software. If any symptoms return, the infection likely persists at a deeper level (bootkit or firmware) and requires professional intervention. Do not assume you're clean just because obvious symptoms disappear.

Prevention

  1. Never enable macros in unsolicited documents. If a document asks you to "Enable Content" or "Enable Editing" to view it properly, delete it immediately unless you absolutely trust the sender and were expecting the file. Call the sender through a known phone number (not one in the email) to verify legitimacy before opening.
  2. Keep all software patched and updated. RokRAT exploits known vulnerabilities in document readers, particularly older versions of Hangul Office and Microsoft Office. Enable automatic updates for Windows, Office, Adobe Reader, and all other installed applications. Replace end-of-life software that no longer receives security patches.
  3. Use comprehensive endpoint protection. Install reputable antivirus software with behavioral detection capabilities, not just signature-based scanning. Products that monitor process behavior and network connections have better chances of catching RokRAT's cloud-based command infrastructure. Keep definitions updated daily.
  4. Implement email filtering and scanning. Use email services or security appliances that scan attachments for malicious content before they reach your inbox. Configure filters to quarantine or block HWP files and Office documents with macros from external senders. Most businesses have no legitimate need to receive these file types from strangers.
  5. Practice the principle of least privilege. Don't use an administrator account for everyday activities like web browsing and email. Create a standard user account for daily work. Many malware infections, including RokRAT, can be contained to a single user profile if the malware doesn't have administrative rights to modify system-wide settings.
  6. Monitor cloud storage access. If you use Dropbox, Box, or similar services, periodically review connected applications and API access tokens in your account settings. Revoke access for any applications you don't recognize. While this won't prevent infection, it may help you detect compromise earlier.
  7. Back up important data offline. Maintain encrypted backups on external drives that you disconnect from your computer when not actively backing up. RokRAT doesn't typically encrypt files like ransomware, but if you need to wipe your system for complete remediation, having clean backups ensures you don't lose critical information.
  8. Educate yourself and employees about phishing. Most RokRAT infections start with a convincing email. Learn to recognize urgency tactics, requests to bypass security warnings, and messages that impersonate authority figures. When in doubt, verify through independent channels before opening any attachment.
Our 90-Day Warranty
When Computer Repair Roswell removes RokRAT from your system, we guarantee our work for 90 days. If the same malware returns within that period through no fault of your own (not from re-infection via unsafe behavior), we'll fix it again at no charge. We also provide a written report documenting what we found and removed, which can be valuable for insurance or legal purposes.

Bring It In

RokRAT represents a serious threat that goes beyond typical malware. Its use of legitimate cloud infrastructure, anti-analysis techniques, and comprehensive surveillance capabilities means that incomplete removal leaves you vulnerable to ongoing data theft. While the manual steps above can work, they require technical knowledge and thoroughness that most computer users understandably lack. Missing even one persistence mechanism means the malware can reinstall itself and resume operations.

Computer Repair Roswell has successfully removed RokRAT and similar sophisticated threats from hundreds of systems throughout the Roswell and metro Atlanta area. We use professional forensic tools to identify all components of the infection, including encoded payloads and registry modifications that standard antivirus misses. We'll also examine your system for the initial infection vector, check for any additional malware that may have been installed alongside RokRAT, and configure your defenses to prevent re-infection. Call us at (770) 428-9555 or bring your computer to our shop at 1090 Alpharetta Street. Same-day service is available for urgent cases, and we'll have you back up and running securely—usually within 24 hours.