Threat Profile
| Characteristic | Details |
|---|---|
| Threat Name | Tiger RAT |
| Malware Type | Remote Access Trojan (RAT), Third-Stage Backdoor |
| Platform | Windows (WIN), both x86 and x64 architectures |
| File Type | Windows PE executable (Portable Executable) |
| Common Disguise | Internet Explorer or Google Chrome icons with corresponding browser file names |
| Encryption Method | 16-byte XOR key for base64-encoded embedded payload |
| Deployment Stage | Third-stage payload (requires prior compromise via first and second stage malware) |
| Threat Actor Attribution | Andariel group (documented in Kaspersky research) |
| Primary Target Geography | South Korea, with capabilities applicable globally |
| Interactive Operation | Yes—attackers manually control deployment and execution |
| Intelligence Last Updated | 2026-06-18 (Malpedia) |
| Detection Difficulty | High—disguised as legitimate software, encrypted payload, targeted deployment |
How It Spreads
Tiger RAT does not spread through traditional mass-distribution channels like phishing emails or drive-by downloads. Instead, it represents the final payload in a multi-stage intrusion operation. Attackers first compromise your system through initial access malware, then deploy secondary loaders, and finally introduce Tiger RAT once they've established a foothold and identified high-value targets within the network. The infection chain typically begins weeks or even months before Tiger RAT appears on your machine. Initial compromise vectors used by the Andariel group and similar operators include spear-phishing campaigns with weaponized documents, exploitation of unpatched vulnerabilities in internet-facing services, or supply-chain compromises targeting specific organizations. The first-stage malware performs reconnaissance, then downloads a second-stage loader that creates the environment for Tiger RAT deployment. Distribution methods for the broader infection chain include: - **Targeted spear-phishing emails** with malicious attachments tailored to specific individuals or departments - **Watering hole attacks** on websites frequented by the target organization - **Exploitation of vulnerabilities** in VPN gateways, web servers, or other perimeter devices - **Supply-chain compromises** where legitimate software updates are trojanized - **Lateral movement** from already-compromised systems within the same network - **Credential theft and reuse** allowing attackers to deploy payloads with legitimate administrative accessWhat It Does On Your Machine
Once executed, Tiger RAT decrypts its embedded payload at runtime using a hardcoded 16-byte XOR key. The malware takes the base64-encoded payload stored within itself, applies the XOR decryption algorithm, and loads another portable executable file directly into memory. This technique allows the malware to avoid writing the actual backdoor code to disk in unencrypted form, making detection more difficult for traditional antivirus scanners that rely on file-based signatures. The decrypted payload establishes a command-and-control channel that gives attackers comprehensive remote access to your system. Unlike automated botnets, Tiger RAT operations involve human operators who interactively explore your system, exfiltrate specific documents, install additional tools, and move laterally to other machines on your network. The attackers can execute arbitrary commands, capture screenshots, log keystrokes, enumerate files and running processes, and essentially perform any action you could perform while sitting at the keyboard. Because Tiger RAT disguises itself with browser icons and file names, victims often mistake the malicious executable for a legitimate shortcut or installation file. The malware may appear in download folders, temporary directories, or locations where users expect to find browser-related files. When double-clicked, it executes silently without obvious indicators of compromise, running quietly in the background while providing attackers with persistent access.Manual Removal — Step by Step
Isolate the infected system immediately
Physically disconnect the network cable or disable Wi-Fi before proceeding. Tiger RAT provides live remote access—attackers may observe your removal attempts and take countermeasures. Work offline for all subsequent steps. If this is a business network, notify your IT department or security team immediately as other systems may be compromised.
Boot into Safe Mode with Networking
Restart the computer and press F8 repeatedly during boot (or hold Shift while clicking Restart in Windows 10/11, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart > option 5). Safe Mode loads minimal drivers and prevents most malware from launching automatically. You'll need networking enabled to download security tools in subsequent steps.
Identify suspicious processes disguised as browsers
Open Task Manager (Ctrl+Shift+Esc) and examine running processes carefully. Look for iexplore.exe, chrome.exe, or similar browser names running from unusual locations like AppData\Local\Temp or ProgramData folders. Legitimate browsers run from Program Files. Right-click suspicious processes, select "Open file location," and note the full path. Do not terminate processes yet.
Run a comprehensive malware scan with updated definitions
Download Malwarebytes or a reputable anti-malware tool on a clean computer, transfer via USB drive to the infected system. Update definitions while still in Safe Mode, then perform a full system scan. Tiger RAT's encryption techniques may evade some scanners, so use multiple tools if possible. Quarantine all detected threats but document file paths before removal for forensic review.
Manually delete identified malicious executables
Navigate to the file locations identified in Step 3. Delete the disguised browser executables and any associated folders in AppData\Local\Temp or ProgramData directories. Check your Downloads folder for recently downloaded files with browser names but unusual sizes (Tiger RAT executables are typically several hundred KB to a few MB, different from legitimate installers).
Examine startup locations and scheduled tasks
Open Task Scheduler (taskschd.msc) and review all scheduled tasks for unfamiliar entries. Check startup folders at C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and the system-wide C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. Remove any references to the malicious executables you identified. Use Autoruns from Microsoft Sysinternals for comprehensive startup enumeration.
Reset all passwords from a known-clean device
Tiger RAT likely harvested credentials stored on your system. From a different computer or smartphone, immediately change passwords for all accounts accessed from the infected machine—email, banking, corporate networks, cloud storage. Enable two-factor authentication on all critical accounts. Do not reuse passwords across different services.
Check for additional compromised systems on your network
Tiger RAT infections often indicate broader network compromise. Scan all computers and devices that share the same network. Review router logs for unusual outbound connections. If this is a business environment, consider engaging a professional incident response team to assess the full scope of the breach and identify the initial entry point.
Monitor system behavior after removal
Reboot normally and observe for several days. Watch for unexpected network activity, new unknown processes, or system slowdowns. Use Process Explorer to examine running processes and their network connections. Tiger RAT's multi-stage nature means secondary loaders may attempt to re-download the payload if cleanup was incomplete.
Consider full system reinstallation for critical machines
Given Tiger RAT's sophisticated deployment and the advanced threat actors behind it, the most secure remediation is a complete operating system reinstall from trusted media. Back up critical data files (not executables or system files), wipe the drive, reinstall Windows from official sources, and restore only verified clean data. This is especially important for business systems or machines containing sensitive information.
Prevention
- Maintain comprehensive patch management: Keep Windows, all applications, and firmware updated. Tiger RAT operators exploit known vulnerabilities to gain initial access. Enable automatic updates where possible and prioritize patches for internet-facing services, VPNs, and remote access tools.
- Implement network segmentation: Divide your network into zones with restricted communication between them. Limit lateral movement opportunities by ensuring workstations cannot directly access other workstations, and apply principle of least privilege to all network access rules.
- Deploy endpoint detection and response (EDR) solutions: Traditional antivirus struggles with encrypted, multi-stage malware like Tiger RAT. EDR tools monitor behavioral indicators—unusual process execution chains, memory injection, suspicious network connections—that reveal threats even when file signatures are unknown.
- Enforce application whitelisting on critical systems: Configure Windows AppLocker or similar tools to allow only approved executables to run. This prevents disguised malware from executing even if downloaded to the system, though it requires careful management to avoid disrupting legitimate work.
- Train users to recognize targeted attacks: Educate staff about spear-phishing techniques specific to your industry. Tiger RAT infections begin with highly personalized social engineering. Establish procedures for verifying unexpected attachments or requests, especially those urging immediate action.
- Monitor for indicators of multi-stage infections: Watch for unusual downloaded executables, especially those disguised as familiar software. Enable Windows SmartScreen and configure browsers to warn about downloaded files. Review security logs for base64 encoding/decoding activities and XOR operations, which often signal decryption routines.
- Implement robust backup and recovery procedures: Maintain offline backups that malware cannot access. Test restoration procedures regularly. Andariel group operations have included ransomware deployment via Tiger RAT, making recoverable backups essential for business continuity.
- Conduct regular security assessments: Perform periodic vulnerability scans and penetration tests to identify weaknesses before attackers do. Review access logs for anomalous activity, especially during non-business hours. Consider threat hunting exercises specifically looking for signs of staged intrusions.