HOMETHREATSVyveva RAT
APT / THREAT GROUP

Vyveva RAT

2
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.

It uses a simple XOR for encryption of its configuration and network traffic.

It sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.

It supports more than 20 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, and the download and memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3, followed by 0x10, which goes incrementally up to 0x26. Also, it can monitor newly connected drives and the number of logged-on users.

It has MPRD.dll as the internal DLL name, and a single export SamIInitialize.

Vyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.

Threat Analysis

Vyveva RAT is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

External References

Quick Facts

TypeAPT / Threat Group
Aliases2

Also Known As

Vyveva RATwin.vyveva

External Intelligence

Malpedia: win.vyveva

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.