MALWARE FAMILY | 💰 FINANCIAL | HIGH

LimeRAT

Internal ID: win.limerat
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

## Description

Simple yet powerful RAT for Windows machines. This project is simple and easy to understand. It should give you general knowledge about .NET malware and how it behaves.

---

## Main Features

- **.NET**
  - Coded in Visual Basic .NET. The client requires .NET Framework 2.0 or 4.0, and the server requires 4.0
- **Connection**
  - Uses pastebin.com as ip:port instead of noip.com DNS, and also uses multiple ports
- **Plugin**
  - Uses a plugin system to decrease the stub's size and lower AV detection
- **Encryption**
  - The communication between server and client is encrypted with AES
- **Spreading**
  - Infects all files and folders on USB drives
- **Bypass**
  - Low AV detection and undetected startup method
- **Lightweight**
  - Payload size is about 25 KB
- **Anti Virtual Machines**
  - Uninstalls itself if the machine is virtual, to avoid scanning or analysis
- **Ransomware**
  - Encrypts files on all HDD and USB drives with the .Lime extension
- **XMR Miner**
  - High-performance Monero CPU miner with user idle/active optimizations
- **DDoS**
  - Creates a powerful DDoS attack to make an online service unavailable
- **Crypto Stealer**
  - Steals sensitive cryptocurrency data
- **Screen-Locker**
  - Prevents the user from accessing the Windows GUI
- **And more**
  - On Connect Auto Task
  - Force enable Windows RDP
  - Persistence
  - File manager
  - Password stealer
  - Remote desktop
  - Bitcoin grabber
  - Downloader
  - Keylogger

Threat Analysis

LimeRAT is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Financially motivated threats like LimeRAT prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, LimeRAT is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

- Type: Malware Family
- Motivation: 💰 financial
- Sophistication: high
- Aliases: 1

Also Known As

win.limerat

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.