Police Seize Netwire RAT Malware Framework, Detains Admin

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Mar 10, 2023 02:54 am PST

After seizing the website and bringing down the infrastructure used by criminals connected to the NetWire remote access malware, international law enforcement authorities have declared another triumph over cybercriminals (RAT).

A guy who allegedly ran the worldwiredlabs website, which has long sold the NetWire malware, was detained by Croatian police on Tuesday. Swiss law enforcement confiscated the server hosting the NetWire RAT infrastructure on the same day. At the same time, a US judge approved a search warrant enabling US officials in Los Angeles to seize the internet domain.

The malware, which was initially found in 2012, is frequently concealed in malicious files. The RAT is a favorite among cybercrime gangs and organizations with state support, and phishing attempts are commonly used to spread it. After infecting a victim’s laptop or smartphone, the RAT’s capabilities include keylogging, password theft, and remote control of the device.

In a statement, Donald Alway, The Los Angeles field office of the FBI’s assistant director, said that by getting rid of the NetWire RAT, the FBI had a negative impact on the criminal cyber ecosystem.

“The international alliance that resulted in the arrest in Croatia also eliminated a common tool used to hijack computers in order to perpetuate international fraud, data breaches, and network assaults by threat organizations and cybercriminals,” Alway continued.

In 2020, the Los Angeles field office of the FBI began looking into the malware distributor. According to the affidavit supporting the seizure warrant, undercover agents participated by setting up website accounts, purchasing subscriptions, and building customized instances of the NetWire RAT using the product’s Builder Tool.

Verisign forwarded the worldwiredlabs domain to FBI-controlled servers, as detailed in a warrant [PDF]. Both the US and Croatian governments withheld the suspect’s identity. According to infosec journalist Brian Krebs, Mario Zanko of Zapresic, Croatia, has been the domain’s owner since 2012.

Croatian police say the malware vendor reportedly sold NetWire licenses for $10 to $1,200; they still need to calculate the total amount of money made illegally from selling the RAT. They stated that other crooks who purchased the software utilized NetWire to attack banks and healthcare facilities.

How RAT Malware Operates

RATs malware frequently escapes detection by cybersecurity teams since they aren’t typically listed in listings of running processes or programs. RATs frequently carry out tasks that are identical to those of legitimate programs. Also, an attacker will control the resource usage such that there is no performance degradation, making it more challenging to detect the threat.

A RAT assault may put at risk certain users, businesses, or even entire populations in the following ways:

  • Blackmail and spying are possible when an attacker uses RAT to access a user’s device’s cameras and microphones. They can use the images to conduct more complex assaults or to blackmail the user. They can capture pictures of the user and their surroundings.
  • Attackers can launch distributed denial-of-service (DDoS) attacks by using user devices infected with RATs to flood a target server with fictitious traffic. Although a DDoS assault might degrade network speed, users frequently aren’t aware that their devices are being exploited for this purpose.
  • Attackers may use a RAT to mine Bitcoin or other cryptocurrencies on a user’s computer. They can make large profits by expanding their business over numerous devices.
  • Attackers can use RAT to store illegal content on the devices of unwary victims through remote file storage. As a result of the attacker’s data being saved on devices owned by genuine users, authorities are unable to block access to their account or storage server.
  • Attackers can compromise industrial systems using RAT, including large-scale public utilities like water and power. The attacker can ruin these systems, potentially halting vital services for large regions and inflicting extensive damage to industrial equipment.


The accused administrator of the NetWire remote access trojan has been detained, and the service’s web domain and hosting server was seized as a result of an international law enforcement operation involving the FBI and law enforcement organizations around the world. A remote access trojan called NetWire was marketed as a reliable tool for managing a Windows PC from a distance.

Users could subscribe to the service for as little as $10 a month, which included support, on the website www.worldwiredlabs.com. Yet, since at least 2014, NetWire has been a preferred tool in a variety of nefarious operations, such as phishing assaults, BEC campaigns, and corporate network breaches. Threat actors could use the Netwire RAT to remotely take screenshots, download and upload files, run commands, or download other programs to execute on infected Windows systems. NetWire plans are advertised on the website.

The seizure warrant was authorized on March 3rd and carried out on Tuesday as part of a planned international law enforcement operation to stop the NetWire service, according to a statement released today by the U.S. Attorney’s Office for the Central District of California. Police from the Croatia Ministry of the Interior Criminal Police Directorate, Zurich Cantonal Police, Australian Federal Police, the United States Attorney’s Office for the Central District of California, Europol, and the FBI participated in this operation.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x