You are working on an important project. Your computer slows down. The cursor moves on its own. Files open and close without you touching the mouse.
You are not imagining things. Someone else is controlling your computer from thousands of miles away.
This is what a Remote Access Trojan (RAT) does. ModeloRAT is one of the most dangerous examples of this type of malware.
I'll explain how ModeloRAT operates: how it infects computers, and how to avoid being infected by it.
What Is ModeloRAT
ModeloRAT is considered a type of malware, specifically classified as a Remote Access Trojan (RAT). As such, it provides attackers with complete control over infected machines.
When ModeloRAT is installed on a machine, the remote attacker has almost all of the same capabilities that you have as the user of that machine. This means that they can view any files on that machine, download any documents, access and record through the webcam (video or still), and log your keystrokes to capture passwords and anything else you type.
The name "ModeloRAT" comes from the mixture of "remote access trojan" and the word "modelo" in Spanish, which means "sample" or "reference model." The aim of developing this malware was to provide hackers with an easy way to create their own version of a RAT.
ModeloRAT can be particularly impactful because it is developed in Python, a language that is easy to read and easy to modify.
Therefore, when an attacker creates their own instance of the RAT, they can change the code and add capabilities so that it bypasses traditional virus scanning software, without rebuilding the RAT from scratch.
This type of flexibility represents a significant attraction for cybercriminals. It is used by initial access brokers, ransomware gangs, and individual hackers who want to take control of victims' computers.
How ModeloRAT Infects Computers
ModeloRAT does not magically appear on your computer. It needs to be delivered through some method. Attackers use several common techniques to infect victims.
Infection Method 1: Phishing Emails
One of the most frequently used ways for ModeloRAT to make its way to your machine is through phishing emails. You receive what seems to be a legitimate email from your IT department, shipping company, or software vendor, among others.
The email contains either an attachment (a Word document, PDF, or something similar) or a link. If you click on the link, it may take you to a page that is made to look like a legitimate site.
Once you open the attachment from an email or click on a link in an email, ModeloRAT will download and install itself on your computer. You won't see anything happening as it's operating quietly in the background.
Watch for phishing emails that use urgent or artificially urgent language, such as "Your account will be closed if you do not respond immediately." Look for attachments or hyperlinks with unusual file extensions such as 'invoice.exe' or 'document.docm' (the extension is the part of the name after the last '.' (dot)). There may also be subtle misspellings in hyperlinks (for example 'giff' instead of 'gif').
Infection Method 2: Fake Software Downloads
You want to get a free program. A PDF Converter, Video Editing Software, Password Cracking Program, Game Cheats. You find a site that says they offer that type of software for free.
You download and install the program. It may even work as expected; however, buried inside the installer is ModeloRAT. It will install alongside the legit software, and you will not be aware of its hidden presence.
This kind of activity occurs most often with:
1. Cracked versions of software and keygen programs (programs that generate forged license keys to bypass registration).
2. Free versions of paid software offered on non-official websites.
3. Cheating/hacking programs for online games.
4. Fake update alerts shown while you browse the web.
Infection Method 3: Malicious Ads (Malvertising)
You go to an established website (news site, forum, blog, etc), and you do NOT click on anything. However, an advertisement on that page may contain hidden, malicious code.
An advertisement that contains the code will automatically download ModeloRAT and install it onto your machine; you did not take any action to do this. You merely visited that site and became infected.
How to Protect Yourself: Use an ad blocker in your web browser, keep your web browser and operating system updated, and disable automatic downloads in your web browser settings.
Infection Method 4: USB Drives or Other Removable Media
Someone with physical access to your system can copy the ModeloRAT files to a USB stick and later plug that stick into your machine or a different one. Certain variants of ModeloRAT are set up to run automatically as soon as the USB drive is inserted.
Infection Method 5: Remote Desktop Protocol (RDP) Attacks
If your system has RDP enabled and the port is exposed to the Internet, an attacker can find it with an Internet scanning utility and attempt to connect by brute force, trying common passwords such as "password" and "admin". Once connected, the attacker can install ModeloRAT manually.
What Happens After ModeloRAT Infects Your Computer
Once ModeloRAT is installed, it does not sit idle. It immediately begins working to maintain access and steal information.
Stage 1: Persistence Installation
ModeloRAT seeks to keep its foothold on the target computer even after a restart. To do this it uses a variety of techniques that survive reboots and resist attempts to remove it.
One method is adding itself to the Windows Registry Run key, which tells the operating system to launch the malware each time the victim logs in. Another is placing a copy of itself in the victim's Startup folder, which Windows also uses to launch programs each time the victim starts the computer.
Certain versions of ModeloRAT also create a scheduled task that runs at predetermined times or at a fixed interval. If the malware file is deleted from its primary location, that scheduled task can restore it from a second copy stored elsewhere the next time the task runs.
Stage 2: Establishing Communication With the Attacker
Once ModeloRAT has infected a target, it must communicate with the attacker to receive instructions and hand over stolen information. To accomplish this, the malware establishes a connection to a command and control (C2) server that the attacker operates.
To avoid detection, ModeloRAT uses standard Internet ports so that its traffic blends in with normal activity. Like many malicious programs, it favors ports that legitimate traffic already uses, such as port 443. Traffic on port 443 looks like secure web browsing, so firewall rules generally allow it out to the Internet without inspection.
Some strains of ModeloRAT go further and encrypt their C2 traffic so that security software cannot read the commands being exchanged.
Stage 3: Reconnaissance
Once the connection between ModeloRAT and the Command and Control server is established, ModeloRAT will gather the following information from the victim's computer:
1. Operating system version
2. Installed software
3. Active processes
4. Network configuration
5. User account information
This information helps the attacker determine what kind of system has been compromised.
Stage 4: Waiting For Commands
After ModeloRAT has completed its reconnaissance and sent the results to the attacker, it waits for the attacker to send commands. When a command arrives, ModeloRAT carries it out.
Common instructions sent by the attacker to ModeloRAT include:
1. Upload files to, and download files from, the victim's computer
2. Run other malware (such as ransomware or keyloggers)
3. Take screenshots of the desktop
4. Record audio from the microphone
5. Turn on the webcam
6. Log keystrokes to capture passwords
7. Use the computer to attack other systems
Signs Your Computer May Be Infected with ModeloRAT
ModeloRAT is designed to be stealthy, but it cannot hide everything.
Look for these warning signs:
1. Your computer is slow even when you are not running anything demanding. This usually points to a process such as ModeloRAT consuming CPU and memory in the background.
2. Your computer is sending and/or receiving data over the Internet when you are not browsing or using anything online. You can check for this in the Network Activity tab in Task Manager: high network activity while you are doing nothing online is a warning sign.
3. One of the most clear indicators that a RAT is installed on your system is that your cursor (mouse pointer) moves or clicks when you haven’t touched your mouse (pointing device). This is definitive proof that someone else is remotely accessing (hacking) your computer and controlling it.
4. A good indication that your computer has been compromised by an intruder is if applications are opening and closing by themselves with no user input.
5. If the indicator light on your webcam turns on without your permission or knowledge, this can be indicative of an attack.
6. Your antivirus is disabled. Some malware disables Windows Defender or other security software to protect itself. If you cannot turn your antivirus back on, you may be infected.
How to Remove ModeloRAT
If you suspect your computer is infected, take these steps immediately:
Step 1: Disconnect from Internet
Unplug your network cable or turn off Wi-Fi on the computer. This stops the attacker from accessing your computer while you remove the malware, and it prevents ModeloRAT from downloading any additional malware.
Step 2: Run a Full Antivirus Scan
Use the built-in Microsoft Defender Antivirus, or another reputable antivirus program, to perform a full system scan (not a quick scan). The scan can take a while, but it is a necessary part of cleaning your computer. Restart your PC once the scan has finished.
Step 3: Run a Second Full Scan with Different Anti-Malware Software
Since no single antivirus product finds every threat, download Malwarebytes Free (or another reputable free anti-malware tool) on a clean computer, copy it to the infected computer on a USB flash drive, and run another FULL scan. This is meant to catch anything the previous scan missed.
Step 4: Check for Persistence Mechanisms
After removing ModeloRAT from your system, check whether any remnants remain in the form of a scheduled task or registry entry that could reinstall it when you reboot.
To identify whether there are remnants of the malware, do the following:
1. Open "Task Manager" and click on the "Startup" tab and disable any suspicious items from starting at startup.
2. Open "Task Scheduler" and search for autorun tasks with random names or from vendors that are unknown to you.
3. Open "Registry Editor" and navigate to the "Run" Registry Key, and ensure there are no entries pointing to the \Temp or \AppData folders.
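The same three locations described in Stage 1 and in the three steps above (Run keys, Startup folders, scheduled tasks) can be audited in one pass. The PowerShell script below is an added example, not code from the original article; it is read-only, flags entries that launch from \Temp or \AppData, and assumes Windows 8 or later (for Get-ScheduledTask) run from an elevated prompt.

```powershell
# Added example: list autostart entries and flag those that launch from \Temp or \AppData.
# Read-only: nothing is deleted. Every hit still needs a human decision, because
# legitimate updaters (OneDrive, Teams, browsers) also install under \AppData.
$pattern = '\\(Temp|AppData)\\'

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = 'Registry'; Name = $name
                               Command = [string]$item.GetValue($name); Location = $key }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders; .lnk shortcuts are resolved to their real target
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -eq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
            [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $target; Location = $folder }
        }
    }
}

function Get-TaskEntries {
    # Enabled scheduled tasks that execute a program (the "task restores the file" trick from Stage 1)
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName
                                   Command = "$($action.Execute) $($action.Arguments)"; Location = $task.TaskPath }
            }
        }
    }
}

$entries = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-TaskEntries)
$flagged = @($entries | Where-Object { $_.Command -match $pattern })

Write-Host "Autostart entries found: $($entries.Count); flagged: $($flagged.Count)"
$flagged | Format-Table Source, Name, Command, Location -AutoSize -Wrap
```

Review each flagged line against what you actually installed; an unfamiliar name with a random-looking file under \Temp or \AppData\Local is the pattern to remove after the scans in Steps 2 and 3.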
Step 5: Change All Your Passwords
Assume the attacker had access to everything on your device. Using a computer that is not infected, change the passwords for your email, banking, social media and every other account that matters to you. It is also strongly recommended to turn on two-factor authentication for every account that supports it.
Step 6: Reinstall Windows If Unsuccessful In Removal
If your computer is still misbehaving after the scans, or you were not able to remove the malware, back up all personal files (photos and documents) and then perform a full reinstallation of Windows. This is the only way to be absolutely sure the malware is gone.
Do not back up programs or system files. Only copy your personal documents. Malware can hide in program files and restore itself when you copy them back.
How to Prevent ModeloRAT Infections
You can protect yourself from ModeloRAT and similar malware with these habits:
1. Avoid opening attachments from unknown sources! If you get an unexpected email with an attachment, no matter who it is from, confirm with the sender first. Their account may have been hacked.
2. Disable macros! Macros in Office documents are a common way for malicious attachments to run code. The setting is under File > Options > Trust Center > Trust Center Settings > Macro Settings; choose "Disable all macros with notification".
3. Show extensions to your files on Windows! By default Windows will hide the extensions of files (the ending part of a file name after the period), therefore allowing attackers to use confusing names such as invoice.pdf.exe that appear as just invoice.pdf. To display the extensions, go into File Explorer, click on View and check the box for File Name Extensions.
4. Keep your Software Up-To-Date! Software updates are released to fix security flaws that attackers exploit on vulnerable software to install malware. Enable your auto-updates on Windows, your browser and any other installed software.
5. Always use a standard user account, not an administrator account. Use the administrator account only when you need to change the system; for day-to-day tasks such as web browsing and email, use your standard account. If malware runs under a standard user account, it cannot make system-wide changes unless you enter your admin password.
6. Avoid downloading software from untrustworthy sites or through cracked software (such as keygens) or through "free" versions of paid software (as these will generally contain malware). Only download programs from official websites.
7. Use an ad blocker to reduce the chance of clicking on a malicious ad and becoming infected. Install uBlock Origin or another reputable ad blocker in the browser you use to access the Internet.
8. Disable Remote Desktop if you do not need to access your computer remotely. To turn it off, go to Settings, select System, and toggle off Remote Desktop.
9. Create a backup of your data regularly. In the event that you do become infected with malware on your computer, you should be able to reload your operating system and restore your information from a backup. For best practices with backups, keep them stored on a detachable drive that is not always plugged into your computer.
The Bottom Line
ModeloRAT is an extremely harmful remote access trojan that can take complete control over someone’s computer. It is often spread through methods such as phishing emails, fake software downloads, malicious ads and various other common ways.
Once installed on the targeted system, it hides itself from detection, communicates back to the attacker and waits for commands: stealing the files the attacker wants, viewing through the victim's webcam, recording keystrokes, or using the compromised system to attack another victim.
To protect yourself from becoming a victim of this type of attack, you should use extra caution when opening email attachments, only download software from official sources, use an ad blocker to keep your system free from malware, continuously update your system to receive the latest patches and backup your data regularly.
If you have already been infected, immediately remove any internet connection, run a complete antivirus scan, change any passwords and if nothing else works, then reinstall Windows.
Do not ignore signs of a RAT infection. A RAT infection is not just an inconvenience; it provides attackers open access to your entire digital life.
FAQ Section
Does any antivirus software detect ModeloRAT?
Most modern AVs will flag known samples of ModeloRAT. However, attackers often change the code to avoid detection; therefore, you should run several scanners and make sure you are updating your AV on a regular basis.
What separates ModeloRAT from other RATs?
ModeloRAT is coded in Python, which allows attackers to easily change and customize it. This is one reason it has so many different persistence methods and redundant C2 servers, which makes it much harder to eliminate completely.
Is it possible for ModeloRAT to spread on my network to additional computers?
Yes. If an attacker has control over your PC, they would be able to use that PC to scan your local network and infect other devices on that same network, which is why you should immediately disconnect any infected systems from your network.
Is ModeloRAT compatible with Mac or Linux computers?
ModeloRAT has primarily been developed for Windows; however, because it is based on Python, it is conceivable that it could be adapted to other platforms. Nevertheless, the majority of attacks to date have been directed at Windows systems.
How can I verify I'm currently being remotely controlled?
The most common indication that you have been compromised is a cursor moving or clicking without user input. Other hints include applications opening and closing on their own, a webcam light that turns on by itself, tasks taking far longer than usual (a slow system response), or a system that becomes unresponsive.