
Threat Group Cards: A Threat Actor Encyclopedia

Tool: 3102 RAT

Names: 3102 RAT
Type: Backdoor, Info stealer
Description: (Palo Alto) On May 6 and May 11, 2015, Unit 42 observed two targeted attacks, the first against the U.S. government and the second on a European media company. Threat actors delivered the same document via spear-phishing emails to both organizations. The actors weaponized the delivery document to install a variant of the ‘9002 RAT’ Trojan called ‘3102’ that heavily relies on plugins to provide functionality needed by the actors to carry out their objectives.

The 3102 payload used in this attack also appears to be related to the EvilGrab RAT payload delivered in the watering hole attack hosted on the President of Myanmar’s website in May 2015. Additionally, we uncovered ties between the C2 infrastructure and individuals in China active in online hacking forums that claim to work in Trojan development.

Last change to this tool card: 19 April 2020


All groups using tool 3102 RAT


APT groups

Nightshade Panda, APT 9, Group 27 | China | 2013-Sep 2016

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
