Noodle RAT: The New Stealthy Cross-Platform Malware Targeting Windows and Linux

by | Jun 13, 2024 | News





Noodle RAT: The New Threat in Cyber Espionage Unveiled

A previously undocumented cross-platform malware, codenamed Noodle RAT, has been used by Chinese-speaking threat actors for years, according to new research. Trend Micro security researcher Hara Hiroaki has identified this malware as a distinct entity, separate from known variants like Gh0st RAT and Rekoobe, classifying it as a new type altogether.

Noodle RAT, also referred to as ANGRYREBEL and Nood RAT, has both Windows and Linux versions and is believed to have been in use since at least July 2016. While Gh0st RAT, a predecessor first seen in 2008 from the China-based C. Rufus Security Team, has been widely used in various campaigns, Noodle RAT represents a new level of sophistication in cyber espionage and cybercrime.

The Windows version of Noodle RAT is an in-memory modular backdoor utilized by hacking groups such as Iron Tiger and Calypso. It is deployed via a loader and supports commands to download and upload files, run additional malware, act as a TCP proxy, and self-delete. Attackers have employed at least two loader types, MULTIDROP and MICROLOAD, in operations targeting Thailand and India.


The Linux counterpart of Noodle RAT has been used by cybercrime and espionage clusters linked to China, including Rocke and Cloud Snooper. This version can launch reverse shells, download and upload files, schedule executions, and initiate SOCKS tunneling. These attacks typically exploit known security flaws in public-facing applications to breach Linux servers and deploy web shells for remote access and malware delivery.

Windows and Linux Malware

Despite the differences in backdoor commands, both versions share identical code for command-and-control (C2) communications and use similar configuration formats. Analysis of Noodle RAT artifacts shows that while it reuses plugins from Gh0st RAT and shares some code with Rekoobe, it remains a novel threat.

Trend Micro researchers also accessed a control panel and builder for Noodle RAT’s Linux variant. Release notes written in Simplified Chinese detailed bug fixes and improvements, suggesting that the malware is developed, maintained, and sold to specific customers. This aligns with the findings from the I-Soon leaks, which revealed a significant hack-for-hire industry in China, connecting private sector firms with state-sponsored cyber actors.




These tools appear to be part of a sophisticated supply chain within China’s cyber espionage ecosystem, sold and distributed commercially to both private sector and government entities engaged in malicious activities. “Noodle RAT is likely shared or sold among Chinese-speaking groups,” Hiroaki stated. “It has been misclassified and underrated for years.”

This discovery comes as the China-linked Mustang Panda group, also known as Fireant, has been implicated in a spear-phishing campaign targeting Vietnamese entities. Using tax- and education-themed lures, the campaign aims to deliver Windows Shortcut (LNK) files designed to deploy the PlugX malware, highlighting the ongoing threat from Chinese cyber espionage groups.


Source: thehackernews.com
