
RatonRAT Unmasked: Inside a $15-$80 MaaS Platform With 120 Commands, 10 OPSEC Failures, and a Secret v4.0 Branch

First public investigation of RatonRAT — developer "silly" left a trail across GitHub, Codeberg, Telegram, and Discord

Published April 1, 2026
Tags: maas, rat, ratonrat, opsec-failure, dotnet, first-report

A .NET executable uploaded to MalwareBazaar on March 22. Five samples. The same mutex and the same contact handle compiled into every one of them. That's all it took to unravel a fully operational Malware-as-a-Service platform with three pricing tiers, three C2 servers across three countries, a marketing website, a Discord community, a public SDK with developer documentation, and a threat actor whose operational security can only be described as nonexistent.

This is the story of RatonRAT -- a previously undocumented .NET RAT with 120+ commands including ransomware, cryptocurrency theft, HVNC, and DDOS capabilities, sold by a developer who left breadcrumbs on every platform they touched. It is the first public investigation of this malware family.

The Upload That Started Everything

On March 22, 2026, a sample tagged RatonRAT appeared on MalwareBazaar. Signature: new. Vendor detections: sparse. Public reporting: zero.

The binary was a 2.86MB .NET executable -- client.exe -- targeting .NET Framework 4.7.2 and built with Costura Fody 6.0.0, which embeds referenced assemblies (here MessagePackLib) as compressed resources inside the main assembly rather than shipping them as separate DLLs. The client speaks a custom C2 protocol: MessagePack-serialized messages over a TLS-wrapped TCP connection.

We pulled the sample and extracted the embedded configuration. The C2 address was right there in the assembly's user-string (#US) heap, stored as plain UTF-16: 66[.]85[.]26[.]91, port 3132, password llApravA79iKwcm3Jc2xaBO. But that wasn't the only string that jumped out.

Every single compiled sample contained the same hardcoded Telegram URL in its User Strings:

hxxps://t[.]me/sillyisafed

The developer had baked their own contact information into the malware. Not as a config value. Not as an optional callback. As a permanent, immutable string compiled into every binary they'd ever shipped.
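The extraction step described above can be reproduced without a decompiler, because .NET stores literal strings as UTF-16 in the metadata #US heap with a length prefix in front of each one. The script below is an added example for this report, not Breakglass tooling: it walks the PE headers to the #US stream, decodes every blob, and triages the result for the three things the investigation pivots on (a t.me handle, IPv4 addresses, and the strings in the IOC table). It uses only the standard library and assumes an unobfuscated assembly; the DEMO_STRINGS it falls back on when no file is given are constructed to mirror the report, not a real heap.

```python
"""Dump a .NET assembly's #US (user string) heap and triage it for operator indicators.
Added example for the RatonRAT report, not the report's own tooling."""
import re
import struct
import sys

TELEGRAM = re.compile(r"https?://t\.me/([A-Za-z0-9_]{5,32})", re.I)
IPV4 = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")
KNOWN_MARKERS = ("silly21", "sillyisafed", "123ratonpro")  # from the report's IOC table
# constructed stand-in for a real heap, used only when no file path is supplied
DEMO_STRINGS = ["https://t.me/sillyisafed", "66.85.26.91", "3132", "silly21", "SILLY IS MAD"]


def read_compressed_uint(buf, pos):
    """ECMA-335 II.23.2 compressed unsigned int: 1, 2 or 4 bytes, high bits select the width."""
    b0 = buf[pos]
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | buf[pos + 1], pos + 2
    return (((b0 & 0x1F) << 24) | (buf[pos + 1] << 16) | (buf[pos + 2] << 8) | buf[pos + 3]), pos + 4


def encode_compressed_uint(n):
    """Inverse of read_compressed_uint; only needed to build the constructed demo heap."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    return bytes([0xC0 | (n >> 24), (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])


def build_us_heap(strings):
    """Leading empty blob, then per string: compressed length, UTF-16LE text, one flag byte."""
    out = bytearray(b"\x00")
    for s in strings:
        data = s.encode("utf-16-le")
        out += encode_compressed_uint(len(data) + 1) + data + b"\x00"
    return bytes(out)


def parse_us_heap(heap):
    """Decode every blob; the length counts the trailing flag byte, so drop it. Zero-length
    blobs (the leading one and any 4-byte padding at the end) are skipped."""
    strings, pos = [], 1
    while pos < len(heap):
        length, data_pos = read_compressed_uint(heap, pos)
        if length:
            strings.append(heap[data_pos:data_pos + length - 1].decode("utf-16-le", "replace"))
        pos = data_pos + length
    return strings


def rva_to_offset(sections, rva):
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def find_us_heap(pe):
    """Walk DOS -> PE -> CLR header (data directory 14) -> metadata root -> stream table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)  # data directory table for PE32 / PE32+
    clr_rva = struct.unpack_from("<I", pe, dd + 14 * 8)[0]
    if clr_rva == 0:
        raise ValueError("no CLR header: native PE, not a .NET assembly")
    sections = []
    for i in range(num_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    clr = rva_to_offset(sections, clr_rva)
    md = rva_to_offset(sections, struct.unpack_from("<I", pe, clr + 8)[0])  # MetaData RVA
    if struct.unpack_from("<I", pe, md)[0] != 0x424A5342:  # "BSJB"
        raise ValueError("bad metadata signature")
    p = md + 16 + struct.unpack_from("<I", pe, md + 12)[0]  # skip the version string
    n_streams = struct.unpack_from("<H", pe, p + 2)[0]
    p += 4
    for _ in range(n_streams):
        off, size = struct.unpack_from("<II", pe, p)
        name = pe[p + 8:pe.index(b"\0", p + 8)]
        p += 8 + ((len(name) + 4) & ~3)  # name + NUL, padded to a 4-byte boundary
        if name == b"#US":
            return pe[md + off:md + off + size]
    raise ValueError("assembly has no #US stream")


def triage(strings):
    """Flag the operator-identifying strings the report pivots on."""
    hits = {"telegram": [], "ipv4": [], "markers": []}
    for s in strings:
        hits["telegram"] += TELEGRAM.findall(s)
        hits["ipv4"] += [ip for ip in IPV4.findall(s) if all(int(o) < 256 for o in ip.split("."))]
        hits["markers"] += [m for m in KNOWN_MARKERS if m in s]
    return hits


def scan_file(path):
    with open(path, "rb") as fh:
        return triage(parse_us_heap(find_us_heap(fh.read())))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        print(triage(parse_us_heap(build_us_heap(DEMO_STRINGS))))
```

Run it as `python us_heap.py client.exe` against a sample; with no argument it round-trips the constructed heap. A heavily obfuscated build would keep its config in an encrypted blob instead of #US, so an empty triage result is not proof of absence.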

We followed the link.

Meet "silly"

The Telegram handle @sillyisafed belongs to the developer and primary operator of RatonRAT. They also go by sillycs, sillyok, and simply silly. And they are everywhere.

The same alias -- sillycs -- appears on GitHub (account created February 27, 2026), Codeberg (created February 26), Telegram (two handles: @sillycs for sales and @sillyisafed for operations), Discord (two invite links: discord.gg/KmNrUQJRkv and discord.gg/EuQG3J6Zhr), and a marketing website at raton[.]lol registered through Porkbun on March 14 and hosted on -- you guessed it -- GitHub Pages from the sillycs account.

The website is polished. Dark theme. Feature cards for HVNC, ransomware, credential theft. A pricing table. A fundraising tracker. A page dedicated to the developer's profile: raton[.]lol/silly.html. And full plugin developer documentation at raton[.]lol/docs.html, because when you're building a malware ecosystem, you want third-party developers to contribute.

The Codeberg repository at codeberg.org/sillycs/notratonupdates (the name is not subtle) hosts the release binaries. Codeberg's API exposes download statistics per release. So we queried every one.

1,668 Downloads. Ten Releases. One Month.

The version history tells the story of rapid iteration:

Version   Date     Downloads
v3.5.2    Feb 26          30
v3.5.3    Feb 27          56
v3.5.4    Feb 27          52
v3.5.5    Feb 28          20
v3.5.6    Feb 28         282
v3.6.0    Mar 6          222
v3.6.9    Mar 14         217
v3.7.0    Mar 14         169
v3.7.1    Mar 16         163
v3.8.0    Mar 22         457
Total                  1,668

From 30 downloads on the first release to 457 on the latest. The growth curve is unmistakable: RatonRAT is gaining traction. The jump at v3.5.6 (282 downloads) suggests it hit a distribution channel -- likely a Telegram group or Discord server -- and the audience kept growing from there.
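The per-release counts above come from the public release API that Codeberg (a Forgejo instance) exposes. The script below is an added example, not the report's collection tooling: it pulls the release list, sums the download counters on each release's attachments, and flags the release with the largest multiple of its predecessor's count, which is the signal the paragraph above reads as a new distribution channel. The endpoint and field names (tag_name, published_at, assets[].download_count) are Forgejo's v1 API; the RELEASES list is constructed to mirror the table so the script runs offline.

```python
"""Tally per-release downloads from a Forgejo/Gitea repository such as Codeberg.
Added example for the RatonRAT report; the sample data is constructed, not captured."""
import json
import urllib.request

API = "https://codeberg.org/api/v1/repos/{owner}/{repo}/releases?limit=50"


def fetch_releases(owner, repo):
    """Unauthenticated read of the public release list; Codeberg rate-limits, so cache the JSON."""
    with urllib.request.urlopen(API.format(owner=owner, repo=repo), timeout=20) as resp:
        return json.load(resp)


def tally(releases):
    """[(tag, date, downloads)] oldest first, summing every attachment on a release."""
    rows = [(r["tag_name"], r["published_at"][:10],
             sum(a.get("download_count", 0) for a in r.get("assets", [])))
            for r in releases]
    rows.sort(key=lambda row: (row[1], row[0]))
    return rows


def total_downloads(rows):
    return sum(n for _, _, n in rows)


def biggest_jump(rows):
    """Release with the largest ratio to its predecessor's count: a rough proxy for the
    moment a new channel (Telegram group, Discord server) picked the tool up."""
    best = (None, 0.0)
    for (_, _, prev_n), (tag, _, n) in zip(rows, rows[1:]):
        ratio = n / max(prev_n, 1)
        if ratio > best[1]:
            best = (tag, round(ratio, 1))
    return best


# constructed sample: one asset per release, counts copied from the report's table
RELEASES = [
    {"tag_name": t, "published_at": d + "T00:00:00Z",
     "assets": [{"name": t + ".zip", "download_count": n}]}
    for t, d, n in [
        ("v3.5.2", "2026-02-26", 30), ("v3.5.3", "2026-02-27", 56), ("v3.5.4", "2026-02-27", 52),
        ("v3.5.5", "2026-02-28", 20), ("v3.5.6", "2026-02-28", 282), ("v3.6.0", "2026-03-06", 222),
        ("v3.6.9", "2026-03-14", 217), ("v3.7.0", "2026-03-14", 169), ("v3.7.1", "2026-03-16", 163),
        ("v3.8.0", "2026-03-22", 457),
    ]
]

if __name__ == "__main__":
    # for live data: rows = tally(fetch_releases("sillycs", "notratonupdates"))
    rows = tally(RELEASES)
    for tag, date, n in rows:
        print(f"{tag:<8} {date}  {n:>5}")
    print("total:", total_downloads(rows), " biggest jump:", biggest_jump(rows))
```

Ratio rather than absolute delta is deliberate: v3.8.0 adds more raw downloads than v3.5.6, but v3.5.6 is the 14x step from a standing start that marks the channel change.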

The release archives are password-protected. The password for each? The version string itself. v3.8.0 opens v3.8.0. Security through mild inconvenience.

The $15/$30/$80 Business Model

RatonRAT runs a tiered MaaS pricing structure that wouldn't look out of place on a legitimate SaaS landing page:

Tier              Price   What You Get
Raton Free        $0      Base RAT
Raton Deluxe      $15     Premium features
Deluxe Plugins    $30     Plugin ecosystem access
Full Package      $80     Everything

The fundraising tracker on raton[.]lol shows $1,000 raised toward a $1,500 goal. We can see their revenue. They published it on their website. The developer is crowdfunding their malware development with the transparency of a Kickstarter campaign.

Sales are handled via Telegram DM (@sillycs). The Discord servers function as community hubs where customers can request features, report bugs, and interact with the developer. It is, in every functional sense, a startup -- just one that sells ransomware.

120+ Commands: Everything, Including the Kitchen Sink

The command set we extracted from binary analysis is staggering in scope. RatonRAT doesn't specialize. It does everything.

Remote Access: RemoteDesktop, HVNC (hidden VNC), Shell, CommandPrompt, Webcam, screen capture, process monitoring, keylogging, audio recording, clipboard interception, and a port scanner. HVNC alone -- driving a second, hidden Windows desktop inside the victim's session so the operator's activity never reaches the visible screen -- is typically a premium feature in RAT ecosystems. Here it's included in the base package.

Credential Theft: Browsers (passwords, cookies, autofill, credit cards, session tokens, masked IBANs), plus dedicated modules for Discord, Firefox, Roblox, Minecraft, Xbox, Riot Games, Steam, Epic Games, Mullvad VPN, AnyDesk, Telegram, cryptocurrency wallets, RDP sessions, and WiFi passwords. Fifteen platforms, one command.

Cryptocurrency Clipper: Monitors the clipboard for wallet addresses and silently replaces them with attacker-controlled addresses. Supports BTC, ETH, LTC, XMR, and SOL. The operator gets a notification when a swap occurs. Passive income while the RAT runs.

Ransomware: A Jigsaw-style module with Encrypt, Decrypt, ChangePassword, and the ominous Jigsaw command. The Jigsaw variant is known for deleting files on a timer if the ransom isn't paid -- a pressure mechanism borrowed from the 2016 original.

Network Weapons: HTTP flood DDOS, a SOCKS5 proxy (turning victims into proxy nodes), and a port scanner. Every infected machine becomes both a surveillance target and an attack platform.

System Destruction: Shutdown, restart, forced BSOD, process termination, UAC bypass, Windows Defender disabling, a "BotKiller" that eliminates competing malware, registry manipulation, and the ability to disable Task Manager and CMD on the victim's machine.

Trollware: Because the developer is, by all indications, young. Beeping, mouse trapping, taskbar hiding, screen inversion, forced wallpaper changes, a "Screamer" command, text-to-speech, and a command simply called Cat. There's a Family Guy reference buried in the codebase.

Plugin System: A .NET Class Library architecture with a PluginInfoAttribute decorator. The developer published a full SDK with documentation so that other malware authors can write RatonRAT plugins. The attribute requires Provider = "Raton" -- branding, enforced at the code level.

On-Victim Compilation: The Compiler command can compile C# and VB.NET code directly on the victim's machine. The operator can write, upload, and execute arbitrary .NET code without ever touching their own build environment. This is a development environment weaponized.

The v4.0.0 Branch

The public Codeberg releases stop at v3.8.0. But two samples on MalwareBazaar -- dreamyware.exe and 1121212.exe -- revealed something the public doesn't see: version 4.0.0.

These samples connect to a different C2 server (194[.]31[.]223[.]177, port 25163) with different passwords. The v4.0.0 binary is leaner at 92KB compared to the 2.86MB v3.8.0 builds, suggesting a refactored stub that pulls additional modules post-infection rather than shipping everything embedded. The C2 hostname is snapix[.]p7z[.]ru -- a .ru domain, and a departure from the .localto.net and .bestburger.store hostnames used in earlier versions.

This is the private branch. The "Deluxe" version that isn't on Codeberg. The one you pay for via Telegram DM. And it's already deployed and active on a live C2 server.

Three C2 Servers, Three Countries, Zero Prior Documentation

We extracted C2 configurations from all five MalwareBazaar samples and correlated them with infrastructure reconnaissance:

Server 1: 143[.]47[.]53[.]106 -- Oracle Cloud, Netherlands. The oldest C2, associated with v3.4.0. Tunneled through LocalToNet (ou592x4hi[.]localto[.]net) on port 5895. Seventeen open ports including a Kestrel (ASP.NET Core) management panel on 8060, VNC on 5900, and an RDP proxy on 3388. Apache 2.4.65 and OpenSSH 9.6p1. This is likely the developer's own test server, probably on the Oracle Cloud free tier -- the port profile suggests someone who uses the machine for both development and C2 operations.

Server 2: 66[.]85[.]26[.]91 -- CrownCloud US LLC, Wilmington, Delaware. The v3.8.0 C2. Minimal exposure with only WinRM (port 5985) visible alongside the C2 port. Hostname gbh46jyu45h[.]bestburger[.]store -- a nonsense subdomain on a dead domain, likely auto-generated. Budget VPS provider popular in low-tier cybercrime for its low KYC requirements.

Server 3: 194[.]31[.]223[.]177 -- play2go International Limited, Germany. The v4.0.0 C2. nginx 1.29.5 on 443, NetBIOS on 139. Upstream transit through MNT-NETERRA, a Bulgarian ISP. This is the newest infrastructure, purpose-deployed for the private branch. The hostname snapix[.]p7z[.]ru sits under a .ru domain -- the first Russian-language indicator in the investigation.

None of these servers had been reported to any public threat intelligence platform before this investigation. No VirusTotal community notes. No ThreatFox entries. No abuse complaints that we could identify. Three active C2 servers operating in the open.

Ten OPSEC Failures

We catalogued every operational security mistake the developer made. There are ten.

1. Universal alias reuse. The name "silly" or "sillycs" appears on GitHub, Codeberg, Telegram (twice), Discord (twice), and as the mutex name (silly21) in every compiled binary. One search ties everything together.

2. Marketing website on GitHub Pages. raton[.]lol is hosted through GitHub Pages from the sillycs account. The CNAME record points directly to GitHub's infrastructure, and the repository is publicly accessible. The developer's malware marketing site is hosted on their own GitHub account.

3. Telegram handle in every binary. hxxps://t[.]me/sillyisafed is compiled into the .NET User Strings table of every sample. It cannot be removed by customers. It is permanent forensic evidence linking every infection to the developer.

4. Public plugin SDK. The developer published complete documentation for writing RatonRAT plugins, including class structure, required attributes, and integration patterns. This is a reverse engineer's gift -- it documents the plugin loading mechanism, the expected interfaces, and the internal architecture.

5. Public download statistics. Codeberg exposes download counts per release via its API. We can track adoption over time, identify which versions gained traction, and estimate the customer base. The developer either didn't know or didn't care.

6. Fundraising on the marketing website. The $1,000/$1,500 progress bar on raton[.]lol tells us their approximate revenue, their financial goals, and the pace of their growth. Most malware operators don't publish their income.

7. Git commit email exposure. The GitHub noreply format 264461403+sillycs@users.noreply.github.com reveals the numeric account ID (264461403) and the username. This is a persistent identifier even if the account is renamed.

8. Personality leaks in compiled code. A "SILLY IS MAD" string appears as an easter egg. Family Guy references are embedded in command handlers. These are personality markers that persist across alias changes.

9. Zip password equals version string. Every Codeberg release archive uses the version number as its password. v3.8.0 opens v3.8.0.zip. This is not encryption. This is a speed bump.

10. Default configuration strings in samples. The MalwareBazaar samples ship with the developer's own C2 addresses and authentication passwords. Customers are apparently expected to reconfigure before deployment, but the defaults reveal the developer's own infrastructure.

Persistence: Five Layers Deep

Once RatonRAT executes, it doesn't leave easily.

  1. Scheduled Task: Created via schtasks /create /tn /sc ONLOGON /rl HIGHEST /f (task name omitted here) -- fires at every logon. /rl HIGHEST runs the task with the creating account's highest available token, so it only yields an elevated RAT if the RAT was already elevated when it created the task.
  2. Registry Run Key: Writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run for user-level persistence. No privileges required, which makes this the layer that survives when the others fail.
  3. Critical Process: Marks its own process critical, the same flag that makes killing csrss.exe fatal, so terminating it triggers a Blue Screen of Death. The victim can't kill the RAT without crashing their machine. Setting that flag requires SeDebugPrivilege, so it only works from an elevated process.
  4. Defender Exclusion: Executes Add-MpPreference -ExclusionProcess to whitelist itself in Windows Defender. Also administrator-only; from a standard user token the cmdlet fails.
  5. USB Spreading: Copies itself to removable drives -- the one layer aimed at reaching other hosts, including air-gapped or shared systems, rather than surviving on this one.

The hosts file modification command is protected by a hardcoded password: 123ratonpro. The developer's idea of access control.
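The persistence layers above, the Defender exclusion, and the on-victim Compiler command from the feature list all leave process-creation tells. The classifier below is an added example, not Breakglass or vendor detection content: it runs a handful of rules over Sysmon Event ID 1-style records and reports which events trip them. The EVENTS list is constructed (task name, paths and temp file are made up), and the csc.exe-with-.cmdline pattern is the generic footprint of a .NET Framework CodeDom compile, which is the commonest way a .NET program compiles code on the host; the report does not say which API RatonRAT's Compiler command uses, so treat that rule as an assumption.

```python
"""Rule-based triage of process-creation events for RatonRAT-style persistence,
defense evasion and on-host compilation. Added example; sample events are constructed."""

# parents that legitimately spawn csc.exe / vbc.exe on a workstation
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def _norm(event, key):
    """Lower-case and collapse whitespace so flag matching is not defeated by spacing."""
    return " ".join(event.get(key, "").lower().split())


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(event):
    """Return the rule names the event trips; an empty list means nothing of interest."""
    image = _basename(_norm(event, "Image"))
    parent = _basename(_norm(event, "ParentImage"))
    cl = _norm(event, "CommandLine")
    hits = []
    if image == "schtasks.exe" and "/create" in cl and "/sc onlogon" in cl and "/rl highest" in cl:
        hits.append("T1053.005 logon task at highest run level")
    if image in ("powershell.exe", "pwsh.exe") and "add-mppreference" in cl and "-exclusion" in cl:
        hits.append("T1562.001 Defender exclusion added")
    if image == "reg.exe" and " add " in cl and "\\currentversion\\run" in cl:
        hits.append("T1547.001 Run key written via reg.exe")
    if image in ("csc.exe", "vbc.exe") and ".cmdline" in cl and parent not in DEV_PARENTS:
        hits.append("on-host CodeDom compile from non-developer parent: " + parent)
    return hits


def hunt(events):
    """(RecordId, rule) pairs for every hit across a batch of events."""
    return [(e["RecordId"], hit) for e in events for hit in classify(e)]


RAT = r"C:\Users\victim\AppData\Roaming\client.exe"  # constructed path
EVENTS = [
    {"RecordId": 1, "ParentImage": RAT, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "WinUpdate" /tr "' + RAT + '" /sc ONLOGON /rl HIGHEST /f'},
    {"RecordId": 2, "ParentImage": RAT,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -Command "Add-MpPreference -ExclusionProcess client.exe"'},
    {"RecordId": 3, "ParentImage": RAT,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\victim\AppData\Local\Temp\a1b2c3.cmdline"'},
    {"RecordId": 4, "ParentImage": RAT, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v client /d "' + RAT + '"'},
    # benign: Visual Studio compiling a project the same way
    {"RecordId": 5, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\dev\AppData\Local\Temp\9f8e7d.cmdline"'},
    {"RecordId": 6, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for record_id, rule in hunt(EVENTS):
        print(record_id, rule)
```

Two caveats on coverage. A RAT normally writes the Run key through the registry API rather than reg.exe, so the reg.exe rule only catches the command-line form; the real telemetry for that layer is registry-write events (Sysmon Event ID 13) on the Run key. And the critical-process flag produces no process creation at all; it shows up only as a BSOD with the RAT's process as the faulting party, which is worth a rule on its own in crash-dump triage.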

What This Means

RatonRAT is not sophisticated. It is not the work of an APT group or a seasoned cybercrime syndicate. It is the product of what appears to be a young, technically capable individual who learned C# well enough to build a comprehensive RAT but hasn't learned the first thing about operational security.

And that's exactly what makes it worth tracking.

The MaaS model means the developer's OPSEC failures don't necessarily reflect the operators'. The 1,668 downloads are downloads of the release package, so they represent up to 1,668 operators, each able to build and deploy any number of clients, and some of them may exercise far better tradecraft than the person who sold them the tool. The crypto clipper generates passive income for every operator. The ransomware module lowers the barrier to extortion. The DDOS capability turns every infection into a potential botnet node.

The v4.0.0 branch tells us the developer is investing in a premium product line. The growing download numbers tell us the market is responding. The fundraising tracker tells us they're reinvesting. This is a malware business in its growth phase, and we are documenting it at inception.

The developer "silly" will likely burn these accounts once this report publishes. The GitHub will go private or get deleted. The Codeberg releases may disappear. The Discord servers will migrate. But the C2 infrastructure is harder to move, the mutex is compiled in, the hosts-file password is compiled in, and the Telegram handle is baked into every binary already in the wild.

We have the thread. Now we pull it.


Indicators of Compromise

C2 Servers

IP Address              Provider        Location        Port    Version   Status
143[.]47[.]53[.]106     Oracle Cloud    Netherlands     5895    v3.4.0    LIVE
66[.]85[.]26[.]91       CrownCloud US   United States   3132    v3.8.0    LIVE
194[.]31[.]223[.]177    play2go Intl    Germany         25163   v4.0.0    LIVE

C2 Hostnames

ou592x4hi[.]localto[.]net
gbh46jyu45h[.]bestburger[.]store
snapix[.]p7z[.]ru

Developer Infrastructure

raton[.]lol
codeberg[.]org/sillycs/notratonupdates
github[.]com/sillycs
discord[.]gg/KmNrUQJRkv
discord[.]gg/EuQG3J6Zhr
t[.]me/sillyisafed
t[.]me/sillycs

File Hashes (SHA256)

SHA256                                                            Filename         Version
88d541eceb31d21c154521bf785d8647db4871d8c5d460d96cffaa6f4995ddd4  test.exe         v3.4.0
e6d1376ef19f9995b16284474a0844f8a45e5e7a4ae554d2375cf890087d2387  client.exe       v3.8.0
21fb5e039247e3b506be23d5a6b370dd5ca6a84d7ce77fd09e97a3af770909b7  ratonClient.exe  v3.8.0
ddf39cc82dff3cd3cb7060d175e1bfe6b282be5165d0d7c2e3948389ff07ec26  dreamyware.exe   v4.0.0
c7d57e221b4a2d6410c83b35d31d2d790dc5489dc82ec947807954f723d9a564  1121212.exe      v4.0.0

Import Hash

f34d5f2d4577ed6d9ceec516c1f5a744 (shared by all five samples, but this is the generic imphash of a .NET Framework executable, whose only native import is mscoree.dll!_CorExeMain; it is not family-specific)

Behavioral Indicators

Indicator            Value
Mutex                silly21
Registry key         HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled task       /sc ONLOGON /rl HIGHEST
Defender evasion     Add-MpPreference -ExclusionProcess
Hosts file password  123ratonpro
Assembly GUID        5CDF2C82-841E-4546-9722-0CF74078229A
Costura marker       costura.messagepacklib.dll.compressed
Plugin attribute     PluginInfoAttribute, Provider = "Raton"

MITRE ATT&CK

Tactic                Technique                                            ID
Execution             User Execution: Malicious File                       T1204.002
Execution             PowerShell                                           T1059.001
Persistence           Scheduled Task                                       T1053.005
Persistence           Registry Run Keys                                    T1547.001
Privilege Escalation  UAC Bypass                                           T1548.002
Defense Evasion       Disable Windows Defender                             T1562.001
Defense Evasion       Embedded Payloads (Costura Fody)                     T1027.009
Credential Access     Browser Credential Theft                             T1555.003
Credential Access     Keylogging                                           T1056.001
Credential Access     Token Theft                                          T1528
Collection            Screen Capture                                       T1113
Collection            Audio Capture                                        T1123
Collection            Clipboard Data                                       T1115
Lateral Movement      USB Spreading                                        T1091
C2                    Custom TCP protocol (MessagePack)                    T1095
C2                    Encrypted Channel (TLS)                              T1573
C2                    SOCKS5 Proxy                                         T1090
C2                    Dynamic DNS / tunnel hostnames                       T1568
Exfiltration          Over C2 Channel                                      T1041
Impact                Ransomware                                           T1486
Impact                System Shutdown/BSOD                                 T1529
Impact                HTTP Flood DDOS (Service Exhaustion Flood)           T1499.002
Impact                Crypto Clipper                                       T1657

Two mappings differ from a first-pass read of the feature list: the C2 channel is a custom binary protocol over TCP, which ATT&CK files under Non-Application Layer Protocol (T1095) with TLS as Encrypted Channel (T1573) rather than Application Layer Protocol (T1071), and an HTTP flood from infected endpoints is Endpoint Denial of Service (T1499.002), not the volumetric Network Denial of Service (T1498).

Detection

Block the three C2 IPs and associated hostnames at your perimeter. Hunt for the mutex silly21 on endpoints, and for the Telegram URL and the 123ratonpro string on disk and in process memory (as UTF-16LE, which is how .NET stores user strings). Do not pivot on the import hash f34d5f2d4577ed6d9ceec516c1f5a744: it matches all five samples, but it is the value produced by essentially every .NET Framework executable, whose only native import is mscoree.dll!_CorExeMain, so it also matches most of the benign managed binaries on any Windows host. The Costura Fody marker costura.messagepacklib.dll.compressed in the manifest resources narrows the field to applications that embed MessagePack through Costura, which includes legitimate software; use it to reduce a candidate set and confirm with the mutex, the Telegram URL, or the assembly GUID. Monitor the Codeberg repository for new releases -- the developer ships updates weekly.


This investigation was produced by Breakglass Intelligence's autonomous GHOST investigation system. All evidence was captured via passive and semi-passive methods. Five samples were sourced from MalwareBazaar. Infrastructure reconnaissance was conducted against publicly accessible services.

This is the first public investigation of the RatonRAT malware family.

Breakglass Intelligence | April 1, 2026
