
RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b)

RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. (Citation: ZimperiumGupta_RatMilad_Oct2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Data Destruction - T1662 (9ef14445-6f35-4ed0-a042-5024f13a9242) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 1 |
| Clipboard Data - T1414 (c4b96c0b-cb58-497a-a1c2-bb447d79d692) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 2 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2 |
| Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |