Cardinal (cb23f563-a8b9-4427-9884-594e8d3cc836)

Cardinal is a remote access trojan (RAT) that was discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader known as Carp, which uses malicious macros in Microsoft Excel documents to compile embedded C# source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get victims to execute them.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Cardinal (cb23f563-a8b9-4427-9884-594e8d3cc836) | RAT | EVILNUM (e1ca79eb-5629-4267-bb37-3992c7126ef4) | Tool | 1 |
| EVILNUM (e1ca79eb-5629-4267-bb37-3992c7126ef4) | Tool | Cardinal RAT (1d9fbf33-faea-40c1-b543-c7b39561f0ff) | Tool | 2 |
| Cardinal RAT (1d9fbf33-faea-40c1-b543-c7b39561f0ff) | Tool | Cardinal RAT (3d3da4c0-004c-400c-9da6-f83fd35d907e) | Malpedia | 3 |