LTS Secure Warning: Cardinal RAT Comes Back To Haunt Fintech & Cryptocurrency Trading Companies

Cardinal RAT has surfaced again, after being in the shadows for nearly two years & this time it is targeting companies in the Fintech & Cryptocurrency Trading sector.


Technical Details

The RAT is spread via a downloader dubbed “Carp“. It makes use malicious macros in Microsoft Excel documents to compile the embedded source code into an executable, which then deploys the RAT on the victim device.

This variant of the RAT make use of various obfuscation techniques like:-

  • Steganography
  • Bitmap (BMP) file technique
  • Its functions, methods, and variables have been renamed to MD5 hashes

This makes the task of analyzing the underlying code very difficult.



  • It captures real time as well as offline keystrokes.
  • Upload & executing malicious files on the infected machines.
  • Stealing system information and Login Credentials from victim device.
  • Capture screenshots.
  • Updating & uninstalling itself at will.


Recommended Actions

  • Always update your anti-virus software with the latest releases.
  • Ensure that your devices are always up-to-date with the latest patches released.
  • Avoid Opening emails & attachments from unknown senders.
LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013