Bot: Ratty
Attackers love giving malware cute or funny names. "Ratty" lowers your guard. You think you are downloading a macro tool for Roblox or Discord, but you are actually handing the keys to your digital life to a stranger.
The culture inside the Ratty community is one of toxic exclusivity. They celebrate "devastation"—screenshots of carts showing 50+ items purchased while a legitimate customer sees a "Sold Out" sign.
Use Sysmon (Event IDs 19-21, which log WMI event filter, event consumer, and filter-to-consumer binding activity) to alert on WMI event consumer creations. Any new permanent WMI subscription should be treated as a red alert. Tools like WMITools from Microsoft can list active bindings, and `wmic` can enumerate the registered event filters: `wmic /namespace:\\root\subscription PATH __EventFilter GET`.
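The following is an added example, not code from the original page: it sketches the alerting logic by joining each Sysmon binding event (ID 21) to the filter (ID 19) and consumer (ID 20) it references, so the alert carries the trigger query and the target together. The event XML is constructed and simplified, and every name, user and path in it is a placeholder; field names follow Sysmon's documented event schema.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EXEC_CLASSES = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")

def parse(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    eid = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return eid, {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}

def ref_name(ref):
    """Pull the instance name out of a WMI reference such as Class.Name="x"."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref.strip(' "')

def correlate(xml_events):
    """Join each binding (21) to its filter (19) and consumer (20), in any order."""
    created = [(eid, d) for eid, d in map(parse, xml_events) if d.get("Operation") == "Created"]
    queries = {ref_name(d["Name"]): d.get("Query", "") for eid, d in created if eid == 19}
    targets = {ref_name(d["Name"]): d.get("Destination", "") for eid, d in created if eid == 20}
    alerts = []
    for d in (d for eid, d in created if eid == 21):
        flt, con = ref_name(d["Filter"]), ref_name(d["Consumer"])
        alerts.append({
            "user": d.get("User", ""),
            "filter": flt, "query": queries.get(flt),  # None: filter created outside the log window
            "consumer": con, "destination": targets.get(con),
            "executes_code": any(c in d["Consumer"] for c in EXEC_CLASSES),
        })
    return alerts

def sample(eid, **fields):
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System><EventData>{data}</EventData></Event>'

# Constructed sample data: the binding is logged first, then the objects it refers to.
SAMPLE = [
    sample(21, Operation="Created", User="LAB\\alice", Filter='__EventFilter.Name="ExampleFilter"',
           Consumer='CommandLineEventConsumer.Name="ExampleConsumer"'),
    sample(20, Operation="Created", User="LAB\\alice", Name='"ExampleConsumer"',
           Destination="C:\\placeholder\\example.exe"),
    sample(19, Operation="Created", User="LAB\\alice", Name='"ExampleFilter"',
           Query="SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Process'"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

A binding whose `query` or `destination` comes back as `None` refers to an object created before the collected window, which is a reason to enumerate `root\subscription` on the host directly.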
The name "Ratty" is a double entendre. First, it is a nod to its function as a Remote Access Trojan (R.A.T.). Second, it refers to the bot’s behavioral pattern: like a rat, it stays hidden in the basement (kernel level) of the operating system, chews through data wires (network protocols), and reproduces rapidly across network shares.