HiatusRAT was first discovered in March 2023 during a cybersecurity investigation that detected unusual activity on corporate networks. This malware allows attackers to remotely control infected devices, intercept communications and use routers as access points for malicious activities.
HiatusRAT’s main objective is to infiltrate networks using vulnerable routers and turn them into spying and anonymization tools.
HiatusRAT was initially noted for targeting DrayTek Vigor 2960 and 3900 routers, commonly used in small and medium-sized businesses. By exploiting known vulnerabilities in these devices and taking advantage of weak passwords or default settings, it managed to infect approximately a hundred systems in regions such as North America, Europe and Latin America.
Part of its evolution has been its broadening scope, adapting to new architectures such as ARM and x86, reflecting the increasing sophistication of the actors behind the malware. This Trojan not only compromises the integrity of infected devices, but also poses serious risks to the privacy and security of the networks to which they are connected.
HiatusRAT is a clear illustration of how attackers are turning their attention to network devices that have historically been underappreciated in terms of security. Its emergence underscores the need to strengthen defenses around routers and IoT devices, which often represent vulnerable entry points into modern infrastructures.
Attack Methods
HiatusRAT's attack methods fall into three main categories: exploitation of vulnerabilities, abuse of insecure configurations, and manipulation of network traffic.
Vulnerability Exploitation
One of the main strategies is to exploit known vulnerabilities in network devices. This includes weaknesses in the firmware of routers and IoT devices, many of which have been previously documented but have not been patched by administrators.
The actors behind HiatusRAT search for exposed devices using automated scans across large segments of IP addresses. Once they find vulnerable devices, they inject malware to gain persistent access.
Abuse of Weak Passwords and Default Settings
HiatusRAT also leverages default or weak passwords to gain initial access to devices. Many routers and IoT devices come configured with default passwords, such as “admin” or “123456”, which are often not changed by users.
The malware performs brute-force attacks targeting these insecure configurations, allowing it to establish an initial connection without the need to exploit more advanced vulnerabilities. This method is especially effective against small businesses or home users who do not implement basic security measures.
Manipulation and Control of Network Traffic
Once HiatusRAT compromises a device, it implements a number of functions designed to intercept, analyze and redirect network traffic. These functions include:
- SOCKS5 Proxy Configuration: The malware sets up proxy servers on compromised devices, allowing attackers to redirect malicious traffic through them to hide its origin. This creates covert proxy networks that can be used for illegal activities, such as malware distribution or DDoS attacks.
- Live Traffic Capture: HiatusRAT can monitor traffic passing through the compromised device, allowing attackers to capture sensitive data, such as login credentials or confidential information transmitted without encryption.
- Persistence and Lateral Movement: Through its control of traffic, the malware can also identify other devices on the network that may be vulnerable, extending its reach within an organization.
Use of Malicious Scripts and Automation
HiatusRAT includes automated scripts that simplify the installation and configuration of the malware. This reduces the need for manual intervention by attackers and allows malware to be rapidly deployed to a large number of devices.
Evolution and Recent Activity
Since its first identification in March 2023, HiatusRAT has proven to be a persistent and adaptable threat. This remote access Trojan, initially designed to compromise enterprise-grade routers, has evolved in both its targets and technical scope. The following is a chronology of its activity and the strategies employed by the malicious actors behind this malware.
March 2023: Discovery and First Attacks
HiatusRAT was detected by cybersecurity researchers while attacking DrayTek Vigor 2960 and 3900 routers, devices popular among small and medium-sized businesses for their robustness and functionality. At this early stage:
- Geographical scope: The attacks were focused on Latin America, Europe and North America.
- Number of compromised devices: Approximately 100 routers.
- Purpose: The attackers used the malware to eavesdrop on communications and divert network traffic, as well as using the compromised routers as covert proxies.
June to August 2023: Adaptation and New Goals
In the summer of 2023, HiatusRAT showed a notable advance in its technical development. The operators introduced new versions of the malware to extend its attack capabilities:
- Extended compatibility: Versions were compiled for additional architectures such as ARM, Intel 80386 and x86-64, allowing a wider range of devices to be compromised.
- Change in targets: The attacks included high-profile targets such as a U.S. military procurement system and organizations in Taiwan, suggesting a possible interest in strategic cyber espionage activities.
- Advanced techniques: Attackers used the malware to establish more sophisticated espionage networks, highlighting its ability to adapt quickly.
March 2024: Focus on IoT Devices
The most recent HiatusRAT activity reveals a strategic shift towards the IoT device ecosystem, exploiting specific vulnerabilities and weak security configurations. During this period, researchers identified:
- New areas of attack: IoT devices such as webcams and digital video recorders (DVRs), particularly those of Chinese brands, became the main targets.
- Expanded geography: Scanning campaigns targeted devices in the United States, Australia, Canada, New Zealand and the United Kingdom.
- Exploitation of known vulnerabilities: Exploited flaws include:
  - CVE-2017-7921: Unauthenticated remote access on Dahua devices.
  - CVE-2018-9995: Authentication bypass in DVRs.
  - CVE-2021-36260: Remote code execution vulnerability in Hikvision cameras.
- Use of default passwords: Attackers also exploited basic security settings, such as the use of default credentials, to compromise devices on a massive scale.
Security Recommendations
HiatusRAT, like other remote access Trojans, represents a significant threat to enterprise network devices and IoT devices. The following are best practices for protecting against this malware and minimizing the impact in the event of compromise.
Updating and Patching Devices
Keeping devices up to date is one of the most effective defenses. Manufacturers often release patches to address known vulnerabilities. Organizations should:
- Identify all network devices in use, including routers and IoT devices.
- Apply the latest security patches available.
- Consider replacing devices that are no longer supported by the manufacturer.
For example, the routers compromised in earlier attacks (such as the DrayTek Vigor models) could have been protected by the critical firmware updates that block the malware's access.
Strong and Unique Passwords
HiatusRAT has exploited default and weak passwords to compromise devices. To mitigate this risk:
- Immediately change default passwords on all network and IoT devices.
- Create complex passwords that include combinations of letters, numbers and symbols.
- Implement password rotation policies for sensitive administrative accounts.
A practical example would be to use password management tools to generate and store secure credentials.
Multifactor Authentication (MFA)
Multifactor authentication adds an additional layer of security, making it more difficult for attackers to gain access even if they have compromised a password. Recommendations:
- Enable MFA on all supported systems and devices.
- Use authenticator applications or physical devices (such as hardware tokens) instead of SMS codes, which are easier to intercept.
Network Monitoring
A proactive monitoring system can identify anomalous behavior associated with HiatusRAT, such as proxy configuration or traffic capture. Organizations should:
- Implement network monitoring tools such as SIEM (Security Information and Event Management).
- Set up automatic alerts for suspicious activity, such as traffic to unknown IP addresses.
- Regularly inspect logs for signs of compromise.
For example, proxies configured by HiatusRAT can generate unusual traffic patterns that a good monitoring system could detect.
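The relay pattern described under "Manipulation and Control of Network Traffic" (an external client connects to the router itself, and the router then opens its own connection to a different external host) is what a monitoring rule can look for. The following detector is an added example, not code from the original article or from any HiatusRAT analysis; the router address, LAN prefix, listening port and flow records are all constructed assumptions.

```python
"""Flag router-originated proxy relays in connection-flow logs.

Added example. ROUTER_IP, INTERNAL and the port numbers are assumptions
for a hypothetical network; the flow records below are constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ROUTER_IP = ip_address("203.0.113.1")    # assumed WAN address of the edge router
INTERNAL = ip_network("192.168.0.0/16")  # assumed LAN prefix behind the router
RELAY_WINDOW = timedelta(seconds=5)      # inbound -> outbound pairing window
# Services a router legitimately initiates itself (assumed baseline: DNS, NTP)
ROUTER_BASELINE_PORTS = {53, 123}

# Constructed flow records: "timestamp src:sport -> dst:dport"
FLOWS = """\
2024-03-01T10:00:01 192.168.1.20:51000 -> 198.51.100.7:443
2024-03-01T10:00:02 198.51.100.40:45120 -> 203.0.113.1:7777
2024-03-01T10:00:03 203.0.113.1:40001 -> 198.51.100.90:443
2024-03-01T10:00:09 198.51.100.40:45130 -> 203.0.113.1:7777
2024-03-01T10:00:10 203.0.113.1:40002 -> 192.0.2.55:25
2024-03-01T10:01:00 203.0.113.1:123 -> 198.51.100.200:123
"""


def parse_flow(line):
    """Parse one record into (timestamp, src_ip, src_port, dst_ip, dst_port)."""
    ts, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), ip_address(sip), int(sport), ip_address(dip), int(dport)


def find_relays(log):
    """Return (inbound, outbound) pairs where an external host connects to the
    router itself and, within RELAY_WINDOW, the router opens a new connection
    to a different external host on a non-baseline port: the shape of a proxy."""
    flows = [parse_flow(l) for l in log.strip().splitlines()]
    # Flows terminating on the router from outside the LAN (proxy clients)
    inbound = [f for f in flows if f[3] == ROUTER_IP and f[1] not in INTERNAL]
    # Flows the router originates to outside the LAN, excluding its normal chatter
    outbound = [f for f in flows if f[1] == ROUTER_IP and f[3] not in INTERNAL
                and f[4] not in ROUTER_BASELINE_PORTS]
    return [(i, o) for i in inbound for o in outbound
            if timedelta(0) <= o[0] - i[0] <= RELAY_WINDOW and o[3] != i[1]]


def suspected_clients(log):
    """External addresses that appear to be using the router as a relay."""
    return {str(i[1]) for i, _ in find_relays(log)}


if __name__ == "__main__":
    for i, o in find_relays(FLOWS):
        print(f"relay: {i[1]} -> router:{i[4]} then router -> {o[3]}:{o[4]}")
```

Forwarded LAN traffic never matches because its source is not the router's own address, so the rule isolates connections the router itself accepts and originates, which is the behaviour a compromised device introduces.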
Network Segmentation
Network segmentation is an effective strategy for containing the scope of an attack. This approach can limit the lateral movement of malware and protect critical devices. Key recommendations include:
- Split the network into separate segments according to function (e.g., separate IoT from the core network).
- Use access control lists (ACLs) to restrict traffic between segments.
- Enforce least privilege policies so that devices have only the necessary access.
IoT Device Security
IoT devices are particularly vulnerable to this type of attack. Organizations should:
- Choose devices from manufacturers that prioritize security and provide ongoing support.
- Disable unnecessary services or functions to reduce the attack surface.
- Isolate IoT devices on a dedicated network, separate from the enterprise infrastructure.
Training and Awareness
Finally, employees must be trained to recognize threats such as HiatusRAT. Regular cybersecurity training programs can include:
- Identification of phishing emails attempting to compromise credentials.
- Best practices for network device management.
- Attack simulations to assess and improve organizational preparedness.
These measures, implemented together, can significantly strengthen the security of infrastructures against advanced threats such as HiatusRAT, protecting both organizations and end users.
Conclusion
The emergence and evolution of HiatusRAT highlights a growing challenge in the cybersecurity landscape: the vulnerability of networked devices and the Internet of Things (IoT). This malware has not only proven capable of exploiting technical flaws, but also of quickly adapting to new architectures and targets. Its ability to capture traffic, establish covert proxy networks and compromise critical infrastructure underscores the importance of strengthening our cyber defenses.
The HiatusRAT case reminds us that cybersecurity is not static. Malicious actors are constantly innovating, using advanced tools to breach systems that are often overlooked, such as routers and IoT devices. This requires a proactive approach from organizations and users, which should include regular updates, implementation of strong passwords, adoption of multi-factor authentication (MFA) and continuous network monitoring.
In addition, HiatusRAT is a wake-up call for hardware manufacturers to prioritize security in their product design. As the IoT continues to expand, the pressure to ensure security from the development phase will only increase.
The future of cyber attacks is inextricably linked to technological evolution. While tools such as HiatusRAT pose a significant threat, they are also an opportunity for the technical, government and business communities to collaborate in creating stronger standards, better security policies and greater public awareness.
Ultimately, the best defense against threats like HiatusRAT is a combination of robust technology, proper training and adopting a proactive security mindset. This not only protects our networks and data, but also contributes to a safer digital environment for all.