FBI FLASH – Identification and Disruption of the Warzone Remote Access Trojan (RAT)

The FBI has published a TLP:CLEAR FLASH to disseminate indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the Warzone Remote Access Trojan (RAT), also identified as “Ave Maria” through open-source reporting and FBI investigation.

On 7 February 2024, the FBI and international partners executed a coordinated operation to disrupt Warzone RAT infrastructure worldwide. The FBI is releasing this product to maximize awareness on the service and to seek additional reporting from victims.

Beginning in October 2018, the Warzone service offered a malware-as-a-service (MaaS) remote access trojan, along with other malware products and attracted a customer database of over 7,000 users. The products were used by cyber criminals and nation state actors to engage in remote control, keylogging, data theft, or other methods of discovering and collecting victim system information. Warzone has been adept at exploiting old vulnerabilities from 2017 and 2018 on Microsoft components/devices left unpatched.

The FBI includes technical details in the FLASH report and has also established a dedicated page for organizations or victims of the Warzone RAT to report key findings using their Warzone RAT Victim Reporting Form. See the attached FLASH report below.