
The malware, known for espionage operations targeting Indian military and government entities, continues to evolve, with advanced evasion and data exfiltration capabilities.
Multi-Platform Espionage and Stealth Tactics
GravityRAT has been active since at least 2015 and continues to be developed. It enables attackers to gain remote access to compromised systems and steal confidential data, including documents, photos, and encrypted WhatsApp backups from mobile devices.
Researchers at ANY.RUN report that the malware now uses digital signatures and multiple programming languages (.NET, Python, and Electron) to disguise itself as legitimate file-sharing or messaging applications.
The malware employs seven distinct anti-virtual-machine detection techniques to evade analysis in sandboxes or emulators.
One of its notable features is querying the CPU temperature via Windows Management Instrumentation (WMI), a check that exposes most virtual environments, because hypervisors such as VMware, VirtualBox, and Hyper-V can't simulate hardware temperature sensors.

If the system fails this test, GravityRAT halts its activity to evade detection. On Windows systems, GravityRAT often arrives via spear‑phishing emails that contain Office documents with malicious macros.
When macros are enabled, the hidden script extracts an executable file, sets up scheduled tasks for persistence, and connects to a remote command-and-control (C2) server using dynamic domain-rotation techniques.
For Android infections, it appears as a fake chat app, such as BingeChat or SoSafe Chat, promoted via social media or third‑party websites.
Targeted Attacks and Defense Recommendations
The malware infrastructure, managed through a custom GravityAdmin control panel, enables operators to coordinate multiple campaigns targeting defense, government, and police organizations in India.
Specific campaign codenames, such as FOXTROT, CHATICO, and CRAFTWITHME, have been associated with separate infection chains executed via Android and Windows loaders, including HeavyLift.
Recent samples detonated in ANY.RUN’s interactive sandbox show the Android variant collecting SIM details, call logs, and SMS messages before encrypting and exfiltrating them over HTTPS. The malware also deletes evidence from the device after transmission to hide its tracks.
To counter such threats, cybersecurity experts recommend enforcing strict email and mobile application policies and deploying endpoint detection and response (EDR) tools with behavioral monitoring capabilities.
Restricting the execution of macro-enabled documents further reduces exposure, and cloud‑based sandboxes such as ANY.RUN let security teams analyze suspicious files safely and trace IOCs through its Threat Intelligence Lookup tool, helping detect GravityRAT activity across enterprise networks.
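The CPU-temperature probe described above has a defender-side footprint: on a hypervisor the WMI query fails, and Windows records failed WMI operations, including the query text, as event 5858 in the Microsoft-Windows-WMI-Activity/Operational log. The following detection logic is an added example, not code from the article or from ANY.RUN; the event records are constructed in that event's field layout, and MSAcpi_ThermalZoneTemperature is the standard WMI thermal-zone class, not a name taken from the article.

```python
import re

# Constructed records in the field layout of WMI-Activity/Operational event 5858
# (failed WMI operations). Not real telemetry; process ids and hostnames are made up.
SAMPLE_EVENTS = [
    "Id = 5858; ClientMachine = ANALYSIS-VM; User = ANALYSIS-VM\\analyst; ClientProcessId = 4120; "
    "Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\\WMI : "
    "SELECT * FROM MSAcpi_ThermalZoneTemperature; ResultCode = 0x8004100C; PossibleCause = Unknown",
    "Id = 5858; ClientMachine = ANALYSIS-VM; User = ANALYSIS-VM\\analyst; ClientProcessId = 2288; "
    "Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : "
    "SELECT Name FROM Win32_Service WHERE Name='NoSuchSvc'; ResultCode = 0x80041010; PossibleCause = Unknown",
    "Id = 5858; ClientMachine = ANALYSIS-VM; User = ANALYSIS-VM\\analyst; ClientProcessId = 5576; "
    "Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\\WMI : "
    "SELECT CurrentTemperature FROM MSAcpi_ThermalZoneTemperature; ResultCode = 0x80041010; PossibleCause = Unknown",
]

# WMI classes whose only plausible use during a detonation is hardware-sensor probing.
THERMAL_CLASSES = {"msacpi_thermalzonetemperature", "win32_temperatureprobe"}

# WBEM error codes most often returned when a hypervisor exposes no thermal sensor.
WBEM_ERRORS = {"0x8004100c": "WBEM_E_NOT_SUPPORTED", "0x80041010": "WBEM_E_INVALID_CLASS"}

FIELD_RE = re.compile(r"(\w+) = (.*?)(?:; |$)")          # "Key = value; Key = value"
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)  # class named in the WQL query


def parse_event(line):
    """Split one event-5858 message into a dict of its named fields."""
    return dict(FIELD_RE.findall(line))


def find_thermal_probes(events):
    """Return (client pid, queried class, error name) for every failed query
    against a thermal-sensor class; other failed WMI queries are ignored."""
    hits = []
    for line in events:
        fields = parse_event(line)
        match = FROM_RE.search(fields.get("Operation", ""))
        if match and match.group(1).lower() in THERMAL_CLASSES:
            code = fields.get("ResultCode", "").lower()
            hits.append((int(fields["ClientProcessId"]), match.group(1), WBEM_ERRORS.get(code, code)))
    return hits


if __name__ == "__main__":
    for pid, cls, err in find_thermal_probes(SAMPLE_EVENTS):
        print(f"pid {pid} probed {cls} -> {err} (possible sandbox-evasion check)")
```

A sandbox that answers the query with synthetic temperature readings produces no failure record, so this rule should sit alongside process-level WMI query telemetry from EDR rather than replace it.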
The post GravityRAT Expands Remote Access Attacks to Windows, Android, and macOS appeared first on Cyber Security News.
