RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.^[1]

RDAT can use email attachments for C2 communications.^[1]

RDAT has used DNS to communicate with the C2.^[1]

RDAT has executed commands usingcmd.exe /c.^[1]

RDAT has created a service when it is installed on the victim machine.^[1]

RDAT can communicate with the C2 via base32-encoded subdomains.^[1]

RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions.^[1]

RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2.^[1]

RDAT can process steganographic images attached to email messages to send and receive C2 commands.RDAT can also embed additional messages within BMP images to communicate with theRDAT operator.^[1]

RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions.RDAT can also download data from the C2 which is split into 81,920-byte portions.^[1]

RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.^[1]

RDAT has used AES ciphertext to encode C2 communications.^[1]

RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.^[1]

RDAT has used HTTP if DNS C2 communications were not functioning.^[1]

RDAT can issue SOAP requests to delete already processed C2 emails.RDAT can also delete itself from the infected system.^[1]

RDAT can download files via DNS.^[1]

RDAT has used Windows Video Service as a name for malicious services.^[1]

RDAT has masqueraded as VMware.exe.^[1]

RDAT can also embed data within a BMP image prior to exfiltration.^[1]

RDAT can take a screenshot on the infected system.^[1]

^[1]