Researchers with Resecurity shared screenshots of a Remote Access Trojan (RAT) called Escanor, which is actively being sold via a Telegram channel of the same name, operated by a Telegram user account called HAX_CRYPT.
There are two versions of the RAT: one that targets Windows and a mobile version, known as Esca RAT, that targets Android devices. The Windows RAT is delivered via malicious Microsoft Word, Excel, PDF, or HTML5 files, which install a Hidden VNC (HVNC) client that lets the malware operator interact with the victim computer remotely through a full graphical remote desktop. The Android RAT can track the victim’s device location, activate the camera, and capture the one-time password (OTP) codes that banks and other institutions send over text message to protect customer logins.
The same threat actor who sells Escanor has also sold cracked versions of other hacking tools, including Venom RAT, Cobalt Strike 4.6, and Security Killer HVNC.