NonEuclid RAT exploits UAC bypass and AMSI evasion for stealthy cyberattacks

NonEuclid RAT exploits UAC bypass and AMSI evasion for stealthy cyberattacks

Cybersecurity researchers have uncovered a sophisticated new remote access trojan (RAT) named ‘NonEuclid’, which allows attackers to seize control of compromised Windows systems while evading detection with advanced techniques.

Developed in C# for the .NET Framework 4.8, NonEuclid leverages features like antivirus bypass, privilege escalation, anti-detection mechanisms, and ransomware encryption.

NonEuclid is a highly advanced malware designed for unauthorized remote access, featuring mechanisms to evade antivirus tools and security measures while targeting critical files with ransomware encryption, said cybersecurity firm Cyfirma in a technical analysis.

NonEuclid has been advertised on underground forums and social platforms like Discord and YouTube since November 2024, rapidly gaining traction among cybercriminals.

The malware’s functionality, include dynamic DLL loading and AES encryption to secure malicious payloads, anti-VM checks to detect virtual or sandboxed environments, terminating execution if found, Microsoft Defender Antivirus exclusions, preventing detection by the built-in security tool, ransomware capabilities to encrypt files with extensions such as .CSV, .TXT, and .PHP, appending the extension .NonEuclid.

Upon execution, NonEuclid begins by running a client application and conducting a series of checks to evade detection. It sets up a TCP socket for communication with a designated IP and port while continuously monitoring processes commonly used for malware analysis, such as:

NonEuclid employs Windows API calls to enumerate processes. Depending on its configuration, it either terminates the detected processes or shuts down its client application to avoid exposure.

Persistence is achieved through scheduled tasks and Windows Registry modifications, while User Account Control (UAC) bypass is exploited to elevate privileges and execute commands without user intervention.

A relatively unusual aspect of NonEuclid is its ability to act as ransomware. It encrypts specific file types and renames them with the .NonEuclid extension, locking victims out of their critical data.


Back to the list

Latest Posts

Cyber Security Week in Review: April 4, 2025

Cyber Security Week in Review: April 4, 2025

In brief: New Ivanti zero-day exploited by Chinese hackers, police shut down the Kidflix CSAM platform, and more.
4 April 2025
UAC-0219 targets Ukraine’s government agencies with WRECKSTEEL stealer

UAC-0219 targets Ukraine’s government agencies with WRECKSTEEL stealer

This activity has been ongoing since at least the fall of 2024.
3 April 2025
Police crackdown shuts down major Kidflix platform hosting child sexual abuse material

Police crackdown shuts down major Kidflix platform hosting child sexual abuse material

As a result of the operation, 79 arrests were made, 1,393 suspects identified, and over 3,000 electronic devices seized.
2 April 2025