Cybersecurity
Ratting out the rats
Kaspersky researchers have unpacked the GriffithRAT remote access trojan, which has been used in targeted campaigns worldwide, writes SHERYL GOLDSTUCK.
At the recent Cyber Security Weekend hosted by Kaspersky in Thailand for the Middle East, Turkiye, and Africa (META) region, one of the most striking revelations was the discovery of a sophisticated new malware threat known as GriffithRAT. Kaspersky researchers unveiled detailed findings on this remote access trojan, which has been used in targeted cyber campaigns against fintech companies, online trading platforms, and betting firms across the globe, including prominent cases in the United Arab Emirates, Egypt, Turkiye, and South Africa.
Attending the event in Thailand provided a unique opportunity to engage directly with cybersecurity experts and analysts from across the region. The conversations were eye-opening, particularly when Kaspersky’s team broke down how GriffithRAT operates. The level of detail and real-world implications of this malware made it clear that we are not dealing with amateur threats, but with a new breed of commercial cybercrime that is calculated and persistent.
GriffithRAT is typically distributed through channels like Skype and Telegram. Victims are lured in by files masquerading as financial trend reports or investment advice, seemingly legitimate resources for professionals in finance or trading. Once these files are opened, the malware installs itself and begins a range of surveillance activities. It can steal login credentials, record keystrokes, capture screenshots and webcam feeds, and monitor user activity extensively. The data collected can be exploited in numerous ways, including corporate espionage, competitive intelligence gathering, and even personal tracking.
Kaspersky researchers have been following the evolution of GriffithRAT for over a year. Their analysis strongly suggests that this malware is being used by cyber mercenaries: hackers for hire who are contracted by third parties to carry out highly targeted attacks. These mercenary-led operations are often driven by financial or strategic motivations, particularly in competitive sectors like finance and tech.
What further underscores this connection is the technical overlap between GriffithRAT and another known malware called DarkMe. DarkMe has been identified in several cyber mercenary campaigns and shares several code structures and operational behaviours with GriffithRAT. This reinforces the theory that these malware tools are part of a larger, organised ecosystem of cybercrime.
Maher Yamout, Lead Security Researcher at Kaspersky, emphasised during the conference that this development illustrates the increasing sophistication and professionalisation of cyber threats. “GriffithRAT is not the work of opportunistic hackers,” he said. “It is a carefully maintained tool, designed for long-term exploitation. The data it collects can reveal the inner workings of major corporations, offer an unethical advantage to competitors, or even be sold on underground markets.”
For anyone working in finance, tech, or any sector that depends heavily on digital platforms, this should serve as a serious reminder: today’s cyberthreats are not only more targeted, but they are also part of a growing marketplace of digital espionage. Being at the conference and hearing these findings firsthand made the scale and professionalism of these threats impossible to ignore.
* Sheryl Goldstuck is general manager of World Wide Worx and editor of GadgetWheels. Follow her on Bluesky at @crazycatbuzz.bsky.social.
