The PolySwarm Blog



Jun 2, 2023 2:04:00 PM / by The Hivemind

AhRAT

Related Families: AhMyth

Executive Summary

AhRAT, an Android RAT, was disguised as the iRecorder app. This malicious version of the iRecorder app is capable of recording audio and exfiltrating files from a victim’s device.

Key Takeaways

  • AhRAT is an Android RAT based on AhMyth.
  • AhRAT was disguised as the iRecorder application.
  • The iRecorder application was initially released in 2021 as a legitimate app, and malicious functionality was added in an update almost a year later. 
  • AhRAT is capable of exfiltrating files and recording audio on a victim's device. 

What is AhRAT?

ESET recently reported on AhRAT, an Android RAT based on AhMyth. AhRAT is capable of exfiltrating files and recording audio on a victim's device.

AhRAT is delivered via a trojanized version of the iRecorder app, which was available on the Google Play store. To date, the app has over 50,000 installs.

AhRAT is a malicious spy app, capable of recording surrounding audio from the victim device’s microphone. It can upload both recorded audio and multiple file types to the threat actor’s C2, including saved webpages, images, audio, video, documents, and compressed file types. ESET researchers note this seems to indicate that AhRAT is part of an espionage campaign. However, they did not associate the malware with a particular threat actor or group. While AhRAT is based on AhMyth RAT, it includes only a fraction of the functionality available in AhMyth RAT.

While the original iRecorder app was not malicious and has been available since late 2021, the malicious functionality appears to have been added in August 2022. Whatever privileges and access the victim had already granted to the clean version of the app still applied to the updated, malicious version of the app, whether the victim manually or automatically updated the app. Since the malicious version of the app did not request additional permissions, victims were less likely to become suspicious of the app. ESET researchers noted it is unusual for developers to release a clean version of an app and follow up with an update containing malicious functionality almost a year later.

Google has removed the iRecorder app from the Google Play store.

PolySwarm Findings

PolySwarm’s research team discovered additional AhRAT samples, including several samples First Seen on PolySwarm. Our researchers noted that the app versions carrying the malicious component include versions 1.4.0, 1.4.2, and 2.0. While the original source report mentioned the hxxp[:]//80876dd5[.]shop C2, our researchers also observed the malware communicating over port 22223. AhRAT is currently featured on our portal in Emerging Threats.


PolySwarm has multiple samples of AhRAT.

2abf26d779ea1afa4dcc7147563907573e07fa9051ae4319cb864bdf752fa054 (First Seen)

24efa31f8e61e0d0f4761533dd86c967c07c15835b900b3d28712ec9840f81e5 (First Seen)

27ecadbcfaf249bec2ed0f1ad5f8471a4562175ed5dbea7008674401d65725ac (First Seen)

You can use the following CLI command to search for all AhRAT samples in our portal:

$ polyswarm link list -f AhRAT
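To hunt for these indicators in your own telemetry rather than on the portal, the following script is an added example (not PolySwarm code) that refangs the published C2, then checks a file-hash inventory and proxy/firewall log lines against the three SHA256 hashes, the C2 host and the port 22223 observation from this post. The hashes, C2 and port come from the post; the inventory entries, log lines and their log format are constructed for the example. A bare port match is reported separately from a host match because 22223 is not reserved for AhRAT and on its own is only a weak hint.

```python
"""Match the AhRAT indicators from this post against local telemetry.

Added example, not PolySwarm's own tooling. The hashes, the defanged C2
and the port are taken from the post; FILE_INVENTORY and NET_LOGS below
are constructed sample data in a made-up log format.
"""
import re

# Indicators from the post. The C2 is kept defanged as published.
AHRAT_SHA256 = {
    "2abf26d779ea1afa4dcc7147563907573e07fa9051ae4319cb864bdf752fa054",
    "24efa31f8e61e0d0f4761533dd86c967c07c15835b900b3d28712ec9840f81e5",
    "27ecadbcfaf249bec2ed0f1ad5f8471a4562175ed5dbea7008674401d65725ac",
}
AHRAT_C2_DEFANGED = "hxxp[:]//80876dd5[.]shop"
AHRAT_C2_PORT = 22223


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared to real telemetry."""
    return (indicator.replace("hxxp", "http")
                     .replace("[:]", ":")
                     .replace("[.]", "."))


def c2_host(defanged_url: str) -> str:
    """Return the lower-cased hostname of a (refanged) C2 URL."""
    url = refang(defanged_url)
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    if not m:
        raise ValueError(f"not a URL: {url}")
    return m.group(1).lower()


# Constructed file inventory (sha256, path), as an EDR export might provide it.
FILE_INVENTORY = [
    ("2abf26d779ea1afa4dcc7147563907573e07fa9051ae4319cb864bdf752fa054",
     "/data/app/irecorder.apk"),
    ("0000000000000000000000000000000000000000000000000000000000000000",
     "/data/app/benign.apk"),
]

# Constructed proxy/firewall log lines: "<ts> <src> <dst>:<port> host=<sni>"
NET_LOGS = [
    "2023-06-01T10:00:00Z 10.0.0.5 203.0.113.9:443 host=example.com",
    "2023-06-01T10:01:00Z 10.0.0.5 203.0.113.10:22223 host=80876dd5.shop",
    "2023-06-01T10:02:00Z 10.0.0.7 203.0.113.11:22223 host=other.example",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) host=(?P<host>\S+)$"
)


def match_hashes(inventory):
    """Return (sha256, path) pairs whose hash is a known AhRAT sample."""
    return [(h, p) for h, p in inventory if h.lower() in AHRAT_SHA256]


def match_network(lines):
    """Return (kind, src, line) findings for the AhRAT C2 host or port.

    'c2_host' is a high-confidence hit on the published C2 hostname;
    'c2_port_only' flags traffic to 22223 without the host and needs
    further review before it is treated as an infection.
    """
    host = c2_host(AHRAT_C2_DEFANGED)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        if m["host"].lower() == host:
            findings.append(("c2_host", m["src"], line))
        elif int(m["port"]) == AHRAT_C2_PORT:
            findings.append(("c2_port_only", m["src"], line))
    return findings


if __name__ == "__main__":
    for sha, path in match_hashes(FILE_INVENTORY):
        print(f"HASH MATCH  {path}  {sha}")
    for kind, src, line in match_network(NET_LOGS):
        print(f"{kind:13} {src}  {line}")
```

Feed `match_hashes` and `match_network` from your real inventory and log exports in place of the constructed lists; the regex in `LOG_RE` is specific to the made-up format and will need adjusting to your log source.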




Topics: Espionage, Android, RAT, AhMyth, AhRAT
