Rust-Written SpankRAT Hijacks Windows Explorer to Evade Detection
SpankRAT blends Rust’s systems-level reach with Explorer abuse, then rides a low-detection chain from HTTP download to DLL injection and a rogue scheduled task.

SpankRAT starts with a familiar Windows trick and a Rust twist. Security researchers at ANY.RUN identified a two-component remote access trojan toolkit, built in Rust, that leans on explorer.exe to stay hidden and keep running. The loader, SpankLoader, pulls down the main payload over unencrypted HTTP, drops a malicious DLL, and injects it into Windows Explorer, a process that has become one of the most abused living-off-the-land binaries in malware tradecraft.
That choice matters because explorer.exe sits in plain sight on countless systems and blends into normal user activity. Once SpankLoader gets its code into that process, it creates a scheduled task named RmmAgentCore to preserve persistence. The result is a chain that depends less on noisy custom malware behavior and more on legitimate Windows machinery, which makes it easier for reputation-based and signature-based defenses to miss.
The embedded payload then opens a WebSocket-based command-and-control channel and speaks in JSON, a design that keeps traffic structured and flexible while looking ordinary enough to slip past some network filters. The campaign reportedly supports 18 distinct server commands, covering session management, remote command execution, file operations, process control, and registry manipulation. That range gives an operator enough reach to move from basic access to hands-on control without changing tooling.
The early samples also showed very low detection rates on VirusTotal, which is the part that should make defenders pause. Rust is not the story because it is malicious. Rust is the story because it gives attackers the same advantages legitimate systems developers prize: speed, reliability, portability, and fine-grained control over low-level behavior. In the wrong hands, those traits can make a payload easier to harden against analysis and harder to catch with aging detection stacks.
The Explorer angle is not new, either. SentinelOne previously found that explorer.exe was the top initial living-off-the-land binary in an analysis of 27,510 malicious LNK samples, appearing in 87.2% of cases. SpankRAT fits that pattern closely, showing how often attackers return to the same trusted Windows process when they want longer dwell time and less friction. For Rust developers, the lesson is clear: the same capabilities that make the language attractive for infrastructure, tooling, and performance-sensitive software also make it valuable to adversaries looking for stealth on Windows.
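One way to turn the chain described above into a host-level detection, as an added example that is not code from ANY.RUN or the page: correlate, per host, Sysmon-style CreateRemoteThread events whose target is explorer.exe, scheduled-task creation named RmmAgentCore, and explorer.exe opening connections to non-private addresses. Event field names are simplified and the sample events, host names and IP addresses are constructed.

```python
"""Correlate the SpankRAT stages (injection into explorer.exe, the
RmmAgentCore scheduled task, explorer.exe talking to external hosts)
over simplified Sysmon/Security events. Sample data is constructed."""
from collections import defaultdict

# Constructed events: Sysmon ID 8 = CreateRemoteThread, ID 3 = network
# connection, Windows Security 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 8, "source": "C:\\Users\\u\\Downloads\\loader.exe",
     "target": "C:\\Windows\\explorer.exe"},
    {"host": "ws01", "id": 4698, "task": "RmmAgentCore", "actor": "loader.exe"},
    {"host": "ws01", "id": 3, "image": "C:\\Windows\\explorer.exe",
     "dst_ip": "203.0.113.7", "dst_port": 80},
    # Benign-looking: explorer.exe reaching an internal file share.
    {"host": "ws02", "id": 3, "image": "C:\\Windows\\explorer.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445},
    # Benign: unrelated scheduled task.
    {"host": "ws03", "id": 4698, "task": "Backup Nightly", "actor": "svchost.exe"},
]

TASK_NAME = "rmmagentcore"          # task name reported for SpankRAT persistence
EXPLORER = "\\explorer.exe"

def is_private(ip):
    """RFC 1918 / loopback check so normal LAN traffic is not flagged."""
    return ip.startswith(("10.", "192.168.", "127.")) or any(
        ip.startswith(f"172.{n}.") for n in range(16, 32))

def classify(event):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    eid = event.get("id")
    if eid == 8 and event.get("target", "").lower().endswith(EXPLORER):
        return "inject_explorer"
    if eid == 4698 and event.get("task", "").lower() == TASK_NAME:
        return "task_rmmagentcore"
    if (eid == 3 and event.get("image", "").lower().endswith(EXPLORER)
            and not is_private(event.get("dst_ip", ""))):
        return "explorer_external_net"
    return None

def correlate(events):
    """Return {host: sorted list of stages seen} for hosts with any hit."""
    stages = defaultdict(set)
    for e in events:
        stage = classify(e)
        if stage:
            stages[e["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items()}

def suspicious_hosts(events, min_stages=2):
    """Hosts where at least min_stages independent stages coincide."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)
```

Explorer.exe legitimately makes some outbound connections on its own, so a single stage is only a weak signal; the two-stage threshold is what separates ws01 from ordinary hosts in the sample.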