Kaspersky has revealed the discovery of GriffithRAT, a new and sophisticated malware used in campaigns targeting fintech companies, online trading platforms, and betting firms worldwide, including in the UAE, Egypt, Turkiye and South Africa.
Distributed via Skype and Telegram channels, GriffithRAT is typically disguised as files containing financial trend analysis or investment advice. These deceptive tactics target both organisations and individual traders who unknowingly download the malware.
Once downloaded, it enables attackers to steal login credentials, capture screenshots and webcam streams, log keystrokes, and monitor user activity. The stolen data can be exploited in a variety of ways, ranging from gathering competitive business intelligence to tracking individuals or valuable assets – highlighting the broad potential for misuse.
Kaspersky researchers have been monitoring GriffithRAT for over a year and link it to cyber mercenary operations, where threat actors are contracted by third parties to conduct targeted attacks – often driven by motives such as corporate espionage.
This connection is reinforced by technical analysis, which shows strong similarities between GriffithRAT and DarkMe intrusions. DarkMe is a known remote access Trojan (RAT) commonly used in mercenary-led cyber campaigns.
“This discovery highlights the growing sophistication and commercialisation of cyberthreats,” says Maher Yamout, lead security researcher at Kaspersky. “GriffithRAT is not the work of random hackers; it is a maintained piece of malware and part of a broader trend where cyber mercenaries are hired to collect sensitive information, often for financial or strategic advantage.
“The data harvested could offer visibility into the inner workings of major organisations, provide unethical competitive advantage, and may also be sold on the dark web. It is a reminder that in today’s threat landscape, cybercrime is increasingly professional, targeted, and persistent.”