WindowsAudit Backdoor: Inside a .NET RAT That Hides in Discord

Profero IRT

April 28, 2026

Advisory: Profero has observed this campaign active across multiple environments, and based on observed patterns and tradecraft, it may be positioning for escalation toward a broader ransomware operation. Profero has notified the Israeli National Cyber Directorate (INCD) of this activity. Organizations that identify any of the indicators of compromise (IOCs) listed below in their environments are encouraged to take prompt investigative action. If you would like to confirm whether your organization appears among the environments where this activity has been observed, or to discuss the IOCs further, please contact our team at contact@profero.io.

Executive Summary

In April 2026, Profero IRT identified a .NET 8 backdoor named WindowsAudit.exe on a victim host. The binary is a modular C# RAT (version v1.5.77) that uses Discord as its primary C2 channel, MQTT as a secondary, and Telegram as an optional fallback. It runs as a Windows Service under LocalSystem, drops a companion persistence binary (WinSATSvc / WinSATTemp.exe), and covers credential theft, Active Directory abuse, Safe Mode EDR removal, WireGuard tunneling, screen and webcam capture, and keylogging.

Binary: unsigned, 101 MB, .NET single-file bundle, compiled 19 March 2026.

What Happened

Profero IRT recovered WindowsAudit.exe from a victim host and reverse engineered it. The binary is a .NET native apphost — a statically-linked native loader that stages and runs an embedded managed DLL with its dependencies. Extracting and decompiling WindowsAudit.dll to C# yielded a ~28,000-line remote administration framework with clean separation between command dispatch, C2 transports, and feature modules.

On startup the agent:

Patches Windows Defender with an Add-MpPreference exclusion for its install path and process name
Registers itself as a Windows Service (WindowsAudit)
Drops a self-backup at %CommonProgramData%\Microsoft\Windows\WinSAT\WinSATTemp.exe
Adds a WMI event subscription
Writes registry Run keys
Registers a RemoteAdminEdrCleanup scheduled task that re-arms the operator after a Safe Mode reboot

The single-instance guard is the mutex Global\WindowsAuditSingleInstance.

Command-and-Control Architecture

WindowsAudit ships three independent C2 transports. The agent fails open to the next channel if one is unavailable, and all three blend with legitimate enterprise traffic.

Discord (Primary)

Authenticates with a hardcoded bot token using gateway intents 33281 (GuildMessages, GuildMessageReactions, MessageContent, GuildMembers, GuildPresences)
Polls two channels in a single guild: a bus channel for tasking and a store channel for results and large file transfers (up to 25 MB per attachment)
Registers Discord slash commands on connect; operators task agents by exact hostname, partial hostname, Machine GUID, GUID prefix, or "all" for broadcast
Reconnects with randomized 15–30 second back-off

MQTT (Secondary)

Connects to a public HiveMQ Cloud broker on port 8883 over TLS
Tasks published to remoteadmin/commands, results to remoteadmin/results
Client ID format ra-agent-{MachineName}-{short-guid} leaks hostname to the broker audit log
Supports retained messages for offline agents

Telegram (Optional)

If configured, the agent accepts a reduced command set over Telegram: ping, exec, ps, screenshot, record, browse, sysinfo, netscan, kerbrenew, service, process, inventory, wol, registry.

Persistence Mechanisms

Mechanism	Detail
Windows Service	`WindowsAudit`, `LocalSystem`, `start=auto`, failure recovery at 5s / 10s / 30s
WMI Subscription	Registered via `EnsureWmiSubscriptionAsync` for redundant persistence
Defender Exclusion	`Add-MpPreference` adds install path and process name to exclusion list
Self-Backup	Copies itself to `%CommonProgramData%\Microsoft\Windows\WinSAT\WinSATTemp.exe`
Registry Run Keys	`WinSATService` and `WindowsAuditSvc` under `HKCU\...\CurrentVersion\Run`
Scheduled Task	`RemoteAdminEdrCleanup` runs at startup in Safe Mode to scrub EDR services

Companion Dropper: WinSATSvc

A second .NET 8 binary — WinSATSvc.exe — masquerades as the legitimate Windows System Assessment Tool service. On a 3-minute loop it checks whether the primary agent process is running. If not, it polls the same Discord channels for a restore_manifest message, pulls GZip-compressed restore_chunk attachments, and reassembles them into WinSATTemp.exe — a fresh copy of the primary WindowsAudit.exe agent, not the watchdog itself — then launches it. Requests are keyed by a 12-character hex requestId. The dropper uses 120-second HTTP timeouts over Discord API v10.

Credential Access

Method	Detail
LSASS dump	`comsvcs.dll!MiniDumpWriteDump` to disk
SAM/SYSTEM/SECURITY hive dump	Volume Shadow Copy extraction
DPAPI browser credentials	Chrome, Edge, Brave; embedded `chromelevator.exe` fallback
Credential Manager	Windows DPAPI dump
Kerberos attacks	Kerberoasting, AS-REP roasting, Pass-the-Hash, Pass-the-Ticket
WiFi profiles	Plaintext PSK extraction
Token abuse	Process token enumeration, impersonation, steal-from-PID

Active Directory Abuse

The agent ships a near-complete AD attack toolkit:

Category	Capability
Discovery	`ad_users`, `ad_user`, `local_users`, `user_logons`, `dc_logons`, `enum_spns`, `enum_gpo`, `netscan`, `smbscan`, `enum_shares`, `enum_sessions` (via `NetSessionEnum` across the domain)
ACL abuse	Forced password change, add member, take ownership, grant DCSync via ACL write
Delegation abuse	RBCD (Resource-Based Constrained Delegation)
ACL graphing	BloodHound-style ACL path enumeration

From SYSTEM, domain takeover is one command.

Execution, Evasion, and EDR Tear-Down

Userland Hook Bypass (Hell’s Gate)

The agent detects user-mode hooks on NT APIs and recovers original syscall numbers (SSNs) so syscalls bypass EDR userland instrumentation entirely.

EDR Removal

Targets CrowdStrike, SentinelOne, Carbon Black, Cylance, Symantec, McAfee, Trellix, Sophos, ESET, Kaspersky, Trend Micro, Cortex XDR, Cybereason, Bitdefender, Webroot, and Malwarebytes — detected by registry uninstall key, service name, and install directory.

Removal sequence:

Silent uninstall via registry-parsed uninstall strings
sc.exe force-stop + takeown.exe / icacls.exe / rd /s /q on install directories
If both fail: reboot into Safe Mode (bcdedit /set {current} safeboot minimal), run RemoteAdminEdrCleanup scheduled task, remove EDR SafeBoot registry entries, restore normal boot, reboot again

In-Process Patches

Patch	Detail
AMSI	Patches `amsi!AmsiScanBuffer` in-process, defeating script-content scanning
ETW	Patches `ntdll!EtwEventWrite` to suppress event tracing telemetry

Execution Primitives

The agent supports four execution methods:

exec — CMD shell
ps — PowerShell
shell_start / shell_input / shell_stop — interactive shell sessions over Discord threads
smb_exec — remote execution via WMI/SMB on remote hosts

Process Manipulation

APC injection / process hollowing (process_hollow)
Parent PID spoofing (ppid_spoof)
PE header zeroing (pe_stomp) in self, by name, or by PID

Surveillance Capabilities

Capability	Command
Screenshot	`screenshot`
Screen recording (H.264 MP4)	`record`
Live screen stream to Discord	`stream_start` / `stream_stop`
Webcam capture (MediaFoundation)	`cam_start` / `cam_stop`
Microphone recording	`mic_record`
Keylogger (WH_KEYBOARD_LL + window title)	`keylog`
Monitor blackout	`blackout`
Keyboard/mouse lock	`input_lock`
Windows Geolocation	`geolocation`

VPN, Tunneling, and Lateral Movement

Method	Detail
WireGuard server	Auto-installed from wireguard[.]com; stands up `10[.]13[.]37[.]1/24` with a `New-NetNat` split-tunnel rule; operator receives a generated client config
OpenVPN client	Connects to an operator-supplied `.ovpn` config
SOCKS5 proxy	On-agent SOCKS5 server; combined with a Discord relay proxy, routes traffic through the agent without opening any inbound port
TCP tunnels	Bidirectional TCP tunnels through the agent; agent-to-agent relay sessions over Discord via `AgentRelayManager`
Agent deployment	`deploy_agent` pushes the binary to a target via SMB + `sc.exe` using a relay agent on the same network

Indicators of Compromise

Hashes, the Discord bot token, channel/guild IDs, and the MQTT broker hostname and credentials are redacted here. The full IOC set is available from contact@profero.io.

Note on IPs: IP addresses below resolved to Discord and Cloudflare CDN endpoints at analysis time. They rotate and are not safe to block outright. Use them for retrospective hunting; base prevention on domain and TLS-SNI indicators.

File System

Path	Description
`%CommonProgramData%\Microsoft\Windows\WinSAT\WinSATTemp.exe`	Primary agent self-backup
`%CommonProgramData%\Microsoft\Windows\WinSAT\WinSATSvc.exe`	Companion dropper

Services

Name	Description
`WindowsAudit`	Primary RAT service (`LocalSystem`, `auto` start)
`WinSATSvc`	Companion dropper service

Registry

Key	Value	Data
`HKCU\...\CurrentVersion\Run`	`WinSATService`	Path to `WinSATSvc.exe`
`HKCU\...\CurrentVersion\Run`	`WindowsAuditSvc`	Path to primary agent

Scheduled Tasks

Name	Trigger
`RemoteAdminEdrCleanup`	On startup (Safe Mode)

Mutex

Global\WindowsAuditSingleInstance

Network (DNS / TLS SNI)

Indicator	Type	Note
`discord[.]com`	Domain	Primary C2
`gateway[.]discord[.]gg`	Domain	WebSocket gateway
`*[.]hivemq[.]cloud`	Domain	MQTT secondary C2 (port 8883)
`api[.]ipify[.]org`	Domain	Public IP probe
`download[.]wireguard[.]com`	Domain	WireGuard installer source
`r13[.]c[.]lencr[.]org`	Domain	Let’s Encrypt CRL (execution timing correlator)

Other Artifacts

Artifact	Value
Internal version string	`v1.5.77`
Discord bot “Now Playing” status	`v1.5.77`
WireGuard server subnet	`10[.]13[.]37[.]1/24`
Public IP probe URL	`hxxps://api[.]ipify[.]org`

Detection Guidance

Service creation — Alert on any service with display name "Windows Audit", description "Windows security audit and compliance monitoring service", or where binPath points outside %SystemRoot% or Program Files.
Defender exclusion — EDR rule for Add-MpPreference -ExclusionPath ... -ExclusionProcess WindowsAudit.exe; flag any Add-MpPreference issued from a non-administrative process tree.
Safe Mode pivot — Alert on bcdedit /set {current} safeboot minimal, creation of the RemoteAdminEdrCleanup scheduled task, or deletion of SafeBoot registry entries for EDR services.
Discord/MQTT egress — Block or alert on TLS connections from server VLANs to discord[.]com, gateway[.]discord[.]gg, and *[.]hivemq[.]cloud. Specific guild and channel IDs for alerting available on request.
Persistence triplet — Hunt for simultaneous presence of the WindowsAudit service + WinSATTemp.exe in the WinSAT directory + both HKCU Run keys. No legitimate software leaves this combination.
Mutex — Any endpoint tool that enumerates kernel objects will find Global\WindowsAuditSingleInstance on infected hosts.

MITRE ATT&CK Mapping (Selected)

Technique	ID	Tactic
Signed Binary Proxy Execution	T1218	Defense Evasion
AMSI Bypass	T1562.001	Defense Evasion
ETW Tampering	T1562.006	Defense Evasion
Safe Mode Boot	T1562.009	Defense Evasion
Process Injection (APC)	T1055.004	Defense Evasion / Privilege Escalation
Parent PID Spoofing	T1134.004	Defense Evasion
LSASS Memory Dump	T1003.001	Credential Access
SAM/SYSTEM/SECURITY Hive Dump	T1003.002	Credential Access
DPAPI Credential Theft	T1555.004	Credential Access
Kerberoasting	T1558.003	Credential Access
AS-REP Roasting	T1558.004	Credential Access
Windows Service	T1543.003	Persistence
WMI Subscription	T1546.003	Persistence
Registry Run Keys	T1547.001	Persistence
Scheduled Task	T1053.005	Persistence
Discord C2	T1102.002	Command and Control
Web Service (MQTT)	T1102	Command and Control
Keylogging	T1056.001	Collection
Screen Capture	T1113	Collection
Audio Capture	T1123	Collection
Video Capture	T1125	Collection
DCSync	T1003.006	Credential Access
RBCD Delegation Abuse	T1484.001	Privilege Escalation

For the full IOC set including hashes, Discord identifiers, and MQTT broker details, contact contact@profero.io.

Written by

Profero IRT

Related posts