This report is about ‘Global Threat Report, 2025’.
As ThreatMon, we strive to prevent potential malicious activities by informing individuals, companies, firms, institutions, and organizations about current threats through our reports, posts, and analyses.
Retro-C2 is a web-based Remote Access Trojan (RAT) and infostealer attributed to the Turkish-speaking threat actor known as ZeroTrace. Built for stealth, flexibility, and broad control over compromised systems, Retro-C2 manages infected hosts from a modern web panel and exposes its full range of malicious actions through that interface.
The malware distinguishes itself by loading its core modules with a reflective loader, so they execute in memory without being written to disk and sidestep file-based endpoint detection. It also issues direct system calls (direct syscalls) instead of calling the user-mode API wrappers, which defeats the inline hooks that many user-mode security products and analysis sandboxes place in ntdll. The caveat for defenders is that direct syscalls bypass only user-mode hooks: kernel callbacks and ETW threat-intelligence telemetry still observe the call, and a syscall instruction executed from an address outside ntdll is itself a detection signal. According to the report, Retro-C2 applies this technique mainly to read sensitive browser data, including cookies, passwords, and payment information, directly from the memory of targeted browsers.
Victim information, such as the host identifier, operating system details, and hardware specifications, is collected and transmitted to the attacker's server as structured JSON, which lets the panel parse and process each check-in automatically. The command-and-control infrastructure is fully web-based and gives operators real-time client monitoring together with a set of actions: CMD and PowerShell execution, Remote Desktop, keylogging, clipboard capture, file and process management, registry and network operations, audio recording, wallet scanning, persistence operations, and credential recovery, so post-exploitation tasks can be carried out quickly.
We see the full picture of the evolving cyber threat landscape thanks to unique tools for monitoring the infrastructure used by cybercriminals and data from battlefields: