Mandatory Privacy Policy

To the extent you are completing this form on your own behalf, and not on behalf of your agency or organization, be advised that the information on the form is being collected in accordance with the Privacy Act Statement on the IC3 homepage, https://www.ic3.gov/Home/Privacy. Whether you are completing the form on your own behalf, or on behalf of your agency or organization, you are requested to avoid including, to the extent possible, the personally identifiable information of others.

Warzone Remote Access Trojan ("RAT") is a type of malicious software ("malware") that has been used by cyber criminals to gain unauthorized access to victim computers. Warzone RAT is sometimes referred to with variations of the name Ave Maria RAT. Warzone RAT allows users to remotely connect to and surreptitiously access a victim's computer to browse the file system, take screenshots, record keystrokes, steal the victim's usernames and passwords, watch the victim through their web camera, and conduct a range of other activities. Unlike similar commercially available programs, Warzone RAT does not notify or request approval from the owner of the computer, but instead allows remote access without the victim's knowledge or permission. Malware such as Warzone RAT can be used by cyber criminals to further a myriad of criminal activities, such as ransomware attacks, theft of personally identifiable information, phishing campaigns, and other computer-related crimes.

The specific techniques employed by the Warzone RAT malicious software itself are outlined by the Federally Funded Research and Development organization MITRE on its ATT&CK framework website, accessible here: https://attack.mitre.org/software/S0670

All reporting of cybercrime activity to the FBI's IC3 website is helpful and assists the FBI with its mission to combat cybercrime and assist victims. We recognize that you may not have answers to all of the questions listed below, but please provide as much detail as you can. If the FBI has additional questions about your report, you will be contacted directly. Thank you for taking the time to report this incident.

Point of Contact
Exploitation
What were the start and end dates of the attack?

Please provide the following, if possible:

  • IP Addresses/Domains used to exploit infrastructure
  • IP Addresses/Domains used to receive beacons
  • IP Addresses/Domains used to exfiltrate data

Post-Exploitation
Was there data exfiltration?
Organization-Related Questions
Has this incident been previously reported to other federal agencies?
Were there any reports generated from this incident?
Were there any third-party companies involved in incident response/remediation?
If so, can we speak with them?
What is a good point of contact for this company?
Were there any losses incurred by you or your organization, or any adverse impact on you or your organization?