Alleged seller of NetWire RAT arrested in Croatia

This week, as part of a global law enforcement operation, federal authorities in Los Angeles confiscated a domain used by cybercriminals to distribute the NetWire remote access trojan (RAT), which allowed perpetrators to assume control of infected computers and extract a diverse range of sensitive information from their unsuspecting victims.


“A RAT is a type of malware that allows for covert surveillance, allowing a ‘backdoor’ for administrative control and unfettered and unauthorized remote access to a victim’s computer, without the victim’s knowledge or permission,” according to court documents filed in Los Angeles.

As part of this week’s law enforcement action, authorities arrested a Croatian national who allegedly was the administrator of the website. Brian Krebs pinpointed the suspect, who will be prosecuted by Croatian authorities. Additionally, law enforcement in Switzerland seized the computer server hosting the NetWire RAT infrastructure.

The FBI in Los Angeles in 2020 opened an investigation into worldwidelabs, the only known online distributor of NetWire. Undercover investigators with the FBI created an account on the website, paid for a subscription plan, and “constructed a customized instance of the NetWire RAT using the product’s Builder Tool,” according to the affidavit in support of the seizure warrant.

While the website marketed NetWire as a legitimate business tool to maintain computer infrastructure, the affidavit states that NetWire is malware used for malicious purposes, that the software was advertised on hacking forums, and that numerous cyber security companies and government agencies have documented instances of the NetWire RAT being used in criminal activity.

“Today’s action is a testament to the innovation and flexibility necessary to fighting cybercriminals who operate without borders,” said United States Attorney Martin Estrada. “Our office will continue to forge international alliances to protect our communities from cyber threats. Criminals used NetWire on a global scale, and we have responded by dismantling the infrastructure that has caused untold harm to victims around the world.”

“By removing the Netwire RAT, the FBI has impacted the criminal cyber ecosystem,” said Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals.”
