Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques

Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems.
"The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques," Cyfirma said in a technical analysis published last week.
"It employs various mechanisms, including antivirus bypass, privilege escalation, anti-detection, and ransomware encryption targeting critical files."
NonEuclid has been advertised in underground forums since at least late November 2024, with tutorials and discussions about the malware discovered on popular platforms like Discord and YouTube. This points to a concerted effort to distribute the malware as a crimeware solution.
At its core, the RAT commences with an initialization phase for a client application, after which it performs a series of checks to evade detection prior to setting up a TCP socket for communication with a specified IP and port.
It also configures Microsoft Defender Antivirus exclusions to prevent the artifacts from being flagged by the security tool, and keeps tabs on processes like "taskmgr.exe," "processhacker.exe," and "procexp.exe" which are often used for analysis and process management.
"It uses Windows API calls (CreateToolhelp32Snapshot, Process32First, Process32Next) to enumerate processes and check if their executable names match the specified targets," Cyfirma said. "If a match is found, depending on the AntiProcessMode setting, it either kills the process or triggers an exit for the client application."

Some of the anti-analysis techniques adopted by the malware include checks to determine whether it's running in a virtual or sandboxed environment; if it is, the program terminates immediately. Furthermore, it incorporates features to bypass the Windows Antimalware Scan Interface (AMSI).
While persistence is accomplished by means of scheduled tasks and Windows Registry changes, NonEuclid also attempts to elevate privileges by circumventing User Account Control (UAC) protections and executing commands.
A relatively uncommon feature is its ability to encrypt files matching certain extension types (e.g., .CSV, .TXT, and .PHP) and rename them with the extension ".NonEuclid," effectively turning it into ransomware.
"The NonEuclid RAT exemplifies the increasing sophistication of modern malware, combining advanced stealth mechanisms, anti-detection features, and ransomware capabilities," Cyfirma said.
"Its widespread promotion across underground forums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the challenges in combating such threats. The integration of features like privilege escalation, AMSI bypass, and process blocking showcases the malware's adaptability in evading security measures."
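The behaviours Cyfirma lists (Defender exclusion changes, killing of analysis tools, scheduled-task persistence, files renamed with the ".NonEuclid" extension) lend themselves to behavioural hunting. The following is an added detection example, not code from the Cyfirma analysis or from the RAT; it runs over constructed, simplified endpoint telemetry, and the record layout, field names and sample process names are assumptions:

```python
"""Hunting rules for the NonEuclid RAT behaviours described in the article.
Runs over constructed, simplified endpoint telemetry records (dicts), not
real Sysmon or Defender output; the record layout is an assumption."""
from collections import defaultdict

# Indicators named in the article
WATCHED_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe"}
RANSOM_EXT = ".noneuclid"
DEFENDER_EXCL_PREFIX = r"hklm\software\microsoft\windows defender\exclusions"


def classify(ev):
    """Map one telemetry record to a behaviour tag, or None if nothing matches."""
    kind = ev.get("type")
    if kind == "registry_set" and ev.get("key", "").lower().startswith(DEFENDER_EXCL_PREFIX):
        return "defender_exclusion"
    if kind == "process_terminate" and ev.get("target", "").lower() in WATCHED_TOOLS:
        return "analysis_tool_killed"
    if kind == "file_rename" and ev.get("new_name", "").lower().endswith(RANSOM_EXT):
        return "ransom_rename"
    if kind == "scheduled_task_create":
        return "scheduled_task_persistence"
    return None


def hunt(records, min_behaviours=2):
    """Group tagged records by source process and report processes showing at
    least `min_behaviours` distinct behaviours. A single behaviour is often
    benign (an admin adding an exclusion); several from one process are not."""
    seen = defaultdict(set)
    for ev in records:
        tag = classify(ev)
        if tag:
            seen[ev["process"]].add(tag)
    return {proc: sorted(tags) for proc, tags in seen.items() if len(tags) >= min_behaviours}


# Constructed sample telemetry (not real log output; "client.exe" is a placeholder name)
SAMPLE = [
    {"type": "registry_set", "process": "client.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\x\client.exe"},
    {"type": "process_terminate", "process": "client.exe", "target": "ProcExp.exe"},
    {"type": "file_rename", "process": "client.exe",
     "old_name": "report.csv", "new_name": "report.csv.NonEuclid"},
    {"type": "registry_set", "process": "powershell.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\Backups"},
    {"type": "process_create", "process": "explorer.exe", "image": "notepad.exe"},
]

if __name__ == "__main__":
    for proc, tags in hunt(SAMPLE).items():
        print(f"{proc}: {', '.join(tags)}")
```

Lowering `min_behaviours` to 1 surfaces the lone exclusion change as well, which is useful for triage but noisier in an environment where administrators legitimately manage exclusions.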