WezRat

This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.

Summary

Associated actor(s): Cotton Sandstorm
Tool type(s): Modular infostealer / RAT
Confidence level(s): High
Source ID(s): SRC-CP-WEZRAT

Behavior

Actor	Behavior Summary
Cotton Sandstorm	Check Point reports WezRat as a modular infostealer/RAT distributed through fake INCD-themed phishing; behavior includes modular collection, command execution, screenshot or data theft capabilities depending on module, and Israeli security-update lure abuse.

Hash And IOC Status

Actor	Status	Reference
Cotton Sandstorm	Hash not committed; use Check Point and government IOC references for current sample hashes, lure senders, domains, and C2 paths.	`SRC-CP-WEZRAT`

Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.

Defensive Hunting Notes

Actor	Hunting Notes
Cotton Sandstorm	Hunt fake INCD/security-update lures, sender/domain impersonation, user-path execution after download, modular infostealer staging, and unusual outbound C2 after security-themed attachments.

Handling Notes

Actor	Handling Notes
Cotton Sandstorm	Do not store payloads; treat lure reuse and persona context through evidence and persona-claim workflow.

Crosslinks

Cotton Sandstorm: profile, workbench, tool matrix
Detection status: Detection Status Dashboard
Hunt workflow: Hunt Workflow

Mapped ATT&CK Techniques For Associated Actor(s)

Actor	Technique	Tactic	Mapping Quality	Source
Cotton Sandstorm	T1585 Establish Accounts	Resource Development	M1	`SRC-MS-IRAN-IO`
Cotton Sandstorm	T1204.002 User Execution: Malicious File	Execution	M3	`SRC-CP-WEZRAT`
Cotton Sandstorm	T1566 Phishing	Initial Access	M3	`SRC-FBI-EMENNET-2024`

These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.

Actor	Detection	Release Status	DRL	Rule
Cotton Sandstorm	DET-004 - Mail Click To Execution Correlation	Hunt	4	detections/kql/mail-click-to-exec-correlation.kql

These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.

Actor	Hunt	Hypothesis	Query
Cotton Sandstorm	HUNT-004	If VIP phishing is active then mail click events will correlate to risky sign-in or execution	detections/kql/mail-click-to-exec-correlation.kql

Source Review

Source	Publisher	Date	Reliability	Type	Last Reviewed
`SRC-CP-WEZRAT`	Check Point Research	2024-11-14	A	Vendor CTI	2026-05-14

If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.

Summary​

Behavior​

Hash And IOC Status​

Defensive Hunting Notes​

Handling Notes​

Crosslinks​

Mapped ATT&CK Techniques For Associated Actor(s)​

Related Actor-Level Repository Detections​

Related Actor-Level Hunts​

Source Review​