International Law Enforcement Operation Takes Down NetWire RAT

An international law enforcement operation has resulted in the seizure of the infrastructure used to support the NetWire remote access Trojan (RAT).

NetWire was first detected in 2012 and has been sold on cybercrime forums for more than a decade. NetWire has consistently been one of the most popular and widely distributed RATs for several years due to its low cost and reliability. The RAT is primarily distributed via email using booby-trapped Microsoft Office documents and targets Windows, Mac, and Linux systems and Android smartphones.

The malware was advertised on several cybercrime forums and was sold online via a single World Wired Labs domain. That domain has been seized by the Federal Bureau of Investigation (FBI) and now displays a seizure notice.

The FBI field office in Los Angeles launched an investigation into NetWire in 2020. The FBI purchased a subscription to use NetWire and used the NetWire builder to create a custom version of the malware. World Wired Labs marketed NetWire as a legitimate tool for maintaining computer infrastructure; however, NetWire was a remote access Trojan that provided cybercriminals with unrestricted access to infected devices, and has been extensively used for cybercriminal activity by a variety of threat actors from Nigerian 419 scammers to advanced persistent threat actors.

The FBI was granted a seizure warrant on March 3 by a U.S. Magistrate Judge, resulting in the seizure of the domain worldwidelabs.com, which was used to sell the malware. Law enforcement officers in Switzerland seized the server that hosted the NetWire RAT infrastructure, and law enforcement officers in Croatia arrested an unnamed Croatian national who is believed to be the administrator of the website. That individual will be subject to prosecution in Croatia.

The operation has resulted in this decade-long stalwart of the cybercrime community being taken out of action, and has prevented the malware from being used to perpetrate fraud, data breaches and network intrusions by cybercriminals around the world.

“Today’s action is a testament to the innovation and flexibility necessary to fighting cybercriminals who operate without borders,” said United States Attorney Martin Estrada. “Our office will continue to forge international alliances to protect our communities from cyber threats. Criminals used NetWire on a global scale, and we have responded by dismantling the infrastructure that has caused untold harm to victims around the world.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news