Powershell RAT Backdoor Tool Extract Data Gmail


Powershell RAT is a Python and PowerShell script tool made to help a pen tester backdoor machines during red team engagements.

Powershell-RAT is a Python-based Gmail exfiltration RAT that can be used as a Windows backdoor to send screenshots or other data as an e-mail attachment.



This work is licensed under a Creative Commons Attribution 4.0 International License. Want to contribute? Please fork it and send a pull request. Any suggestions or ideas for this tool are welcome – just tweet.

PowerShell-RAT is a stealthy tool which exfiltrates sensitive information from a fully patched Windows environment via screenshots, keystrokes, clipboard hijacking and a reverse shell over the Gmail domain. This tool is highly useful when the standard RAT tools get picked up by the client's anti-virus software and one needs to provide a proof of concept to the client showing that malicious users or an attacker can exfiltrate information from the network even though they are running fully patched and up-to-date antivirus solutions.

The exfiltrated information is sent to a malicious user over HTTPS in the form of email attachments. The RAT can be invoked with a single key press using the ‘Hail Mary’ option. Gmail is used to receive files from the backdoored machine because it is considered a highly trusted domain; this allows an attacker to avoid network detection by next-generation firewalls.

During a Red Team engagement or an Internal Penetration Test, this tool can be executed on any Windows machine. It backdoors the compromised user machine using a number of scheduled tasks, which in turn run the PowerShell modules (scripts). Once backdoored, the malicious user receives screenshots, clipboard history and keystrokes of the user's activity via email every few minutes. After the email is received, screenshots and log files are deleted from the machine to free up disk space, hence avoiding detection.

When a compromised user successfully authenticates to a Windows machine, the backdoor triggers the keystroke module on the user machine. It saves every key press in the “log.txt” file on the user machine and sends it to the malicious user every hour as an email attachment. Similarly, the user's clipboard is monitored every 2 seconds and saved in the “clip.txt” file, and the clipboard information is sent via email every 5 hours.

Setting up this RAT requires a dedicated throwaway Gmail account, modification of the credential variables in the PowerShell script, and the malicious user enabling “Allow less secure apps” under the security settings of the Gmail account in order to receive screenshots, clipboard contents and key logs from the backdoored machine. Running these modules does not require administrator rights, and the exfiltration options can be customised as per the user's needs.

The Reverse Shell module allows the user to execute Windows commands on the compromised host by sending commands to the throwaway Gmail account. Commands are read in the background by constantly monitoring the inbox for new email. Commands in the body of an email are read every 5 seconds and executed instantly. Once the commands have been executed on the backdoored host, the command output is automatically sent as an email to the attacker's Gmail address, allowing two-way communication between the attacker and the compromised host.

The target system can be identified from the email subject line, which is the compromised host's computer name followed by a timestamp. The Remote Access Trojan (RAT) Python file can be converted into an executable using PyInstaller. During the demo at BlackHat, I walked everyone through a number of defence mechanisms to detect the PowerShell-RAT backdoor using publicly available tools such as Sysinternals from Microsoft. However, all of these defensive mechanisms can be bypassed by an attacker.
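The Gmail channel described above is built to blend into perimeter traffic, so the practical counter is process-aware egress telemetry: powershell.exe has no reason to speak SMTP or IMAP, and the fixed intervals (mail every few minutes, an inbox poll every 5 seconds for the reverse shell) give it a timer-like cadence. The following is an added detection example, not code from the page or the tool; the record shape, timestamps and mail-client allow-list are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of Sysmon Event ID 3 (network connection)
# records, reduced to (utc, image, user, dst_host, dst_port). Not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OL = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
CH = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_CONNECTIONS = [
    ("2024-05-01T09:00:02", PS, "LAB\\jdoe", "smtp.gmail.com", 587),  # mail every 5 min
    ("2024-05-01T09:05:02", PS, "LAB\\jdoe", "smtp.gmail.com", 587),
    ("2024-05-01T09:10:03", PS, "LAB\\jdoe", "smtp.gmail.com", 587),
    ("2024-05-01T09:15:01", PS, "LAB\\jdoe", "smtp.gmail.com", 587),
    ("2024-05-01T09:00:00", PS, "LAB\\jdoe", "imap.gmail.com", 993),  # inbox poll every 5 s
    ("2024-05-01T09:00:05", PS, "LAB\\jdoe", "imap.gmail.com", 993),
    ("2024-05-01T09:00:10", PS, "LAB\\jdoe", "imap.gmail.com", 993),
    ("2024-05-01T09:01:00", OL, "LAB\\jdoe", "outlook.office365.com", 993),  # benign client
    ("2024-05-01T09:02:00", CH, "LAB\\jdoe", "mail.google.com", 443),  # webmail over 443
]

MAIL_PORTS = {25, 143, 465, 587, 993}
# Assumed allow-list of processes that legitimately speak SMTP/IMAP in this lab.
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

def find_mail_channels(conns, max_jitter=0.25):
    """Report every non-mail-client process that talks to a mail port, grouped by
    (process, user, destination); a low-jitter cadence is marked periodic."""
    groups = defaultdict(list)
    for utc, image, user, host, port in conns:
        exe = image.rsplit("\\", 1)[-1].lower()
        if port not in MAIL_PORTS or exe in ALLOWED_MAIL_CLIENTS:
            continue
        groups[(exe, user, host, port)].append(datetime.fromisoformat(utc))
    findings = []
    for (exe, user, host, port), times in sorted(groups.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps) if gaps else None
        # Coefficient of variation of the gap: close to 0 means a timer, not a human.
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else None
        findings.append({"image": exe, "user": user, "dst_host": host, "dst_port": port,
                         "count": len(times), "mean_gap_s": mean_gap,
                         "periodic": len(gaps) >= 2 and jitter is not None and jitter <= max_jitter})
    return findings

if __name__ == "__main__":
    for f in find_mail_channels(SAMPLE_CONNECTIONS):
        print(f)
```

Against a real export, feed it (timestamp, image, user, host, port) tuples taken from Sysmon Event 3 and populate the allow-list from the mail clients actually deployed in the environment.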

Morphisec has recently monitored a highly sophisticated Crypter-as-a-Service that delivers numerous RAT families onto target machines.

The Crypter is most commonly delivered through phishing emails, which lead to the download of a visual basic file. In some cases, however, the attack chain starts with a large install file, such as an Adobe installer, which bundles the next stage. 

This Crypter implements several advanced techniques to bypass detection, such as: 

  • Executing PowerShell code with the ‘remotesigned’ parameter
  • Validating the existence of Windows Sandbox and VMWare virtualization
  • Using Pastebin and top4top for staging
  • Compiling RunPE loaders on the endpoint in runtime

We have named the Crypter based on the common denominator username taken from the PDB indicator we found in an earlier variant.

The first stage of the attack chain is a VB Script that’s designed to load and then move the execution to the second-stage PowerShell script. We’ve identified four versions containing 11 sub-versions in this initial loader stage, with the main difference between the four being the second-stage PowerShell loading mechanism. The main difference between the 11 sub-versions is the type of obfuscation that each uses. 

An interesting and unique technique here is that the script executes the PowerShell script with a -RemoteSigned parameter along with the script as a command.
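A process-creation record (Sysmon Event 1, or Security 4688 with command-line logging enabled) is the natural place to catch this first stage: wscript.exe spawning powershell.exe, -ExecutionPolicy RemoteSigned paired with an inline -Command, and a pastebin.com or top4top URL in the command line. This is an added detection example, not Morphisec's or the crypter's code; the records are constructed and the command lines are illustrative placeholders.

```python
import re

# Constructed sample in the shape of Sysmon Event ID 1 / Security 4688 process
# creation records. Not real telemetry; the command lines are illustrative only.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    {"image": PS, "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -Command "
                "\"$s='https://pastebin.com/raw/CONSTRUCTED'; [rest truncated]\""},
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"image": PS, "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Vendor\agent.ps1"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "cmd.exe /c echo done"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
STAGING_HOSTS = ("pastebin.com", "top4top")  # the two staging services named in the report
INLINE_CMD = re.compile(r"\s-(?:c|com|command|e|ec|enc|encodedcommand)\b", re.I)
POLICY_ARG = re.compile(r"\s-(?:ep|exec|executionpolicy)\s+(\w+)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def assess(ev):
    """Return the reasons a process-creation record matches the loader pattern."""
    reasons = []
    if basename(ev["image"]) not in POWERSHELL:
        return reasons
    if basename(ev["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("PowerShell spawned by a script host (VBScript first stage)")
    # -ExecutionPolicy only governs script files. Text passed via -Command or
    # -EncodedCommand is never policy-checked, so RemoteSigned + -Command runs
    # anything while looking tamer than Bypass in the logs.
    pol = POLICY_ARG.search(ev["cmdline"])
    if pol and pol.group(1).lower() == "remotesigned" and INLINE_CMD.search(ev["cmdline"]):
        reasons.append("RemoteSigned policy combined with an inline -Command payload")
    for host in STAGING_HOSTS:
        if host in ev["cmdline"].lower():
            reasons.append(f"command line references staging host {host}")
    return reasons

def find_loader_launches(events):
    return [(ev["cmdline"], r) for ev in events if (r := assess(ev))]
```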

Powershell-RAT - Gmail Exfiltration RAT
This RAT will help you during red team engagements to backdoor any Windows machine. It tracks the user's activity using screen capture and sends the information to an attacker as an e-mail attachment.

It claims to not need Administrator access and is not currently detected by Anti-virus software.

How to setup Powershell-RAT Gmail Exfiltration RAT

  1. You need a throwaway Gmail email address
  2. Then enable “Allow less secure apps” by going to https://myaccount.google.com/lesssecureapps
  3. Modify the $username & $password variables for your account in the Mail.ps1 PowerShell file
  4. Modify $msg.From & $msg.To.Add with the throwaway Gmail address

How do I use the Powershell-RAT Gmail backdoor?

  • Press 1: This option sets the execution policy to unrestricted using Set-ExecutionPolicy Unrestricted. This is useful on an administrator machine
  • Press 2: This takes a screenshot of the current screen on the user machine using the Shoot.ps1 PowerShell script
  • Press 3: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesCore
  • Press 4: This option sends an email from the user machine using PowerShell. It uses the Mail.ps1 file to send the screenshot as an attachment to exfiltrate data
  • Press 5: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesUA
  • Press 6: This option deletes the screenshots from the user machine to remain stealthy
  • Press 7: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesDF
  • Press 8: This option performs all of the above with a single press of the 8 key. The attacker will receive an email every 5 minutes with screenshots as an email attachment. Screenshots will be deleted after 12 minutes
  • Press 9: Exit gracefully from the program, or press Control+C
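The three schtasks entries listed above are the persistence a defender should hunt for: PowerShell-RAT registers them as an ordinary user, with Microsoft-sounding names at the task root rather than under \Microsoft\, which is exactly what Autoruns or a Get-ScheduledTask export will surface. This is an added example, not the tool's own code: the task records below are constructed, and which script each task runs, its location and its flags are assumptions for the sample.

```python
import re

# Constructed sample of scheduled-task definitions, in the shape of an export from
# Get-ScheduledTask or Autoruns. The three task names are the ones the tool
# registers; which script each runs, its path and its arguments are assumptions.
PS = "powershell.exe"
RAT = r"-ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\jdoe\AppData\Roaming\{}"
SAMPLE_TASKS = [
    {"name": "MicrosoftAntiVirusCriticalUpdatesCore", "path": "\\", "author": "LAB\\jdoe",
     "run_as": "LAB\\jdoe", "execute": PS, "args": RAT.format("Shoot.ps1")},
    {"name": "MicrosoftAntiVirusCriticalUpdatesUA", "path": "\\", "author": "LAB\\jdoe",
     "run_as": "LAB\\jdoe", "execute": PS, "args": RAT.format("Mail.ps1")},
    {"name": "MicrosoftAntiVirusCriticalUpdatesDF", "path": "\\", "author": "LAB\\jdoe",
     "run_as": "LAB\\jdoe", "execute": PS, "args": RAT.format("Cleanup.ps1")},
    {"name": "Windows Defender Scheduled Scan", "path": "\\Microsoft\\Windows\\Windows Defender\\",
     "author": "Microsoft Corporation", "run_as": "SYSTEM",
     "execute": r"C:\Program Files\Windows Defender\MpCmdRun.exe", "args": "Scan -ScheduleJob"},
    {"name": "Nightly Inventory", "path": "\\IT\\", "author": "LAB\\svc_it", "run_as": "SYSTEM",
     "execute": PS, "args": r"-NoProfile -File C:\Scripts\inventory.ps1"},
]

KNOWN_RAT_TASKS = {"MicrosoftAntiVirusCriticalUpdatesCore", "MicrosoftAntiVirusCriticalUpdatesUA",
                   "MicrosoftAntiVirusCriticalUpdatesDF"}
EVASION_FLAGS = re.compile(r"-(?:ExecutionPolicy\s+(?:Bypass|Unrestricted)|WindowStyle\s+Hidden"
                           r"|w\s+hidden|nop\b|enc\b|EncodedCommand)", re.I)
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)

def assess_task(t):
    """Return the reasons a task definition looks like PowerShell-RAT style persistence."""
    reasons = []
    if t["name"] in KNOWN_RAT_TASKS:
        reasons.append("task name used by PowerShell-RAT")
    if t["path"] == "\\" and t["name"].lower().startswith("microsoft"):
        reasons.append("Microsoft-looking name at the task root instead of under \\Microsoft\\")
    if t["execute"].rsplit("\\", 1)[-1].lower() in ("powershell.exe", "pwsh.exe"):
        if EVASION_FLAGS.search(t["args"]):
            reasons.append("PowerShell started with policy-bypass or hidden-window flags")
        if USER_WRITABLE.search(t["args"]):
            reasons.append("script stored in a user-writable directory")
        if t["run_as"].upper() not in ("SYSTEM", "NT AUTHORITY\\SYSTEM") and t["author"] == t["run_as"]:
            reasons.append("registered by and running as an ordinary user (no admin needed)")
    return reasons

def suspicious_tasks(tasks, min_reasons=2):
    hits = []  # known RAT names always reported; otherwise require min_reasons hints
    for t in tasks:
        reasons = assess_task(t)
        if t["name"] in KNOWN_RAT_TASKS or len(reasons) >= min_reasons:
            hits.append((t["path"] + t["name"], reasons))
    return hits
```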
