Top Remote Access Trojans (RATs) 2026
The most active RATs and keyloggers ranked by sample volume.
AsyncRAT
rat ↑ Rising 57%An open-source .NET remote access trojan widely adopted by threat actors for its extensibility, ease of deployment, and active community development.
QuasarRAT
rat ↑ Rising 36%A lightweight open-source remote administration tool for Windows, widely repurposed by both cybercriminals and nation-state actors for persistent remote access.
Snake Keylogger
keylogger ↑ Rising 775%A .NET-based keylogger and credential stealer sold on underground forums, notable for its multiple data exfiltration channels and aggressive harvesting capabilities.
Cobalt Strike
rat ↑ Rising 94%Cobalt Strike is a commercial penetration testing and red teaming framework that has been widely adopted by threat actors for post-exploitation activities...
Remcos RAT
ratA commercial remote access tool frequently abused by threat actors for surveillance, credential theft, and persistent backdoor access.
What Are Remote Access Trojans?
Remote Access Trojans (RATs) give attackers persistent, hidden control over infected systems. Unlike infostealers that grab data and exit, RATs maintain a backdoor — enabling keylogging, screen capture, file exfiltration, and lateral movement across networks. They're the tool of choice for targeted attacks, APT campaigns, and ransomware pre-positioning.
Open-source RATs like AsyncRAT and QuasarRAT are widely used because they're free, customizable, and well-documented. Commercial RATs like Remcos offer polished C2 panels and are sold as "legitimate remote administration tools" — a thin legal veneer over their primary use in cybercrime.