Ramsay
MITRE
Malware Type:
Other
Other
First seen:
Unknown
Unknown
Last seen:
Unknown
Unknown
Details:
[Ramsay](https://attack.mitre.org/software/S0458) is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between [Ramsay](https://attack.mitre.org/software/S0458) and the [Darkhotel](https://attack.mitre.org/groups/G0012)-associated Retro malware.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)
Associated Techniques (39)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1005 | Data from Local System | - |
| T1014 | Rootkit | - |
| T1016 | System Network Configuration Discovery | - |
| T1025 | Data from Removable Media | - |
| T1027 | Obfuscated Files or Information | - |
| T1027.003 | Steganography | - |
| T1036 | Masquerading | - |
| T1036.005 | Match Legitimate Resource Name or Location | - |
| T1039 | Data from Network Shared Drive | - |
| T1046 | Network Service Discovery | - |
| T1049 | System Network Connections Discovery | - |
| T1053.005 | Scheduled Task | - |
| T1055.001 | Dynamic-link Library Injection | - |
| T1057 | Process Discovery | - |
| T1059.005 | Visual Basic | - |
Metadata
| ID: | 524 |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |