RTM (tracked in MITRE ATT&CK as G0048) is a technically capable, financially motivated cybercriminal group that has been operating since at least 2015. It targets businesses, especially in Russia and neighboring countries, by compromising the workstations of staff who use remote banking systems (RBS) and stealing money through those systems. Activity attributed to the group was still being reported as recently as September 19, 2025.
Origins and Geographic Focus

RTM's operations have centered on Russia, but its targeting extends to several neighboring countries and parts of Europe. The group has been documented attacking organizations in the Czech Republic, Germany, Kazakhstan, Ukraine, and Russia itself. This footprint is consistent with RTM's goal of reaching businesses that use remote banking software and diverting funds from their accounts.
Modus Operandi and Malware Utilized

RTM relies heavily on custom-built malware, written primarily in Delphi, designed to steal funds from compromised systems. Tools attributed to the group include the RTM Trojan, a banking trojan, and AtNow, a command-line scheduling utility.
AtNow is notable because it schedules a command to run within about 70 seconds of being invoked. Whatever its original purpose, that near-immediate execution makes it a convenient tool for an intruder: a payload or follow-on command can be launched promptly without relying on the normal cadence of the Windows task scheduler.
RTM’s attack approach typically involves infiltrating networks through simple backdoors to establish initial access. Once inside, the group moves methodically to gather intelligence on their targets, focusing largely on systems used by accounting and financial staff to maximize the chance of accessing sensitive monetary data.
Techniques and Tactics
RTM employs a broad range of tactics to gain entry, maintain persistence, evade defenses, and ultimately exfiltrate funds:
- Initial Access: The group frequently relies on drive-by compromise, delivering malware through exploit kits such as RIG and SUNDOWN and through online advertising platforms such as Yandex.Direct. Spearphishing with malicious attachments is another common vector.
- Execution: The group runs its code through the Windows command shell (including rundll32.exe) and through native Windows APIs. For example, it calls the WinINet URL cache functions FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA to enumerate browser history, and it uses Dynamic Data Exchange (DDE) to search open browser tabs for strings of interest.
- Persistence: RTM establishes long-term access by creating scheduled tasks whose names imitate Windows components (e.g., a task named "Windows Update") and by adding Registry run keys, including entries that auto-start a modified copy of TeamViewer. It has also used DLL search order hijacking to force legitimate software such as TeamViewer to load a malicious library.
- Privilege Escalation: Rather than exploiting a technical UAC bypass, RTM attempts to relaunch its program as administrator and shows the user a fake error message alongside the genuine User Account Control (UAC) prompt, so that the user approves the elevation.
- Defense Evasion: Encryption and obfuscation are used heavily to protect RTM's tools and data. Strings and modules are encrypted with a modified RC4 algorithm, and malware is packaged in ZIP, 7-ZIP, or RAR archives. The group also masquerades executables as PDFs and deletes traces of execution to cover its tracks. Some samples have been signed with code-signing certificates, which can reduce the scrutiny they receive from security controls and users.
- Discovery: RTM conducts extensive reconnaissance, gathering information about the victim’s system, including usernames, OS details, active processes, security software, and connected peripherals like smart card readers. They also detect sandbox and virtualization environments to avoid analysis.
- Collection: The group actively records keystrokes (including virtual keyboards), takes screenshots, monitors browsing activity, and collects clipboard data, thereby capturing a wealth of sensitive information.
- Command and Control: Communications with C2 servers are carried over HTTPS. RTM also uses a dead-drop resolver: the malware reads an RSS feed on Livejournal to retrieve an updated list of encrypted C2 server names, so taking down or blocking a single server does not cut the implant off from its operators. The group downloads additional tools over this channel as needed.
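The string encryption and the dead-drop resolver above fit together: the feed is readable by anyone, but the entries only make sense to an implant holding the key. The following is an added example, not code from RTM or from this page, showing how such a feed is resolved. Everything in it is constructed: the feed, the hostnames, and the key. The page describes RTM's cipher as a modified RC4 without stating the modification, so the example assumes textbook RC4.

```python
"""Added example (not RTM's code or the page's): recovering an encrypted
C2 list from a dead-drop RSS feed. All data is constructed. The page says
RTM uses a *modified* RC4 without describing the modification, so this
assumes textbook RC4 and an invented key."""
import xml.etree.ElementTree as ET


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR with the keystream both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


KEY = b"example-feed-key"  # assumption: an invented key, not one recovered from RTM


def build_feed(hosts) -> str:
    """Constructed RSS feed in the shape of a blog feed. Each C2 hostname is
    RC4-encrypted and hex-encoded into an item title; a decoy post is mixed in
    so the feed looks like ordinary blog content."""
    items = "".join(
        f"<item><title>{rc4(KEY, h.encode()).hex()}</title></item>" for h in hosts
    )
    decoy = "<item><title>weekend photos</title></item>"
    return (
        '<?xml version="1.0"?><rss version="2.0"><channel><title>notes</title>'
        + decoy + items + "</channel></rss>"
    )


def resolve_c2(feed_xml: str, key: bytes) -> list:
    """What the implant does: parse the feed, try each title as a hex-encoded
    ciphertext, keep those that decrypt to a printable hostname."""
    servers = []
    for title in ET.fromstring(feed_xml).iterfind("./channel/item/title"):
        try:
            plain = rc4(key, bytes.fromhex((title.text or "").strip())).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # decoy or malformed entry; ordinary post titles land here
        if plain.isprintable() and " " not in plain:
            servers.append(plain)
    return servers


if __name__ == "__main__":
    feed = build_feed(["c2-a.example", "c2-b.example"])
    print(resolve_c2(feed, KEY))
```

Two defensive observations follow from the code. A hostname never appears in the feed in plaintext, so URL or string reputation checks on the feed content find nothing; the useful signal is a non-browser process fetching a blog RSS feed and then connecting to hosts it has never resolved before. And because the implant re-reads the feed, blocking the C2 host seen today is not enough; the feed source itself has to be blocked or the key recovered from a sample.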
Conclusion
RTM poses a serious threat to businesses using remote banking systems, especially in Eastern Europe and Russia. It leverages custom malware and stealthy tactics to steal financial data. As their techniques evolve and expand, organizations must strengthen defenses through vigilant monitoring and advanced security tools.
Leading cybersecurity firms like Cyble provide AI-driven threat intelligence and automated response platforms that help detect, predict, and stop threats like RTM before they cause damage, empowering businesses to stay one step ahead of these cybercriminals.
Recommendations and Mitigation
- Strengthen Email Defenses and Training: Use advanced email filtering to block spearphishing and educate employees on spotting malicious attachments and social engineering attempts.
- Monitor Scheduled Tasks and Registry Changes: Regularly check for suspicious tasks or Registry entries, especially those disguised as system processes, to catch persistence techniques early.
- Deploy AI-Powered Endpoint Detection: Use AI-driven EDR solutions to identify obfuscated malware, unusual command-line executions (e.g., schtasks.exe and rundll32.exe invoked from user-writable paths), and DLL search order hijacking such as unexpected libraries loaded by TeamViewer.
- Enforce Strict Privilege Controls: Apply least privilege policies and educate users to recognize fake prompts aimed at privilege escalation.
- Leverage Threat Intelligence and Network Monitoring: Continuously monitor network traffic for unusual activity and integrate threat intelligence from platforms like Cyble to detect RTM’s tactics quickly.
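The scheduled-task, Run-key, and TeamViewer DLL-hijacking techniques described on this page leave distinct traces in endpoint telemetry. The block below is an added example, not Cyble's tooling or anything attributed to RTM, showing how a hunt over such telemetry can be written. The event records are constructed; their field names follow Sysmon conventions (EventID 1 process create, 7 image load, 13 registry value set). The masquerade name list, the user-writable path heuristic, and the specific file names are assumptions for illustration, not published indicators.

```python
"""Added example (not Cyble's or RTM's code): hunting the persistence
patterns described above in endpoint telemetry. Event dicts below are
constructed; their field names follow Sysmon conventions (EventID 1 =
process create, 7 = image load, 13 = registry value set). The masquerade
name list and path heuristics are assumptions, not published indicators."""
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
MASQUERADE = {"windows update", "windowsupdate", "microsoft update"}  # page cites a task named "Windows Update"
SIDELOAD_HOSTS = {"teamviewer.exe"}  # page: TeamViewer forced to load a malicious DLL


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _arg(cmdline: str, flag: str) -> str:
    """Return the value following `flag` (quoted or bare) in a schtasks command line."""
    m = re.search(rf'{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else ""


def check_run_key(ev):
    """Registry Run/RunOnce value set (T1547.001)."""
    m = RUN_KEY.search(ev.get("TargetObject", ""))
    if ev.get("EventID") != 13 or not m:
        return None
    value, target = m.group(2), ev.get("Details", "")
    reasons = []
    if value.lower() in MASQUERADE:
        reasons.append("value name imitates a Windows component")
    if USER_WRITABLE.match(target):
        reasons.append("autostart target lives in a user-writable path")
    if _basename(target) in SIDELOAD_HOSTS:
        reasons.append("autostarts a private copy of TeamViewer")
    return ("run_key_persistence", reasons) if reasons else None


def check_schtasks(ev):
    """schtasks.exe /create with a masquerading name or user-writable action (T1053.005)."""
    cl = ev.get("CommandLine", "")
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "schtasks.exe" or "/create" not in cl.lower():
        return None
    name, action = _arg(cl, "/tn"), _arg(cl, "/tr")
    reasons = []
    if name.lower() in MASQUERADE:
        reasons.append("task name imitates a Windows component")
    if USER_WRITABLE.match(action):
        reasons.append("task action lives in a user-writable path")
    return ("scheduled_task_persistence", reasons) if reasons else None


def check_sideload(ev):
    """A sideload host loading a DLL it should not (T1574.001)."""
    if ev.get("EventID") != 7 or _basename(ev.get("Image", "")) not in SIDELOAD_HOSTS:
        return None
    loaded = ev.get("ImageLoaded", "")
    reasons = []
    if USER_WRITABLE.match(ev.get("Image", "")):
        reasons.append("host binary runs from a user-writable path")
    if USER_WRITABLE.match(loaded):
        reasons.append("DLL loaded from a user-writable path")
    if str(ev.get("Signed", "true")).lower() == "false":
        reasons.append("loaded DLL is unsigned")
    return ("dll_sideload", reasons) if reasons else None


def hunt(events):
    """Run every check over the events; return one (rule, reasons) tuple per hit."""
    hits = []
    for ev in events:
        for check in (check_run_key, check_schtasks, check_sideload):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user hive
EVENTS = [  # constructed telemetry, malicious and benign interleaved
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": r"C:\Users\acct\AppData\Roaming\tv\TeamViewer.exe"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Windows Update" /tr "C:\Users\acct\AppData\Roaming\wu\update.exe" /sc minute /mo 10'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks.exe /query /fo LIST"},
    {"EventID": 7, "Image": r"C:\Users\acct\AppData\Roaming\tv\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\acct\AppData\Roaming\tv\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for rule, reasons in hunt(EVENTS):
        print(rule, "->", "; ".join(reasons))
```

Each check reports why it fired rather than a bare match, which is what an analyst needs when triaging: a Run key named "Windows Update" that launches a copy of TeamViewer from a user's roaming profile is three independent anomalies at once, while the legitimate SecurityHealth entry and the TeamViewer installation under Program Files loading a system DLL produce no hit. In production the same logic would run over real Sysmon or EDR events, and the name and path heuristics would be tuned to the environment's own software inventory.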
MITRE ATT&CK Techniques Associated with RTM

- Drive-by Compromise (T1189): RTM distributes malware via RIG and SUNDOWN exploit kits and Yandex.Direct ads.
- Spearphishing Attachment (T1566.001): Malware delivered through spearphishing email attachments.
- Windows Command Shell (T1059.003): Uses command line and rundll32.exe for execution.
- Native API (T1106): Uses the WinINet functions FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA to enumerate browser history.
- Malicious File (T1204.002): Lures victims to open malicious email attachments.
- Dynamic Data Exchange (T1559.002): Searches browser tabs for specific strings via DDE.
- Scheduled Task (T1053.005): Adds scheduled tasks to maintain persistence.
- Registry Run Keys / Startup Folder (T1547.001): Uses Registry run keys, including for modified TeamViewer software.
- DLL Search Order Hijacking (T1574.001): Hijacks DLL loading to force malicious DLLs to load via TeamViewer.
- Bypass User Account Control (T1548.002): Social engineering with fake error messages and UAC prompts escalating privileges.
- Keylogging (T1056.001): Records keystrokes from physical and virtual keyboards.
- Screen Capture (T1113): Takes screenshots.
- Clipboard Data (T1115): Collects clipboard contents.
- Automated Collection (T1119): Monitors browsing activity and auto-captures screenshots based on URLs.
- Web Protocols (T1071.001): Uses HTTPS to communicate with C2 servers.
- Dead Drop Resolver (T1102.001): Updates encrypted C2 server lists via RSS feeds on Livejournal.
- Ingress Tool Transfer (T1105): Downloads additional tools and files.