>samit_hota
Back to adversary profiles
G0048HighActive

RTM (G0048): A Financially Motivated Cybercriminal Evolution

Samit Hota·
Suspected Origin
Russia and Neighboring Countries
Motivation
Financial Gain
Aliases
None documented
Target Sectors
Financial Institutions, Remote Banking Systems, Transportation, General Business, Healthcare, Critical Infrastructure
Associated Malware
RTM Trojan, Redaman, TeamViewer (modified), Remote Utilities, RTM Locker, Quoter
#threat-actor#g0048

Overview

The RTM threat group (G0048) represents a persistent and evolving financially motivated cybercriminal entity that has been active since at least 2015. Their operations have historically concentrated on users of remote banking systems within Russia and its neighboring countries, indicating a strong regional focus for their initial criminal endeavors. While an explicit national attribution is rarely cemented for such groups, their consistent targeting within this geographical area suggests a likely origin from the region. The group’s motivation has remained steadfastly financial, driven by monetary theft, which distinguishes them from state-sponsored actors whose objectives might include espionage or sabotage.

Over the years, RTM has demonstrated an adaptive nature, evolving its toolkit and operational models to maximize illicit gains. What began with the deployment of a custom banking Trojan has expanded significantly to include sophisticated ransomware-as-a-service (RaaS) operations. This shift reflects a common trend among seasoned cybercriminal groups: diversifying their attack methods and monetization strategies to exploit a broader range of vulnerabilities and targets.

Tactics & Techniques

RTM employs a range of tactics, techniques, and procedures (TTPs) designed to gain initial access, maintain persistence, evade defenses, and ultimately achieve their financial objectives.

For initial access, spearphishing remains a primary vector. The group distributes malicious emails often containing archived Windows executable files disguised as legitimate documents, such as PDFs. They leverage social engineering to trick victims into opening these attachments and executing the embedded malware. In addition to direct phishing, RTM has been observed using exploit kits, specifically RIG and SUNDOWN, for distribution, alongside compromising online advertising networks like Yandex.Direct. More recently, for their RTM Locker ransomware operations, payloads have also spread via secondary infections following the exploitation of vulnerable public-facing applications or interfaces.

Once a foothold is established, RTM employs several techniques for persistence. They commonly modify registry run keys, sometimes under benign-sounding names like “Windows Update,” and also configure scheduled tasks to ensure their malware restarts across reboots.

Defense evasion is a critical part of their methodology. The RTM Trojan and its associated tools are designed with anti-analysis capabilities, including checks for virtualization and sandbox environments. The group has also utilized modified versions of legitimate remote access software like TeamViewer and Remote Utilities. These modified tools are often configured to not maintain logs, complicating forensic analysis. Furthermore, RTM malware can delete files and registry entries it creates during execution, attempting to clean up its tracks. Some RTM samples have also been signed with code-signing certificates, which can lend an air of legitimacy and bypass certain security measures. For privilege escalation, RTM has been known to attempt to run programs as an administrator, often displaying a fake error message coupled with a legitimate User Account Control (UAC) bypass prompt to socially engineer users into granting elevated permissions.

Command and control (C2) communications are typically encrypted using custom variants of algorithms like RC4. RTM has employed interesting C2 mechanisms, such as updating lists of encrypted C2 server names via RSS feeds hosted on platforms like Livejournal. In more advanced instances, they have hidden C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchains, demonstrating an understanding of obfuscation techniques using public ledgers. C2 connections are often initiated over HTTPS.

For discovery, the malware collects extensive system information, including computer name, operating system version, default language identifier, victim username and permissions, and local time zone. They specifically scan victim drives for banking software to identify high-value targets and gather information about installed security software to adapt their behavior.

Data collection is granular, involving keystroke logging (both physical and virtual keyboards), searching for specific strings within browser tabs using Dynamic Data Exchange, and monitoring browsing activity to capture screenshots when victims visit banking or financial sites. Clipboard data is also routinely collected. In their ransomware operations, data exfiltration often precedes encryption, with the group threatening to publish siphoned information if ransom demands are not met.

Notable Campaigns

RTM’s activity timeline traces back to late 2015 when researchers first became aware of their operations. Initially, their campaigns predominantly featured the RTM banking Trojan, targeting financial institutions and remote banking users in Russian-speaking regions. A significant campaign period was noted between September and December 2018, during which the group unleashed over 11,000 malicious emails, indicating a high volume of phishing activity.

A pivotal shift occurred in the group’s operational model around early 2023, when RTM expanded into ransomware-as-a-service (RaaS). This evolution saw the emergence of “RTM Locker”. This ransomware variant targets not only traditional Windows systems (Windows 10 and 11) but has also been observed in Linux binaries, extending its reach to Linux, NAS, and ESXi hosts. This multi-platform targeting demonstrates a broadened scope and increased threat capability, indicating RTM’s adaptability in the ransomware landscape. RTM Locker has shown similarities to the leaked source code of Babuk ransomware, incorporating robust encryption mechanisms like ECDH on Curve25519 and Chacha20.

In a report from March 2021, Kaspersky documented RTM’s attacks on transportation and finance companies, notably using not only their established banking Trojan but also a new ransomware variant known as “Quoter.” This signifies their earlier foray into ransomware before the more widespread RTM Locker operations, suggesting a phased expansion into this lucrative attack method.

Associated Malware & Tools

The RTM group primarily leveraged a custom banking Trojan, also known by the name “RTM.” This malware, written in Delphi, served as their core tool for financial fraud, particularly targeting remote banking systems. Newer iterations of this Trojan have been identified as “Redaman”.

Beyond their proprietary malware, RTM has integrated legitimate tools into their attack chain, often in modified forms. This includes using altered versions of remote desktop software like TeamViewer and Remote Utilities for remote access and control over compromised systems. They also have the capability to download additional modules, such as VNC, from their C2 infrastructure.

The most significant recent addition to their arsenal is “RTM Locker,” a ransomware variant that forms the basis of their RaaS operations. This ransomware is designed to encrypt files on victim systems and demand a ransom for decryption. RTM Locker’s ability to target Windows, Linux, NAS, and ESXi environments highlights its versatility and the group’s technical capacity to develop cross-platform threats. Prior to RTM Locker, the group was also associated with “Quoter” ransomware in 2021, showcasing a sustained interest in ransomware as a profit-generating mechanism.

Current Status

The RTM threat group remains an active and evolving cybercriminal entity. Their continuous activity since 2015, coupled with the observed expansion into ransomware-as-a-service operations in early 2023 with RTM Locker, confirms their ongoing and dynamic presence in the threat landscape. The ongoing development of RTM Locker, including the discovery of new Linux binaries in April 2023, underscores their commitment to expanding their capabilities and target base beyond Windows systems to include enterprise-critical platforms like ESXi and NAS.

Security vendors continue to track RTM’s activities, with analyses of RTM Locker ransomware emerging as recently as May 2023, describing it as a “silent data hijacker” that organizations cannot afford to ignore. The consistent updates and mentions across threat intelligence platforms and MITRE ATT&CK itself (with recent modifications to their group and software profiles in April 2025) suggest that RTM is not only active but also continually adapting its tactics and tools to maintain effectiveness. Organizations operating in their target regions and sectors should consider RTM an active and serious financial threat.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call