Sid 1-46970


MALWARE-CNC Win.Trojan.Autophyte RAT variant outbound connection


This event is generated when an infected internal machine accesses Autophyte's Command and Control servers outside the network.
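A SOC-side triage helper for this event, added here as an example and not part of the rule documentation: it assumes Snort's alert_fast line format, an RFC 1918 HOME_NET and constructed sample alerts (the rule revision number is a placeholder), and returns the internal hosts that fit the description above (internal source reaching a server outside the network), setting aside alerts that do not fit that direction for manual review.

```python
import re
from ipaddress import ip_address, ip_network
# Snort "alert_fast" line layout (assumption: the page shows neither the rule nor its alerts).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
AUTOPHYTE_GID, AUTOPHYTE_SID = 1, 46970          # from the page: Sid 1-46970
# Assumed HOME_NET (RFC 1918); adjust to the monitored network.
HOME_NET = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts, not real traffic; the revision "1" is a placeholder.
SAMPLE_ALERTS = """\
03/14-10:22:31.123456  [**] [1:46970:1] MALWARE-CNC Win.Trojan.Autophyte RAT variant outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49152 -> 203.0.113.10:443
03/14-10:23:05.000001  [**] [1:46970:1] MALWARE-CNC Win.Trojan.Autophyte RAT variant outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49153 -> 203.0.113.10:443
03/14-10:24:17.555555  [**] [1:46970:1] MALWARE-CNC Win.Trojan.Autophyte RAT variant outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.7.9:50001 -> 198.51.100.7:8080
03/14-10:25:00.000000  [**] [1:46970:1] MALWARE-CNC Win.Trojan.Autophyte RAT variant outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49160 -> 10.1.9.9:443
03/14-10:26:42.424242  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 10.1.2.3:49170
"""

def in_home_net(addr):
    return any(addr in net for net in HOME_NET)

def parse_alert(line):
    """Fields of one fast-alert line, or None when the line is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def triage_autophyte(text):
    """Group 1:46970 hits by internal source host, as {src: {"c2:port", ...}}.
    Alerts that are not HOME_NET -> outside (e.g. internal-to-internal) do not
    match the event description and are returned separately for manual review."""
    hits, review = {}, []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None or (int(a["gid"]), int(a["sid"])) != (AUTOPHYTE_GID, AUTOPHYTE_SID):
            continue  # not this rule (or not an alert line at all)
        src, dst = ip_address(a["src"]), ip_address(a["dst"])
        if in_home_net(src) and not in_home_net(dst):
            hits.setdefault(a["src"], set()).add(f'{a["dst"]}:{a["dport"]}')
        else:
            review.append(line)
    return hits, review

if __name__ == "__main__":
    hosts, odd = triage_autophyte(SAMPLE_ALERTS)
    for host, c2 in sorted(hosts.items()):
        print(f"isolate {host}: contacted {sorted(c2)}")
    print(f"{len(odd)} alert(s) need manual review")
```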


Impact

Trojan Activity.

Detailed information

Autophyte is a remote administration tool believed to be built and run by the Lazarus Group. It is used to collect victim data and potentially drop additional malware.

Affected systems

  • Windows 7, 8, 10

Ease of attack

False positives

None known.

False negatives

None known.

Corrective action

Please follow corporate mitigation procedures.


Contributors

  • Yaser Mansour

Additional References