The saw a dramatic increase in hackers leveraging legitimate, free bot APIs. By turning standard developer platforms (like Discord's Developer Portal) into covert C&C channels, malicious actors built "Ratty Bots."
By treating Discord API traffic with the same level of zero-trust scrutiny as any external server connection, security operations centers can successfully neutralize the stealth advantage that these bots rely on.
The most prominent 2021 activity involving Ratty RAT was a phishing campaign observed by Infoblox on August 18. In this attack, cybercriminals distributed the RAT via weaponized Java files attached to emails that were carefully designed to appear legitimate.
Users would create tasks, setting the URL of the product, size requirements, and billing profiles.
The most significant event attributed to Ratty Bot 2021 occurred on May 19, 2021, coinciding with the broader crypto market crash.
In this environment, threat actors found an ingenious new ally: the legitimate messaging platform Telegram. Cybercriminals began exploiting Telegram's public API (application programming interface) as a cheap and reliable command-and-control (C2) server. Instead of building their own infrastructure, they could simply create a Telegram bot to send commands to infected machines and receive stolen data, making their attacks harder to track and block.
The victim accidentally runs a compiled script (often built in Python or Go) containing the bot's unique API token.
This defensive analysis explores the architectural shift of 2021, how threat actors turn standard API bots into functional RATs, the operational dangers of these tools, and how enterprise network administrators can mitigate the threat.

The Architecture: How a Discord Bot Becomes a RAT
By late Q3 2021, exchange security teams noticed the "Rat Tail" pattern. The bot’s API calls were too consistent; while the IP addresses changed, the millisecond timing of the orders was mathematically identical.
How to safely for unauthorized API connections.
While "Ratty Bot" is most famous in the Dominion community, the phrase appeared in other niche circles during 2021:
These payloads are heavily engineered to extract local session tokens, browser cookies, autofill passwords, and cryptocurrency wallet configurations.
on TikTok. It features a specific choreographed dance trend often set to music by artists like Lil Cherry.

Original Context: The trend emerged around December 2021.

Key Elements
The legal proceedings resulted in a suspended sentence (probation). However, following violations or related legal enforcement, she was detained for approximately four months at the Seoul Eastern Detention Center in 2025.