Remove a RAT from your computer — and protect your crypto in the same hour.
A modern Remote Access Trojan reinstalls itself if you only "clean" the payload. Here is the only protocol that works in 2026: disconnect, triage, migrate crypto, wipe, harden. Free, no antivirus upsell.
Do this first — within 60 seconds
Physically disconnect the infected machine from the network. Pull the ethernet cable, flip the Wi-Fi hardware switch, or unplug the router. This stops further data exfiltration and ends the attacker's live session. Then walk to a clean device for every step below — do not type any password on the infected computer again.
The 6-step removal protocol
1. Disconnect: Pull ethernet, switch off Wi-Fi at the hardware level. Do not put the machine to sleep or shut down — disconnect the network first so the attacker can't trigger a wipe-on-shutdown.
2. Triage from a clean device: On a separate, known-clean device (a phone is fine): change your email password first, enable hardware-key or app-based 2FA, then sign out all sessions on every account that matters. Email is the keys to the kingdom — it goes first.
3. Move crypto now: Generate a brand-new wallet on the clean device (hardware wallet preferred). Move every asset off any seed phrase the infected device ever saw. Revoke approvals at revoke.cash for the old address. Assume the old seed is fully exposed.
4. Back up documents only: Boot the infected machine offline. Copy only documents, photos, videos to external storage. Do NOT copy executables, installers, browser profiles, AppData / Library folders, or 'just one' application.
5. Wipe and reinstall: Wipe the system drive. Reinstall the OS from official, freshly downloaded media (download on the clean device, write to USB). Do not restore from any backup made after the infection date.
6. Harden: Enable full-disk encryption (BitLocker / FileVault). Install software only from official app stores or signed installers. Switch on automatic OS updates. Use a password manager + hardware-key 2FA from now on.
Why "just run an antivirus scan" doesn't work in 2026
Modern RATs drop three to seven persistence mechanisms (Windows scheduled tasks, WMI event subscriptions, registry run keys, BITS jobs, signed-driver footholds, fileless PowerShell residues). A signature scanner that removes the obvious payload almost always leaves one persistence component intact, which re-downloads the RAT within hours. The only reliable cure is a clean OS reinstall on wiped storage — and the only reliable crypto cure is a brand new seed on a device that was never online during the infection window.
FAQ
What is a RAT (Remote Access Trojan)?
A RAT is malware that gives an attacker silent, persistent control of your device — keystrokes, screen, clipboard, microphone, camera, and stored files. Common 2026 families: AsyncRAT, Quasar, Remcos, NetWire, DarkComet, NjRAT, and crypto-targeted variants like MarsStealer, RedLine, and Lumma Stealer. They're delivered through pirated software, fake job offers, malicious DocuSign / Adobe attachments, and 'crypto trading bot' downloads on Discord and Telegram.
How do I know if my computer has a RAT?
Eight common signs: (1) the webcam light flickers when no app is using it, (2) the mouse moves on its own briefly, (3) unusual outbound network traffic at idle, (4) new scheduled tasks or startup entries you didn't create, (5) browser sessions logged in on devices you don't own, (6) password resets you didn't request, (7) clipboard contents (especially copied wallet addresses) being silently replaced, (8) crypto transactions you didn't sign. Any one of these warrants a full clean.
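Sign (7) is the one you can test for directly, because a clipboard-replacing component has to act locally. The following is an added example, not part of the original guide: it places a constructed, address-shaped string on the clipboard, re-reads the clipboard for a few seconds, and reports whether anything rewrote it. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (Set-Clipboard and Get-Clipboard are built in) and no clipboard manager of your own running; the marker string is made up for the test and is not a real wallet address.

```powershell
# Added example, not part of the guide: a read-only check for sign (7),
# silent clipboard replacement. Works offline; run it on the suspected machine.
function Test-ClipboardHijack {
    param(
        [int]$Seconds = 10,
        # Constructed 40-hex-character marker shaped like an EVM address. Not a real wallet.
        [string]$Marker = '0x' + ('a1b2c3d4' * 5)
    )
    Set-Clipboard -Value $Marker
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 250
        $observed = Get-Clipboard -Raw
        if ($observed -ne $Marker) {
            # Something rewrote the clipboard behind our back: record what it put there.
            return [pscustomobject]@{ Tampered = $true; Expected = $Marker; Observed = $observed }
        }
    }
    return [pscustomobject]@{ Tampered = $false; Expected = $Marker; Observed = $Marker }
}

$result = Test-ClipboardHijack
if ($result.Tampered) {
    Write-Warning "Clipboard was rewritten: '$($result.Expected)' -> '$($result.Observed)'"
} else {
    Write-Output 'No clipboard replacement observed in the sampling window (not proof of a clean machine).'
}
```

A positive result is strong evidence; a negative one proves little, since many clippers only act on addresses that match a specific coin's format or only fire when a wallet window is open. Either way the guide's answer stands: any one sign warrants the full clean.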
Will my antivirus catch a RAT?
Sometimes — but not reliably. Modern RATs use polymorphic packers, signed installers, and process hollowing to evade traditional signature scanners. Microsoft Defender, Malwarebytes, and ESET catch most commodity RATs after definitions update (usually 24–72 hours after release). Custom or freshly packed RATs evade everything until a sample has been analysed and detections ship for it. Treat AV as one layer, not the answer.
Can I just remove the RAT and keep using my system?
Not safely. A modern RAT typically drops three to seven persistence mechanisms (services, scheduled tasks, WMI subscriptions, registry run keys, BITS jobs, signed-driver footholds). Removing the visible payload usually leaves at least one dormant component that re-installs the malware within hours. The only reliable cure is a full OS reinstall from clean media after backing up only documents (no executables, no installers, no profile folders).
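The persistence list in this answer, and the same list in the "Why 'just run an antivirus scan' doesn't work" section above, is concrete enough to inventory. The script below is an added example written for this guide, not part of the original page or of any vendor tool: it is a read-only walk over the named locations (scheduled tasks, Run/RunOnce keys, startup folders, WMI event subscriptions, BITS jobs, services) so you can see what a payload-only cleanup would have left behind. It assumes Windows 10/11, an elevated PowerShell, and a machine that is already offline; it lists and changes nothing, and a short listing does not change the advice to reinstall.

```powershell
# Added example, not part of the guide: a read-only inventory of the persistence
# locations the guide names. It lists and changes nothing.
# Assumptions: Windows 10/11, elevated PowerShell, machine already offline.

Write-Output '== Scheduled tasks not registered under \Microsoft\ =='
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
    [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; State = $_.State; Author = $_.Author; Action = $actions }
} | Format-Table -AutoSize -Wrap

Write-Output '== Registry Run / RunOnce values (machine and current user) =='
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runEntries = foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    # Drop the PS* bookkeeping properties so only real value names remain.
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
}
$runEntries | Format-Table -AutoSize -Wrap

Write-Output '== Startup folders (current user and all users) =='
foreach ($f in 'Startup', 'CommonStartup') {
    Get-ChildItem -LiteralPath ([Environment]::GetFolderPath($f)) -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

Write-Output '== WMI event subscriptions in root\subscription =='
# A clean Windows normally carries only the built-in "SCM Event Log" filter, consumer and binding.
foreach ($cls in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace 'root\subscription' -ClassName $cls -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Class'; e = { $_.CimClass.CimClassName } }, Name, Query,
                      CommandLineTemplate, ScriptText, Filter, Consumer | Format-List
}

Write-Output '== BITS jobs for all users =='
Import-Module BitsTransfer -ErrorAction SilentlyContinue
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
    Select-Object DisplayName, JobState, OwnerAccount, TransferType, CreationTime | Format-Table -AutoSize

Write-Output '== Services whose binary lives outside \Windows\ =='
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
    Select-Object Name, StartMode, State, PathName | Format-Table -AutoSize -Wrap
```

Expect legitimate entries in every section (vendor updaters, printer services, your own tools); the value is in comparing the listing against what you knowingly installed, and in keeping a copy of the output on the clean device as a record of what the infected build looked like before the wipe. The script deliberately does not remove anything: per the answer above, removal by hand is exactly the approach that leaves the dormant component behind.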
If my wallet was on the infected machine, is my crypto compromised?
Assume yes. RATs routinely exfiltrate wallet files (wallet.dat, keystore JSON, browser-extension state) and capture seed phrases via keylogger or screen-capture. If you ever typed, pasted, or displayed a seed phrase on the infected device, that seed is exposed. Move every asset to a brand-new wallet generated on a clean device — ideally a hardware wallet you set up after the reinstall.
Where do RAT infections usually come from?
Top 2026 vectors: cracked / pirated software (Adobe, Office, Autodesk), fake 'trading bot' or 'arbitrage tool' downloads pushed on Telegram and Discord, malicious .lnk and .iso attachments in spoofed DocuSign / Adobe Sign emails, fake job-interview 'coding challenges' (Lazarus Group is famous for this), and trojanised npm / PyPI packages. If you installed anything outside an official app store in the last 90 days, that's the place to look first.
