RATatouille: Cooking Up Chaos in the I2P Kitchen
ID: f6ff5b33-6998-52be-8ac4-dfca90e9b973
STIX ID: report--f6ff5b33-6998-52be-8ac4-dfca90e9b973
Feed Name: Sekoia.io Blog
This FLINT report analyzes I2PRAT, a sophisticated multi-stage Remote Access Trojan observed in the ClickFix campaign (Nov 2024–Jan 2025). The report details the loader's privilege checks and escalation (RPC abuse, SeDebug and parent PID spoofing), anti-debugging and string obfuscation, dynamic API resolution, encrypted TCP/I2P C2 communication, installation artifacts (dropped DLLs, service persistence), and provides IOCs and detection rules for network, registry and file-based telemetry.
