How to get rid of Overlord RAT?

What kind of malware is Overlord?

Overlord is a Remote Access Trojan (RAT) written in the Go programming language. It targets both Windows and macOS systems, with first detections recorded in South Korea. On macOS, Overlord can establish a persistent connection to an attacker-controlled server, capture keyboard and mouse input, and attempt to hijack browsers. If Overlord is detected on a device, it should be removed as soon as possible.

Overlord RAT overview

Overlord is compiled as a macOS Apple Silicon (arm64) binary using Go 1.25.6. Its source code is publicly available on GitHub under an open-source license, with hundreds of commits and active ongoing development. This means its macOS capabilities could expand significantly in the near future.

Once installed on a Mac, Overlord connects to a command-and-control (C2) server and waits for instructions from the operator. The malware also sets up persistence, allowing it to continue running automatically after each system restart. Keyboard and mouse input is captured and forwarded through an internal channel, giving the attacker visibility into what the user is doing.

Overlord's capabilities on macOS

Overlord supports a set of C2 commands for remotely managing the infected device. The "hvnc_start" command is designed to launch a hidden desktop session and stream its contents to the attacker. The "hvnc_start_chrome_injected" and "hvnc_start_browser_injected" commands target Chrome and other browsers, attempting to force-relaunch them with malicious modifications. The "hvnc_lookup" command resolves executable file paths on the victim's system.

On macOS, the hidden virtual desktop and DLL injection features are currently stubs. They are present in the code but not fully functional, returning "HVNC not supported on this platform" when triggered. Process injection into a hidden desktop session and DLL payload extraction are also Windows-only at this time.

That said, persistence and input event capture work on both platforms. These features alone allow an attacker to monitor what the user types and clicks, which can be used for credential theft and surveillance. Browser-related injection commands are included in the macOS build, though their effectiveness on macOS is more limited than on Windows.

Conclusion

Overlord is a Go-based RAT that can give attackers persistent remote access to infected Macs. Even in its current macOS form, where several advanced features remain as stubs, it captures input events and maintains a live C2 connection.

Victims are at risk of credential theft, browser hijacking, and surveillance. As the project is under active development, its macOS capabilities may grow over time. If Overlord is detected on a device, it should be removed immediately.

More examples of malware targeting macOS are GolangGhost, notnullOSX, and NovaStealer.

How did Overlord infiltrate my computer?

The exact methods used to distribute Overlord are not fully confirmed. First detections were recorded in South Korea, and it is not certain whether the malware has been deployed against real victims or is still in a testing and development phase.

Generally, RATs and similar malware reach victims through phishing emails and social engineering tactics. Malicious programs are typically disguised as legitimate software or bundled with pirated content. In many cases, simply opening an infected file or installer is enough to trigger the infection.

Other common distribution methods include drive-by downloads, fake software installers from third-party sites, peer-to-peer sharing platforms, software cracks, and malicious links sent through email or messaging apps. Some RATs can also spread through local networks or removable storage devices once a foothold is established on one machine.

How to avoid malware?

Be cautious with unexpected emails, links, or attachments, especially from unknown senders. Download software only from official sources such as the Mac App Store or an official developer's website. Avoid pirated programs, key generators, and cracked applications, as these commonly carry hidden malware.

Keep macOS and all installed applications up to date, and be careful with pop-ups, browser notifications, and ads from unfamiliar websites. Use a reputable security tool and perform regular scans. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate all threats.

Overlord RAT promoted on GitHub:

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Quick menu:

• What is Overlord?
• Remove Overlord related files and folders from OSX.

Unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Frequently Asked Questions (FAQ)

My computer is infected with Overlord malware, should I format my storage device to get rid of it?

Formatting will fully remove Overlord, but it will also delete all data stored on the device. Before taking such a drastic step, it is generally better to first attempt removal using a trusted security tool like Combo Cleaner.

What are the biggest issues that Overlord malware can cause?

Overlord can give an attacker persistent remote access to an infected Mac, including the ability to capture keystrokes and attempt browser hijacking. This can result in stolen credentials, account hijacking, identity theft, and in more serious cases, full system compromise.

What is the purpose of Overlord malware?

The purpose of Overlord is to give attackers remote control over infected devices. It is designed to maintain a persistent C2 connection, capture keyboard and mouse input, and attempt browser hijacking, enabling ongoing surveillance and credential theft.

How did Overlord malware infiltrate my computer?

Malware is mainly distributed via trojans, drive-by downloads, phishing emails, malicious attachments, pirated software, cracking tools, and fake updates. Some programs can also spread through local networks or removable storage devices.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and remove most known threats. However, advanced malware may hide deep within the system, so running a full scan is always recommended to ensure complete removal.