A remote access trojan (RAT) is a type of trojan malware hidden inside seemingly harmless software that, once installed, gives an adversary remote control over a victim's device, letting them run commands, steal files, or activate a webcam or microphone (AP Cybersecurity EK 4.1.B.2).
A remote access trojan (RAT) is a specific flavor of trojan. A trojan is malware embedded in software that looks safe, like a free photo editor or an email attachment. Once you run it, the malware does its real job in the background. What makes a RAT different from a plain trojan is the payoff: it opens a remote door so an adversary can control your device from somewhere else (EK 4.1.B.2).
Think of it as the attacker installing their own remote desktop on your machine without you knowing. Through that connection they can issue commands, steal or destroy data, turn on your webcam or microphone, and quietly watch what you do (EK 4.1.C.1). The RAT itself is the foothold; it's usually one step in a larger plan, not the whole attack. That "remote control" capability is exactly what separates a RAT from malware that just deletes files or spreads on its own.
RATs live in Unit 4: Securing Devices, specifically topic 4.1 Device Vulnerabilities and Attacks. They directly support learning objective AP Cybersecurity 4.1.B (identifying the type of malware used in an attack), and they connect straight to AP Cybersecurity 4.1.C because remote control of a device is one of the headline ways an adversary exploits a vulnerability. They also feed into AP Cybersecurity 4.1.D, where you assess risk: a RAT on a server holding sensitive data is a far higher risk than one on a spare laptop. Knowing the RAT by name, and being able to explain what it lets an attacker actually do, is the core skill the exam wants here.
Keep studying AP Cybersecurity Unit 4
Visual cheatsheet
view galleryTrojans (Unit 4)
A RAT is a trojan, just a more dangerous one. Both arrive disguised as harmless software you choose to open. The plain trojan might drop any payload; the RAT's payload specifically hands the attacker remote control.
Command and Control / C2 (Unit 4)
Once a RAT is installed, it has to phone home. That ongoing connection back to the attacker's server is command and control (C2). The RAT is the foothold; C2 is the channel the attacker uses to send instructions through it.
Keylogger (Unit 4)
A keylogger records what you type. RATs often bundle keylogging as one of their capabilities, so you can think of a keylogger as one tool an attacker reaches for once a RAT gives them access to the machine.
Anti-malware (Unit 4)
Anti-malware software is the defense that detects and removes RATs. Connecting the attack (RAT) to the control that stops it is exactly the attack-and-defense thinking 4.1.D rewards.
Expect this term in multiple-choice questions that hand you a scenario and ask you to name the malware. The classic stem describes a user downloading a legitimate-looking app (a photo editor, an email attachment) that secretly grants an adversary remote access and command execution over the system. Your job is to recognize the two clues that point to RAT: it was disguised as safe software (that's the trojan part) and it gives the attacker remote control (that's the RAT part). On the free-response side, you may be asked to explain how a device vulnerability leads to loss or damage, where a RAT is a strong example because it can steal data, destroy data, or hijack a webcam.
A worm spreads on its own from computer to computer with no human action. A RAT is a trojan, so it needs a user to run the disguised file, and its goal is remote control rather than automatic spreading. If the question says 'no user interaction,' it's a worm; if it says 'disguised software grants remote control,' it's a RAT.
A remote access trojan (RAT) is a trojan whose payload gives an adversary remote control of the victim's device.
Because it's a trojan, a RAT requires a user to run disguised software; it doesn't spread on its own like a worm.
Once active, a RAT can run commands, steal or destroy files, and turn on a webcam or microphone, which aligns with EK 4.1.C.1.
A RAT is usually a foothold in a larger attack, often paired with command and control (C2) to receive instructions.
Risk depends on the device: a RAT on a critical server holding sensitive data is a high risk under 4.1.D.
It's a trojan, malware hidden inside seemingly harmless software, that once installed gives an adversary remote control over your device. The College Board defines RATs under EK 4.1.B.2 as trojans that 'provide' remote access to an attacker.
No. Every RAT is a trojan, but not every trojan is a RAT. A trojan is any malware disguised as safe software; a RAT is the subtype whose specific purpose is to hand the attacker remote control of the device.
A worm spreads from computer to computer with no human interaction, while a RAT needs a user to open or run a disguised file. The worm's goal is to spread; the RAT's goal is to give an attacker remote control.
They can issue their own commands, steal or destroy data, enable or disable services, and even turn on a webcam or microphone to watch the user, all examples of exploitation described in EK 4.1.C.1.
Look for two clues: the malware arrived disguised as a legitimate app or attachment, and it gives the adversary remote access or command execution over the system. Those two details together point to a remote access trojan.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.