Florida Child Pornography Charges and Remote Access Trojans: Wrongful Conviction?

July 8, 2025 Don Pumphrey, Jr. Criminal Defense, Sex Crimes Social Share

In Florida, possession and distribution of child pornography is an extremely serious felony. Possession of child pornography is classified as a third-degree felony in Florida, punishable by up to 5 years in prison and a $5,000 fine. If someone is charged with aggravated possession (depending on the material recovered), this is a second-degree felony, punishable by up to 15 years in prison and a $10,000 fine.

When someone is accused of possessing child sexual abuse material (CSAM), also known as child pornography, the State must prove the following beyond a reasonable doubt to secure a conviction:

• The defendant knowingly and intentionally possessed, controlled or viewed a photograph, video or digital file that includes sexual conduct by a child
• The defendant knew or should have known the content involved a minor

In cases involving child pornography charges, it is critical to remember that nothing on the internet (or someone’s device) is truly secure. Some of the clearest evidence of this fact is the existence of Remote Access Trojans (RATs), a form of malware. Malware refers to any software designed to cause damage to a computer system, network, or user data, or to gain unauthorized access to systems. 

RATs are a form of malware that can be remotely installed and used by another person to control a device and plant illegal material on that device – all without the knowledge of the device’s primary user. This blog will provide an overview of RATs and their relevance in the context of CSAM criminal cases in Florida.

The vast majority of CSAM cases proceed on a theory of constructive possession.

To prove that someone constructively possessed CSAM, the State must prove all of the following beyond a reasonable doubt:

• The defendant had knowledge of the contraband (CSAM)
• The defendant had the ability to exercise control or dominion over the contraband
• The defendant had knowledge of the illegal nature of the contraband 

If this cannot be proven with circumstantial evidence and no evidence of actual possession is introduced, someone cannot be convicted of possessing contraband (including CSAM) under Florida law. Nugent v. State, 275 So.3d 721 (Fla 2d. DCA 2019). 

Allowing the State to proceed on a theory of constructive (indirect) possession in CSAM cases makes it easier to convict someone of illegally possessing such material. However, it also makes it easier for an attacker to frame someone for CSAM possession. This is because malware, such as Remote Access Trojans (RATs), can place CSAM on a user’s device without them knowing it’s there.

Since the dawn of the digital age, RATs have been a powerful and dangerous tool in the hands of cybercriminals.

RATs are a form of malware that are often used for the following purposes:

• Conducting surveillance of the activities on a particular device or set of devices
• Data theft (using a RAT to access the device remotely and obtain sensitive data from it)
• System hijacking (compromising a device and allowing it to be controlled by the person who infected that device with the RAT)

But RATs can be used in even more nefarious ways. As previously noted, RATs may be used to plant illegal child sexual abuse material (CSAM) on a device without the device’s user ever seeking this out and without the user’s knowledge that the files are ever there. This makes it possible to frame someone for possession of child pornography, potentially leading to a wrongful conviction.

At its core, a RAT is a type of malware allowing an attacker to remotely control a target system (such as a phone or computer).

Once installed, a RAT can do any of the following:

• Monitor and log keystrokes from a device’s user
• Activate webcams and microphones
• Steal passwords and sensitive files
• Download or upload files, including CSAM, to various locations on a device
• Install or delete programs, which may include illegal content

Like some other forms of malware, RATs are very difficult to detect. Often, they operate as fileless malware – which is nearly impossible to identify in standard forensic imaging. The result is that police and prosecutors may think illegal CSAM was knowingly and intentionally installed on a device by its user – even when it was actually a RAT.

There are various common RATs that are known for their abuse potential. These include:

• Blackshades RAT: One of the most infamous RATs, Blackshades is widely sold on hacker forums to be used in “takedown” operations (compromising target devices). Blackshades RAT has the capability to log keystrokes, remotely upload or download files and access webcams – all without a user’s knowledge. Blackshades may be used to install illegal files on a victim’s device and erase evidence of delivery, making it undetectable via basic forensic imaging. 
• DarkComet: A RAT that is widely available and used by hackers of all levels of experience, DarkComet enables its user to browse files, download or upload content, and conduct full system surveillance of a target device. DarkComet can be used to deliver CSAM to a device and auto-hide CSAM in its folders, including a device’s cache, which is generally inaccessible to most users.  
• njRAT: Also known as “Bladabindi,” njRAT is a popular RAT for Middle Eastern cyber espionage and general cybercrime. This RAT can easily be scripted to deliver and auto-hide CSAM in cache folders on a device, as it has full file system access.
• QuasarRAT: Common in advanced persistent threat hacking, QuasarRAT is especially dangerous because in addition to installing illegal files (such as CSAM), it can simulate user behavior to create the illusion that content was knowingly accessed. 
• LuminosityLink: Marketed to non-technical buyers and requiring minimal skill, LuminosityLink installs silently – most often in the form of what the user believes to be a software update or a game. It is capable of altering file timestamps and metadata, making it difficult to prove the file was not accessed by the user. 
• Remcos RAT: Marketed as legal software, Remcos is widely used in illegal hacking campaigns. It runs on “stealth mode” and is particularly prominent on Microsoft devices, as it appears to be a legitimate Windows service. However, it can be used to remotely install images and videos on the device.

If a RAT is used to plant CSAM on a device in Florida, this will typically occur in the following manner:

1. The victim clicks a phishing email, installs what appears to be a normal program, clicks a bad link or inserts an infected USB drive.
2. The RAT is deployed and establishes a hidden remote session.
3. After this session begins, the attacker (person or group that introduced the RAT) sends CSAM to a victim’s device. This could either be done directly or embedded inside other files, or in obscure folders (including a device’s cache).
4. Depending on the RAT, the attacker can alter or delete logs and file locations to eliminate any trace of a RAT being behind the download of the images. 
5. In some cases, attackers may ensure files appear recently accessed or opened so that basic forensic imaging frames the victim (as the image or video appears to have been viewed but there is no sign of RATs).

In sum, possession of child sexual abuse material (CSAM) is a very serious felony offense in Florida. An exhibit found may be charged as a second-degree (aggravated) or third-degree felony depending on the facts of the case. This is punishable by 15 and 5 years in prison per exhibit, respectively. 

Due to the presence of Remote Access Trojans (RATs), someone may be falsely accused of possessing CSAM because it is present on their device. Malware like RATs can be used to create a trail of phony circumstantial evidence that a user knowingly and intentionally accessed CSAM on the device, when this was actually done by an attacker using a RAT. 

Various defenses are available if someone is arrested and charged with alleged CSAM possession. These defenses may include:

• Lack of knowledge or intent to view the content (files in cache, thumbnails, and lack of user interaction)
• Shared devices or IP attribution issues (no clear link between user activity and file download)
• Malware or remote access (including the use of RATs)
• Challenging hash matches or metadata
• Illegal searches and seizures
• Daubert challenges to digital forensic evidence

If someone is arrested and charged in a case involving possession or distribution of child pornography, it is critical to find experienced and trusted legal representation as soon as possible. This decision could make the difference in whether or not someone faces a lengthy prison term and hefty fines.

Criminal Defense Attorney in Tallahassee, FL

Don Pumphrey, Jr. is a Former Prosecutor, Former State Police Officer, Lifetime Member of the Florida Association of Criminal Defense Lawyers; for over 25 years as a private defense attorney who is Trusted, Experienced, Aggressive in Criminal Defense as a Trial Attorney, Criminal Lawyer, Criminal Defense Lawyer for the accused in Florida State Courts located in Tallahassee, Florida but handling cases throughout the State of Florida.

Don Pumphrey, Jr. and the Tallahassee criminal defense lawyers at Pumphrey Law have decades of experience fighting drug charges on behalf of clients and winning. Call Pumphrey Law now at (850) 681-7777 to learn more about what we can do for you. Our lawyers will be happy to provide you with a free consultation.

  Social Share