Techniques are disclosed for detecting malicious remote-administration tool (RAT) software by detecting reverse-connection communication activity. Communications are monitored over one or more persistent connections, such as TCP (Transmission Control Protocol) connections. Each monitored connection is between an initiator device and a follower device, and the initiator device is identified as the device that sent an initial packet to the follower device in order to open the connection. The disclosed techniques detect reverse-connection activity on the connection by detecting that communications over the connection are actually driven by the follower device, indicating that a malicious RAT is using the connection.