Threat actors are distributing trojanized gaming utilities through browsers and chat platforms to deploy a multi-purpose Java-based RAT that exfiltrates data and maintains persistence on compromised systems.
According to the Microsoft Threat Intelligence team, a malicious downloader stages a portable Java runtime on the host and then executes a Java archive (JAR) named jd-gui.jar, a name borrowed from the legitimate JD-GUI decompiler so the file looks benign. The attack chain relies on PowerShell and living-off-the-land binaries (LOLBins) such as cmstp.exe, a Microsoft-signed Connection Manager profile installer that can be abused to run attacker-supplied code, which lets the execution blend in with normal signed-binary activity.

The malware employs several evasion techniques, including deleting the initial downloader and configuring Microsoft Defender exclusions for RAT components. Persistence is achieved through a scheduled task and Windows startup script named "world.vbs" before the final payload is deployed.
Once launched, the malware connects to an external command-and-control server at 79.110.49[.]15, enabling data exfiltration and deployment of additional payloads. Microsoft describes it as a "multi-purpose malware" that functions as a loader, runner, downloader, and RAT.
To respond to this threat, defenders should first isolate affected endpoints, then audit Microsoft Defender exclusions and scheduled tasks for entries the RAT added, remove the malicious tasks and the startup script, block or monitor traffic to the command-and-control address above, and reset credentials for every user who was active on a compromised host, since a RAT with exfiltration capabilities can harvest them.
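The triage steps above, as an added PowerShell script for a suspect host. This is not code from Microsoft's report; it only uses the indicators the article gives (world.vbs, jd-gui.jar, 79.110.49.15, cmstp.exe). The pattern matches used to flag exclusions and tasks, the -Remediate switch, and the event-log lookup are this script's own assumptions. It is read-only unless -Remediate is passed, and it should be run in an elevated session.

```powershell
<#
  Added triage script (not from Microsoft's report). Indicators come from the article;
  the match patterns, -Remediate switch and 4688 lookup are this script's assumptions.
  Run elevated. Read-only unless -Remediate is given.
#>
param([switch]$Remediate)

$Indicators = @('world.vbs', 'jd-gui.jar')   # filenames named in the article
$C2Address  = '79.110.49.15'                 # C2 address from the article (defanged there)

# 1. Defender exclusions. A RAT that excludes its own components leaves them here.
$pref = Get-MpPreference
Write-Host '== Defender exclusions (all) =='
$pref.ExclusionPath      | ForEach-Object { Write-Host "  Path:      $_" }
$pref.ExclusionProcess   | ForEach-Object { Write-Host "  Process:   $_" }
$pref.ExclusionExtension | ForEach-Object { Write-Host "  Extension: $_" }
# Flag only exclusions that look like RAT staging: Java, JAR/VBS, or user-writable dirs (assumption).
$suspectExclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object {
    $_ -and ($_ -match '\.(jar|vbs)$|java(w)?\.exe|\\Temp\\|\\AppData\\|\\ProgramData\\')
})
$suspectExclusions | ForEach-Object { Write-Host "Suspect exclusion: $_" }

# 2. Scheduled tasks whose action runs a JAR/VBS, a Java runtime, or a named indicator.
$suspectTasks = @(Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $cmd = "$($_.Execute) $($_.Arguments)"
        ($cmd -match '\.(jar|vbs)\b|java(w)?\.exe') -or
        ($Indicators | Where-Object { $cmd -like "*$_*" })
    }
})
foreach ($t in $suspectTasks) {
    $acts = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Write-Host "Suspect task: $($t.TaskPath)$($t.TaskName) -> $acts"
}

# 3. Startup folders: the all-users folder plus every profile's per-user folder.
$startupDirs = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp') +
    @(Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
      ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
$startupHits = @(Get-ChildItem -Path $startupDirs -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -in '.vbs','.jar','.js','.bat','.cmd','.ps1') -or ($Indicators -contains $_.Name) })
$startupHits | ForEach-Object { Write-Host "Startup item: $($_.FullName)" }

# 4. Live connections to the C2 address and the process that owns them.
foreach ($c in @(Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue)) {
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "C2 connection: pid $($c.OwningProcess) ($($p.ProcessName)) -> $($c.RemoteAddress):$($c.RemotePort) [$($c.State)]"
}

# 5. cmstp.exe process creations (assumes process-creation auditing, Security event 4688, is enabled).
$cmstp = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'cmstp\.exe' }
foreach ($e in $cmstp) { Write-Host "cmstp.exe launch at $($e.TimeCreated) (event 4688)" }

# 6. Remediation touches only what was flagged above. Isolate the host before running this,
#    and reset the credentials of every user active on it afterwards, since the RAT exfiltrates data.
if ($Remediate) {
    foreach ($t in $suspectTasks) {
        Unregister-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -Confirm:$false
    }
    foreach ($f in $startupHits) { Remove-Item -LiteralPath $f.FullName -Force }
    foreach ($x in $suspectExclusions) {
        Remove-MpPreference -ExclusionPath    $x -ErrorAction SilentlyContinue
        Remove-MpPreference -ExclusionProcess $x -ErrorAction SilentlyContinue
    }
}
```

Review the printed findings before re-running with -Remediate: the exclusion and task filters are heuristics, and a legitimate Java application or an administrator-created exclusion in a user-writable directory will trip them. Blocking the C2 address at the perimeter is a separate step this host-side script does not perform.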
This disclosure comes alongside BlackFog's report on Steaelite, a new Windows RAT malware family first advertised on criminal forums in November 2025 as a "best Windows RAT" with "fully undetectable" (FUD) capabilities. Compatible with both Windows 10 and 11, Steaelite bundles data theft and ransomware into a single web panel.

The Steaelite panel includes developer tools for keylogging, client-to-victim chat, file searching, USB spreading, wallpaper modification, UAC bypass, and clipper functionality. It can remove competing malware, disable Microsoft Defender, configure exclusions, and install persistence methods.
Steaelite's main capabilities include remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password theft, installed program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation.
"The tool gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard," said security researcher Wendy McCague.
In recent weeks, threat hunters have discovered two additional RAT families: DesckVB RAT and KazakRAT. According to Ctrl Alt Intel, KazakRAT is suspected to be the work of a state-affiliated cluster targeting Kazakh and Afghan entities as part of a persistent campaign ongoing since at least August 2022.
These developments highlight the evolving sophistication of remote access trojans, which now combine multiple attack capabilities into unified platforms, making them more dangerous and harder to detect than traditional malware variants.
