Cybersecurity experts have uncovered a disturbing trend where malicious actors are exploiting gaming utilities to propagate a sophisticated remote access trojan (RAT). This campaign involves trojanized gaming tools distributed through browsers and chat applications, aiming to compromise user security.
Methods of Distribution and Execution
According to a report by the Microsoft Threat Intelligence team, attackers employ a deceptive downloader that sets up a portable Java runtime environment and executes a harmful Java archive (JAR) file named jd-gui.jar. The downloader uses PowerShell scripts and living-off-the-land binaries (LOLBins) such as cmstp.exe to carry out its operations while evading detection.
The attackers further obfuscate their activities by removing initial download traces and configuring Microsoft Defender exclusions for the RAT’s components. Persistence is maintained through scheduled tasks and a Windows startup script named “world.vbs,” ensuring the RAT remains active until the final payload is delivered to the compromised system.
Threat Analysis and Defense Strategies
Once installed, the RAT establishes a connection with an external command-and-control server at “79.110.49[.]15,” enabling the exfiltration of sensitive data and the download of additional malicious payloads. To counter this threat, users should audit Microsoft Defender exclusions and scheduled tasks, eliminate malicious scripts, isolate impacted endpoints, and reset credentials for affected users.
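The triage steps listed above (auditing Defender exclusions and scheduled tasks, finding the startup script, spotting traffic to the C2 address), together with the persistence and LOLBin behaviour described under "Methods of Distribution and Execution", can be turned into a single host-side check. The script below is an added example written for this page; it is not taken from the Microsoft Threat Intelligence report or from any Microsoft tooling. It assumes a Windows 10/11 host with Microsoft Defender and PowerShell 5.1 or later, run from an elevated prompt so every scheduled task is visible. The indicator strings (jd-gui.jar, world.vbs, cmstp.exe, 79.110.49.15) come from the article; the function names and the choice of which binaries count as suspicious are this example's own.

```powershell
# Added example, not from the Microsoft report: triage a Windows host for the
# artifacts the article describes. Run elevated; Defender and the ScheduledTasks
# and NetTCPIP modules are assumed to be present.

# Indicators named in the article
$IndicatorNames  = @('jd-gui.jar', 'world.vbs')
# Binaries the campaign leans on; java/javaw run the JAR, wscript/cscript run
# the VBS, cmstp.exe is the LOLBin. powershell.exe is left out on purpose
# because it would flag far too many legitimate tasks.
$SuspectBinaries = @('java.exe', 'javaw.exe', 'cmstp.exe', 'wscript.exe', 'cscript.exe')
$C2Address       = '79.110.49.15'   # written as 79.110.49[.]15 in the article

function Test-Indicator {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $false }
    foreach ($n in ($IndicatorNames + $SuspectBinaries)) {
        if ($Text -like "*$n*") { return $true }
    }
    return $false
}

# 1. Defender exclusions. The campaign adds exclusions for the RAT's own
#    components, so every exclusion is listed and the ones matching the
#    indicators are marked; anything else still needs an owner who can explain it.
function Get-DefenderExclusionReport {
    $pref  = Get-MpPreference
    $items = @()
    foreach ($p in @($pref.ExclusionPath))      { $items += [pscustomobject]@{ Type = 'Path';      Value = $p } }
    foreach ($p in @($pref.ExclusionProcess))   { $items += [pscustomobject]@{ Type = 'Process';   Value = $p } }
    foreach ($p in @($pref.ExclusionExtension)) { $items += [pscustomobject]@{ Type = 'Extension'; Value = $p } }
    foreach ($i in $items) {
        $i | Add-Member -NotePropertyName Flagged -NotePropertyValue (Test-Indicator $i.Value) -PassThru
    }
}

# 2. Scheduled tasks whose action launches Java, a JAR, a VBS host or cmstp.exe
function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in @($task.Actions)) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if (Test-Indicator $cmd) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Command  = $cmd.Trim()
                }
            }
        }
    }
}

# 3. Per-user and all-users Startup folders: world.vbs, or any script at all
function Get-StartupFolderReport {
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -File -Force | ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Flagged = ($_.Name -in $IndicatorNames) -or
                          ($_.Extension -in '.vbs', '.js', '.ps1', '.bat', '.cmd')
            }
        }
    }
}

# 4. Live TCP connections to the C2 address, with the owning process id
function Get-C2Connections {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $C2Address } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

Write-Host '== Defender exclusions ==';      Get-DefenderExclusionReport   | Format-Table -AutoSize
Write-Host '== Suspicious scheduled tasks ==';Get-SuspiciousScheduledTasks  | Format-Table -AutoSize
Write-Host '== Startup folder contents ==';  Get-StartupFolderReport       | Format-Table -AutoSize
Write-Host '== Connections to C2 ==';        Get-C2Connections             | Format-Table -AutoSize
```

The script reports and flags; it deliberately removes nothing, because the decision to delete a task or exclusion belongs to the responder who has seen the full list. Two caveats when reading the output: jd-gui.jar is also the filename of the legitimate JD-GUI Java decompiler, so a match on the name alone is a lead rather than a verdict, and an empty C2 table only shows that no connection is open at the moment the script runs, not that the host never reached that address.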
Further complicating the cybersecurity landscape, BlackFog has revealed a new Windows RAT malware family known as Steaelite, which emerged on the dark web in November 2025. Marketed as a “fully undetectable” tool, Steaelite integrates data theft and ransomware functionalities into a single interface, with an Android ransomware module under development.
Advanced Capabilities of Emerging RATs
Steaelite offers a comprehensive suite of features, including remote code execution, file management, live surveillance, and credential theft. It enables operators to control compromised Windows machines via a web-based dashboard, facilitating a range of malicious activities from file exfiltration to ransomware deployment.
Security researchers have also identified two additional RAT families, DesckVB RAT and KazakRAT, which allow extensive remote manipulation of infected hosts. Notably, KazakRAT is believed to be linked to a state-sponsored group targeting entities in Kazakhstan and Afghanistan, highlighting the global scale and political dimensions of these cyber threats.
With the rise of these sophisticated RATs, organizations must remain vigilant and invest in robust cybersecurity measures to protect their digital assets from evolving threats.
