The cybersecurity landscape in 2026 faces a significant challenge with the emergence of STX RAT, a new remote access trojan. This malicious software combines concealed remote desktop capabilities and credential-stealing features to infiltrate and compromise target systems discreetly.
Understanding the Mechanics of STX RAT
Named after the Start of Text (STX) magic byte x02, which it appends to all messages sent to its command-and-control (C2) server, STX RAT showcases the meticulous design behind its operations. Initially detected in late February 2026, the malware was discovered in a financial sector organization. Attackers attempted to introduce it via a browser-downloaded VBScript file.
This VBScript initiated a chain reaction, dropping a JScript file that acquired a TAR archive and called upon a PowerShell loader to execute the final payload in memory. By March, Malwarebytes had identified an additional campaign distributing STX RAT through compromised FileZilla installers, indicating the operators were utilizing multiple delivery methods concurrently.
Technical Sophistication and Evasion Techniques
Research conducted by eSentire’s Threat Response Unit (TRU) revealed STX RAT’s technical complexity. The malware employs extensive anti-analysis strategies, such as artifact checks for VirtualBox, VMware, and QEMU environments. Upon detecting these, it executes a “jitter exit,” pausing randomly before terminating, which complicates automated sandbox analysis.
In addition to virtual machine detection, STX RAT leverages an AMSI-ghosting technique to subvert security tools by patching a core Windows RPC function. The malware remains invisible in the Alt+Tab switcher and Taskbar. Once activated, it communicates with a C2 server, transmitting critical system details including hostname, OS version, and antivirus status.
Exploiting Hidden Remote Desktop Features
The most concerning aspect of STX RAT is its Hidden Virtual Network Computing (HVNC) module, enabling attackers to control a victim’s computer without detection. Unlike traditional remote desktop software, HVNC operates a separate session in the background, ensuring all malicious activities are unseen by the user.
Through commands like start_hvnc, key_press, and mouse_input, attackers can interact with the hidden session to execute various tasks. This architecture, combined with the credential-stealing module, allows attackers to maintain a persistent presence on compromised systems.
Security teams are advised to block the known C2 IP address 95.216.51.236 and associated Tor onion address to mitigate this threat. Deploying YARA detection rules from eSentire’s TRU and disabling unnecessary VBScript and JScript can reduce the attack surface. Continuous monitoring for suspicious activities is essential to detect and prevent early infections.
