Infiltrated Gaming Tools: How Java-Based RATs Spread Through Browsers and Chat Apps

Trojanized Gaming Utilities Used to Distribute Remote Access Trojan (RAT)

Recently, threat actors have been employing a sneaky tactic to infiltrate users’ systems by distributing trojanized gaming utilities through web browsers and chat platforms. These malicious utilities are designed to deliver a remote access trojan (RAT) onto unsuspecting victims’ devices.

The Microsoft Threat Intelligence team revealed that a malicious downloader utilized a portable Java runtime to execute a malicious Java archive (JAR) file named jd-gui.jar. This downloader cleverly employed PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe to execute the attack stealthily.

To avoid detection, the attack chain deletes the initial downloader and configures Microsoft Defender exclusions for the RAT components. Persistence is established through a scheduled task and a Windows startup script named “world.vbs” before the final payload is deployed on the compromised host. According to Microsoft, the malware is a versatile threat acting as a loader, runner, downloader, and RAT.

Upon execution, the malware establishes a connection with an external server at “79.110.49[.]15” for command-and-control communications, enabling data exfiltration and the deployment of additional payloads.

Defending Against the Threat

To safeguard against such threats, users are advised to audit Microsoft Defender exclusions and scheduled tasks, remove any malicious tasks and startup scripts, isolate affected endpoints, and reset credentials for users active on compromised hosts.
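The following PowerShell triage script is an added example, not code from the article or from Microsoft; it walks the checks above on a single suspect host, looking for the artifacts the article names (Defender exclusions, a scheduled task or startup script referencing jd-gui.jar or world.vbs, connections to the reported C2 address, and a portable Java runtime launching a JAR). It assumes it is run as Administrator on Windows 10/11 with Microsoft Defender installed; the file names and address are taken from the article, the matching logic is the author's own.

```powershell
# Added triage example (not from the article): surface the persistence and
# evasion artifacts described above so an analyst can review and remove them.
# Assumes: elevated PowerShell on Windows 10/11 with Microsoft Defender.

$SuspectNames = @('jd-gui.jar', 'world.vbs')               # artifacts named in the article
$C2Address    = '79.110.49[.]15' -replace '\[\.\]', '.'     # re-fang the defanged C2 address

Write-Host '== Microsoft Defender exclusions (review each; the RAT adds its own) =='
$pref = Get-MpPreference
@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
    Where-Object { $_ } | ForEach-Object { "  $_" }

Write-Host '== Scheduled tasks whose action references a suspect artifact =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        foreach ($name in $SuspectNames) {
            if ($cmd -like "*$name*") {
                [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
            }
        }
    }
} | Format-Table -AutoSize

Write-Host '== Scripts in the per-user and all-users Startup folders =='
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.vbs', '.js', '.bat', '.cmd', '.ps1', '.lnk' } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

Write-Host "== Live TCP connections to the reported C2 address $C2Address =="
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemotePort, State, OwningProcess | Format-Table -AutoSize

Write-Host '== Running Java processes (a portable JRE launching a JAR is the reported vector) =='
Get-CimInstance Win32_Process -Filter "Name = 'java.exe' OR Name = 'javaw.exe'" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine | Format-List
```

Findings should be confirmed before removal (a legitimate developer may have jd-gui on the host); once confirmed, remove the exclusion with Remove-MpPreference and the task with Unregister-ScheduledTask, then proceed to isolation and credential resets as the article advises.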

Introduction of Steaelite RAT Malware

BlackFog recently disclosed details about a new Windows RAT malware family known as Steaelite. Initially advertised on criminal forums in November 2025, this malware is promoted as the “best Windows RAT” with “fully undetectable” (FUD) capabilities, compatible with Windows 10 and 11.


Steaelite differentiates itself from other RATs by combining data theft and ransomware functionalities into a single web panel. Additionally, it includes an Android ransomware module and various developer tools for keylogging, client-to-victim chat, file searching, USB spreading, wallpaper modification, UAC bypass, and clipper functionality.

Notable features of Steaelite RAT include removing competing malware, disabling Microsoft Defender, configuring exclusions, and implementing persistence methods.

Capabilities of Steaelite RAT

Steaelite RAT offers a wide range of capabilities, including remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password theft, installed program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation.

Security researcher Wendy McCague highlighted that the tool grants operators browser-based control over infected Windows machines, enabling various malicious actions such as remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a centralized dashboard.

Discovery of New RAT Families

Recent findings by threat hunters unveiled two new RAT families known as DesckVB RAT and KazakRAT. These RATs allow comprehensive remote control over infected hosts and selective deployment of capabilities post-compromise. According to Ctrl Alt Intel, KazakRAT is suspected to be operated by a state-affiliated cluster and targets Kazakh and Afghan entities in a persistent campaign ongoing since at least August 2022.
