STX RAT
STX RAT is a remote access trojan first documented in 2026, tracked by eSentire TRU and named for the Start of Text (STX, 0x02) byte prefixed to its C2 messages. It has broad infostealer capability and supports hidden virtual desktop/HVNC-style remote control, follow-on payload execution, command execution, tunneling, screenshot capture, clipboard capture, and collection of host, user, process, OS, and security-product information. Reported theft targets include browser credentials and cookies or session tokens, Windows Vault data, FTP client credentials, and cryptocurrency wallet data.
Observed delivery vectors include browser-downloaded VBScript/JScript and PowerShell loader chains, trojanized installers, fake software download sites, and software supply-chain or watering-hole activity. Multiple 2026 campaigns delivered STX RAT through DLL sideloading with a malicious CRYPTBASE.dll placed beside legitimate signed executables such as CPUID CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor, powerMAX, FileZilla-related lures, cryptocurrency trading software, Steam-themed lures, and X-VPN. In the CPUID incident, attackers reportedly compromised a secondary API and redirected official download links to attacker-controlled Cloudflare R2 buckets; more than 150 victims were reported, including individuals and organizations in retail, manufacturing, consulting, telecommunications, agriculture, and a targeted financial services environment.
The malware is consistently described as multi-stage and heavily obfuscated, using XXTEA decryption, zlib decompression, reflective loading, API hashing, PEB walking, and in-memory execution to reduce disk artifacts and evade file-based detection. Anti-analysis behavior includes debugger and sandbox checks, virtualization checks for environments such as QEMU, VirtualBox, and VMware, and termination when analysis is suspected. Persistence mechanisms reported across analyses include HKCU Run or registry autoruns, scheduled tasks, COM/TypeLib hijacking, PowerShell autorun, and MSBuild project execution.
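The XXTEA-then-zlib unpack step described above (and quoted further down this page as decryptPayloadXXTEA followed by zlibDecompress) can be reproduced offline once the key and word layout are recovered from a sample. The block below is an added example written for this page, not code from eSentire or from the malware. It assumes standard XXTEA (Corrected Block TEA, delta 0x9E3779B9) over little-endian 32-bit words with a 16-byte key, zero padding to a 4-byte boundary, and a raw zlib stream underneath; the reporting confirms none of those specifics for STX RAT. The names pack_stage, unpack_stage and looks_like_pe, the key, and the PE-shaped sample buffer are all constructed for the example.

```python
"""XXTEA-decrypt then zlib-decompress a packed stage (added example, assumptions noted)."""
import struct
import zlib

DELTA = 0x9E3779B9   # standard XXTEA constant; the real sample's value must be confirmed
MASK = 0xFFFFFFFF


def _mx(total, y, z, p, e, k):
    # XXTEA mixing function; Python ints are unbounded, so callers mask the result to 32 bits.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z)))


def _to_words(data: bytes):
    if len(data) % 4 or len(data) < 8:
        raise ValueError("XXTEA input must be a multiple of 4 bytes and at least 2 words")
    return list(struct.unpack("<%dI" % (len(data) // 4), data))   # assumption: little-endian words


def _key_words(key: bytes):
    if len(key) != 16:
        raise ValueError("XXTEA key must be 16 bytes")
    return struct.unpack("<4I", key)


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    """Reference XXTEA encryption; used here only to build a test blob offline."""
    v, k = _to_words(data), _key_words(key)
    n = len(v)
    rounds = 6 + 52 // n
    total, z = 0, v[n - 1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(total, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return struct.pack("<%dI" % n, *v)


def xxtea_decrypt(data: bytes, key: bytes) -> bytes:
    """Reference XXTEA decryption (the decryptPayloadXXTEA step)."""
    v, k = _to_words(data), _key_words(key)
    n = len(v)
    rounds = 6 + 52 // n
    total, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(total, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(total, y, z, 0, e, k)) & MASK
        y = v[0]
        total = (total - DELTA) & MASK
    return struct.pack("<%dI" % n, *v)


def pack_stage(payload: bytes, key: bytes) -> bytes:
    """Build a blob the way the glue expects it: zlib-compress, zero-pad to 4 bytes, XXTEA-encrypt."""
    comp = zlib.compress(payload, 9)
    comp += b"\x00" * max(-len(comp) % 4, 8 - len(comp))
    return xxtea_encrypt(comp, key)


def unpack_stage(blob: bytes, key: bytes) -> bytes:
    """decryptPayloadXXTEA followed by zlibDecompress; zero padding after the stream is tolerated."""
    plain = xxtea_decrypt(blob, key)
    d = zlib.decompressobj()
    out = d.decompress(plain) + d.flush()
    if d.unused_data.strip(b"\x00"):
        raise ValueError("unexpected trailing bytes after zlib stream")
    return out


def looks_like_pe(data: bytes) -> bool:
    """Triage check on the unpacked stage: DOS magic and an e_lfanew that lands on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_stage() -> bytes:
    """Constructed, minimal PE-shaped buffer (headers only, not a runnable executable)."""
    hdr = bytearray(0x84)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * 200 + b"constructed next-stage body\n" * 8


if __name__ == "__main__":
    key = b"0123456789abcdef"                     # constructed key, not from any sample
    blob = pack_stage(build_sample_stage(), key)
    stage = unpack_stage(blob, key)
    print(len(blob), "->", len(stage), "bytes; PE header:", looks_like_pe(stage))
```

When this is pointed at a real blob, the key bytes and the word endianness are the first things to verify: with a wrong key the zlib header check fails almost immediately, so unpack_stage lets zlib.error propagate rather than returning garbage.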
C2 communications have been reported over HTTPS, DNS-over-HTTPS-assisted infrastructure, and a custom encrypted protocol. Public reporting ties campaigns to supp0v3[.]com infrastructure, including welcome.supp0v3[.]com/d/callback and helloworld.supp0v3[.]com, while eSentire also documented C2 at 95.216.51.236 with an associated Tor onion service. Reported protocol details include JSON-based host registration and, in deeper analysis, X25519 ECDH key agreement with ChaCha20-Poly1305 for message encryption, Ed25519 signature verification, and HKDF-SHA256 key derivation. The high-confidence campaign artifacts across public reporting are the malicious CRYPTBASE.dll sideloading, Cloudflare R2-hosted trojanized packages, and infrastructure centered on supp0v3[.]com. Public reporting links STX RAT activity to earlier fake FileZilla campaigns and assesses the operator as more likely an e-crime or initial-access-broker cluster than a credibly identified named APT or ransomware group.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The same IP was used for earlier .url shortcut exploits (CVE-2023-36025 SmartScreen bypass) targeting LibreOffice and Google Drive downloads, sharing VBS payloads via WebDAV.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
A poisoned “watering hole” CPUID ... the CPUID website redirected to malicious download from April 9, 15:00 UTC to April 10, 10:00 UTC.
Attackers breached the website CPUID and replaced download links for CPU-Z and HWMonitor with malicious files for several hours.
A threat actor spent one month building a trojanized software supply chain aimed at a specific type of victim: crypto traders and investors.
Execution
7 techniques
Indicators of persistence: Uses Software\Microsoft\Windows\CurrentVersion\Run (nRun), scheduled tasks (Unregister-ScheduledTask)
Indicators of execution: PowerShell with -WindowStyle Hidden -ExecutionPolicy Bypass
The malicious DLL extracts obfuscated data from its .rdata section, allocates executable memory using VirtualAlloc, and passes execution through several decryption stages before reaching the final payload.
Indicators of persistence: Uses Software\Microsoft\Windows\CurrentVersion\Run (nRun), scheduled tasks (Unregister-ScheduledTask), and MSBuild for LotL execution (CommonBuild.proj).
By bundling a malicious CRYPTBASE.dll in a repackaged installer and distributing it through the amos-trading Bitbucket repository, the actor caused the malicious DLL to load whenever a victim ran the trojanized bundle.
Persistence
2 techniques
Privilege Escalation
3 techniques
Indicators of persistence: Uses Software\Microsoft\Windows\CurrentVersion\Run (nRun), scheduled tasks (Unregister-ScheduledTask)
Flag 0x04 (line 178) copies secondaryPayload into RWX memory and executes it as shellcode in a worker thread.
Stealth
14 techniques
The actor caused the malicious DLL to load whenever a victim ran the trojanized bundle... On load, CRYPTBASE.dll initiates the multi-stage unpack chain.
Lines 17-18 resolve kernel32.dll... via GetModuleHandleByHash, then resolve VirtualProtect... via GetProcAddressByHash... Line 21 resolves WaitForSingleObject...
Defense Evasion T1027.009 Obfuscated Files or Information: Embedded Payloads
The bundle contains the same malicious CRYPTBASE.dll alongside legitimate X-VPN and WireGuard client components.
The Steam package is notable: on inspection, it contained a renamed MetaTrader 5 installer, suggesting the actor was using the Steam brand to reach a broader population of non-crypto users who would not recognize the MetaTrader 5 name.
Flag 0x04 (line 178) copies secondaryPayload into RWX memory and executes it as shellcode in a worker thread.
Indicators of persistence: Uses Software\Microsoft\Windows\CurrentVersion\Run (nRun), scheduled tasks (Unregister-ScheduledTask), and MSBuild for LotL execution (CommonBuild.proj).
This is the main glue which encapsulates decryption, decompression and then launches the next stage payload. Line 12 calls decryptPayloadXXTEA on the encryptedBlob... Line 14 calls zlibDecompress, decompressing the encryptedBlob into payloadBuffer.
Indicators hinting at anti-analysis: Checks for QEMU, VirtualBox (vboxservice.exe), and inspects BIOS/processor strings via registry to detect VMs and sandboxes. Also checks BeingDebugged in the PEB.
Line 159 calls hideWindow which hides the RAT’s window using SW_HIDE and WS_EX_TOOLWINDOW... Flag 0x02 (line 174) hides the RAT’s window from the taskbar.
Around April 9 to 10, CPUID’s side API was reportedly hijacked so official CPU-Z, HWMonitor, and PerfMonitor links pointed to attacker-controlled Cloudflare R2 buckets, while the signed binaries themselves remained legitimate.
These files contain a legitimate signed executable for the corresponding product and a malicious DLL which is named CRYPTBASE.dll to leverage the DLL Sideloading technique.
STX RAT is a remote access trojan with active infostealer capabilities, first documented in 2026. It loads entirely in memory via reflective injection, leaving no file artifacts on disk after the initial sideloaded DLL executes.
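The sideloading, execution and persistence indicators quoted in this section (CRYPTBASE.dll loaded beside a signed host binary, hidden PowerShell with -ExecutionPolicy Bypass, the nRun Run-key value, and MSBuild running CommonBuild.proj) map directly onto Sysmon telemetry. The block below is an added example for this page, not a vendor rule set and not taken from the source reports: it runs four hypothetical rules over constructed Sysmon-style events (IDs 1, 7 and 13). The directory lists, the PowerShell switch regexes and the sample events are assumptions chosen for illustration.

```python
"""Behavioural checks for STX RAT delivery and persistence over Sysmon-style events
(added example; rules, path lists and sample events are constructed, not a vendor rule set)."""
import re

# Directories that should be the only source of cryptbase.dll on a default install (assumption).
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Roots an unprivileged user can write to; payloads staged here are the interesting ones.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

HIDDEN_PS = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)       # common abbreviations
BYPASS_PS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)


def _norm(path: str) -> str:
    return path.replace("/", "\\").strip('"').lower()


def _under(path: str, roots) -> bool:
    return any(_norm(path).startswith(r) for r in roots)


def rule_cryptbase_sideload(ev):
    """Sysmon ID 7 (image load): cryptbase.dll loaded from anywhere but the system directories."""
    if ev.get("EventID") != 7:
        return None
    loaded = _norm(ev["ImageLoaded"])
    if not loaded.endswith("\\cryptbase.dll") or _under(loaded, SYSTEM_DLL_DIRS):
        return None
    return f"cryptbase.dll sideloaded into {ev['Image']} from {ev['ImageLoaded']}"


def rule_hidden_powershell(ev):
    """Sysmon ID 1 (process create): PowerShell launched hidden with the execution policy bypassed."""
    if ev.get("EventID") != 1 or not _norm(ev["Image"]).endswith("\\powershell.exe"):
        return None
    cl = ev.get("CommandLine", "")
    if HIDDEN_PS.search(cl) and BYPASS_PS.search(cl):
        return f"hidden PowerShell with ExecutionPolicy Bypass: {cl}"
    return None


def rule_msbuild_user_proj(ev):
    """Sysmon ID 1: MSBuild.exe building a .proj that lives in a user-writable location."""
    if ev.get("EventID") != 1 or not _norm(ev["Image"]).endswith("\\msbuild.exe"):
        return None
    m = re.search(r'"?([^"\s]+\.proj)"?', ev.get("CommandLine", ""), re.I)
    if m and _under(m.group(1), USER_WRITABLE):
        return f"MSBuild project from user-writable path: {m.group(1)}"
    return None


def rule_run_key_script(ev):
    """Sysmon ID 13 (registry value set): Run-key value pointing at a script host or user-path binary."""
    if ev.get("EventID") != 13 or RUN_KEY not in _norm(ev["TargetObject"]):
        return None
    details = _norm(ev.get("Details", ""))
    if "powershell" in details or any(r in details for r in USER_WRITABLE):
        return f"suspicious Run value {ev['TargetObject']} -> {ev['Details']}"
    return None


RULES = (rule_cryptbase_sideload, rule_hidden_powershell, rule_msbuild_user_proj, rule_run_key_script)


def scan(events):
    """Return (event index, rule name, message) for every rule that fires on each event."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((i, rule.__name__, msg))
    return hits


# Constructed sample telemetry; paths, user name and SID are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\cpu-z_2.09\\cpuz_x64.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\cpu-z_2.09\\CRYPTBASE.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",                       # benign system load
     "ImageLoaded": "C:\\Windows\\System32\\cryptbase.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-File C:\\Users\\alice\\AppData\\Roaming\\update.ps1"},
    {"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "CommandLine": "MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\CommonBuild.proj"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\nRun",
     "Details": "powershell.exe -w hidden -ep bypass -f C:\\Users\\alice\\AppData\\Roaming\\update.ps1"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},        # benign admin use
]

if __name__ == "__main__":
    for i, name, msg in scan(SAMPLE_EVENTS):
        print(f"[{i}] {name}: {msg}")
```

The sideload rule keys on location, not name: cryptbase.dll is a legitimate Windows DLL, so the only reliable signal is a copy loaded from outside the system directories, which is also why a hash-only hunt misses new builds. Run-key writes are noisy on their own, so that rule only fires when the value's command references a script host or a user-writable path; pair all four with the family's published hashes and infrastructure for confirmation.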
Credential Access
1 technique
Verifying in CAPA, we see that it does appear to contain logic for credential theft... There remains significant depth to explore... capability modules such as HVNC and credential theft.
Discovery
4 techniques
It silently captures screenshots, collects hostname, username, and OS details...
Indicators hinting at anti-analysis: Checks for QEMU, VirtualBox (vboxservice.exe), and inspects BIOS/processor strings via registry to detect VMs and sandboxes. Also checks BeingDebugged in the PEB.
It also enumerates installed security products including antivirus and EDR solutions such as Avast, Bitdefender, SentinelOne, and CarbonBlack.
Collection
1 technique
Once the RAT is active on a machine, attackers gain the ability to monitor and capture the victim’s screen... It silently captures screenshots...
Command and Control
5 techniques
There remains significant depth to explore in the final payload, particularly the C2 session manager, the network protocol implementation (which eSentire documents as X25519 ECDH + ChaCha20-Poly1305)
C2 over HTTPS. All outbound traffic uses standard web protocols, blending with normal browsing activity and avoiding port-based detection.
The trojanized packages carried a malicious CRYPTBASE.dll, which sideloaded a reflective loader and then STX RAT, with persistence and DoH-based C2.
Flag 0x40 (line 198) loads a DLL from secondaryPayload, resolves a known export by trying three obfuscated names, and runs it in a worker thread.
Users who downloaded them got infected with the STX RAT, giving attackers remote access to their systems.
Exfiltration
1 technique
Line 161 calls exfiltrateCollectedData which packages data from the populated globals with a decoded keyword and sends it to the C2 server.
IOCs tracked for this family
148 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An in-memory remote access trojan with infostealer capabilities. It is delivered via malicious CRYPTBASE.dll sideloading, uses reflective injection, provides remote command execution, steals browser credentials and session tokens, collects system/process/clipboard data, and communicates with C2 over HTTPS.
STX RAT is a remote access trojan delivered via DLL sideloading using a trojanized HWMonitor package. It is loaded through a multi-stage reflective in-memory chain and is used for long-term surveillance and data theft, including screenshot capture, system information collection, security product enumeration, persistence, and HTTPS-based C2 communications using JSON messages.
Remote access trojan delivered via trojanized trusted software installers using DLL sideloading and a reflective loader; provides persistence and communicates over DNS-over-HTTPS C2. The reporting frames it primarily as an access-layer tool likely used by an initial-access broker for resale-ready footholds.
STX RAT is a multi-stage remote access trojan delivered through layered XXTEA decryption and zlib decompression. The final payload includes anti-analysis checks, reflective loading, encrypted configuration parsing, C2 communications, persistence mechanisms, credential theft, shellcode and DLL execution, and data exfiltration capabilities.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.