Millenium RAT


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Y2K Operators

A remote access trojan known as Millenium RAT has been quietly spreading across the globe... The most significant change in version 4 is its full rewrite from .NET into native C++.

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

21 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 1)

The operators take known RATs and exploit builders, silently embed a backdoor, and redistribute the tampered files.

Execution

3 techniques
T1059.001 PowerShell (evidence: 1)

In one campaign, victims received a shortcut disguised as a PDF, which triggered PowerShell silently and fetched a decoy document alongside the RAT payload, opening the document in the foreground as cover.

T1204 User Execution (evidence: 1)

The Y2K Operators rely entirely on deception to get Millenium RAT onto victim machines. Files are disguised as credit card generators, crypto balance checkers, hacking toolkits, cracked software, and gaming utilities.

T1204.002 Malicious File (evidence: 1)

In one campaign, victims received a shortcut disguised as a PDF, which triggered PowerShell silently and fetched a decoy document alongside the RAT payload.

Persistence

2 techniques
T1547 Boot or Logon Autostart Execution (evidence: 1)

Persistence is set up by copying the payload into %APPDATA% and adding a registry autorun entry.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Persistence is set up by copying the payload into %APPDATA% and adding a registry autorun entry.

Privilege Escalation

3 techniques
T1547 Boot or Logon Autostart Execution (evidence: 1)

Persistence is set up by copying the payload into %APPDATA% and adding a registry autorun entry.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Persistence is set up by copying the payload into %APPDATA% and adding a registry autorun entry.

T1548.002 Bypass User Account Control (evidence: 1)

The malware also attempts privilege escalation through a standard Windows UAC prompt, counting on the user to approve it.

Stealth

3 techniques
T1027 Obfuscated Files or Information (evidence: 1)

The data is Base64-encoded and protected with a custom XOR algorithm, with extra random data added to change the file hash and bypass signature-based detection.

T1027.009 Embedded Payloads (evidence: 1)

Once executed, the RAT loads an encrypted configuration from an embedded file resource.

T1036 Masquerading (evidence: 1)

After infection, the payload blends in using names like svchost.exe, MsEdgeUpdate.exe, and Microsoft Antivirus.exe.
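The persistence and masquerading evidence above (payload copied into %APPDATA%, registered under a Run key, and named after a Microsoft binary) can be turned into a triage rule over autorun entries. The script below is an added example, not part of the Mallory page or of any published detection; every Run value in it is constructed, and the masquerade names come only from the page.

```python
"""Triage Windows Run-key autorun values for the persistence pattern described
above: payload copied into %APPDATA% and registered for autorun under a
Microsoft-looking name. All sample values below are constructed."""
import ntpath

# File names the page reports the payload blending in under.
MASQUERADE_NAMES = {"svchost.exe", "msedgeupdate.exe", "microsoft antivirus.exe"}
# Path fragments that place an executable inside a user profile.
PROFILE_MARKERS = ("%appdata%", "%localappdata%", "\\appdata\\roaming\\", "\\appdata\\local\\")

# Constructed Run key contents (value name -> command line), mixing benign
# entries with two that follow the pattern described on this page.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "svchost": r'"C:\Users\alice\AppData\Roaming\svchost.exe"',
    "MsEdgeUpdate": r"%APPDATA%\MsEdgeUpdate\MsEdgeUpdate.exe --startup",
    "Notes": r'"C:\Users\alice\AppData\Roaming\Notes\Notes.exe"',
}

def executable_path(command_line):
    """Extract the program path from a Run value, honouring a quoted path."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ", 1)[0]

def triage_run_value(command_line):
    """Return the reasons a Run value matches the pattern; [] means no match."""
    path = executable_path(command_line).lower()
    basename = ntpath.basename(path)
    reasons = []
    if basename in MASQUERADE_NAMES:
        reasons.append(f"file name masquerades as {basename}")
    if basename == "svchost.exe" and "\\system32\\" not in path:
        reasons.append("svchost.exe outside System32")
    if any(marker in path for marker in PROFILE_MARKERS):
        # Many legitimate apps autorun from the profile, so on its own this
        # is a review item, not an alert.
        reasons.append("autorun target lives in the user profile")
    return reasons

def triage_run_key(run_values):
    """Map each value name to its reasons, keeping only values with findings."""
    findings = {name: triage_run_value(cmd) for name, cmd in run_values.items()}
    return {name: reasons for name, reasons in findings.items() if reasons}

if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the same function can be fed the output of `reg query` or Autoruns; the profile-only finding is deliberately weak so that it ranks below a masquerade hit rather than paging on every self-updating application.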

Credential Access

4 techniques
T1056.001 Keylogging (evidence: 1)

The embedded configuration contains the Telegram bot token, chat ID, persistence settings, and keylogger options.

T1539 Steal Web Session Cookie (evidence: 1)

It can steal browser credentials and cookies.

T1555 Credentials from Password Stores (evidence: 1)

It can steal browser credentials and cookies.

T1555.003 Credentials from Web Browsers (evidence: 1)

It can steal browser credentials and cookies.

Collection

4 techniques
T1056.001 Keylogging (evidence: 1)

The embedded configuration contains the Telegram bot token, chat ID, persistence settings, and keylogger options.

T1113 Screen Capture (evidence: 1)

It can steal browser credentials and cookies, capture screenshots and webcam images.

T1123 Audio Capture (evidence: 1)

It can steal browser credentials and cookies, capture screenshots and webcam images, record audio.

T1125 Video Capture (evidence: 1)

It can steal browser credentials and cookies, capture screenshots and webcam images.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 1)

It communicates with operators through the Telegram Bot API, disguising command-and-control traffic as normal web activity.

T1071.001 Web Protocols (evidence: 1)

It communicates with operators through the Telegram Bot API, disguising command-and-control traffic as normal web activity.

T1105 Ingress Tool Transfer (evidence: 1)

Victims received a shortcut disguised as a PDF, which triggered PowerShell silently and fetched a decoy document alongside the RAT payload.

Impact

1 technique
T1486 Data Encrypted for Impact (evidence: 1)

It can steal browser credentials and cookies, capture screenshots and webcam images, record audio, log keystrokes, pull Telegram and Discord session data, and encrypt the victim’s files.

INDICATORS OF COMPROMISE

IOCs tracked for this family

59 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
9 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
39 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
11 tracked

Other indicator types observed in public reporting.
