Trojanized Gaming Utilities Deliver Java-Based RAT via Browser and Chat Platforms
Microsoft Threat Intelligence reported an active malware campaign targeting gamers by distributing trojanized gaming utilities through browsers and chat platforms, leading victims to execute a multi-stage downloader that ultimately installs a Java-based remote access trojan (RAT). The infection chain was observed staging a portable Java runtime and launching a malicious JAR (jd-gui.jar), while using PowerShell and living-off-the-land binaries such as cmstp.exe to reduce detection. The activity includes defense evasion by deleting the initial downloader and adding Microsoft Defender exclusions, and persistence via a scheduled task and a startup script named world.vbs; the RAT then beacons to 79.110.49[.]15 for C2, enabling data theft and follow-on payload delivery.
Reporting also noted the campaign’s use of gaming-adjacent filenames to increase execution likelihood (e.g., Xeno.exe, RobloxPlayerBeta.exe) and emphasized that the final payload functions as a loader/runner/downloader/RAT rather than a single-purpose stealer, increasing the risk of secondary malware deployment. Separately, one report highlighted the emergence of Steaelite, a Windows RAT advertised on criminal forums with claimed “FUD” capabilities and an integrated panel combining data theft and ransomware features, underscoring broader commoditization of multi-function RAT ecosystems even when not directly tied to the specific trojanized-gaming-tools intrusion chain.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes IOCs and mitigation guidance for the campaign
Alongside its disclosure, Microsoft released indicators of compromise tied to infrastructure including 79.110.49[.]15 and powercat[.]dog, and recommended actions such as auditing Defender exclusions, checking scheduled tasks and startup scripts, isolating affected endpoints, and resetting credentials.
Microsoft identifies active trojanized gaming utility campaign
Microsoft Threat Intelligence reported an active campaign distributing trojanized gaming utilities such as Xeno.exe and RobloxPlayerBeta.exe via browsers and chat platforms. The malware chain used a downloader, portable Java runtime, a malicious JAR, PowerShell, and cmstp.exe to deploy a multi-purpose RAT capable of data theft and additional payload delivery.
Steaelite RAT advertised on criminal forums
BlackFog reported that the Windows RAT family Steaelite was advertised on criminal forums in November 2025 as "fully undetectable," with capabilities spanning data theft, ransomware, Defender tampering, and multiple persistence options.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Windows RAT proliferated through bogus gaming tools | brief | SC Media
scworld.com
Open sourceMicrosoft warns of RAT delivered through trojanized gaming utilities
securityaffairs.com
Open sourceMicrosoft warns of RAT delivered through trojanized gaming utilities
securityaffairs.com
Open sourceTrojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms
thehackernews.com
Open sourceMicrosoft Defender Uncovers Trojanized Gaming Utility Campaign Targeting Users with RATs and Remote Data Theft
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and Trojanized Installers Deliver Remote Access Trojans via Multi-Stage, Evasion-Focused Infection Chains
Multiple active malware campaigns are delivering **remote access trojans (RATs)** using deceptive lures and multi-stage execution chains designed to evade endpoint defenses. Malwarebytes reported a campaign dubbed **DEAD#VAX** that distributes a file masquerading as a “PDF” but actually delivered as a **virtual hard disk (`.vhd`)** hosted via **IPFS**; when opened, Windows mounts the VHD and the victim is tricked into launching a **Windows Script File (`.wsf`)** that ultimately deploys **AsyncRAT**. The chain includes anti-analysis checks and **process injection** into Microsoft-signed binaries such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, and `sihost.exe`, enabling hands-on-keyboard remote control while minimizing obvious on-disk artifacts. Separately, reporting described **DesckVB RAT v2.9**, a modular **.NET** RAT using an obfuscated **WSH JavaScript** stager followed by **PowerShell**-based anti-analysis checks and an in-memory (“fileless”) loader, emphasizing persistence and a plugin-based architecture for post-compromise capabilities. Another campaign distributes **ValleyRAT** disguised as a legitimate *LINE* installer, targeting **Chinese-speaking users**; it attempts to weaken defenses by using PowerShell to add broad **Windows Defender exclusions**, performs sandbox checks (e.g., mutex/file-locking behaviors), and uses advanced injection (reported as **PoolParty Variant 7** via Windows I/O completion ports) to hide within trusted processes while stealing credentials and maintaining C2 communications.
Mar 21, 2026
Social-engineering malware campaigns delivering remote-access trojans and backdoors
Recent reporting highlights multiple **social-engineering-driven malware delivery** efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed **counterfeit adult games** via popular “webhard” file-sharing services; victims received a ZIP containing a decoy `Game.exe` launcher that stages additional components (`Data1.Pak`, `Data2.Pak`, `Data3.Pak`) and ultimately injects **QuasarRAT** (aka **xRAT**), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as `GoogleUpdate.exe` and `WinUpdate.db`, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection. Separately, a spear-phishing campaign weaponized news about a purported **Nicolás Maduro arrest** to deliver a **backdoor**: emails carried a ZIP with a lure executable (`Maduro to be taken to New York.exe`) alongside a malicious DLL (`kuguo.dll`) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to `C:\ProgramData\Technology360NB`, persistence via an auto-start renamed binary (`DataTechnology.exe`), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with **Mustang Panda** but said attribution was not yet confirmed. A separate research note described **GravityRAT** reemerging as a multi-platform RAT with expanded **Android** targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
Mar 21, 2026
Malware campaigns abusing trusted software channels (browser extensions, developer tools, and Google Ads) to deliver RATs and stealers
Multiple active malware campaigns are abusing *trusted distribution channels*—including Chrome/Edge extensions, Visual Studio Code extensions, and Google Ads/redirection infrastructure—to trick users into executing payloads that deliver **remote access trojans (RATs)** or **information stealers**. Huntress reported a malvertising-driven fake ad blocker extension, **NexShield**, that intentionally forces Chrome/Edge into a crash/DoS state by looping `chrome.runtime` port connections; on restart it displays a fake “security warning” and uses a **ClickFix-style** social engineering flow (“CrashFix”) to push users to paste and run clipboard-copied commands that trigger an obfuscated PowerShell download-and-execute chain, ultimately deploying the Python-based **ModeloRAT** in corporate environments. Separately, Trend Micro described **Evelyn Stealer** delivered via a trojanized **Visual Studio Code extension** that drops a malicious `Lightshot.dll` side-loaded by legitimate *Lightshot* (`Lightshot.exe`), then runs staged PowerShell and payload retrieval to steal browser credentials, cookies, crypto wallets, VPN/Wi‑Fi data, files, and screenshots before exfiltrating to an attacker-controlled FTP server—posing elevated risk when developer workstations are compromised. South Korea-focused activity also features prominently across several reports, with multiple delivery vectors leading to RAT deployment. ASEC documented **Remcos RAT** distributed via fake installers masquerading as *VeraCrypt* and via gambling-related “lookup” tools, using multi-stage obfuscated **VBS/PowerShell** chains and enabling credential theft, keylogging, and device surveillance (webcam/mic). Genians attributed “**Operation Poseidon**” to the **Konni APT**, describing spear-phishing that abuses Google’s advertising/tracking redirection (e.g., `ad.doubleclick.net` parameters) to make malicious links appear legitimate, redirecting victims to compromised WordPress infrastructure hosting ZIPs with LNK files that launch AutoIt-based loaders to run an **EndRAT** variant in memory. Nextron Systems reported widespread trojanized “free converter” apps promoted via malicious Google ads and lookalike converter sites (e.g., `ez2convertapp[.]com`, `convertyfileapp[.]com`), with some payloads signed using abused/rotating code-signing certificates (e.g., BLUE TAKIN LTD, TAU CENTAURI LTD, SPARROW TIDE LTD) to evade trust checks while installing persistent backdoors.
Mar 21, 2026