Fake Software Downloads Deliver STX RAT and Vjw0rm via Layered Dropper Chains
Security researchers reported two malware campaigns using fake or trojanized software downloads to install remote access trojans with credential theft and persistence features. eSentire identified a previously undocumented STX RAT after an attempted intrusion against a finance-sector organization, where a browser-downloaded VBScript launched a multi-stage loader chain using XXTEA and Zlib unpacking, anti-analysis checks, and several persistence methods. The malware supports HVNC, in-memory payload execution, tunneling, screenshots, security-tool inventory, and theft of browser credentials, cookies, Windows Vault data, FTP client secrets, and cryptocurrency wallets. Its command-and-control design uses X25519 ECDH, Ed25519, HKDF-SHA256, and ChaCha20-Poly1305 over a custom TCP protocol, with infrastructure reachable over both the clear web and Tor.
A separate investigation by Breakglass Intelligence found a fake software keygen packaged as a malicious WinRAR self-extracting archive that deployed the Vjw0rm JavaScript RAT through a four-layer dropper chain. The infection used nested SFX archives, a compiled AutoHotkey loader, parallel payload paths, and three persistence mechanisms, while abusing upaste[.]me as a dead-drop service and hiding the RAT as an XML file later renamed to JavaScript for execution. Researchers said the operator appeared to be a Turkish-speaking commodity cybercrime actor relying on reused tooling, deceptive file paths, and bundled legitimate Windows files to evade detection, underscoring how software cracks, keygens, and trojanized installers remain effective delivery vectors for RATs and infostealers.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
eSentire publishes STX RAT analysis, YARA rules, and IOCs
eSentire publicly documented STX RAT as a new RAT with infostealer capabilities, detailing its multi-stage loader chain, anti-analysis features, credential theft functions, and mature encrypted C2 protocol. The company also released YARA detections and indicators of compromise and recommended mitigations such as disabling WScript and improving endpoint controls.
Breakglass documents fake keygen campaign delivering Vjw0rm RAT
Breakglass Intelligence reported a campaign using a malicious WinRAR self-extracting archive disguised as a software keygen to deploy a four-layer dropper chain ending in the Vjw0rm JavaScript RAT. The analysis linked the activity to a likely Turkish-speaking commodity cybercrime operator based on reused tooling and campaign artifacts.
Finance-sector customer targeted with attempted STX RAT delivery
In late February 2026, eSentire observed an attempted delivery of a previously undocumented remote access trojan later named STX RAT against a finance-sector customer. The malware was delivered via a browser-downloaded VBScript, and the affected host was isolated.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
STX RAT: A new RAT in 2026 with Infostealer Capabilities | eSentire
esentire.com
Open sourceThe Fake Keygen That Wasn't: Unpacking a Four-Layer Vjw0rm RAT Dropper Chain - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
SEO Poisoning and Fake Software Downloads Used to Deliver Credential Theft and RAT Malware
Threat actors are using **software impersonation** and **SEO poisoning** to push victims toward fake download sites for trusted enterprise and IT tools, then delivering malware through trojanized installers. In one campaign, **Storm-2561** used spoofed VPN vendor pages for products such as **Pulse Secure, Fortinet, and Ivanti** to steal enterprise VPN credentials. The malicious packages were hosted on GitHub, signed with a certificate issued to **"Taiyuan Lihua Near Information Technology Co., Ltd."**, and designed to show an error before redirecting victims to the legitimate vendor site, reducing suspicion while exfiltrating credentials. A separate but closely related campaign used fake **FileZilla** download pages to distribute a **Remote Access Trojan** through multi-stage loaders and **DLL sideloading**. Attackers bundled legitimate FileZilla software with a malicious `version.dll`, or dropped the DLL during installation so the malware would execute while the expected application appeared to install normally. Both reports describe the same broader intrusion pattern: adversaries abusing trusted brands, realistic lookalike websites, and legitimate software packaging to compromise users who believe they are downloading authentic tools. A separate **Warlock** intrusion analysis describing web shells, lateral movement, tunneling, and ransomware activity is a different incident and does not match this malware-delivery story.
Apr 26, 2026
Phishing and Trojanized Installers Deliver Remote Access Trojans via Multi-Stage, Evasion-Focused Infection Chains
Multiple active malware campaigns are delivering **remote access trojans (RATs)** using deceptive lures and multi-stage execution chains designed to evade endpoint defenses. Malwarebytes reported a campaign dubbed **DEAD#VAX** that distributes a file masquerading as a “PDF” but actually delivered as a **virtual hard disk (`.vhd`)** hosted via **IPFS**; when opened, Windows mounts the VHD and the victim is tricked into launching a **Windows Script File (`.wsf`)** that ultimately deploys **AsyncRAT**. The chain includes anti-analysis checks and **process injection** into Microsoft-signed binaries such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, and `sihost.exe`, enabling hands-on-keyboard remote control while minimizing obvious on-disk artifacts. Separately, reporting described **DesckVB RAT v2.9**, a modular **.NET** RAT using an obfuscated **WSH JavaScript** stager followed by **PowerShell**-based anti-analysis checks and an in-memory (“fileless”) loader, emphasizing persistence and a plugin-based architecture for post-compromise capabilities. Another campaign distributes **ValleyRAT** disguised as a legitimate *LINE* installer, targeting **Chinese-speaking users**; it attempts to weaken defenses by using PowerShell to add broad **Windows Defender exclusions**, performs sandbox checks (e.g., mutex/file-locking behaviors), and uses advanced injection (reported as **PoolParty Variant 7** via Windows I/O completion ports) to hide within trusted processes while stealing credentials and maintaining C2 communications.
Mar 21, 2026