Researchers have identified STX RAT, a newly observed remote access trojan that pairs credential theft with hidden virtual network computing (HVNC) to let attackers control infected Windows systems without visible on-screen activity. The malware was seen in early 2026 delivered through a browser-downloaded VBScript chain that launched JScript, fetched a TAR archive, and used a PowerShell loader for in-memory injection; a separate campaign used trojanized FileZilla installers. Analysis found anti-analysis checks for VirtualBox, VMware, and QEMU, along with a random-delay “jitter exit” and an AMSI ghosting technique that patches a Windows RPC function to reduce detection.
STX RAT communicates with command-and-control infrastructure at 95.216.51.236 using X25519 ECDH and ChaCha20-Poly1305 encryption, then exfiltrates host information, screenshots, and credentials from tools including FileZilla, WinSCP, and Cyberduck. Its HVNC capability is considered the most dangerous feature because it creates invisible desktop sessions that allow attackers to interact with the victim machine covertly. Defenders were urged to block the known C2 IP and associated Tor onion infrastructure, monitor suspicious WScript and PowerShell activity, apply available YARA detections, and disable VBScript and JScript where operationally possible.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
On April 9, 2026, reporting based on eSentire Threat Response Unit analysis disclosed STX RAT's anti-analysis checks, AMSI-ghosting technique, encrypted C2 communications with 95.216.51.236, credential theft from FileZilla, WinSCP, and Cyberduck, and its hidden virtual network computing module for invisible remote desktop sessions.
A newly identified remote access trojan, STX RAT, was observed in early 2026 targeting organizations. Initial infection chains used a browser-downloaded VBScript that launched JScript, retrieved a TAR archive, and used PowerShell to inject the payload into memory.
Researchers also identified a distinct distribution campaign in which attackers spread STX RAT through trojanized FileZilla installer packages. This expanded the malware's delivery methods beyond script-based initial access.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.