Researchers at eSentire disclosed a previously undocumented remote access trojan, STX RAT, after it was used in an attempted intrusion against a financial services organization. The malware was delivered through a sophisticated multi-stage chain involving script launchers, encrypted and compressed payloads, privilege escalation, and in-memory PowerShell execution designed to avoid detection. Investigators said the RAT used XXTEA encryption, Zlib compression, reflective loading, layered string obfuscation, anti-virtualization checks, registry-based autoruns, and COM hijacking to establish persistence and frustrate analysis.
Once deployed, STX RAT waited for command-and-control instructions and was built to steal data from browsers, FTP clients, and cryptocurrency wallets while minimizing early detection through delayed credential theft and an encrypted C2 protocol. The malware also supported hidden virtual desktop operations, execution of additional payloads, network tunneling, and simulated user input, giving operators broad post-compromise control. eSentire said the targeted environment was contained and urged organizations, particularly in financial services, to strengthen endpoint protections and reduce exposure to script-based initial access methods.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Public reporting revealed STX RAT's use of in-memory PowerShell loading, XXTEA encryption, Zlib compression, reflective loading, registry autoruns, COM hijacking, anti-virtualization checks, and encrypted command-and-control communications. Defenders were advised to strengthen endpoint protections and reduce exposure to script-based attack paths.
Following the attempted deployment, eSentire's Threat Response Unit analyzed the intrusion and identified STX RAT as a new remote access trojan with capabilities including credential and wallet theft, hidden virtual desktop operation, payload execution, and network tunneling. The affected system was isolated and the targeted environment was contained while monitoring continued.
In late February 2026, a financial services organization was targeted in an attempted intrusion involving the previously undocumented STX RAT. The malware was delivered through a sophisticated multi-stage script-based chain designed to gain execution and persistence while evading detection.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
osintteam.blog
Open sourcescworld.com
Open sourceinfosecurity-magazine.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.