Researchers reported two active malware delivery operations centered on STX RAT, a remote access trojan aimed at stealing browser credentials, session tokens, and other access from financially valuable victims such as cryptocurrency traders. One campaign used a high-severity ClickFix chain built on the brand-squatted domain lirunex[.]tech, which impersonated a payment platform, used server-side cloaking to show a Swagger UI clone to non-targets, and silently replaced clipboard content so victims pasted a malicious command instead of an SSL certificate path. The staged execution launched through conhost --headless and ended with a cross-platform RAT hidden inside image files.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Researchers identified a high-severity multi-step ClickFix attack using the brand-squatted domain lirunex[.]tech, clipboard manipulation, and a two-stage dropper chain. The campaign used server-side cloaking and ultimately delivered a cross-platform remote access trojan hidden in image files.
Researchers described an active campaign distributing 11 trojanized software packages to deliver STX RAT, initially targeting cryptocurrency traders and later expanding to Steam-themed and X-VPN lures. The operation used DLL sideloading, reflective in-memory loading, and supp0v3[.]com infrastructure, and continued evolving even after disclosure.
X-VPN released version 77.5.2 with stricter DLL loading, hash verification, and hardened DLL load policies. The update addressed the DLL search order weakness abused by the trojanized installer in the STX RAT campaign.
Howler Cell disclosed that a trojanized X-VPN installer was being used in an active STX RAT supply chain campaign. The package exploited a DLL search order weakness in the Windows client to sideload a malicious CRYPTBASE.dll.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
community.gurucul.com
Open sourcemalware.news
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.