To distribute a remote access trojan (RAT), threat actors are tricking unsuspecting users into running trojanized gaming utilities spread through browsers and chat platforms. The Microsoft Threat Intelligence team said in a post on X that a malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named "jd-gui.jar." "This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution."

The attack chain also evades detection by deleting the original downloader and adding Microsoft Defender exclusions for the RAT components. Before the final payload is installed on the compromised host, persistence is established through a Windows startup script named "world.vbs" together with a scheduled task.

Microsoft describes the malware as "multi-purpose malware" that functions as a downloader, loader, runner, and RAT. Once launched, it establishes a command-and-control (C2) connection to an external server at 79.110.49[.]15 to exfiltrate data and launch additional payloads.
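As an added example (not code from Microsoft's post or from this article), the following read-only PowerShell triage script checks a Windows host for the artifacts described above: Defender exclusions, scheduled tasks and startup scripts that run LOLBins or reference the named files, live connections to the C2 address, and Java processes that may be running from a staged portable runtime. The indicator strings are the ones cited above; the list of LOLBins to flag, the script extensions checked, and the output format are assumptions of this example, and the script only reports findings, leaving removal and isolation to the analyst.

```powershell
# Added example, not from the original report. Run in an elevated PowerShell
# session on a suspect host. It reports; it does not remediate.
$Findings = New-Object System.Collections.Generic.List[string]

# Indicators named in the report; the LOLBin list is this example's assumption.
$SuspiciousNames    = @('jd-gui.jar', 'world.vbs')
$SuspiciousBinaries = @('cmstp.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'java.exe', 'javaw.exe')
$C2Address          = '79.110.49.15'

# 1. Microsoft Defender exclusions. The chain added exclusions for the RAT
#    components, so every exclusion on the host deserves a second look.
$Pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in @($Pref.$kind)) {
        if ($item) { $Findings.Add("Defender $kind exclusion: $item") }
    }
}

# 2. Scheduled tasks whose action runs a LOLBin or references a known file name.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in @($task.Actions)) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $hitName = $SuspiciousNames    | Where-Object { $cmd -like "*$_*" }
        $hitBin  = $SuspiciousBinaries | Where-Object { $cmd -like "*$_*" }
        if ($hitName -or $hitBin) {
            $Findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName) [$($task.State)] runs: $cmd")
        }
    }
}

# 3. Startup folders and Run keys: the campaign persisted via a .vbs startup script.
$StartupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($dir in $StartupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Extension -in '.vbs', '.js', '.bat', '.cmd', '.ps1', '.jar') {
            $Findings.Add("Startup script: $($_.FullName)")
        }
    }
}
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSProvider metadata properties Get-ItemProperty adds.
            if ($p.Name -notlike 'PS*') { $Findings.Add("Run key ${key}\$($p.Name): $($p.Value)") }
        }
    }
}

# 4. Live TCP connections to the C2 address, with the owning process.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Address } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("C2 connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

# 5. Running Java processes: a portable runtime launched from a user-writable
#    path, with a .jar argument, is the execution pattern described above.
Get-CimInstance Win32_Process -Filter "Name='java.exe' OR Name='javaw.exe'" |
    ForEach-Object {
        $Findings.Add("Java process PID $($_.ProcessId): $($_.CommandLine)")
    }

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

Treat every line of output as a lead rather than a verdict: legitimate software also registers Run keys and scheduled tasks, and Get-NetTCPConnection only sees connections open at the moment it runs, so a beaconing implant between check-ins will not appear there and should be confirmed from proxy or firewall logs.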

To defend against the threat, users are advised to audit Microsoft Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, isolate affected endpoints, and reset credentials for any users who were active on compromised hosts. The disclosure comes as BlackFog detailed a new Windows RAT family called Steaelite, first advertised on criminal forums in November 2025 as the "best Windows RAT" with "fully undetectable" (FUD) capabilities. It supports both Windows 10 and 11.

Unlike other commercial RATs sold to criminal actors, Steaelite combines ransomware and data theft in a single web panel, and an Android ransomware module is also on the way. The panel also includes a number of developer tools for enabling keylogging, client-to-victim chat, file searching, USB spreading, wallpaper modification, UAC bypass, and clipper functionality.

Other notable features include establishing persistence, disabling Microsoft Defender or adding exclusions, and removing competing malware. Steaelite RAT's core capabilities span remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password theft, installed-program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation.

According to security researcher Wendy McCague, "the tool gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard." From that one dashboard, a single operator can harvest credentials, browse files, exfiltrate documents, and deploy ransomware, enabling full double extortion with a single tool.

Threat hunters have also discovered two new RAT families, DesckVB RAT and KazakRAT, in recent weeks. Both provide complete remote control over compromised hosts and allow capabilities to be deployed selectively after compromise. According to Ctrl Alt Intel, KazakRAT is believed to be the work of a suspected state-affiliated cluster targeting Kazakh and Afghan entities as part of a persistent campaign that has been running since at least August 2022.