Cybersecurity researchers are warning that attackers are disguising malicious software as popular gaming utilities to infect unsuspecting users. The campaign relies on browser downloads and chat platform sharing to deliver a Java-based remote access trojan (RAT), giving the operators full control over compromised systems.
According to the Microsoft Threat Intelligence team, the infection process begins with a malicious downloader that installs a portable Java runtime environment and launches a harmful Java archive file named jd-gui.jar. The attackers rely on PowerShell scripts and legitimate Windows tools, including cmstp.exe, to execute the payload discreetly. These tactics fall under living-off-the-land techniques, in which built-in system binaries are abused to avoid detection.
Stealth Tactics and Defense Evasion
To reduce the likelihood of discovery, the malware removes the initial downloader after execution and configures exclusions within Microsoft Defender so that security scans do not flag RAT-related components.
Persistence is established using a scheduled task together with a Windows startup script named world.vbs. Once these steps are complete, the final payload is deployed. Microsoft describes the malware as multifunctional, acting as a loader, executor, downloader, and remote access trojan.
After activation, the RAT connects to an external command and control server at 79.110.49[.]15. This connection allows attackers to extract sensitive information, issue remote commands, and deliver additional malicious modules.
Recommended Mitigation Steps
Security professionals advise users and organizations to review Defender exclusion settings and scheduled tasks for unauthorized changes. Any suspicious startup scripts should be removed immediately. Affected systems should be isolated from the network, and all credentials used from compromised devices must be reset to prevent lateral movement.
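The audit below is an added example, not code from Microsoft or from the article, that turns the mitigation advice and the indicators reported above (jd-gui.jar, world.vbs, cmstp.exe, the command and control address 79.110.49[.]15) into a single host check. It assumes a Windows 10/11 system with Microsoft Defender, the ScheduledTasks and NetTCPIP modules, and an elevated PowerShell session; the regular expressions used to flag tasks and startup entries are the author's assumptions about what a review should surface, not signatures published by the researchers.

```powershell
# Added host audit for the Java RAT campaign described above (not Microsoft's code).
# Assumes: Windows 10/11, Microsoft Defender, elevated session, ScheduledTasks and
# NetTCPIP modules available. Indicators are the ones named in the article.
$indicators = @{
    Files  = @('jd-gui.jar', 'world.vbs')   # dropped archive and startup script
    C2     = '79.110.49.15'                 # reported command and control address
}
# Assumed review pattern: Java launchers, .jar/.vbs files and cmstp.exe in task actions
$suspectPattern = '\.jar\b|\.vbs\b|javaw?\.exe|cmstp\.exe'

# 1. Defender exclusions currently configured (any entry here deserves a second look)
$pref = Get-MpPreference
$exclusions = foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in @($pref.$kind)) {
        if ($entry) { [pscustomobject]@{ Kind = $kind; Value = $entry } }
    }
}
Write-Host "== Defender exclusions ($(@($exclusions).Count)) =="
$exclusions | Format-Table -AutoSize

# 2. Recent Defender configuration changes (event 5007 records exclusion edits) in the last 7 days
Write-Host "== Defender configuration changes, last 7 days =="
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Message | Format-List

# 3. Scheduled tasks whose actions launch Java, a .jar, a .vbs, or cmstp.exe
Write-Host "== Suspicious scheduled tasks =="
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { ("$($_.Execute) $($_.Arguments)") -match $suspectPattern }
} | Select-Object TaskName, TaskPath, @{
    Name = 'Action'
    Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }
} | Format-Table -AutoSize

# 4. Startup entries (Startup folders and Run keys) that reference the named script or Java
Write-Host "== Startup commands =="
Get-CimInstance Win32_StartupCommand |
    Where-Object { $_.Command -match 'world\.vbs|\.jar\b|javaw?\.exe' } |
    Select-Object Name, Location, Command, User | Format-Table -AutoSize

# 5. Files named in the report under user profiles and ProgramData
Write-Host "== Indicator files =="
$roots = @("$env:SystemDrive\Users", $env:ProgramData)
Get-ChildItem -Path $roots -Recurse -Force -ErrorAction SilentlyContinue -Include $indicators.Files |
    Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

# 6. Live TCP connections to the reported command and control address, with the owning process
Write-Host "== Connections to reported C2 =="
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $indicators.C2 } |
    Select-Object LocalPort, RemoteAddress, RemotePort, State,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

Run it once as a baseline on a known-clean machine so that legitimate exclusions and tasks can be distinguished from new ones; the script only reports and removes nothing, so any cleanup (deleting the task, the startup script, or the exclusion) remains a deliberate follow-up step after the host has been isolated.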
Emergence of Steaelite Windows RAT
In a related development, researchers from BlackFog revealed a newly marketed Windows malware family known as Steaelite. First promoted on underground forums in November 2025, it was advertised as a fully undetectable Windows RAT compatible with both Windows 10 and Windows 11.
Unlike traditional off-the-shelf RAT tools, Steaelite integrates data theft and ransomware functionality within a single web-based control panel. An Android ransomware module is reportedly under development.
The panel offers features such as keylogging, direct operator-to-victim chat, file searching, USB-based propagation, wallpaper manipulation, User Account Control bypass, and clipboard data theft. It can also disable Microsoft Defender, remove competing malware, configure antivirus exclusions, and install persistence routines.
Broad Surveillance and Control Capabilities
Steaelite supports remote code execution, file management, live screen streaming, webcam and microphone activation, process monitoring, clipboard tracking, credential harvesting, installed software enumeration, geographic tracking, arbitrary file execution, malicious URL opening, distributed denial of service attacks, and even VB.NET payload compilation.
Security researcher Wendy McCague noted that the platform enables attackers to browse files, steal credentials, exfiltrate documents, and deploy ransomware from a unified dashboard. This integrated approach allows threat actors to conduct double extortion attacks without switching tools.
Additional RAT Families Identified
Threat hunters have also detected two emerging remote access trojan families, DesckVB RAT and KazakRAT. Both provide extensive remote control over infected systems and allow operators to selectively activate capabilities after gaining access.
Research from Ctrl Alt Intel suggests that KazakRAT may be linked to a state-affiliated cluster targeting organizations in Kazakhstan and Afghanistan. The campaign is believed to have been active since at least August 2022.
Growing Risk From Multi Purpose RAT Malware
The rise of Java-based loaders and feature-rich RAT platforms highlights an ongoing trend in cybercrime. Attackers are increasingly combining stealth techniques, built-in system tools, and multifunction dashboards to maximize operational efficiency while minimizing exposure.
Experts stress that downloading unofficial gaming utilities, cracked software, or tools shared through informal chat channels significantly increases infection risk. Regular software updates, strict application control policies, and continuous endpoint monitoring remain critical defenses against modern remote access trojan campaigns.