Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms
Source: The Hacker News
Threat overview
Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to deliver a remote‑access trojan (RAT).

Attack chain details
- A malicious downloader stages a portable Java runtime and executes a malicious JAR file named jd-gui.jar.
- Execution is performed via PowerShell and living-off-the-land binaries (LOLBins) such as cmstp.exe for stealth.
- The initial downloader deletes itself and configures Microsoft Defender exclusions for the RAT components.
- Persistence is achieved with a scheduled task and a Windows startup script named world.vbs.
- The final payload connects to an external C2 server at 79.110.49[.]15, allowing data exfiltration and deployment of additional payloads.
“A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd‑gui.jar,” the Microsoft Threat Intelligence team said in a post on X.

Defense recommendations
- Audit Microsoft Defender exclusions and scheduled tasks.
- Remove any malicious tasks or startup scripts (e.g., world.vbs).
- Isolate affected endpoints promptly.
- Reset credentials for users who accessed compromised hosts.
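The following triage script is an added example, not code from the article or from Microsoft. It turns the attack chain described above and the audit steps in the defense recommendations into a single host check: it lists Microsoft Defender exclusions, scheduled-task actions, startup-folder entries and Run keys that reference the reported artifacts (jd-gui.jar, world.vbs, cmstp.exe, a Java runtime), searches recent process-creation events for the same strings, and looks for live connections to the reported C2 address. The indicator strings are taken from the article; the helper names, the seven-day window and the list of startup-script extensions are assumptions. It must run elevated, and the process-creation step only returns results where audit policy records Security event 4688.

```powershell
# Added triage script (not from the original article or Microsoft).
# Assumptions: elevated PowerShell on Windows 10/11 with Defender installed.
# Indicator strings come from the article; everything else is illustrative.
# Note: jd-gui.jar is also the file name of the legitimate JD-GUI decompiler,
# so a name match is a prompt for review, not proof of compromise.
$Indicators = @('jd-gui.jar', 'world.vbs', 'cmstp.exe', 'java', 'jre', '.jar')
$C2Address  = '79.110.49.15'   # article reports it defanged as 79.110.49[.]15

function Test-Indicator {
    param([string]$Text)
    foreach ($i in $Indicators) { if ($Text -like "*$i*") { return $true } }
    return $false
}

# 1. Defender exclusions: the downloader adds these to shield the RAT components.
Write-Host '== Defender exclusions referencing indicators =='
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in @($pref.$kind)) {
        if (Test-Indicator $entry) { [pscustomobject]@{ Kind = $kind; Entry = $entry } }
    }
}

# 2. Scheduled tasks whose actions launch a Java runtime, a JAR, a VBS or cmstp.exe.
Write-Host '== Scheduled tasks with suspicious actions =='
foreach ($task in Get-ScheduledTask) {
    foreach ($action in @($task.Actions)) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if (Test-Indicator $cmd) {
            [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; State = $task.State; Command = $cmd }
        }
    }
}

# 3. Startup folders and Run keys: world.vbs was reported as a startup script.
Write-Host '== Startup folders / Run keys =='
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$scriptExt   = @('.vbs', '.js', '.jar', '.bat', '.cmd', '.ps1', '.lnk')   # assumed watch list
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Where-Object { $scriptExt -contains $_.Extension } |
    Select-Object FullName, LastWriteTime

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata properties
        if (Test-Indicator ([string]$p.Value)) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# 4. Process-creation events (Security 4688) mentioning the reported artifacts.
#    Requires "Audit Process Creation" (and ideally command-line logging) to be enabled.
Write-Host '== Process creation events (last 7 days) =='
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } -ErrorAction Stop |
        Where-Object { $_.Message -match 'cmstp\.exe|jd-gui\.jar|world\.vbs' } |
        Select-Object TimeCreated,
            @{ n = 'CommandLine'; e = { (($_.Message -split "`n") -match 'Process Command Line') -join ' ' } }
} catch {
    Write-Warning "Could not read 4688 events (audit policy or privileges): $($_.Exception.Message)"
}

# 5. Live connections to the reported C2 address.
Write-Host "== Connections to $C2Address =="
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Address } |
    Select-Object LocalPort, RemoteAddress, RemotePort, State, OwningProcess

# Remediation, once a hit has been confirmed as malicious (left commented out on purpose):
# Unregister-ScheduledTask -TaskPath '<path>' -TaskName '<name>' -Confirm:$false
# Remove-MpPreference -ExclusionPath '<path>'
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<value>'
```

The script only reports; it never deletes anything, because the generic terms in the indicator list (java, jre, .jar) will also match legitimate Java installs and a Defender exclusion for a real JDK is not evidence of compromise. Review each hit against the task's creation time, the owning account and whether the referenced file still exists before running the commented remediation commands, and treat a confirmed hit as grounds for the isolation and credential-reset steps above.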
Steaelite RAT
BlackFog disclosed a new Windows RAT family called Steaelite, first advertised on criminal forums in November 2025 as a “best Windows RAT” with “fully undetectable” (FUD) capabilities. It is compatible with Windows 10 and 11.
Key characteristics
- Bundles data theft and ransomware into a single web panel, with an Android ransomware module in development.
- Includes developer tools for keylogging, client‑to‑victim chat, file searching, USB spreading, wallpaper modification, UAC bypass, and clipper functionality.
- Can remove competing malware, disable Microsoft Defender, or configure exclusions, and install persistence mechanisms.
Main capabilities
- Remote code execution, file management, live streaming, webcam/microphone access.
- Process management, clipboard monitoring, password theft, installed‑program enumeration, location tracking.
- Arbitrary file execution, URL opening, DDoS attacks, VB.NET payload compilation.
“The tool gives operators browser‑based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard,” security researcher Wendy McCague said.

Other emerging RAT families
- DesckVB RAT – tracked on GitHub.
- KazakRAT – detailed by Ctrl Alt Intel.
KazakRAT is suspected to be operated by a state‑affiliated cluster targeting Kazakh and Afghan entities, with activity ongoing since at least August 2022. Both families enable comprehensive remote control and selective post‑compromise capability deployment.