{"id":92,"date":"2026-02-27T11:44:58","date_gmt":"2026-02-27T11:44:58","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=92"},"modified":"2026-02-27T11:44:58","modified_gmt":"2026-02-27T11:44:58","slug":"trojanized-gaming-tools-spread-java-based-rat-via-browser-and-chat-platforms","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=92","title":{"rendered":"Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Feb 27, 2026<\/span><\/span><span class=\"p-tags\">Endpoint Security \/ Windows Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Threat actors are luring unsuspecting users into running trojanized gaming utilities, delivered via browsers and chat platforms, in order to deploy a remote access trojan (RAT).<\/p>\n<p>\u00abA malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar,\u00bb the Microsoft Threat Intelligence team <a href=\"https:\/\/x.com\/MsftSecIntel\/status\/2027070355487997998\" rel=\"noopener\" target=\"_blank\">said<\/a> in a post on X. 
\u00abThis downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution.\u00bb<\/p>\n<p>The attack chain is also designed to evade detection by deleting the initial downloader and by configuring Microsoft Defender exclusions for the RAT components. Adding a Defender exclusion requires local administrator rights on the host, so an exclusion the user did not create is itself a strong indicator of compromise.<\/p>\n<p>Persistence is achieved by means of a scheduled task and a Windows startup script named \u00abworld.vbs\u00bb before the final payload is deployed on the compromised host. The malware, per Microsoft, is \u00abmulti-purpose malware\u00bb that acts as a loader, runner, downloader, and RAT.<\/p>\n<p>Once launched, it connects to an external server at \u00ab79.110.49[.]15\u00bb for command-and-control (C2) communications, allowing it to exfiltrate data and deploy additional payloads.<\/p>\n<p>To defend against the threat, users are advised to audit Microsoft Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, isolate affected endpoints, and reset credentials for users active on compromised hosts.<\/p>\n<p>The disclosure comes as BlackFog shared details of a new Windows RAT malware family called Steaelite that was first advertised on criminal forums in November 2025 as a \u00abbest Windows RAT\u00bb with \u00abfully undetectable\u00bb (FUD) capabilities. 
It&#8217;s compatible with both Windows 10 and 11.<\/p>\n<p>Unlike other off-the-shelf RATs sold to criminal actors, Steaelite bundles data theft and ransomware together in a single web panel, with an Android ransomware module on the way. The panel also incorporates various developer tools to facilitate keylogging, client-to-victim chat, file searching, USB spreading, wallpaper modification, UAC bypass, and clipper functionality.<\/p>\n<p>Other notable features include removing competing malware, disabling Microsoft Defender or configuring exclusions for it, and installing persistence mechanisms.<\/p>\n<p>As for its main capabilities, Steaelite RAT supports remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password theft, installed program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation.<\/p>\n<p>\u00abThe tool gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard,\u00bb security researcher Wendy McCague <a href=\"https:\/\/www.blackfog.com\/steaelite-rat-double-extortion-from-single-panel\/\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>\u00abA single threat actor can 
browse files, exfiltrate documents, harvest credentials, and deploy ransomware from the same dashboard. This enables complete double extortion from one tool.\u00bb<\/p>\n<p>In recent weeks, threat hunters have also discovered two new RAT families tracked as <a href=\"https:\/\/github.com\/ShadowOpCode\/DesckVB-RAT\" rel=\"noopener\" target=\"_blank\">DesckVB RAT<\/a> and <a href=\"https:\/\/ctrlaltintel.com\/threat%20research\/KazakRAT\/\" rel=\"noopener\" target=\"_blank\">KazakRAT<\/a> that enable comprehensive remote control over infected hosts and can selectively deploy additional capabilities post-compromise. According to Ctrl Alt Intel, KazakRAT is suspected to be the work of a state-affiliated cluster targeting Kazakh and Afghan entities as part of a persistent campaign ongoing since at least August 2022.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Feb 27, 2026. Endpoint Security \/ Windows Security. Threat actors are luring unsuspecting users into running trojanized gaming utilities, delivered via browsers and chat platforms, in order to deploy 
a&hellip;<\/p>\n","protected":false},"author":1,"featured_media":93,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[265,266,260,263,267,264,262,261,259],"class_list":["post-92","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-browser","tag-chat","tag-gaming","tag-javabased","tag-platforms","tag-rat","tag-spread","tag-tools","tag-trojanized"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/92","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/92\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/93"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
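The article's remediation advice (audit Microsoft Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, then isolate and reset credentials) is the kind of check an incident responder scripts rather than clicks through. The PowerShell triage script below is an added example and is not code from Microsoft Threat Intelligence, BlackFog or the article. It assumes an elevated PowerShell session on Windows 10/11 with the Defender, ScheduledTasks and NetTCPIP modules available. Only the indicators jd-gui.jar, world.vbs, cmstp.exe and 79.110.49[.]15 come from the report; the broader patterns (any JAR, java.exe, script hosts, user-writable exclusion paths) and the function and variable names are this example's own assumptions and should be tuned to the environment.

```powershell
# Added triage script; it is not code from Microsoft Threat Intelligence or
# from the article. Assumed environment: an elevated Windows PowerShell 5.1
# or PowerShell 7 session on Windows 10/11 with the Defender, ScheduledTasks
# and NetTCPIP modules available. Only jd-gui.jar, world.vbs, cmstp.exe and
# 79.110.49[.]15 come from the report; every other pattern is this example's
# own assumption and should be tuned to the environment.
#Requires -RunAsAdministrator

$IocPatterns = @(
    'jd-gui\.jar',          # JAR named in the report
    'world\.vbs',           # startup script named in the report
    'cmstp\.exe',           # LOLBin named in the report
    '\.jar\b',              # assumption: any JAR launched from a task/startup entry
    'javaw?\.exe',          # assumption: the staged portable Java runtime
    'wscript|cscript'       # assumption: script hosts used to run the VBS
)
$IocRegex  = $IocPatterns -join '|'
$C2Address = '79.110.49.15'   # written defanged in the report as 79.110.49[.]15

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail, [string]$Evidence) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail; Evidence = $Evidence })
}

# 1. Defender exclusions. Adding one needs admin rights, so an exclusion the
#    user did not create is itself a finding; user-writable paths get flagged.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in @($pref.$kind)) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $flag = if ($entry -match $IocRegex -or $entry -match '\\Users\\|\\Temp\\|\\AppData\\') { 'SUSPICIOUS' } else { 'review' }
        Add-Finding "Defender $kind" $flag $entry
    }
}

# 2. Scheduled tasks whose action launches Java, a JAR, a script host or cmstp.exe
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $IocRegex) {
            $info = $task | Get-ScheduledTaskInfo
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) as $($task.Principal.UserId); last run $($info.LastRunTime)" $cmd
        }
    }
}

# 3. Startup folders and Run keys (world.vbs was planted as a startup script)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
$scriptExt = @('.vbs', '.js', '.jar', '.ps1', '.bat', '.cmd')
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $flag = if ($_.Name -match $IocRegex -or $_.Extension -in $scriptExt) { 'SUSPICIOUS' } else { 'review' }
        Add-Finding 'StartupFolder' $flag $_.FullName
    }
}
foreach ($hive in 'HKCU', 'HKLM') {
    $key   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $IocRegex } |
            ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name)" "$($_.Value)" }
    }
}

# 4. Live connections to the C2 address from the report, with the owning process
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'C2Connection' "$($_.State) from pid $($_.OwningProcess) ($($proc.ProcessName))" "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort)"
}

$Findings | Sort-Object Category, Detail | Format-Table -AutoSize -Wrap
```

The script is read-only by design: it collects evidence before anything is changed, so the task definitions, exclusion entries and process names survive for the investigation. Once a finding is confirmed, the matching cleanup is `Unregister-ScheduledTask -TaskName <name> -TaskPath <path>` for the task, `Remove-MpPreference -ExclusionPath <path>` (or `-ExclusionProcess`) for the exclusion, and deletion of the startup script, followed by the isolation and credential reset the article recommends. Run keys are included because a downloader that drops a startup script may just as easily write a Run value; the report does not say it does, so treat those rows as review items rather than confirmed indicators.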