
Trojan Gaming Tools Distribute Java-Based RAT Via Browser and Chat Forums

Ravie Lakshmanan, February 27, 2026. Endpoint Security / Windows Security

Threat actors are luring unsuspecting users with trojanized gaming tools distributed through browsers and chat platforms in order to deliver a remote access trojan (RAT).

“The malicious downloader created a portable Java runtime and executed a malicious Java application (JAR) file named jd-gui.jar,” the Microsoft Threat Intelligence team said in a post on X. “This attacker used PowerShell and living-off-the-land binaries (LOLBins) such as cmstp.exe to extract the malware.”

The attack chain is also designed to evade detection by deleting the initial payload and by configuring Microsoft Defender exclusions for the RAT components.

Persistence is achieved through a scheduled task and a Windows startup script called “world.vbs” before the final payload is installed on the compromised host. According to Microsoft, the malware is “multi-purpose malware” that acts as a loader, runner, downloader, and RAT.

When launched, it connects to an external server at “79.110.49[.]15” for command-and-control (C2) communication, allowing it to exfiltrate data and fetch additional payloads.

To mitigate the threat, users are advised to review Microsoft Defender exclusions and scheduled tasks, remove the malicious tasks and startup scripts, isolate affected endpoints, and reset the credentials of users active on the affected hosts.
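An added, read-only triage script (example code, not from the article or from Microsoft) that checks a Windows host for the four kinds of artifact the article describes; the indicator values are the ones the article names, the paths and cmdlets are standard Windows ones, and it only reports what it finds so an analyst can decide what to remove:

```powershell
# Added triage script (not from the article or Microsoft). Indicators below
# (world.vbs, jd-gui.jar, cmstp.exe, 79.110.49.15) come from the article.
# Run in an elevated PowerShell session on the suspect host.
$Indicators = @('world.vbs', 'jd-gui.jar')
$C2Address  = '79.110.49.15'
$Findings   = [System.Collections.Generic.List[string]]::new()

# 1. Microsoft Defender exclusions: the loader adds its own to hide the RAT
#    components, so every exclusion on the host deserves review.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in @($pref.$kind)) {
        if ($item) { $Findings.Add("Defender $kind exclusion: $item") }
    }
}

# 2. Scheduled tasks whose action references a named indicator or launches
#    cmstp.exe, the LOLBin the chain used to unpack the malware.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $hit = $Indicators | Where-Object { $cmd -like "*$_*" }
        if ($hit -or $cmd -match '(?i)cmstp\.exe') {
            $Findings.Add("Scheduled task '$($task.TaskName)' runs: $cmd")
        }
    }
}

# 3. Per-user and all-users Startup folders for the VBS starter script.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $Indicators -contains $_.Name -or $_.Extension -eq '.vbs' } |
        ForEach-Object { $Findings.Add("Startup script: $($_.FullName)") }
}

# 4. Live TCP connections to the C2 address named in the article.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Address } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("Connection to C2 $C2Address from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

if ($Findings.Count -eq 0) { 'No indicators from the article were found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

A hit on any line is a reason to isolate the endpoint and continue with the steps above; an empty report does not clear the host, since the loader deletes its initial payload and the RAT may be idle.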

The disclosure comes as BlackFog shared details of a new Windows RAT malware family called Steaelite that was first advertised on crime forums in November 2025 as a “leading Windows” RAT with “fully undetectable” (FUD) capabilities. It is compatible with both Windows 10 and 11.

Unlike other off-the-shelf RATs sold to criminal actors, Steaelite combines data theft and ransomware in a single web panel, with an Android ransomware module said to be in the works. The panel also includes builder options for keylogging, operator-to-victim chat, file search, USB spreading, wallpaper changing, UAC bypass, and clipper functionality.

Other notable features include removing competing malware, disabling Microsoft Defender, uninstalling patches, and setting up persistence.

As for its main capabilities, Steaelite RAT supports remote code execution, file management, live screen streaming, webcam and microphone access, process management, clipboard monitoring, password theft, enumeration of installed programs, location tracking, arbitrary file exfiltration, URL opening, DDoS attacks, and VB.NET payment integration.

“The tool gives operators browser-based control over infected Windows machines, including remote code execution, data theft, live monitoring, file extraction, and ransomware delivery from a single dashboard,” said security researcher Wendy McCague.

“A single threat actor can browse files, extract documents, harvest information, and execute ransomware from the same dashboard. This allows for double the fraud from a single tool.”

In recent weeks, threat hunters have discovered two new RAT families, tracked as DesckVB RAT and KazakRAT, that enable extensive remote control over infected hosts and selective post-compromise exploitation. According to Ctrl Alt Intel, KazakRAT is suspected to be the work of a government-affiliated group targeting Kazakh and Afghan organizations in a campaign that has been ongoing since at least August 2022.
