Threat actors are distributing trojanized gaming utilities via browsers and chat platforms to deliver a multi-purpose remote access trojan that stages a portable Java runtime and runs a malicious jd-gui.jar using PowerShell and LOLBins like cmstp.exe. The attacks delete initial downloaders, configure Microsoft Defender exclusions, establish persistence via a scheduled task and a world.vbs startup script, and connect to C2 at 79.110.49[.]15 to exfiltrate data and deploy additional payloads. #Steaelite #KazakRAT
Key points
- Trojanized gaming utilities spread through browsers and chat platforms to trick users into running malware.
- A malicious downloader stages a portable Java runtime and executes jd-gui.jar using PowerShell and LOLBins like cmstp.exe.
- Operators evade detection by deleting downloaders, setting Microsoft Defender exclusions, and creating persistence with scheduled tasks and world.vbs.
- Steaelite and other RAT families consolidate data theft and ransomware capabilities into a browser-based control panel for full remote control.
- Defensive steps include auditing Defender exclusions and scheduled tasks, removing malicious startup scripts, isolating endpoints, and resetting credentials.
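A triage script for the defensive steps in the last bullet, added here as an example and not taken from the article or from any vendor tooling; it assumes an elevated PowerShell 5.1 or later session on Windows 10/Server 2016 or newer, and the indicator regex, folder choices and output format are my own assumptions.

```powershell
# Added triage script (not from the article): checks a host for the
# evasion and persistence artifacts the summary describes. Indicator
# strings (world.vbs, jd-gui.jar, cmstp.exe, 79.110.49[.]15) come from the
# summary; the regex, folders and output layout are assumptions.
$Findings   = [System.Collections.Generic.List[string]]::new()
$Indicators = 'world\.vbs|jd-gui\.jar|cmstp\.exe|java\.exe|javaw\.exe|powershell'
$C2         = '79.110.49.15'   # written defanged in the article

# 1. Microsoft Defender exclusions. On a workstation any entry deserves a
#    look; the actor adds them to hide the staged Java runtime.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in $pref.$kind) {
        $Findings.Add("Defender $kind exclusion: $entry")
    }
}

# 2. Scheduled tasks outside the Microsoft folders whose action launches
#    PowerShell, cmstp.exe, a Java binary or the RAT jar.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($action in $_.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $Indicators) {
                $Findings.Add("Scheduled task $($_.TaskPath)$($_.TaskName): $cmd")
            }
        }
    }

# 3. Startup scripts: world.vbs (or any .vbs) in the per-user and all-users
#    Startup folders.
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $dir -Filter '*.vbs' -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("Startup script: $($_.FullName)") }
}

# 4. Live TCP connections to the reported C2 address, with the owning PID
#    so the process can be isolated before credentials are reset.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2 } |
    ForEach-Object {
        $Findings.Add("C2 connection from PID $($_.OwningProcess) -> ${C2}:$($_.RemotePort)")
    }

if ($Findings.Count -eq 0) { 'No indicators found.' } else { $Findings }
```

Each finding is a plain string so the output can be piped to a file or a SIEM forwarder; review Defender exclusions manually, since legitimate software also creates them.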
Read More: https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html