Microsoft Defender researchers uncovered a campaign that tricks users into running trojanized gaming utilities (Xeno.exe and RobloxPlayerBeta.exe), distributed through browsers and chat platforms, that ultimately deploy a remote access trojan (RAT). The malicious downloader drops a portable Java runtime to execute a malicious JAR, uses PowerShell and LOLBins such as cmstp.exe to evade detection, establishes persistence, and then connects the RAT to the C2 server 79.110.49[.]15 for data theft and delivery of further payloads.
Key points
- Threat actors lure users with trojanized gaming utilities named Xeno.exe and RobloxPlayerBeta.exe distributed via browsers and chat platforms.
- A malicious downloader deploys a portable Java runtime to execute a harmful JAR file.
- The campaign uses PowerShell and LOLBins like cmstp.exe for stealth, then self-deletes and adds Microsoft Defender exclusions.
- Persistence is established via a scheduled task and a startup script before installing a multi-purpose loader/downloader/runner and RAT.
- The RAT connects to C2 at 79.110.49[.]15, enabling data theft and additional payload deployment; Microsoft published IoCs for the campaign.