Full Report
Credential and cryptocurrency theft, live surveillance, ransomware - an attacker's Swiss Army knife

A new remote access trojan (RAT) being sold on cybercrime networks enables double extortion attacks on Windows machines by bundling ransomware and data theft, along with credential and cryptocurrency stealers, live surveillance, and a whole host of other illicit capabilities, all controllable from a centralized dashboard.…
Analysis Summary
# Tool/Technique: Steaelite RAT
## Overview
Steaelite is a new Remote Access Trojan (RAT) marketed on cybercrime networks. It functions as an attacker's "Swiss Army knife," bundling capabilities for double extortion, including data theft, ransomware deployment, credential harvesting, cryptocurrency theft, and live surveillance, all managed via a centralized, browser-based dashboard.
## Technical Details
- Type: Malware (Remote Access Trojan - RAT)
- Platform: Windows 10 and 11 (Android module reportedly in development)
- Capabilities: Double extortion (data theft + ransomware), credential stealing, cryptocurrency clipping, live surveillance (webcam/mic), centralized C2 dashboard.
- First Seen: November 2025 (Reported by BlackFog researchers)
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on the capabilities described.*
- **TA0001 - Initial Access** (potential, if the RAT is used for the initial compromise)
- **TA0005 - Defense Evasion**
  - T1562 - Impair Defenses
    - T1562.001 - Disable or Modify Tools (disabling Windows Defender)
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores
  - T1003 - OS Credential Dumping (implied by the password-recovery modules)
- **TA0007 - Discovery**
  - T1082 - System Information Discovery (installed-program enumeration)
- **TA0008 - Lateral Movement**
  - T1575 - USB Spreading
- **TA0009 - Collection**
  - T1113 - Screen Capture (implied by live streaming/surveillance)
  - T1056.001 - Input Capture: Keylogging
  - T1115 - Clipboard Data (clipper functionality)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (implied by the data harvesting)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (browser-based dashboard access)
- **TA0012 - Execution**
  - T1059 - Command and Scripting Interpreter (remote code execution, VB.NET payload compilation)
- **TA0014 - Impact**
  - T1486 - Data Encrypted for Impact (ransomware deployment)
## Functionality
### Core Capabilities
* **Double Extortion:** Integrates both data exfiltration and ransomware capabilities into a single tool.
* **Automated Data Theft:** Harvests browser-stored passwords, session cookies, and application tokens as soon as a victim connects, before the operator issues any command.
* **Remote Control & Management:** Centralized, browser-based dashboard for managing infected hosts.
* **Credential Harvesting:** Password recovery modules.
* **Surveillance:** Live webcam and microphone access, location tracking.
* **System Management:** Process management, file management, URL opening, installed program enumeration.
### Advanced Features
* **Ransomware Deployment:** Capability for locking user files and initiating cryptocurrency extortion.
* **Cryptocurrency Clipping:** Monitors the clipboard for cryptocurrency wallet addresses and silently replaces them with an attacker-controlled address at paste time, so funds are diverted without the victim noticing.
* **Defense Evasion:** Ability to disable Windows Defender and manage exclusion lists.
* **Persistence Mechanisms:** Installation of persistence modules.
* **Malware Removal:** A "bot-killing feature" designed to remove competing malware from the victim's system.
* **Lateral Movement:** Support for USB spreading.
* **Evasion:** UAC Bypass capability included.
* **Networking:** Can launch DDoS attacks from infected hosts.
* **Payload Compilation:** On-the-fly VB.NET payload compilation.
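The clipper behaviour described above (a wallet address the user copied is silently replaced by a different one) is what a clipboard monitor has to separate from ordinary user copies. The following is an added example, not code from the report or from the RAT; the address patterns are shape-only (no checksum validation), the clipboard timeline is constructed, and the user-copy/poll event model is an assumption about how a monitor would be fed.

```python
import re
from dataclasses import dataclass

# Shape-only patterns for common wallet-address families (no checksum check).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
def address_type(text):
    """Return the address family a clipboard string resembles, else None."""
    s = text.strip()
    return next((n for n, p in ADDRESS_PATTERNS.items() if p.match(s)), None)
@dataclass
class ClipEvent:
    ts: float      # seconds since the monitor started
    source: str    # "user_copy" (Ctrl+C / context menu) or "poll" (snapshot)
    content: str

def detect_clipper(events):
    """Alert when a polled clipboard value is an address of the same family as
    the last user-copied one but differs from it: a swap with no user action."""
    alerts, last_user = [], None
    for ev in events:
        kind, value = address_type(ev.content), ev.content.strip()
        if ev.source == "user_copy":
            last_user = (kind, value)      # the user sets a new baseline
            continue
        if last_user is None or kind is None or kind != last_user[0]:
            continue
        if value != last_user[1]:
            alerts.append({"ts": ev.ts, "family": kind,
                           "expected": last_user[1], "observed": value})
            last_user = None               # report once per user copy
    return alerts

# Constructed timeline: the user copies a bech32 address; a later snapshot
# holds a different bech32 address the user never copied.
USER_BTC, SWAPPED_BTC = "bc1q" + "k" * 38, "bc1q" + "m" * 38
USER_ETH = "0x" + "a" * 40
SAMPLE_EVENTS = [
    ClipEvent(0.0, "user_copy", USER_BTC),
    ClipEvent(0.5, "poll", USER_BTC),         # unchanged: benign
    ClipEvent(1.0, "poll", SWAPPED_BTC),      # swapped: clipper behaviour
    ClipEvent(5.0, "user_copy", "meeting notes"),
    ClipEvent(5.5, "poll", USER_ETH),         # baseline is not an address: no alert
    ClipEvent(8.0, "user_copy", USER_ETH),
    ClipEvent(8.5, "poll", USER_ETH),         # unchanged: benign
]
```

On a real host the `user_copy` events would come from input hooks or the clipboard owner process, and a production rule would also want to know which process last wrote the clipboard.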
## Indicators of Compromise
*Note: Specific IOCs were not detailed in the article, only general behavioral characteristics.*
- File Hashes: [Not Available in source text]
- File Names: [Not Available in source text]
- Registry Keys: [Not Available in source text]
- Network Indicators: [Not Available in source text]
- Behavioral Indicators: Automated browser data exfiltration upon connection; manipulation of clipboard data targeting cryptocurrency addresses; disabling of Windows Defender; installation of persistence mechanisms.
## Associated Threat Actors
* Threat actors actively purchasing and utilizing this commercial tool sold on cybercrime forums and shared via promotional videos. (No specific named groups provided in the text).
## Detection Methods
* **Signature-based detection:** No hashes or binaries are given in the source, so no signatures can be derived from this report.
* **Behavioral detection:** Monitoring for immediate and automated exfiltration of session cookies/passwords post-connection; detection of clipboard monitoring/replacement related to crypto transactions; unauthorized disabling of Windows Defender or creation of persistence mechanisms.
* **YARA rules:** [Not Available in source text]
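The "unauthorized disabling of Windows Defender" behaviour listed above is visible in the Microsoft-Windows-Windows Defender/Operational log: event 5001 records real-time protection being turned off and event 5007 records configuration changes, including new exclusion entries. The triage routine below is an added example, not from the report; the pipe-delimited record format and the log lines are constructed, and the 5007 message wording only approximates the real event text.

```python
import re

# Event IDs in the Microsoft-Windows-Windows Defender/Operational log.
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
RTP_DISABLED = 5001      # real-time protection turned off
CONFIG_CHANGED = 5007    # configuration changed (exclusions appear here)
# A newly added exclusion surfaces in the 5007 message as a "New value:" registry
# path under ...\Windows Defender\Exclusions\{Paths,Processes,Extensions}\<item>.
# Removals list the path under "Old value:" and are deliberately not flagged.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?)\s*=", re.IGNORECASE)

def parse_line(line):
    """Split a 'timestamp|channel|event_id|message' record (constructed format)."""
    ts, channel, event_id, message = line.split("|", 3)
    return {"ts": ts, "channel": channel, "id": int(event_id), "msg": message}

def triage_defender_events(lines):
    """Return (alert_type, timestamp, detail) tuples for tamper-like events."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["channel"] != DEFENDER_CHANNEL:
            continue
        if ev["id"] == RTP_DISABLED:
            alerts.append(("rtp_disabled", ev["ts"], None))
        elif ev["id"] == CONFIG_CHANGED:
            m = EXCLUSION_RE.search(ev["msg"])
            if m:
                alerts.append(("exclusion_added", ev["ts"], f"{m.group(1)}:{m.group(2)}"))
    return alerts

# Constructed sample records; an exclusion is added and real-time protection
# is switched off one second later, which is the sequence worth paging on.
SAMPLE_LOG = [
    "2025-11-03T10:00:01|" + DEFENDER_CHANNEL + "|1150|Endpoint Protection client is up and running in a healthy state.",
    "2025-11-03T10:04:12|" + DEFENDER_CHANNEL + "|5007|Microsoft Defender Antivirus configuration has changed. Old value:  New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\svc = 0x0",
    "2025-11-03T10:04:13|" + DEFENDER_CHANNEL + "|5001|Microsoft Defender Antivirus real-time protection is disabled.",
    "2025-11-03T10:05:00|Security|4624|An account was successfully logged on.",
]
```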
## Mitigation Strategies
* **Prevention measures:** Strict outbound network filtering; use multi-factor authentication (MFA) across all services; rigorous endpoint security solutions capable of detecting multi-stage attacks.
* **Hardening recommendations:** Implement robust host-based intrusion prevention systems; restrict unsigned code execution; monitor clipboard object access; disable or strictly control UAC features where applicable.
## Related Tools/Techniques
* Commercial Remote Access Trojans (RATs).
* Ransomware payloads coordinated with separate data stealer modules (Steaelite streamlines this into one package).
* Tools facilitating double extortion tactics requiring coordination between initial access brokers and ransomware affiliates.