Full Report
Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to distribute a remote access trojan (RAT). "A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar," the Microsoft Threat Intelligence team said in a post on X. "This downloader used PowerShell
Analysis Summary
# Tool/Technique: Java-Based RAT Spread via Trojanized Gaming Utilities
## Overview
Threat actors are distributing a Remote Access Trojan (RAT) by luring users to run trojanized gaming utilities obtained through browsers and chat platforms. The initial stage involves a malicious downloader executing a staged portable Java Runtime Environment (JRE) and a malicious Java Archive (JAR) file named `jd-gui.jar`.
## Technical Details
- Type: Malware (Remote Access Trojan - RAT) and Multi-Purpose Malware (Loader/Downloader)
- Platform: Windows
- Capabilities: Remote command execution, file exfiltration, deployment of additional payloads, persistence mechanisms, defense evasion (deleting droppers, configuring Defender exclusions).
- First Seen: Not explicitly stated, but disclosed by Microsoft Threat Intelligence recently (as of Feb 27, 2026).
## MITRE ATT&CK Mapping
Based on the described behavior:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Implied by distribution via chat/browser leading to execution)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell
- **TA0005 - Defense Evasion**
  - T1485 - Data Destruction (Deleting initial downloader)
  - T1562.001 - Impair Defenses: Disable or Modify Tools (Configuring Defender exclusions)
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Using Windows startup script)
  - T1053.005 - Scheduled Task/Job
## Functionality
### Core Capabilities
- Acts as a multi-purpose loader, runner, downloader, and RAT.
- Establishes Command and Control (C2) communication to an external server.
- Exfiltrates data from the compromised host.
- Deploys additional payloads post-compromise.
### Advanced Features
- **Staging:** Stages a portable Java Runtime Environment to execute the malicious JAR (`jd-gui.jar`).
- **Stealthy Execution:** Utilizes PowerShell and Living-Off-The-Land Binaries (LOLBins) like `cmstp.exe`.
- **Defense Evasion:** Automatically deletes the initial downloader stages and specifically configures exceptions/exclusions within Microsoft Defender for the RAT components.
- **Persistence:** Achieves persistence via a scheduled task and a Windows startup script named "world.vbs".
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names:
  - `jd-gui.jar` (Malicious Java archive)
  - `world.vbs` (Persistence script)
- Registry Keys: Not explicitly detailed, but the persistence mechanisms imply registry modifications (e.g., Run keys).
- Network Indicators:
  - C2 Server: `79.110.49[.]15`
- Behavioral Indicators:
  - Execution of JAR files triggered by a downloader staged with a portable JRE.
  - Use of `cmstp.exe` for execution.
  - Creation of scheduled tasks for persistence.
  - Modification of Microsoft Defender exclusion settings.
## Associated Threat Actors
- Unknown threat actors using this specific multi-stage loader/RAT configuration.
- The article contrasts this threat with **Steaelite**, **DesckVB RAT**, and **KazakRAT**, but does not directly link the Java RAT to those specific groups.
## Detection Methods
- Signature-based detection: Signatures for the dropped JAR file, VBS script, or C2 connection to the specific IP.
- Behavioral detection: Monitoring unusual execution chains involving portable JRE staging, PowerShell leveraging `cmstp.exe`, and the creation of scheduled tasks/startup items alongside Defender exclusion modifications.
- YARA rules: Not provided.
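The behavioral chain listed above can be checked mechanically. The following added example (my code, not Microsoft's or the article's) correlates constructed Sysmon-style process and network events per host and flags hosts that show several stages of the chain at once, so that a lone scheduled task or a packaged Java app from Program Files does not alert on its own; the event field names (`host`, `eid`, `image`, `parent`, `cmdline`, `dest_ip`), the sample paths and the user name are assumptions.

```python
import re
C2_IP = "79.110.49.15"  # C2 address named in the report (defanged there as 79.110.49[.]15)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def _ends(ev, key, name):  # case-insensitive "path ends with \name" check on one field
    return ev.get(key, "").lower().endswith("\\" + name)
def _cmd(ev, pattern):  # case-insensitive regex over the command line (absent field matches nothing)
    return re.search(pattern, ev.get("cmdline", ""), re.I) is not None

# One rule per stage of the chain described in the report; any single stage can be benign.
RULES = [
    ("portable_jre_jar", lambda e: _ends(e, "image", "java.exe") and _cmd(e, r"\s-jar\s")
                                   and "\\program files" not in e.get("image", "").lower()),
    ("powershell_cmstp", lambda e: _ends(e, "image", "cmstp.exe") and _ends(e, "parent", "powershell.exe")),
    ("defender_exclusion", lambda e: _cmd(e, r"(Add|Set)-MpPreference\b.*-Exclusion")),
    ("scheduled_task", lambda e: _ends(e, "image", "schtasks.exe") and _cmd(e, r"/create\b")),
    ("startup_script", lambda e: _cmd(e, r"world\.vbs|\\Start Menu\\Programs\\Startup\\")),
    ("c2_connection", lambda e: e.get("eid") == 3 and e.get("dest_ip") == C2_IP),
]

def correlate(events):
    """Return {host: sorted chain stages seen on that host}; hosts matching nothing are omitted."""
    seen = {}
    for ev in events:
        for stage, pred in RULES:
            if pred(ev):
                seen.setdefault(ev["host"], set()).add(stage)
    return {h: sorted(s) for h, s in seen.items()}

def flag_hosts(events, min_stages=2):
    """A C2 hit alone, or min_stages distinct stages on one host, is worth an alert."""
    return sorted(h for h, s in correlate(events).items()
                  if "c2_connection" in s or len(s) >= min_stages)

# Constructed sample events, loosely modelled on Sysmon EID 1 (process) and EID 3 (network).
TMP = r"C:\Users\bob\AppData\Local\Temp"
STARTUP = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"host": "ws01", "eid": 1, "parent": PS, "image": TMP + r"\jre\bin\java.exe",
     "cmdline": "java.exe -jar " + TMP + r"\jd-gui.jar"},
    {"host": "ws01", "eid": 1, "parent": PS, "image": r"C:\Windows\System32\cmstp.exe"},
    {"host": "ws01", "eid": 1, "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -Command Add-MpPreference -ExclusionPath " + TMP},
    {"host": "ws01", "eid": 1, "parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn Updater /tr "wscript.exe ' + STARTUP + r'\world.vbs"'},
    {"host": "ws01", "eid": 3, "image": TMP + r"\jre\bin\java.exe", "dest_ip": C2_IP},
    # Benign look-alikes: an installed Java app started from Explorer, and an admin's backup task.
    {"host": "ws02", "eid": 1, "image": r"C:\Program Files\Java\jre\bin\java.exe", "cmdline": r"java.exe -jar C:\Program Files\App\app.jar"},
    {"host": "ws03", "eid": 1, "image": r"C:\Windows\System32\schtasks.exe", "cmdline": r"schtasks.exe /create /tn Backup /tr C:\Tools\backup.exe"},
]
```

`correlate(SAMPLE_EVENTS)` reports all six stages on `ws01` and only `scheduled_task` on `ws03`, so `flag_hosts` returns just `ws01`.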
## Mitigation Strategies
- Audit existing Microsoft Defender exclusions for unauthorized additions.
- Analyze and remove malicious scheduled tasks and startup scripts (specifically looking for `world.vbs`).
- Isolate affected endpoints immediately upon detection.
- Reset credentials for users active on compromised hosts.
- Enhance user awareness regarding running unexpected utilities obtained via chat or browser prompts (especially gaming tools).
## Related Tools/Techniques
The functionality and multi-stage use of LOLBins and persistence mechanisms are common across many modern RATs, including those mentioned later in the text:
- Steaelite RAT
- DesckVB RAT
- KazakRAT
---
# Tool/Technique: Steaelite RAT
## Overview
Steaelite is a new Windows RAT family first advertised on criminal forums in November 2025. It markets itself as a "best Windows RAT" with fully undetectable (FUD) capabilities, compatible with Windows 10 and 11. It uniquely bundles data theft capabilities with ransomware deployment into a single web panel, often facilitating double extortion.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows 10, Windows 11
- Capabilities: Comprehensive remote control, data theft, ransomware deployment, defense evasion, persistence.
- First Seen: Advertised circa November 2025.
## MITRE ATT&CK Mapping
*Note: Mappings are based on claimed features.*
- **TA0007 - Credential Access**
  - T1003 - OS Credential Dumping (Implied by "password theft")
- **TA0009 - Collection**
  - T1005 - Data from Local System (File searching, exfiltration)
  - T1056.001 - Input Capture: Keylogging
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (Deploying additional payloads)
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools (Disabling Defender, configuring exclusions)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Remote code execution (RCE).
- File management operations.
- Live streaming (webcam/microphone access) and surveillance.
- Credential harvesting (password theft).
- Ransomware deployment capabilities bundled with the RAT operations.
### Advanced Features
- **Double Extortion:** Facilitates both data theft and ransomware deployment from a single dashboard.
- **Developer Tools Integration:** Features include clipboard/clipper functionality, UAC bypass, and client-to-victim chat.
- **Defense Manipulation:** Removes competing malware, disables Microsoft Defender, or configures its exclusions.
- **Lateral Movement:** Includes USB spreading functionality.
- **Future Expansion:** An Android ransomware module is planned.
## Indicators of Compromise
- File Hashes: Not provided.
- File Names: Not provided.
- Registry Keys: Not provided.
- Network Indicators: Not provided (C2 details are proprietary to the operator).
- Behavioral Indicators: Operation via a single browser-based control panel giving operators full access.
## Associated Threat Actors
- Criminal actors purchasing the tool on dark web forums.
## Detection Methods
- Behavioral detection: Look for system-wide changes matching the claimed capabilities, such as Defender being disabled, clipboard contents being replaced (clipper functionality), or unusual startup configurations that point back to a centralized dashboard.
- Signature-based detection: Signatures for the compiled Steaelite binaries.
## Mitigation Strategies
- Implement strong endpoint protection capable of detecting anti-AV/Defender manipulation.
- Restrict execution of unknown binaries across the environment.
- Regularly audit system configurations for unauthorized disabling of security features.
## Related Tools/Techniques
Steaelite contrasts with the Java-based RAT by offering integrated ransomware and advanced surveillance features, placing it in the category of comprehensive, multi-function commercial access tools often sold as FUD malware.
---
# Tool/Technique: DesckVB RAT and KazakRAT
## Overview
**DesckVB RAT** and **KazakRAT** are two newly discovered RAT families providing comprehensive remote control over infected hosts, allowing selective deployment of capabilities post-compromise.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (Implied)
- Capabilities: Comprehensive remote control, selective post-compromise deployment.
- First Seen: Recent discoveries (contemporaneous with the article date).
## MITRE ATT&CK Mapping
These are generalized RAT capabilities, likely involving Command and Control (T1071) and Remote Execution (T1059).
## Functionality
### Core Capabilities
- Comprehensive remote control over compromised hosts.
- Ability to deploy specific malicious capabilities selectively after initial compromise.
### Advanced Features
- **KazakRAT Specific:** Suspected use by a state-affiliated cluster targeting Kazakh and Afghan entities since at least August 2022.
## Indicators of Compromise
- File Hashes: Not provided.
- File Names:
  - DesckVB RAT repository noted on GitHub.
- Registry Keys: Not provided.
- Network Indicators: Not provided.
- Behavioral Indicators: Not provided in detail; the source focuses on the existence and targeting scope of KazakRAT.
## Associated Threat Actors
- **KazakRAT:** Suspected state-affiliated cluster targeting Kazakh and Afghan entities.
- **DesckVB RAT:** Actors unknown.
## Detection Methods
- Behavioral detection for unknown remote access patterns or unauthorized control mechanisms.
## Mitigation Strategies
- Defenders of Kazakh and Afghan organizations should track threat intelligence on state-sponsored activity against infrastructure in those countries.
## Related Tools/Techniques
These represent modern sophisticated RATs similar in scope to Steaelite, focusing on persistent, comprehensive remote access.