Security News

Cybersecurity news aggregator

CRITICAL Attacks The Hacker News

Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms

Threat actors are distributing a Java-based remote access trojan (RAT) through trojanized gaming tools delivered via browsers and chat platforms. A malicious downloader stages a portable Java runtime and runs the RAT as a JAR, using PowerShell and LOLBins such as cmstp.exe for stealthy execution; it evades detection by deleting its own artifacts and adding Microsoft Defender exclusions for the RAT components, and it persists through a scheduled task and a startup script. Recommended response: audit Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, isolate affected endpoints, and reset credentials for users active on compromised hosts.

By Ravie Lakshmanan, Feb 27, 2026. Endpoint Security / Windows Security

Threat actors are luring unsuspecting users into running trojanized gaming utilities, distributed via browsers and chat platforms, in order to deploy a remote access trojan (RAT). "A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar," the Microsoft Threat Intelligence team said in a post on X. "This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution."

The attack chain is also designed to evade detection by deleting the initial downloader and by configuring Microsoft Defender exclusions for the RAT components. Persistence is achieved through a scheduled task and a Windows startup script named "world.vbs" before the final payload is deployed on the compromised host.

The malware, per Microsoft, is a "multi-purpose malware" that acts as a loader, runner, downloader, and RAT. Once launched, it connects to an external server at "79.110.49[.]15" for command-and-control (C2) communications, allowing it to exfiltrate data and deploy additional payloads.

To defend against the threat, users are advised to audit Microsoft Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, isolate affected endpoints, and reset credentials for users who were active on compromised hosts.

The disclosure coincides with a BlackFog report on a new Windows RAT family called Steaelite, first advertised on criminal forums in November 2025 as the "best Windows RAT" with "fully undetectable" (FUD) capabilities. It is compatible with both Windows 10 and 11. Unlike other off-the-shelf RATs sold to criminal actors, Steaelite bundles data theft and ransomware into one web panel, with an Android ransomware module on the way.

The panel also incorporates various developer tools to facilitate keylogging, client-to-victim chat, file searching, USB spreading, wallpaper modification, UAC bypass, and clipper functionality. Other notable features include removing competing malware, disabling Microsoft Defender or configuring exclusions, and installing persistence methods. As for its main capabilities, Steaelite RAT supports remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password theft, installed program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation.

"The tool gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard," security researcher Wendy McCague said. "A single threat actor can browse files, exfiltrate documents, harvest credentials, and deploy ransomware from the same dashboard. This enables complete double extortion from one tool."

In recent weeks, threat hunters have also discovered two new RAT families, tracked as DesckVB RAT and KazakRAT, that enable comprehensive remote control over infected hosts and can selectively deploy capabilities post-compromise. According to Ctrl Alt Intel, KazakRAT is suspected to be the work of a state-affiliated cluster targeting Kazakh and Afghan entities as part of a persistent campaign ongoing since at least August 2022.
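The response steps Microsoft recommends for the Java RAT campaign above (audit Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, isolate the host, reset credentials) can be turned into a repeatable host-triage script. The PowerShell below is an added example written for this page; it is not code from the article, from Microsoft, or from any vendor. The only indicators it uses are the ones the article names (jd-gui.jar, world.vbs, cmstp.exe and the C2 address 79.110.49.15); the pattern lists, the severity split, the registry and folder locations it checks, and the -Remediate switch are all assumptions for illustration. Generic Java and script-host launchers are deliberately rated review-only, since legitimate software uses them too.

```powershell
<#
  Added triage example for the Microsoft guidance above (not code from the article
  or from Microsoft). Indicator names come from the article; everything else is an
  assumption for illustration. Run from an elevated PowerShell session on the
  suspect host. Read-only unless -Remediate is given.
#>
[CmdletBinding()]
param([switch]$Remediate)

# Strong indicators named in the article: the JAR, the startup script, the C2 host.
$StrongPatterns = @('jd-gui\.jar', 'world\.vbs')
$C2Addresses    = @('79.110.49.15')
# Weak indicators: launchers the chain abuses but which legitimate software also uses.
$WeakPatterns   = @('javaw?\.exe', '\.jar\b', 'wscript', 'cscript', 'cmstp\.exe')

$Findings = New-Object 'System.Collections.Generic.List[object]'

function Get-Severity([string]$Text) {
    foreach ($p in $StrongPatterns) { if ($Text -match $p) { return 'SUSPECT' } }
    foreach ($p in $WeakPatterns)   { if ($Text -match $p) { return 'review'  } }
    return $null
}

function Add-Finding([string]$Category, [string]$Severity, [string]$Detail, $Object) {
    $Findings.Add([pscustomobject]@{
        Category = $Category; Severity = $Severity; Detail = $Detail; Object = $Object
    })
}

# 1. Defender exclusions. Every exclusion deserves a look; those matching the RAT's
#    components are marked SUSPECT, anything else is listed for review.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in @($pref.$kind)) {
        if (-not $entry) { continue }
        $sev = Get-Severity $entry
        if (-not $sev) { $sev = 'review' }
        Add-Finding "Defender/$kind" $sev $entry $entry
    }
}

# 2. Scheduled tasks whose action launches a Java runtime, a JAR, a script host or cmstp.exe.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $sev = Get-Severity $cmd
        if ($sev) { Add-Finding 'ScheduledTask' $sev "$($task.TaskPath)$($task.TaskName) -> $cmd" $task }
    }
}

# 3. Startup folders and Run keys, where a startup script such as world.vbs would live.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($dir in $startupDirs) {
    foreach ($file in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $sev = Get-Severity $file.Name
        if ($sev) { Add-Finding 'StartupFolder' $sev $file.FullName $file }
    }
}
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
        $sev = Get-Severity ([string]$prop.Value)
        if ($sev) { Add-Finding 'RunKey' $sev "$key\$($prop.Name) = $($prop.Value)" $prop.Name }
    }
}

# 4. Live TCP connections to the C2 address the article reports.
foreach ($conn in (Get-NetTCPConnection -ErrorAction SilentlyContinue |
                   Where-Object { $C2Addresses -contains $_.RemoteAddress })) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'C2Connection' 'SUSPECT' `
        "$($conn.RemoteAddress):$($conn.RemotePort) from PID $($conn.OwningProcess) ($($proc.ProcessName))" $conn
}

$Findings | Sort-Object Severity -Descending | Format-Table Severity, Category, Detail -AutoSize

# Remediation touches only SUSPECT entries. Isolating the host and resetting the
# credentials of users who were logged on are deliberately left to the responder.
if ($Remediate) {
    foreach ($f in ($Findings | Where-Object Severity -eq 'SUSPECT')) {
        switch ($f.Category) {
            'ScheduledTask'               { Unregister-ScheduledTask -TaskName $f.Object.TaskName -TaskPath $f.Object.TaskPath -Confirm:$false }
            'Defender/ExclusionPath'      { Remove-MpPreference -ExclusionPath      $f.Object }
            'Defender/ExclusionProcess'   { Remove-MpPreference -ExclusionProcess   $f.Object }
            'Defender/ExclusionExtension' { Remove-MpPreference -ExclusionExtension $f.Object }
            'StartupFolder'               { Remove-Item -LiteralPath $f.Object.FullName -Force }
            'C2Connection'                { Stop-Process -Id $f.Object.OwningProcess -Force -ErrorAction SilentlyContinue }
        }
    }
}
```

Without -Remediate the script only prints a table of findings, which is what you want on the first pass: the "review" rows are where legitimate Java tooling and admin exclusions will show up, and an operator should confirm each before anything is deleted. Capture the table (and a copy of any flagged task XML via Export-ScheduledTask) before remediating, because the article notes the downloader already deletes its own artifacts, so the task and the exclusions may be the only forensic trace left on the host.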