In recent days, a tactic that cybercriminals know well has been highlighted again: exploiting users' interest in video game utilities and mods to trick them into running malicious code. According to Microsoft research, criminal groups are distributing tampered, or "trojanized", versions of game tools through browsers and messaging platforms; these downloads act as a gateway for a remote access trojan (RAT) that turns the infected computer into a remotely controlled machine.
The campaign's attack chain is distinctive for its use of legitimate system tools to hide malicious execution. The attackers stage a portable Java environment and drop a malicious JAR file (identified as jd-gui.jar), relying on PowerShell and system binaries known as LOLBins (living-off-the-land binaries), for example cmstp.exe, to run the code without raising suspicion. Microsoft published a thread on X explaining this attack chain and how the operators cover their tracks by deleting the initial download and, in addition, creating Microsoft Defender exclusions for the RAT components: measures designed to hinder detection and remediation. The Microsoft notice is available on X here: https://x.com/MsftSecIntel/status/2027070355487997998.

Persistence on compromised machines is achieved by creating a scheduled task and a Windows startup script named "world.vbs", which ensure that the malware survives reboots and is re-executed. Once active, the malware communicates with a command-and-control (C2) server at the address 79.110.49[.]15, from which data exfiltration, download of additional payloads and other remote actions can be ordered. Microsoft describes this family as "multi-purpose", meaning it is a loader, a downloader and a RAT at the same time, which highlights its ability to evolve and expand its impact on the infected machine.
In parallel with these intrusions, cybersecurity firms have identified and analysed new RAT families that bundle functionality that used to be sold separately. A recent example is Steaelite, identified by BlackFog. According to that analysis, Steaelite was advertised on illicit forums as the "best RAT for Windows" with FUD (fully undetectable) capabilities and support for Windows 10 and 11. What is striking is that this malware combines information theft and ransomware deployment functions in a single web panel, with an Android module in development; that is, it lets a single operator manage access, extract credentials and deploy the encryptor from the same interface. BlackFog researcher Wendy McCague sums up the problem in a worrying image: a single tool that facilitates double extortion by combining exfiltration and encryption from the same control panel.
Steaelite also includes utilities that make the attacker's job easier: keyloggers, operator-to-victim chat, file search, USB spreading, desktop wallpaper changes, UAC bypass and clipper functions to steal data copied to the clipboard. It is no coincidence that these suites also include mechanisms to disable or confuse defences (removal of competing malware, deactivation of Microsoft Defender or configuration of exclusions) and to establish persistence automatically.
In the same ecosystem, other RAT families such as DesckVB and KazakRAT have been observed, showing how operators modulate their capabilities and activate them selectively after intrusion. The DesckVB project is publicly available as a research repository on GitHub, while the analysis of KazakRAT, which suggests possible use by actors linked to targeted campaigns in Kazakhstan and Afghanistan, can be found in the Ctrl Alt Intel report.
Given this, the specific defensive recommendations are simple in concept but require discipline and the right tools. Microsoft advises auditing Defender exclusions and scheduled tasks, removing malicious startup tasks and scripts, isolating compromised endpoints and resetting the credentials of users who have worked on affected machines. In addition, it is appropriate to block and monitor communications to suspicious domains or IPs (such as the C2 IP cited above) and to review execution logs for unusual binaries in order to detect LOLBin abuse.
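The audit-and-contain steps above, applied to a single Windows endpoint, as an added example. This script is not Microsoft's code and is not part of the original notice; it only uses the indicators the article reports (the "world.vbs" startup script, the jd-gui.jar payload and the C2 address 79.110.49[.]15, refanged here so the firewall rule can use it). Everything it prints should be preserved as evidence before the opt-in remediation step is enabled.

```powershell
# Added triage/remediation example for the steps above. It is not Microsoft's code or
# the article's; it applies the article's indicators on one Windows endpoint.
# Assumed indicators (taken from the article): startup script "world.vbs",
# JAR "jd-gui.jar", C2 address 79.110.49.15. Run in an elevated PowerShell session.
# Set $Remediate = $true only after you have captured evidence from the host.

$Remediate   = $false
$C2Ip        = '79.110.49.15'
$Indicators  = @('world.vbs', 'jd-gui.jar')
$ScriptHosts = 'wscript|cscript|powershell|pwsh|java|cmstp|mshta'

# 1. Defender exclusions: anything listed here is invisible to the AV engine.
$pref = Get-MpPreference
$exclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
    Where-Object { $_ })
Write-Host "== Defender exclusions ($($exclusions.Count)) =="
$exclusions | ForEach-Object { Write-Host "  $_" }

# 2. Scheduled tasks whose action runs a script host or references a known indicator.
#    Indicator = $true marks a direct IOC match; script-host hits need manual review,
#    because many legitimate Windows tasks also launch powershell.exe.
$suspectTasks = @(Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $ioc = [bool]($Indicators | Where-Object { $cmd -like "*$_*" })
        if ($ioc -or ($cmd -match $ScriptHosts)) {
            [PSCustomObject]@{ TaskName = $task.TaskName; TaskPath = $task.TaskPath; Indicator = $ioc; Command = $cmd }
        }
    }
})
Write-Host "== Suspicious scheduled tasks =="
$suspectTasks | Format-Table -AutoSize

# 3. Startup folders and Run keys: look for world.vbs or other script-host entries.
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$startupFiles = @(Get-ChildItem -Path $startupDirs -ErrorAction SilentlyContinue)
Write-Host "== Startup folder entries =="
$startupFiles | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
Write-Host "== Run key entries launching script hosts =="
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match "\.vbs|$ScriptHosts" } |
            ForEach-Object { Write-Host "  $key\$($_.Name) = $($_.Value)" }
    }
}

# 4. Live connections to the reported C2 address, with the owning process.
Write-Host "== Connections to $C2Ip =="
Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

# 5. Containment: block outbound traffic to the C2 regardless of which process tries to reach it.
$ruleName = "Block RAT C2 $C2Ip"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
        -RemoteAddress $C2Ip -Action Block -Profile Any | Out-Null
    Write-Host "Outbound block rule for $C2Ip created."
}

# 6. Remediation (opt-in): drop the exclusions, unregister IOC-matching tasks, delete the startup script.
if ($Remediate) {
    foreach ($p in @($pref.ExclusionPath) | Where-Object { $_ })    { Remove-MpPreference -ExclusionPath $p }
    foreach ($p in @($pref.ExclusionProcess) | Where-Object { $_ }) { Remove-MpPreference -ExclusionProcess $p }
    foreach ($t in $suspectTasks | Where-Object { $_.Indicator }) {
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
    }
    $startupFiles | Where-Object { $_.Name -eq 'world.vbs' } | Remove-Item -Force
}
```

The firewall rule is created before any cleanup so that a task which re-launches the RAT during triage cannot reach the C2; the credential reset Microsoft recommends is done in the identity provider, not on the endpoint, and is deliberately not scripted here.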

Beyond reactive measures, there are preventive steps that reduce the likelihood of infection. Keeping software up to date, avoiding runtimes or portable tools that do not come from verified sources, checking the signatures and checksums of downloaded files and limiting local privileges all prevent a misleading download from turning into a persistent intrusion. Organisations should enable tamper protection and integrity protection in their antivirus solutions, deploy EDR capabilities that record suspicious behaviour (for example unusual use of cmstp.exe or PowerShell) and keep solid, tested offline backups to mitigate the impact of possible ransomware. To better understand the LOLBins phenomenon, see the LOLBAS project, which documents how legitimate binaries are used for malicious purposes: https://lolbas-project.github.io/.
Effective security against threats like these combines basic digital hygiene, application control policies, network monitoring and rapid response. Closing off the entry points (not opening executables downloaded from untrusted sources, configuring execution restrictions and reviewing antimalware exclusions) greatly reduces the risk. For practical guides and resilience measures against double extortion and ransomware threats, agencies such as CISA maintain resources and guides that can serve as a reference: https://www.cisa.gov/resources-tools.
If you use your machine for gaming or to experiment with community utilities, remember that convenience can have a cost: downloading and running unverified files is the most common way a RAT gets into your system. Verifying sources, being cautious with executables and having a sound security policy in your personal or corporate environment are the best defences to keep a gaming session from turning into unauthorised remote access.
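The "unusual use of cmstp.exe or PowerShell" that the preventive advice above asks EDR to surface can be expressed as a small detection over process-creation telemetry. The following is an added example, not Microsoft's detection logic and not code from the article: it encodes the chain the article describes (a LOLBin or script host spawning PowerShell or Java, Java started with a JAR from a user-writable path, PowerShell with hiding/encoding flags, and command lines that add Defender exclusions). The sample records are constructed for illustration; the live function reads Security event 4688, which only carries command lines when process creation auditing with command-line logging is enabled.

```powershell
# Added detection example (not from Microsoft or the article). Flags process-creation
# events matching the LOLBin-to-RAT pattern described above. The $sample records are
# constructed, not real telemetry; Get-Suspicious4688 reads the live Security log.

function Test-SuspiciousProcessCreation {
    param([Parameter(Mandatory)][string]$ParentName,
          [Parameter(Mandatory)][string]$ProcessName,
          [string]$CommandLine = '')
    $lolbinParents = @('cmstp.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')
    $payloadHosts  = @('powershell.exe', 'pwsh.exe', 'java.exe', 'javaw.exe', 'cmd.exe')
    $reasons = @()
    # Rule 1: a LOLBin or script host should almost never be the parent of a shell or a JVM.
    if ($lolbinParents -contains $ParentName.ToLower() -and $payloadHosts -contains $ProcessName.ToLower()) {
        $reasons += "LOLBin parent $ParentName spawned $ProcessName"
    }
    # Rule 2: Java launched with a JAR that lives in a user-writable location (portable JRE + dropped JAR).
    if ($ProcessName -match '^javaw?\.exe$' -and $CommandLine -match '-jar\s+"?(.+?\.jar)') {
        $jar = $Matches[1]
        if ($jar -match '\\(AppData|Temp|Downloads|Users\\Public)\\') {
            $reasons += "java launched JAR from user-writable path: $jar"
        }
    }
    # Rule 3: PowerShell invoked with hiding or encoding switches.
    if ($ProcessName -match '^(powershell|pwsh)\.exe$' -and
        $CommandLine -match '(-enc|-EncodedCommand|-w(indowstyle)?\s+hidden|-nop|bypass)') {
        $reasons += "PowerShell with evasion flags: $CommandLine"
    }
    # Rule 4: Defender tampering (exclusions or disabling features) from any command line.
    if ($CommandLine -match 'Add-MpPreference|ExclusionPath|Set-MpPreference.*Disable') {
        $reasons += "Defender tampering in command line"
    }
    return $reasons
}

# Constructed sample records shaped like the 4688 fields used below. "SQBFAFgA" is the
# UTF-16LE base64 of "IEX", included to show what rule 3 matches.
$sample = @(
    @{ Parent = 'explorer.exe';   Process = 'java.exe';       Cmd = '"C:\Program Files\Java\bin\java.exe" -jar "C:\Tools\ide.jar"' },
    @{ Parent = 'cmstp.exe';      Process = 'powershell.exe'; Cmd = 'powershell.exe -nop -w hidden -enc SQBFAFgA' },
    @{ Parent = 'powershell.exe'; Process = 'java.exe';       Cmd = 'C:\Users\gamer\AppData\Local\Temp\jre\bin\java.exe -jar C:\Users\gamer\AppData\Local\Temp\jd-gui.jar' },
    @{ Parent = 'powershell.exe'; Process = 'powershell.exe'; Cmd = 'powershell Add-MpPreference -ExclusionPath C:\Users\gamer\AppData' }
)
foreach ($r in $sample) {
    $hits = Test-SuspiciousProcessCreation -ParentName $r.Parent -ProcessName $r.Process -CommandLine $r.Cmd
    if ($hits) { Write-Host "ALERT [$($r.Parent) -> $($r.Process)]: $($hits -join '; ')" }
    else       { Write-Host "ok    [$($r.Parent) -> $($r.Process)]" }
}

# Live variant over Security event 4688 (requires Audit Process Creation plus
# "Include command line in process creation events"). Fields are read by name from the event XML.
function Get-Suspicious4688 {
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $field = { param($n) ($data | Where-Object Name -eq $n).'#text' }
            $new = & $field 'NewProcessName'
            $par = & $field 'ParentProcessName'
            $cmd = & $field 'CommandLine'
            $hits = Test-SuspiciousProcessCreation -ParentName (Split-Path $par -Leaf) `
                        -ProcessName (Split-Path $new -Leaf) -CommandLine "$cmd"
            if ($hits) {
                [PSCustomObject]@{ Time = $_.TimeCreated; Parent = $par; Process = $new; Reasons = ($hits -join '; ') }
            }
        }
}
```

Against the constructed records the first one (a JAR run from C:\Tools by Explorer) produces no alert, while the other three trigger rules 1 and 3, rule 2, and rule 4 respectively. The same rules map directly onto Sysmon Event ID 1 (ParentImage, Image, CommandLine) if that telemetry is available instead of 4688.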