Hackers are tricking gamers into downloading infected utilities through chat apps and browsers to secretly install a remote access trojan on their systems. This sophisticated campaign uses legitimate Windows tools and PowerShell scripts to bypass security software and maintain persistent access to compromised devices.
Microsoft security researchers recently identified a campaign where users are lured into running fake gaming files like Xeno.exe or RobloxPlayerBeta.exe. These malicious files are spread across various digital platforms and chat services to bait unsuspecting players into initiating the infection. Once a user runs the file, it triggers a chain of events designed to compromise the system while staying hidden from traditional antivirus software.
The attack process begins with a downloader that brings in a portable Java runtime environment to execute a harmful JAR file. To remain undetected, the malware employs Living-off-the-Land Binaries such as cmstp.exe and relies heavily on PowerShell commands. The initial downloader is programmed to delete itself immediately after execution to leave behind as little forensic evidence as possible for security analysts to find.
To ensure long-term access, the malware automatically configures Microsoft Defender exclusions so it can operate without being blocked. It establishes persistence on the infected computer by creating scheduled tasks and custom startup scripts that run every time the machine boots up. This ensures that even if the user restarts their computer, the hackers maintain their foothold in the background.
The final stage of the attack involves the deployment of a versatile malware payload that functions as a loader, runner, and remote access trojan. This tool connects back to a specific command and control server at the IP address 79.110.49.15. Through this connection, the attackers gain the ability to steal sensitive personal data, monitor user activity, and remotely install additional malicious software onto the victim's machine.
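A triage script for the artefacts described above (Defender exclusions, scheduled tasks and startup entries that launch PowerShell, cmstp.exe or a portable Java runtime, and live connections to the reported C2 address). It is an added example, not code from Microsoft's report or from the article; the list of interpreter/LOLBin names and the user-writable path patterns are assumptions chosen for this illustration.

```powershell
# Added hunting script (not from the Microsoft report). Run in an elevated
# PowerShell session on the host being triaged. The binary list and the
# user-writable path patterns are assumptions for this example.
$SuspectBinaries = 'powershell.exe', 'pwsh.exe', 'cmstp.exe', 'java.exe', 'javaw.exe'
$UserWritable    = '\\AppData\\', '\\Temp\\', '\\Users\\Public\\', '\\ProgramData\\'
$KnownC2         = '79.110.49.15'   # C2 address quoted in the article

# 1. Defender exclusions: the malware adds these so its files are never scanned.
$mp = Get-MpPreference
"== Defender exclusions =="
@($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension) |
    Where-Object { $_ } | ForEach-Object { "  $_" }

# 2. Scheduled tasks whose action runs an interpreter/LOLBin or anything from a user-writable path.
"== Suspicious scheduled tasks =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        $exe = [IO.Path]::GetFileName(("$($a.Execute)" -replace '"', '')).ToLower()
        if (($SuspectBinaries -contains $exe) -or ($UserWritable | Where-Object { $cmd -match $_ })) {
            "  [$($task.TaskPath)$($task.TaskName)] $cmd"
        }
    }
}

# 3. Startup folders and Run keys: the "custom startup scripts" from the report.
"== Startup folder entries =="
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "  $($_.FullName)" }
}
"== Run keys =="
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "  $key\$($_.Name) = $($_.Value)" }
    }
}

# 4. Live TCP connections to the reported C2 address, with the owning process ID.
"== Connections to known C2 =="
Get-NetTCPConnection -RemoteAddress $KnownC2 -ErrorAction SilentlyContinue |
    ForEach-Object { "  PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))" }
```

Any Defender exclusion or scheduled task the administrator did not create deliberately is worth investigating; a hit in section 4 should be treated as an active compromise and escalated.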
Source: Microsoft Warns of RAT Delivered Through Trojanized Gaming Utilities Targeting Users