
Trojanized gaming utility RAT delivery campaign via browsers and chat platforms

Type: Campaign
First reported: (not given)
Last updated: (not given)
Happening score: 39
1 unique source, 1 article

Summary


Threat actors are running a trojanized gaming utility delivery campaign through browsers and chat platforms, putting unsuspecting users at risk of RAT infection and follow-on remote control. The initial payload uses a malicious downloader to stage a portable Java runtime and launch jd-gui.jar. The chain relies on PowerShell, cmstp.exe, scheduled tasks, and world.vbs to stay stealthy and persistent. Once deployed, the RAT connects to 79.110.49[.]15 for C2, enabling data exfiltration and additional payload delivery.

Related Happenings

Deed RAT and TernDoor multi-wave deployment

Malware Activity
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **multi-wave malware deployment** delivered **Deed RAT (Snappybee)** and **TernDoor** into an **Azerbaijani oil and gas company** across **three waves**, creating repeated footh...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Plain-crypto-js remote-access Trojan delivery

Malware Activity
First: 31.03.2026 23:55 Last: 31.03.2026 23:55 Sources 1

About this happening: The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...

Latest development: 04.04.2026 23:30

Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.

Contagious Interview malicious npm package payload activity

Malware Activity
First: 02.03.2026 10:44 Last: 02.03.2026 10:44 Sources 1

About this happening: The **Contagious Interview** operation has added **26 malicious npm packages**, expanding a cross-platform supply-chain path that can hide **C2 resolution**, steal credentials, an...

Steaelite Windows RAT with FUD and multi-function capabilities

Malware Activity
First: 27.02.2026 12:06 Last: 27.02.2026 12:06 Sources 1

How related: The disclosure coincides with BlackFog's report on a new Windows RAT family called Steaelite, first advertised on criminal forums in November 2025 as the "best Windows RAT" with "fully undetectable" (FUD) capabilities.

About this happening: The **Steaelite** Windows RAT is being marketed as a **fully undetectable** tool for **Windows 10 and 11**, giving operators browser-based control over infected machines and enabl...

Timeline

  1. 27.02.2026 12:06 · 2 articles

    Trojanized gaming utilities deliver a Java-based RAT

    Initial Disclosure

    Threat actors lure users into running trojanized gaming utilities distributed via browsers and chat platforms. A malicious downloader stages a portable Java runtime and executes jd-gui.jar, using PowerShell and cmstp.exe for stealthy execution; it then deletes the initial downloader and configures Microsoft Defender exclusions. Persistence is established with a scheduled task and world.vbs, after which the remote access trojan (RAT) connects to 79.110.49[.]15 for command-and-control, data exfiltration, and additional payload delivery.
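    The stages above map naturally onto host telemetry. The following is an added detection example (not code from the original page or its sources) that scores one host's process and network events against each stage of the chain and alerts only when several stages co-occur. Only the file names jd-gui.jar, cmstp.exe and world.vbs and the C2 address come from the page; the sample events, paths and command-line shapes are constructed assumptions about how the chain could surface in Sysmon-style logs.

```python
import ntpath
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, whichever slash style is used."""
    return ntpath.basename(path.replace("/", "\\")).lower()

def _cmd(e: Event) -> str:
    return e.get("cmdline", "").lower()

# One predicate per stage. Only jd-gui.jar, cmstp.exe, world.vbs and the C2 address
# come from the page; the command-line shapes are assumptions about how they log.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("java_runtime_launches_jd_gui", lambda e: e["type"] == "process"
        and _base(e["image"]).startswith("java") and "jd-gui.jar" in _cmd(e)),
    ("cmstp_spawned_by_powershell", lambda e: e["type"] == "process"
        and _base(e["image"]) == "cmstp.exe"
        and _base(e.get("parent", "")) in ("powershell.exe", "pwsh.exe")),
    ("defender_exclusion_added", lambda e: e["type"] == "process"
        and "add-mppreference" in _cmd(e) and "-exclusion" in _cmd(e)),
    ("scheduled_task_runs_world_vbs", lambda e: e["type"] == "process"
        and _base(e["image"]) == "schtasks.exe"
        and "/create" in _cmd(e) and "world.vbs" in _cmd(e)),
    ("outbound_to_known_c2", lambda e: e["type"] == "network"
        and e.get("dest_ip") == "79.110.49.15"),
]

def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every event that matches a stage rule."""
    return [(i, n) for i, e in enumerate(events) for n, p in RULES if p(e)]

def stages_seen(events: List[Event]) -> Set[str]:
    return {n for _, n in detect(events)}

def is_chain(events: List[Event], min_stages: int = 3) -> bool:
    """Alert only when several distinct stages co-occur on one host, so a lone
    cmstp.exe or schtasks.exe run with a legitimate purpose does not fire."""
    return len(stages_seen(events)) >= min_stages

# Constructed sample telemetry for one host (not from the original page).
T = r"C:\Users\u\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": T + r"\jre\bin\javaw.exe",
     "parent": r"C:\Users\u\Downloads\game_helper.exe", "cmdline": "javaw.exe -jar jd-gui.jar"},
    {"type": "process", "image": r"C:\Windows\System32\cmstp.exe", "parent": PS,
     "cmdline": "cmstp.exe /s " + T + r"\setup.inf"},
    {"type": "process", "image": PS, "parent": T + r"\jre\bin\javaw.exe",
     "cmdline": "powershell -w hidden Add-MpPreference -ExclusionPath " + T},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmdline": 'schtasks /create /sc onlogon /tn Updater /tr "wscript.exe ' + T + r'\world.vbs"'},
    {"type": "network", "image": T + r"\jre\bin\javaw.exe", "dest_ip": "79.110.49.15", "dest_port": "443"},
    {"type": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmstp.exe"},  # benign: not from PowerShell
]
```

    On real data the same stage predicates can be fed from Sysmon event IDs 1 (process creation) and 3 (network connection), with the co-occurrence window scoped per host.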
