STX RAT attempted deployment in financial services environment
Malware Activity
Summary
A previously undocumented STX RAT attempted deployment in a financial services environment exposed a stealthy RAT with credential theft and remote-control capabilities. The malware uses multi-stage scripts and a PowerShell loader to run in memory and avoid file-based detection. It also relies on registry-based autorun, COM hijacking, and encrypted C2 traffic to persist and hide operator activity. Its feature set includes a hidden virtual desktop, network tunneling, simulated user input, and collection from browsers, FTP clients, and cryptocurrency wallets.
Related Happenings
STX RAT trojanized CPU-Z and HWMonitor distribution
Malware Activity
First: 12.04.2026 08:54
Last: 12.04.2026 08:54
Sources 1
About this happening:
A **trojanized CPU-Z and HWMonitor distribution** pushed **STX RAT** through **DLL side-loading**, exposing downloaders to **remote access** and **infostealing** risk. The payload...
EtherRAT Node.js backdoor with Ethereum smart-contract C2
Malware Activity
First: 26.03.2026 17:00
Last: 26.03.2026 17:00
Sources 1
About this happening:
The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...
Blackmoon (KRBanker) malware variant deployed via DLL sideloading and staged payloads
Malware Activity
First: 26.01.2026 19:01
Last: 26.01.2026 19:01
Sources 1
About this happening:
A **Blackmoon (KRBanker)** malware variant is being deployed through **DLL sideloading** and staged payload delivery, giving operators persistent control over compromised hosts an...
Amatera Stealer data-exfiltration and NetSupport RAT delivery
Malware Activity
First: 17.11.2025 18:53
Last: 17.11.2025 18:53
Sources 1
About this happening:
**Amatera Stealer** is now being delivered through **ClickFix** phishing lures to steal data and stage **NetSupport RAT**, increasing risk to wallets, browsers, and email accounts...
Timeline
- 09.04.2026 18:00 · 2 articles · 1mo ago
STX RAT identified after attempted deployment in financial services
Initial Disclosure: eSentire's Threat Response Unit identified the previously undocumented STX RAT after an attempted deployment against a financial services environment in late February 2026, then isolated the affected system and continued monitoring related activity. The malware uses a distinctive C2 communication marker, opportunistic delivery through browser-downloaded scripts and trojanized installers, multi-stage scripts, in-memory execution, and reflective loading.
- STX RAT Targets Finance Sector With Advanced Stealth Tactics — www.infosecurity-magazine.com — 09.04.2026 18:00