STX RAT campaign targets finance sector with advanced in-memory evasion and encrypted C2
Summary
A previously undocumented remote access trojan (RAT), designated STX RAT, was deployed against a financial services organization in late February 2026. The malware uses a multi-stage, in-memory execution chain with XXTEA encryption, Zlib compression, and reflective loading via PowerShell to evade file-based detection. It establishes encrypted command-and-control (C2) channels, delays credential theft until instructed by the operator, and runs its interactive sessions on a hidden virtual desktop so the victim sees nothing. The attackers relied on opportunistic delivery vectors such as browser-downloaded scripts and trojanized installers. Initial access led to privilege escalation, persistence through registry autorun entries and COM hijacking, and extensive post-exploitation capabilities including data harvesting, payload execution, and network tunneling.
Timeline
- 09.04.2026 18:00 (1 article)
  STX RAT deployed against financial services in late February 2026 with advanced evasion and encrypted C2
  A previously undocumented RAT, tracked by eSentire’s Threat Response Unit, was deployed against a financial services organization in late February 2026. The malware uses multi-stage in-memory execution with XXTEA encryption and Zlib compression, reflective loading via PowerShell, and encrypted C2 traffic with delayed credential theft. Initial access vectors include browser-downloaded scripts and trojanized installers, with persistence via registry autorun and COM hijacking. Post-exploitation includes hidden virtual desktop control, data harvesting from browsers and cryptocurrency wallets, payload execution, and network tunneling.
  Source: STX RAT Targets Finance Sector With Advanced Stealth Tactics — www.infosecurity-magazine.com — 09.04.2026 18:00
Information Snippets
- STX RAT was first observed in a targeted attack against a financial services environment in late February 2026.
  First reported: 09.04.2026 18:00 (1 source, 1 article): STX RAT Targets Finance Sector With Advanced Stealth Tactics — www.infosecurity-magazine.com — 09.04.2026 18:00
- The malware employs multi-stage, in-memory execution using VBScript, JScript, PowerShell, and reflective DLL loading, with payloads delivered via compressed archives and protected with XXTEA encryption and Zlib compression.
  First reported: 09.04.2026 18:00 (1 source, 1 article): STX RAT Targets Finance Sector With Advanced Stealth Tactics — www.infosecurity-magazine.com — 09.04.2026 18:00
- C2 communication is secured with modern cryptography and carries a distinct network marker that can be used to identify the malicious traffic.
  First reported: 09.04.2026 18:00 (1 source, 1 article): STX RAT Targets Finance Sector With Advanced Stealth Tactics — www.infosecurity-magazine.com — 09.04.2026 18:00
- Persistence mechanisms include registry autorun and COM hijacking; evasion includes sandbox detection and layered string encryption.
  First reported: 09.04.2026 18:00 (1 source, 1 article): STX RAT Targets Finance Sector With Advanced Stealth Tactics — www.infosecurity-magazine.com — 09.04.2026 18:00
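A defender-side audit for the two persistence mechanisms named in this snippet, added here as an example; it is not code from the article or from eSentire’s report. It assumes an elevated PowerShell session on the Windows host under review. Because this page publishes no STX RAT indicators, the script flags structural signs (autorun values, and per-user CLSID registrations whose InprocServer32 shadows a machine-wide one) rather than any named artifact, and an analyst still has to judge each hit.

```powershell
# Added example (not from the article or eSentire's report).
# Assumption: run elevated on the host under review; no STX RAT-specific
# indicators are known from this page, so only structure is flagged.

# 1. Autorun values: list every Run/RunOnce value in the user and machine hives
#    so unfamiliar commands can be reviewed.
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
  if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key |
      Select-Object -Property * -ExcludeProperty PS*
    foreach ($p in $props.PSObject.Properties) {
      [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
  }
}

# 2. COM hijacking: HKCU\Software\Classes is consulted before HKLM, so a
#    user-writable CLSID with its own InprocServer32 is loaded instead of the
#    legitimate machine-wide server. ShadowsHKLM = $true is the strongest signal;
#    any HKCU InprocServer32 that points outside Program Files/System32 deserves a look.
$userClsidRoot = 'HKCU:\Software\Classes\CLSID'
$comHits = if (Test-Path $userClsidRoot) {
  Get-ChildItem -Path $userClsidRoot | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = Join-Path $_.PSPath 'InprocServer32'
    if (Test-Path $inproc) {
      $dll      = (Get-ItemProperty -Path $inproc).'(default)'
      $shadowed = Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
      [pscustomobject]@{ CLSID = $clsid; Dll = $dll; ShadowsHKLM = $shadowed }
    }
  }
}

Write-Host '== Autorun entries (HKCU/HKLM Run, RunOnce) =='
$autoruns | Format-Table -AutoSize
Write-Host '== Per-user CLSID InprocServer32 registrations =='
$comHits | Sort-Object -Property ShadowsHKLM -Descending | Format-Table -AutoSize
```

Run it once on a known-clean build of the same image to establish a baseline, then diff the two outputs on the suspect host; legitimate software does register per-user COM servers, so the baseline is what separates noise from a hijack.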
- Post-exploitation features include hidden virtual desktop control, browser/FTP/cryptocurrency wallet data harvesting, payload execution, network tunneling, and simulated user input.
  First reported: 09.04.2026 18:00 (1 source, 1 article): STX RAT Targets Finance Sector With Advanced Stealth Tactics — www.infosecurity-magazine.com — 09.04.2026 18:00
- Credential theft functions are triggered only after an explicit C2 instruction, so sandboxes and other automated analysis that never receive that instruction do not observe the behaviour.
  First reported: 09.04.2026 18:00 (1 source, 1 article): STX RAT Targets Finance Sector With Advanced Stealth Tactics — www.infosecurity-magazine.com — 09.04.2026 18:00