
Millenium RAT Windows malware activity and native C++ rewrite

Malware Activity
Happening score (H score): 62
1 unique source, 1 article

Summary


Millenium RAT is spreading across Windows systems, with 60,000+ infections in 160+ countries, and a newer native C++ build helps it evade weaker detection tools.

Related Happenings

Y2K Operators Millenium RAT social-engineering distribution campaign

Campaign
H score 73 · First: 29.06.2026 17:30 · Last: 29.06.2026 17:30 · Sources: 1

How related: The Y2K Operators lean on social engineering, spreading the trojan through booby-trapped downloads disguised as game cheats, cracked software and hacking tools.

About this happening: The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...

SprySOCKS Windows backdoor activity against government organizations

Malware Activity
H score 23 · First: 16.06.2026 12:00 · Last: 16.06.2026 12:00 · Sources: 1

About this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...

VENON Rust-based banking malware targeting Brazilian Windows users

Malware Activity
H score 20 · First: 12.03.2026 19:31 · Last: 12.03.2026 19:31 · Sources: 1

About this happening: Researchers disclosed **VENON**, a new **Rust-based banking malware** aimed at **Brazilian Windows users**, raising the risk of **credential theft** through fake banking overlays....

Remcos RAT runtime decryption and dynamic API loading analysis

Technical Analysis
H score 23 · First: 19.02.2026 18:30 · Last: 19.02.2026 18:30 · Sources: 1

About this happening: A newly observed **Remcos RAT** variant now uses **runtime decryption** and **dynamic Windows API loading** to reduce detection and frustrate static analysis on **Windows systems**...

Blackmoon (KRBanker) malware variant deployed via DLL sideloading and staged payloads

Malware Activity
H score 26 · First: 26.01.2026 19:01 · Last: 26.01.2026 19:01 · Sources: 1

About this happening: A **Blackmoon (KRBanker)** malware variant is being deployed through **DLL sideloading** and staged payload delivery, giving operators persistent control over compromised hosts an...

Timeline

  1. 29.06.2026 17:30 · 2 articles

    Group-IB analyzes Millenium RAT’s native C++ rewrite and Telegram command flow

    Technical Analysis Update

    Group-IB describes Millenium RAT as a Telegram-controlled malware-as-a-service backdoor targeting Windows devices, and says version four rewrites the malware from the .NET framework to native C++ while using libcurl and the Telegram Bot API to receive commands without dedicated infrastructure. The analysis also attributes the campaign to Y2K Operators, reports 62,289 infections across more than 160 countries with most activity in the first three months of 2026, and notes that Millenium RAT first appeared in 2023.
