123/69 Monday, March 2, 2026

The Microsoft Defender research team has identified a campaign in which attackers distribute trojanized “gaming utility” programs through web browsers and chat platforms. The malicious files, disguised as legitimate tools such as Xeno.exe or RobloxPlayerBeta.exe, trick users into executing them, ultimately leading to the installation of a Remote Access Trojan (RAT) that allows attackers to remotely control infected machines.
The attack chain begins with a downloader that executes a malicious JAR file via the Java runtime environment. Attackers leverage PowerShell along with built-in system tools (LOLBins), such as cmstp.exe, to disguise malicious activity. The malware attempts to evade detection by adding exclusions in Microsoft Defender and deleting related files to reduce forensic traces. It also establishes persistence through Scheduled Tasks and startup scripts, ensuring the malware relaunches even after a system reboot. The primary payload functions as both a downloader and a remote access trojan, connecting to the IP address 79.110.49.15 to receive commands from its command-and-control (C2) server.
Successful exploitation may enable attackers to steal sensitive information or deploy additional malware onto compromised systems, posing significant security risks. Microsoft has published Indicators of Compromise (IoCs) related to this campaign to support detection and monitoring efforts. Users are strongly advised to avoid downloading software from untrusted sources to reduce the risk of infection.
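As an added defender-side example (not code from the Microsoft advisory or from this bulletin), the Python snippet below runs one detection rule per stage of the chain described above over constructed, Sysmon-style process and network events; the event shape, file paths, process names and task name are assumptions, and the only value taken from the page is the C2 address 79.110.49.15.

```python
import re

# IoC taken from the advisory: the C2 address the payload connects to.
C2_IP = "79.110.49.15"

# Constructed Sysmon-style events (ID 1 process, ID 3 network); paths and names are hypothetical.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JAVA = r"C:\Program Files\Java\bin\java.exe"
SAMPLE_EVENTS = [
    {"Image": JAVA, "ParentImage": r"C:\Users\u\Downloads\Xeno.exe",
     "CommandLine": r"java.exe -jar C:\Users\u\AppData\Local\Temp\update.jar"},
    {"Image": PS, "ParentImage": JAVA,
     "CommandLine": r'powershell -w hidden Add-MpPreference -ExclusionPath "C:\Users\u\AppData"'},
    {"Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": PS,
     "CommandLine": r"cmstp.exe /ni /s C:\Users\u\AppData\Local\Temp\x.inf"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\u\AppData\Roaming\svc.exe"'},
    {"Image": r"C:\Users\u\AppData\Roaming\svc.exe", "DestinationIp": C2_IP, "DestinationPort": 443},
    # Constructed benign control: must not be flagged by any rule.
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 443},
]

def basename(path):
    """Lower-cased file name of a Windows path (or of an empty string)."""
    return path.rsplit("\\", 1)[-1].lower()

def cmd(e):
    return e.get("CommandLine", "")

# One rule per stage of the chain described in the advisory.
RULES = [
    # Downloader hands a JAR in a user-writable directory to the Java runtime.
    ("java_jar_from_user_dir", lambda e: basename(e.get("Image", "")) == "java.exe"
        and re.search(r"-jar\s+\S*\\users\\", cmd(e), re.I) is not None),
    # Defense evasion: a Defender exclusion added from the command line.
    ("defender_exclusion_added", lambda e: re.search(r"add-mppreference.*-exclusion", cmd(e), re.I) is not None),
    # LOLBin proxy execution: cmstp.exe spawned by PowerShell.
    ("cmstp_from_powershell", lambda e: basename(e.get("Image", "")) == "cmstp.exe"
        and basename(e.get("ParentImage", "")) == "powershell.exe"),
    # Persistence: a scheduled task is created.
    ("scheduled_task_created", lambda e: basename(e.get("Image", "")) == "schtasks.exe"
        and re.search(r"/create\b", cmd(e), re.I) is not None),
    # Outbound connection to the published C2 indicator.
    ("c2_connection", lambda e: e.get("DestinationIp") == C2_IP),
]

def detect(events):
    """Return (rule_name, process_name) for every event that trips a rule."""
    return [(name, basename(e.get("Image", "")))
            for e in events for name, pred in RULES if pred(e)]
```

Each rule fires on a single event, so a real deployment would correlate them by process tree and time window to raise one alert for the whole chain rather than five separate ones.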
