{"id":10984,"date":"2026-02-27T10:04:07","date_gmt":"2026-02-27T10:04:07","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/27\/microsoft-defender-uncovers-trojanized-gaming-utility-campaign-targeting-users-with-rats-and-remote-data-theft\/"},"modified":"2026-02-27T10:04:07","modified_gmt":"2026-02-27T10:04:07","slug":"microsoft-defender-uncovers-trojanized-gaming-utility-campaign-targeting-users-with-rats-and-remote-data-theft","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/27\/microsoft-defender-uncovers-trojanized-gaming-utility-campaign-targeting-users-with-rats-and-remote-data-theft\/","title":{"rendered":"Microsoft Defender Uncovers Trojanized Gaming Utility Campaign Targeting Users with RATs and Remote Data Theft"},"content":{"rendered":"<div>\n<p>Cybercriminals have found a new way to get past users\u2019 defenses: hiding malware inside gaming tools that look completely normal. Microsoft\u2019s security team has uncovered an active campaign in which attackers distribute trojanized versions of popular gaming utilities to unsuspecting users. <\/p>\n<p>Once run, these fake tools quietly deploy a Remote Access Trojan (RAT) that gives attackers full control over the infected machine. <\/p>\n<p>The campaign marks a clear shift in how threat actors use everyday software to reach a wider and less suspicious pool of victims.<\/p>\n<p>The malware was spread through browsers and chat platforms, making it easy for users to unknowingly download and run infected files. 
<\/p>\n<p>The two main files used in this campaign were named Xeno.exe and RobloxPlayerBeta.exe, names chosen because they look familiar and trustworthy to gamers. <\/p>\n<p>By targeting gaming communities, attackers are betting that younger or casual users are less cautious about running executable files downloaded from chat groups or informal third-party websites. <\/p>\n<p>This tactic lowers the victim\u2019s guard and raises the attacker\u2019s overall success rate.<\/p>\n<p><a href=\"https:\/\/x.com\/MsftSecIntel\/status\/2027070355487997998?s=20\" id=\"https:\/\/x.com\/MsftSecIntel\/status\/2027070355487997998?s=20\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft Threat Intelligence analysts identified the malware<\/a> and traced its full attack chain, revealing a well-planned, multi-stage infection process. <\/p>\n<p>Researchers noted that the final payload is a multi-purpose threat that acts as a loader, runner, downloader, and RAT in one. <\/p>\n<p>This combined capability makes it far more dangerous than a simple <a href=\"https:\/\/cybersecuritynews.com\/fake-captcha-delivers-eddiestealer\/\" id=\"109164\" target=\"_blank\" rel=\"noreferrer noopener\">data-stealing tool<\/a>: attackers can use it to install additional malware, run remote commands, and exfiltrate sensitive information at any time.<\/p>\n<p>The impact of this campaign is significant and should not be underestimated. <\/p>\n<p>Once the RAT is installed, attackers connect to the victim\u2019s machine through a command-and-control (C2) server at IP address 79.110.49[.]15. From that point on, the compromised system is fully under the attacker\u2019s control. 
<\/p>\n<p>Personal files, login credentials, and any <a href=\"https:\/\/cybersecuritynews.com\/lumma-infostealer-steal-all-data-stored-in-browsers\/\" id=\"116815\" target=\"_blank\" rel=\"noreferrer noopener\">data stored<\/a> or typed on the machine can be quietly stolen without the user realizing anything is wrong. <\/p>\n<p>For organizations whose employees use personal machines for work, this threat carries serious and far-reaching consequences.<\/p>\n<h2 class=\"wp-block-heading\" id=\"infection-mechanism-and-persistence-tactics\"><strong>Infection Mechanism and Persistence Tactics<\/strong><\/h2>\n<p>What makes this campaign particularly clever is the way the malware installs itself and hides from security tools. <\/p>\n<p>After the victim runs the trojanized gaming utility, a malicious downloader quietly stages a portable Java runtime environment on the machine and then executes a malicious Java Archive (JAR) file named jd-gui.jar. <\/p>\n<p>Using a portable Java runtime means the attacker does not need Java pre-installed on the victim\u2019s device; the malware brings everything it needs with it.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or RobloxPlayerBeta.exe) distributed through browsers and chat platforms, leading to the deployment of a remote access trojan (RAT).<\/p>\n<p>A malicious downloader\u2026 <a href=\"https:\/\/t.co\/87Yum5y78z\">pic.twitter.com\/87Yum5y78z<\/a><\/p>\n<p>\u2014 Microsoft Threat Intelligence (@MsftSecIntel) <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/2027070355487997998?ref_src=twsrc%5Etfw\">February 26, 2026<\/a>\n<\/p><\/blockquote>\n
<\/div>\n<\/div>\n<\/figure>\n<p>To avoid detection, the downloader takes several careful steps. It uses PowerShell alongside living-off-the-land binaries (LOLBins), specifically cmstp.exe, a legitimate Windows tool, to run its code in a way that blends in with normal system activity. <\/p>\n<p>After completing its job, the downloader deletes itself to remove traces of its presence from the system. The attackers also added exclusions directly into <a href=\"https:\/\/cybersecuritynews.com\/microsoft-defenders-blocks-legitimate-mas\/\" id=\"139200\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender<\/a> for the RAT\u2019s components, effectively telling the security tool to ignore the malicious files entirely.<\/p>\n<p>To ensure the malware survives a system restart, the attackers created a scheduled task and a startup script named world.vbs. <\/p>\n<p>These persistence mechanisms ensure the RAT launches every time the machine boots, giving attackers a reliable and continuous foothold on the infected system.<\/p>\n<p id=\"recommendations\">Organizations and individual users should take the following steps to defend against this threat:<\/p>\n<ul class=\"wp-block-list\">\n<li>Block or monitor outbound connections to known malicious domains and IP addresses, and set up alerts for downloads of <strong>java[.]zip<\/strong> or <strong>jd-gui.jar<\/strong> from non-corporate sources.<\/li>\n<li>Hunt for related processes and components across endpoints using EDR telemetry.<\/li>\n<li>Audit Microsoft Defender exclusions and scheduled tasks for suspicious or randomly named entries, then remove any malicious tasks and startup scripts.<\/li>\n<li>Isolate affected endpoints immediately upon detection, collect <a href=\"https:\/\/cybersecuritynews.com\/heartcrypt-packed-edr-killer-tools-avkiller\/\"
id=\"120009\" target=\"_blank\" rel=\"noreferrer noopener\">EDR telemetry<\/a>, and reset credentials for any users active on compromised hosts.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"h-indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IOCs)<\/strong><\/h2>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">SHA-256 \/ Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">decompiler.exe<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">File<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb<\/code><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">jd-gui.jar<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">File<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5<\/code><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">worldview.db-wal \/ StandardName.exe<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">File<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f<\/code><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">world.vbs<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">File<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36<\/code><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">powercat[.]dog:443<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Domain\/Port<\/td>\n<td 
class=\"has-text-align-left\" data-align=\"left\">C2 communication endpoint<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">79.110.49[.]15<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">IP Address<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Remote C2 server<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/microsoft-defender-uncovers-trojanized-gaming-utility-campaign\/\">Microsoft Defender Uncovers Trojanized Gaming Utility Campaign Targeting Users with RATs and Remote Data Theft<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/microsoft-defender-uncovers-trojanized-gaming-utility-campaign\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Defender Uncovers 
Trojanized Gaming Utility Campaign Targeting Users with RATs and Remote Data Theft Cybercriminals have found a new way to get past users\u2019 defenses \u2014 by hiding malware inside gaming tools that look completely normal. Microsoft\u2019s security team has uncovered an active campaign where attackers are distributing trojanized versions of popular gaming utilities [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-10984","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10984"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10984"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10984\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}