Mallory

Fake Software Downloads Deliver STX RAT and Vjw0rm via Layered Dropper Chains

Tags: remote-access-implant, loader-delivery-mechanism, credential-stealer-activity, persistence-method, financial-sector-threat
Updated April 25, 2026 at 01:10 AM · 2 sources

Security researchers reported two malware campaigns using fake or trojanized software downloads to install remote access trojans with credential theft and persistence features. eSentire identified a previously undocumented STX RAT after an attempted intrusion against a finance-sector organization, where a browser-downloaded VBScript launched a multi-stage loader chain using XXTEA and Zlib unpacking, anti-analysis checks, and several persistence methods. The malware supports HVNC, in-memory payload execution, tunneling, screenshots, security-tool inventory, and theft of browser credentials, cookies, Windows Vault data, FTP client secrets, and cryptocurrency wallets. Its command-and-control design uses X25519 ECDH, Ed25519, HKDF-SHA256, and ChaCha20-Poly1305 over a custom TCP protocol, with infrastructure reachable over both the clear web and Tor.

A separate investigation by Breakglass Intelligence found a fake software keygen packaged as a malicious WinRAR self-extracting archive that deployed the Vjw0rm JavaScript RAT through a four-layer dropper chain. The infection used nested SFX archives, a compiled AutoHotkey loader, parallel payload paths, and three persistence mechanisms, while abusing upaste[.]me as a dead-drop service and hiding the RAT as an XML file later renamed to JavaScript for execution. Researchers said the operator appeared to be a Turkish-speaking commodity cybercrime actor relying on reused tooling, deceptive file paths, and bundled legitimate Windows files to evade detection, underscoring how software cracks, keygens, and trojanized installers remain effective delivery vectors for RATs and infostealers.
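As an added illustration (not part of the eSentire or Breakglass reporting, and not code from either campaign), the following Python pass over constructed, simplified EDR-style records shows how a detection engineer might correlate three of the dropper-chain behaviours both stories describe: a Windows script host executing a script straight out of a browser download location, a file written under an .xml name and later run by a script host under a .js name, and a script host writing an autostart Run key. The record schema, file paths and the Run-key rule are assumptions made for the example; the xml-to-js masquerade and the browser-download VBScript follow the behaviours stated above.

```python
"""
Toy correlation pass over constructed, EDR-style telemetry records (a
simplified schema, not Sysmon's exact event layout) for the dropper-chain
behaviours described in the story. Everything below is illustrative.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Locations a browser-downloaded or SFX-extracted script typically runs from.
DOWNLOAD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
# Assumed persistence location for the third rule (HKCU/HKLM ...\Run\<value>).
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


@dataclass
class Event:
    ts: int
    kind: str           # "proc" (process create), "file" (file write), "reg" (value set)
    image: str          # image path of the acting process
    cmdline: str = ""   # only for "proc" records
    target: str = ""    # file path or registry value path for "file"/"reg" records


@dataclass
class Finding:
    rule: str
    ts: int
    detail: str


def _base(path: str) -> str:
    """Lower-cased final path component; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def _script_arg(cmdline: str) -> str | None:
    """Return the first command-line token that names a script file, if any."""
    for tok in re.findall(r'"[^"]*"|\S+', cmdline):
        tok = tok.strip('"')
        if tok.lower().endswith(SCRIPT_EXTS):
            return tok
    return None


def detect(events: list[Event]) -> list[Finding]:
    """Evaluate the three rules over events in timestamp order."""
    findings: list[Finding] = []
    xml_stems: dict[str, int] = {}  # stem of every .xml written -> ts of the write
    for ev in sorted(events, key=lambda e: e.ts):
        actor = _base(ev.image)
        if ev.kind == "file" and ev.target.lower().endswith(".xml"):
            xml_stems[ntpath.splitext(_base(ev.target))[0]] = ev.ts
        elif ev.kind == "proc" and actor in SCRIPT_HOSTS:
            script = _script_arg(ev.cmdline)
            if script is None:
                continue
            low = script.lower()
            # Rule 1: script host running a script from a download/extraction directory.
            if any(d in low for d in DOWNLOAD_DIRS):
                findings.append(Finding("script_host_from_download_dir", ev.ts, script))
            # Rule 2: a .js run by a script host whose stem matches an earlier .xml write.
            stem = ntpath.splitext(_base(script))[0]
            if low.endswith(".js") and stem in xml_stems:
                findings.append(Finding("xml_masquerade_executed_as_js", ev.ts,
                                        f"{stem}.xml -> {script}"))
        elif ev.kind == "reg" and actor in SCRIPT_HOSTS and RUN_KEY in ev.target.lower():
            # Rule 3: script host itself writing an autostart Run value.
            findings.append(Finding("script_host_run_key_persistence", ev.ts, ev.target))
    return findings


# Constructed sample telemetry: one malicious chain plus one benign admin script.
SAMPLE_EVENTS = [
    Event(1, "proc", r"C:\Windows\System32\wscript.exe",
          cmdline=r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\Invoice_Viewer.vbs"'),
    Event(2, "file", r"C:\Users\u\AppData\Local\Temp\RarSFX0\setup.exe",
          target=r"C:\Users\u\AppData\Roaming\Microsoft\config.xml"),
    Event(3, "proc", r"C:\Windows\System32\wscript.exe",
          cmdline=r'wscript.exe //B "C:\Users\u\AppData\Roaming\Microsoft\config.js"'),
    Event(4, "reg", r"C:\Windows\System32\wscript.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\config"),
    Event(5, "proc", r"C:\Windows\System32\cscript.exe",
          cmdline=r"cscript.exe C:\Scripts\inventory.vbs"),
]


def run_sample() -> list[Finding]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.ts}] {f.rule}: {f.detail}")
```

The second rule is the one worth keeping stateful: the .xml write and the .js execution come from different processes (the SFX-extracted loader and a script host), so a per-event rule cannot see the masquerade; only the stem-to-stem correlation across records does.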

Timeline

  1. Apr 8, 2026

    eSentire publishes STX RAT analysis, YARA rules, and IOCs

    eSentire publicly documented STX RAT as a new RAT with infostealer capabilities, detailing its multi-stage loader chain, anti-analysis features, credential theft functions, and mature encrypted C2 protocol. The company also released YARA detections and indicators of compromise and recommended mitigations such as disabling WScript and improving endpoint controls.

  2. Mar 12, 2026

    Breakglass documents fake keygen campaign delivering Vjw0rm RAT

    Breakglass Intelligence reported a campaign using a malicious WinRAR self-extracting archive disguised as a software keygen to deploy a four-layer dropper chain ending in the Vjw0rm JavaScript RAT. The analysis linked the activity to a likely Turkish-speaking commodity cybercrime operator based on reused tooling and campaign artifacts.

  3. Feb 28, 2026

    Finance-sector customer targeted with attempted STX RAT delivery

    In late February 2026, eSentire observed an attempted delivery of a previously undocumented remote access trojan later named STX RAT against a finance-sector customer. The malware was delivered via a browser-downloaded VBScript, and the affected host was isolated.


Related Stories

Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware


Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.

1 month ago
SEO Poisoning and Fake Software Downloads Used to Deliver Credential Theft and RAT Malware


Threat actors are using **software impersonation** and **SEO poisoning** to push victims toward fake download sites for trusted enterprise and IT tools, then delivering malware through trojanized installers. In one campaign, **Storm-2561** used spoofed VPN vendor pages for products such as **Pulse Secure, Fortinet, and Ivanti** to steal enterprise VPN credentials. The malicious packages were hosted on GitHub, signed with a certificate issued to **"Taiyuan Lihua Near Information Technology Co., Ltd."**, and designed to show an error before redirecting victims to the legitimate vendor site, reducing suspicion while exfiltrating credentials. A separate but closely related campaign used fake **FileZilla** download pages to distribute a **Remote Access Trojan** through multi-stage loaders and **DLL sideloading**. Attackers bundled legitimate FileZilla software with a malicious `version.dll`, or dropped the DLL during installation so the malware would execute while the expected application appeared to install normally. Both reports describe the same broader intrusion pattern: adversaries abusing trusted brands, realistic lookalike websites, and legitimate software packaging to compromise users who believe they are downloading authentic tools. A separate **Warlock** intrusion analysis describing web shells, lateral movement, tunneling, and ransomware activity is a different incident and does not match this malware-delivery story.

1 week ago
Phishing and Trojanized Installers Deliver Remote Access Trojans via Multi-Stage, Evasion-Focused Infection Chains


Multiple active malware campaigns are delivering **remote access trojans (RATs)** using deceptive lures and multi-stage execution chains designed to evade endpoint defenses. Malwarebytes reported a campaign dubbed **DEAD#VAX** that distributes a file masquerading as a “PDF” but actually delivered as a **virtual hard disk (`.vhd`)** hosted via **IPFS**; when opened, Windows mounts the VHD and the victim is tricked into launching a **Windows Script File (`.wsf`)** that ultimately deploys **AsyncRAT**. The chain includes anti-analysis checks and **process injection** into Microsoft-signed binaries such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, and `sihost.exe`, enabling hands-on-keyboard remote control while minimizing obvious on-disk artifacts. Separately, reporting described **DesckVB RAT v2.9**, a modular **.NET** RAT using an obfuscated **WSH JavaScript** stager followed by **PowerShell**-based anti-analysis checks and an in-memory (“fileless”) loader, emphasizing persistence and a plugin-based architecture for post-compromise capabilities. Another campaign distributes **ValleyRAT** disguised as a legitimate *LINE* installer, targeting **Chinese-speaking users**; it attempts to weaken defenses by using PowerShell to add broad **Windows Defender exclusions**, performs sandbox checks (e.g., mutex/file-locking behaviors), and uses advanced injection (reported as **PoolParty Variant 7** via Windows I/O completion ports) to hide within trusted processes while stealing credentials and maintaining C2 communications.

1 month ago