Trojanized Gaming Utilities Used to Deploy Stealthy RAT in Multi-Stage PowerShell Campaign

By Ash K

Threat actors are leveraging trojanized gaming utilities to distribute a stealthy remote access trojan in a campaign that blends social engineering with advanced defense evasion techniques. The operation, uncovered by Microsoft Defender researchers, lured users into running malicious versions of popular gaming-related executables such as Xeno.exe and RobloxPlayerBeta.exe.

The files were distributed via browsers and chat platforms, capitalizing on gaming communities where users frequently exchange tools, mods, and beta executables. Once executed, the seemingly legitimate programs initiated a carefully staged infection chain designed to evade detection and maintain persistence.

A Multi-Stage Infection Chain

The attack began with a malicious downloader that deployed a portable Java runtime environment. It then executed a harmful Java archive file named jd-gui.jar, disguising its activity within what appeared to be a benign development utility.

PowerShell played a central role in the execution flow. The downloader relied on living-off-the-land binaries, including cmstp.exe, to blend malicious activity with legitimate system processes. By abusing trusted Windows components, the attackers reduced the likelihood of triggering conventional detection mechanisms.

Shortly after staging the payload, the initial downloader deleted itself to minimize forensic artifacts. The malware also added Microsoft Defender exclusions for its own components, effectively weakening endpoint defenses before the final payload was deployed.

Persistence and Defender Evasion

Persistence mechanisms included the creation of a scheduled task and a startup script named world.vbs. These ensured the malware would execute automatically upon system reboot, maintaining long-term access for the attackers.

The campaign demonstrated deliberate attempts to evade security controls. By modifying Defender configurations and using LOLBins for execution, the threat actors reduced behavioral anomalies that might otherwise raise alerts in enterprise environments.

Final Payload: A Multi-Purpose RAT

The final stage delivered a multi-functional malware strain acting as loader, downloader, runner, and remote access trojan. Once active, the RAT established command-and-control communication with the IP address 79.110.49[.]15.

Through this connection, attackers could perform data theft, execute additional payloads, and maintain interactive control over compromised endpoints. Such capabilities enable credential harvesting, lateral movement, and further exploitation of enterprise networks.

Indicators of Compromise

Microsoft published several indicators of compromise linked to this campaign, including:

  • decompiler.exe — SHA-256: 48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb
  • jd-gui.jar — SHA-256: a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5
  • worldview.db-wal / StandardName.exe — SHA-256: 4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f
  • world.vbs — SHA-256: 65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36
  • C2 Infrastructure — powercat[.]dog:443 and IP 79.110.49[.]15

Defensive Recommendations

Microsoft advises organizations to block or closely monitor outbound connections to the listed IP addresses and domains. Security teams should also alert on downloads of java.zip or jd-gui.jar originating from non-corporate sources.

Hunting for suspicious PowerShell executions, auditing Defender exclusions, and reviewing scheduled tasks for random or unfamiliar names are critical defensive measures. Any compromised endpoints should be isolated immediately, followed by collection of endpoint detection telemetry and credential resets for affected users.
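The hunting steps above, as an added example that is not part of Microsoft's write-up or this article: a read-only PowerShell audit that surfaces Defender exclusions, scheduled tasks that launch script hosts or LOLBins such as cmstp.exe, script files in Startup folders, and the Defender configuration-change and PowerShell script-block events that record this activity. It assumes an elevated session on a Windows host with the Defender cmdlets available and, for step 4, script block logging enabled; the regex patterns and seven-day window are illustrative choices.

```powershell
# Added example (not from the Microsoft advisory or this article): read-only
# audit for the persistence and evasion artifacts described above. Assumes an
# elevated session on a host with Defender cmdlets and script block logging.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender exclusions. Malware-added ones usually point at user-writable
#    paths (AppData, Temp, Public) or processes such as java.exe / wscript.exe.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in @($pref.$kind)) {
        if ($item) { $findings.Add("Defender $kind : $item") }
    }
}

# 2. Scheduled tasks whose actions launch script hosts, Java, PowerShell or
#    cmstp.exe, or reference .vbs/.jar/.js files.
$lolbins = 'wscript|cscript|java|javaw|powershell|pwsh|cmstp|mshta'
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $lolbins -or $cmd -match '\.(vbs|jar|js)\b') {
            $findings.Add("Task $($task.TaskPath)$($task.TaskName) runs: $cmd")
        }
    }
}

# 3. Startup folders: the advisory names a startup script, world.vbs.
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Include *.vbs, *.jar, *.js -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Startup item: $($_.FullName)") }
}

# 4. Event logs: Defender 5007 = configuration changed (exclusion edits land
#    here); PowerShell 4104 = script block text, if script block logging is on.
$since  = (Get-Date).AddDays(-7)
$defLog = 'Microsoft-Windows-Windows Defender/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $defLog; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object { $findings.Add("Defender config change $($_.TimeCreated): $($_.Message -replace '\s+', ' ')") }
$psLog = 'Microsoft-Windows-PowerShell/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $psLog; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'cmstp|Add-MpPreference|Set-MpPreference|jd-gui|powercat' } |
    ForEach-Object { $findings.Add("Script block $($_.TimeCreated): $($_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)))") }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Every hit is a lead to review, not a verdict: legitimate software also registers tasks and exclusions, so compare each finding against the host's known baseline before isolating it.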

Gaming Communities as a Growing Target

The campaign underscores how gaming communities continue to serve as fertile ground for malware distribution. Executables shared under the guise of mods, performance boosters, or beta builds often bypass user suspicion.

As attackers increasingly combine social engineering with legitimate system tools for execution, organizations must rely on behavioral detection and strict endpoint hygiene to counter evolving threat tactics. What begins as a gaming download can quickly become an enterprise-wide intrusion if left unchecked.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.