Microsoft Defender Uncovers Trojanized Gaming Utility Campaign Targeting Users with RATs and Remote Data Theft

Source: Cybersecurity News (cybersecuritynews.com), by Blog Writer

Cybercriminals have found a new way to get past users’ defenses — by hiding malware inside gaming tools that look completely normal. Microsoft’s security team has uncovered an active campaign where attackers are distributing trojanized versions of popular gaming utilities to unsuspecting users.

These fake tools, once run, quietly deploy a Remote Access Trojan (RAT) that gives attackers full and unrestricted control over the infected machine.

The campaign marks a clear shift in how threat actors are now using everyday software to reach a much wider and less suspicious pool of victims.

The malware was spread through browsers and chat platforms, making it far too easy for users to unknowingly download and run infected files.

The two main files used in this campaign were named Xeno.exe and RobloxPlayerBeta.exe — names chosen specifically because they look familiar and completely trustworthy to gamers.

By targeting gaming communities, attackers are betting on the fact that younger or casual users may be far less cautious about running executable files downloaded from chat groups or informal third-party websites.

This tactic effectively lowers the victim’s guard and significantly raises the attacker’s overall success rate.

Microsoft Threat Intelligence analysts identified the malware and traced its full attack chain, revealing a well-planned, multi-stage infection process.

Researchers noted that the final payload was a multi-purpose threat capable of acting as a loader, runner, downloader, and RAT — all in one.

This kind of combined capability makes it far more dangerous than a simple data-stealing tool, as attackers can use it to install additional malware, run remote commands, and exfiltrate sensitive information at any point in time.

The impact of this campaign is significant and should not be underestimated.

Once the RAT is successfully installed, attackers connect to the victim’s machine through a command-and-control (C2) server at IP address 79.110.49[.]15. From that point forward, the compromised system is fully under the attacker’s control.

Personal files, login credentials, and any data stored or typed on the machine can be quietly stolen without the user ever realizing anything is wrong.

For organizations where employees may use personal machines for work, this threat carries serious and far-reaching consequences.

Infection Mechanism and Persistence Tactics

What makes this campaign particularly clever is the way the malware installs itself and hides from security tools.

After the victim runs the trojanized gaming utility, a malicious downloader quietly stages a portable Java runtime environment on the machine and then executes a malicious Java Archive (JAR) file named jd-gui.jar.

Using a portable Java runtime means the attacker does not need Java pre-installed on the victim’s device, as the malware brings everything it needs with it.

To avoid being caught, the downloader takes several careful steps. It uses PowerShell alongside living-off-the-land binaries (LOLBins) — specifically cmstp.exe, a legitimate Windows tool — to run its code in a way that blends in with normal system activity.

After completing its job, the downloader deletes itself to remove all traces of its presence from the system. Attackers also added exclusions directly into Microsoft Defender for the RAT’s components, essentially telling the security tool to ignore the malicious files entirely.

To ensure the malware survives a system restart, the attackers created a scheduled task and a startup script named world.vbs.

These persistence mechanisms make certain the RAT launches every time the machine boots, giving attackers a reliable and continuous foothold on the infected system.

Organizations and individual users should take the following steps to defend against this threat:

  • Block or monitor outbound connections to known malicious domains and IP addresses, and set up alerts for downloads of java[.]zip or jd-gui.jar from non-corporate sources.
  • Hunt for related processes and components across endpoints using EDR telemetry.
  • Audit Microsoft Defender exclusions and scheduled tasks for suspicious or randomly named entries, then remove any malicious tasks and startup scripts.
  • Isolate affected endpoints immediately upon detection, collect EDR telemetry, and reset credentials for any users active on compromised hosts.
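The following is an added example, not code from Microsoft's or Cybersecurity News' write-up. It turns the infection-chain behaviours described above (cmstp.exe proxied from PowerShell, a portable java.exe launching jd-gui.jar, Defender exclusions being added, and a world.vbs script-host launch) into hunt rules and runs them over constructed Sysmon-style process-creation events; the event field names, user paths and command lines are assumptions, and only the artefact names (cmstp.exe, jd-gui.jar, world.vbs) come from the write-up.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (not telemetry from the campaign).
# Field names, user paths and command lines are assumptions; artefact names come from the write-up.
SAMPLE_EVENTS = [
    {"pid": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\bob\Downloads\Xeno.exe",
     "cmd": r"powershell.exe -w hidden Add-MpPreference -ExclusionPath C:\Users\bob\AppData\Local\Temp\java"},
    {"pid": 12, "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"cmstp.exe C:\Users\bob\AppData\Local\Temp\setup.inf"},
    {"pid": 13, "image": r"C:\Users\bob\AppData\Local\Temp\java\bin\java.exe",
     "parent": r"C:\Windows\System32\cmstp.exe",
     "cmd": r"java.exe -jar C:\Users\bob\AppData\Local\Temp\jd-gui.jar"},
    {"pid": 14, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"wscript.exe C:\Users\bob\AppData\Roaming\world.vbs"},
    {"pid": 15, "image": r"C:\Program Files\Java\jre-17\bin\java.exe",  # benign: installed JRE
     "parent": r"C:\Windows\explorer.exe", "cmd": r"java.exe -jar C:\Tools\app.jar"},
]

# Directories an unprivileged user can write to; a "portable" runtime or startup script lives here.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)

def classify(ev):
    """Return the names of the hunt rules that fire on one process-creation event."""
    img = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent"]).lower()
    cmd = ev["cmd"].lower()
    hits = []
    # LOLBin proxy execution: cmstp.exe spawned by PowerShell or cmd rather than by an installer.
    if img == "cmstp.exe" and parent in ("powershell.exe", "pwsh.exe", "cmd.exe"):
        hits.append("cmstp_from_powershell")
    # Portable Java runtime: java.exe outside an installed JRE, or the campaign's jar name on the command line.
    if img in ("java.exe", "javaw.exe") and (USER_WRITABLE.search(ev["image"]) or "jd-gui.jar" in cmd):
        hits.append("portable_java_jar")
    # Defender exclusions being added from a command line (the write-up reports exclusions for the RAT).
    if "add-mppreference" in cmd and "-exclusion" in cmd:
        hits.append("defender_exclusion_added")
    # Script-host persistence: a .vbs launched from a user-writable path (world.vbs in this campaign).
    if img in ("wscript.exe", "cscript.exe") and ".vbs" in cmd and USER_WRITABLE.search(cmd):
        hits.append("vbs_startup_script")
    return hits

def hunt(events):
    """Map pid -> fired rules for every event that matched at least one rule."""
    return {ev["pid"]: hits for ev in events if (hits := classify(ev))}
```

Running hunt(SAMPLE_EVENTS) flags pids 11 to 14 and leaves the installed-JRE event alone; in practice the same rules would be expressed as EDR queries over real process telemetry rather than over an in-memory list.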

Indicators of Compromise (IOCs)

Indicator | Type | SHA-256 / Value
decompiler.exe | File | 48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb
jd-gui.jar | File | a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5
worldview.db-wal / StandardName.exe | File | 4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f
world.vbs | File | 65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36
powercat[.]dog:443 | Domain/Port | C2 communication endpoint
79.110.49[.]15 | IP Address | Remote C2 server
