Microsoft's Threat Intelligence team has issued a warning regarding a malware campaign distributing Remote Access Trojans (RATs) disguised as popular gaming utilities.
According to a report on , attackers are luring gamers into running trojanized software that gives criminals complete control over their systems, enabling data theft and further malware deployment.
The campaign distributes malicious files masquerading as legitimate gaming tools, such as `Xeno.exe` and `RobloxPlayerBeta.exe`, through web browsers and chat platforms. Once a user executes the file, a multi-stage infection process begins. According to Microsoft Threat Intelligence, the malware uses PowerShell and legitimate Windows tools, known as living-off-the-land binaries (LOLBins), to execute its code stealthily. The process is designed to evade detection by adding exclusions to Microsoft Defender and then deploying the final RAT payload.
A Remote Access Trojan (RAT) is a type of malware that provides an attacker with full administrative control over an infected computer. In this campaign, the payload is a multi-purpose malware that functions as a loader, downloader, and RAT. After installation, the RAT connects to a command-and-control (C2) server, which in this case was identified at the IP address `79.110.49[.]15`. This connection allows attackers to perform actions such as stealing files, harvesting login credentials, monitoring user activity, and installing additional malicious software like ransomware.
Gamers are a frequent target for such attacks due to the common practice of downloading third-party tools, cheats, and modifications to enhance gameplay. Attackers exploit this behavior, knowing that users seeking cheats are often willing to disable security software or ignore warnings about running unverified executables. A previous report from game publisher Activision highlighted a similar campaign where a dropper named “COD-Dropper v0.1” was disguised as a cheat tool for `Call of Duty`, demonstrating this as a recurring and effective social engineering tactic.
Microsoft has published indicators of compromise (IoCs) to help network defenders and security professionals identify and mitigate the threat. It is expected that security software, including Microsoft Defender, will continue to be updated to detect and block these specific threats. Both Microsoft and game publishers like Activision will likely continue to monitor for and warn users about similar malware campaigns targeting the gaming community.
Users are advised to take several steps to protect themselves from this type of threat. These actions include:
- Download gaming utilities and software only from official websites and verified sources.
- Avoid using cheat programs or unofficial game modifiers, which often require disabling security features.
- Ensure security software, such as Microsoft Defender, is active and up-to-date.
- Regularly audit scheduled tasks and startup scripts for any suspicious or unrecognized entries.
- Reset account credentials immediately if a compromise is suspected and enable multi-factor authentication wherever possible.
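The following PowerShell audit is an added example, not code from Microsoft's report or from Hashlytics; it checks the two behaviours the article describes (Defender exclusions being added, and LOLBin-based persistence in scheduled tasks and startup keys). It assumes a Windows host with Microsoft Defender, run from an elevated prompt; the keyword patterns are illustrative and will need tuning for a given environment.

```powershell
# Added defender-side audit (not from the original article). Assumes Windows,
# Microsoft Defender, and an elevated PowerShell session.
$findings = @()

# 1. Defender exclusions: the campaign adds exclusions before dropping the RAT,
#    so any path/process/extension exclusion nobody can account for is a finding.
$pref = Get-MpPreference
foreach ($x in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($x) { $findings += [pscustomobject]@{ Source = 'DefenderExclusion'; Item = $x } }
}

# 2. Scheduled tasks whose action is a LOLBin with a hidden/encoded command, or
#    a binary launched from a user-writable staging directory.
$lolbin       = 'powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin'
$shady        = '-enc|-e |-w hidden|-nop|\biex\b|DownloadString|FromBase64'
$userWritable = [regex]::Escape($env:TEMP) + '|\\AppData\\|\\Users\\Public\\|\\ProgramData\\'
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (($cmd -match $lolbin -and $cmd -match $shady) -or $cmd -match $userWritable) {
            $findings += [pscustomobject]@{ Source = "Task:$($task.TaskPath)$($task.TaskName)"; Item = $cmd }
        }
    }
}

# 3. Run/RunOnce startup keys for the current user and the machine.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        if ($p.Value -match $lolbin -or $p.Value -match $userWritable) {
            $findings += [pscustomobject]@{ Source = "Run:$k\$($p.Name)"; Item = $p.Value }
        }
    }
}

# 4. Defender configuration-change events (ID 5007) record when exclusions were
#    added, which dates the tampering even if the exclusion has since been removed.
$log = 'Microsoft-Windows-Windows Defender/Operational'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5007 } -MaxEvents 50 -ErrorAction SilentlyContinue
foreach ($e in $events | Where-Object { $_.Message -match 'Exclusions' }) {
    $findings += [pscustomobject]@{ Source = "DefenderEvent:$($e.TimeCreated)"; Item = ($e.Message -split "`n")[0] }
}

$findings | Format-Table -AutoSize -Wrap
```

Treat every row as something to explain rather than an automatic verdict; legitimate software also registers tasks and exclusions, so compare the output against a known-good baseline.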