STX RAT Targets Finance Sector With Advanced Stealth Tactics

By Team-CWD, April 9, 2026

A previously undocumented remote access trojan (RAT) known as STX RAT has been identified following an attempted deployment in a financial services environment in late February 2026.

The malware, tracked by eSentire’s Threat Response Unit, uses a distinctive communication marker tied to its command-and-control (C2) traffic and demonstrates a high level of technical sophistication.

The researchers said the malware relies on opportunistic delivery methods, including browser-downloaded scripts and trojanized installers, to gain initial access.

Sophisticated Delivery and Execution Chain

STX RAT is delivered through multi-stage scripts that escalate privileges and execute payloads directly in memory, avoiding traditional file-based detection. In one observed case, a VBScript file generated and launched a JScript component, which then retrieved a compressed archive containing the main payload and a PowerShell loader.

Key characteristics include:

  • Multi-stage unpacking using XXTEA encryption and Zlib compression

  • In-memory execution via PowerShell and reflective loading techniques

  • Multiple persistence mechanisms, including registry-based autorun and COM hijacking

A defining feature of STX RAT is its encrypted communication protocol. It uses modern cryptographic methods to secure data exchanges between infected systems and attacker infrastructure, making interception and analysis more difficult.

The malware also delays its credential-stealing functions until it receives explicit instructions from its command server. This reduces detectable behavior during automated analysis.

Defensive evasion is extensive. STX RAT scans for virtual environments, terminates execution if analysis is suspected, and obscures internal strings using layered encryption techniques.

Broad Surveillance and Control Capabilities

Once active, the malware enables attackers to remotely control infected machines through a hidden virtual desktop. This functionality allows actions to be carried out without the user’s awareness.

Its capabilities extend to harvesting sensitive information from browsers, FTP clients and cryptocurrency wallets. It can also execute additional payloads, create network tunnels and simulate user input.

The command structure supports a wide range of post-exploitation actions, from credential extraction to full system interaction. eSentire noted that its design suggests ongoing development, with some features not yet fully operational.

The researchers said the team isolated the affected system to contain the threat and are continuing to monitor related activity. The firm also urged organizations to strengthen endpoint protections and limit exposure to script-based attacks commonly used in initial compromise.
