STX RAT Malware Evades Detection with Hidden RDP and Infostealer Functions


Marcus Rodriguez
April 9, 2026

Key Takeaways

  • A new, sophisticated remote access trojan, STX RAT, has been identified, posing a significant threat with its hidden remote desktop and infostealer capabilities.
  • STX RAT utilizes advanced anti-analysis techniques, including VM detection and AMSI-ghosting, making it challenging for security tools to detect.
  • Initial infections have been observed in the financial sector via VBScript and through trojanized software installers like FileZilla.
  • The malware can silently control compromised systems through a Hidden Virtual Network Computing (HVNC) module and steal credentials from popular FTP/SFTP clients.

STX RAT Emerges: A Stealthy Threat with Hidden Remote Desktop and Infostealer Modules

A sophisticated new remote access trojan (RAT), named STX RAT, has been identified as a significant cybersecurity threat for 2026. This malware combines covert remote desktop functionalities with potent credential-stealing features, enabling it to compromise target systems silently and effectively.

The name “STX RAT” originates from the Start of Text (STX) control byte 0x02, which the malware consistently prepends to every message it sends to its command-and-control (C2) server. This subtle yet precise design element highlights the malware’s meticulous construction, as detailed in an analysis published by eSentire’s Threat Response Unit (TRU).

Initial Infiltration and Evasion Tactics

The malware’s initial appearance was noted in late February 2026, targeting a financial sector organization. Attackers deployed STX RAT using a multi-stage infection chain: a VBScript file downloaded via a browser initiated the process, which then dropped a JScript file. This JScript subsequently fetched a TAR archive and activated a PowerShell loader, injecting the final STX RAT payload directly into memory.

By early March, a separate campaign surfaced, documented by Malwarebytes, demonstrating STX RAT’s spread through compromised FileZilla installers. This rapid diversification of delivery methods underscores the operators’ agility and the malware’s active deployment across multiple fronts.

VBScript that writes and launches JScript in an elevated WScript process (Source: eSentire)

Researchers at eSentire’s Threat Response Unit (TRU) meticulously analyzed STX RAT after the late-February incident. Their findings reveal a highly sophisticated implant engineered with robust anti-analysis mechanisms. These include checks for virtualized environments such as VirtualBox, VMware, and QEMU. Upon detecting these artifacts, STX RAT employs a “jitter exit,” introducing a random delay before self-termination, significantly complicating its analysis in automated sandbox environments.

Beyond virtual machine detection, STX RAT leverages an “AMSI-ghosting” technique. This involves patching a critical Windows RPC function, effectively disabling a layer of security that many tools rely on for scanning active processes. Furthermore, the malware hides its terminal window from both the Alt+Tab switcher and the Windows Taskbar, making its presence even harder to detect for an unsuspecting user.

Once successfully established, the implant initiates contact with its C2 server at 95.216.51.236. It then transmits an initial message containing vital system information, including the hostname, username, operating system version, administrative privileges, installed RAM, and a list of detected antivirus products. All communications with the C2 server are secured using an ECDH key exchange with X25519 and ChaCha20-Poly1305 authenticated encryption, rendering decryption without the specific session keys virtually impossible.
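As an added example (not code from the article or from eSentire’s analysis), the following Python heuristic flags a captured client-to-server flow when every message begins with the STX byte and the remainder looks like ciphertext, which is what the ChaCha20-Poly1305 traffic described above would produce. It goes slightly beyond the text by also showing why the STX byte alone is a weak signal: legacy STX/ETX-framed plaintext protocols use the same byte, so an entropy check on the body is what separates the two. The threshold, the minimum body length and all sample flows are assumptions constructed for this demonstration.

```python
import hashlib
import math
from collections import Counter

STX = 0x02  # ASCII Start of Text, the byte STX RAT prepends to C2 messages


def normalized_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, scaled to [0, 1] by the largest
    entropy a sample of this length could reach (log2 of min(len, 256))."""
    if len(data) < 2:
        return 0.0
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(n, 256))


def looks_like_stx_rat_flow(messages, min_body=64, threshold=0.8):
    """Flag a flow when every message starts with STX and the remainder is
    high-entropy (consistent with authenticated-encryption ciphertext).
    Returns (verdict, reason) so an analyst can see why a flow was or was not hit.
    Threshold and min_body are assumed tuning values, not vendor-published ones."""
    if len(messages) < 2:
        return False, "need at least two messages to judge a flow"
    for i, msg in enumerate(messages):
        if not msg or msg[0] != STX:
            return False, f"message {i} does not start with STX"
        body = msg[1:]
        if len(body) < min_body:
            return False, f"message {i} body too short for an entropy verdict"
        if normalized_entropy(body) < threshold:
            return False, f"message {i} body is low-entropy, likely plaintext framing"
    return True, "every message is STX-prefixed with a ciphertext-like body"


def constructed_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain), constructed so the
    sample runs offline and repeatably; not real STX RAT traffic."""
    out = b""
    for counter in range(0, length, 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


# Constructed sample flows: a suspect beacon flow, an ordinary HTTP flow, and a
# legacy STX/ETX-framed plaintext protocol that happens to share the STX byte.
SUSPECT_FLOW = [bytes([STX]) + constructed_ciphertext(b"beacon%d" % i, 256) for i in range(3)]
HTTP_FLOW = [b"GET /api/v1/status HTTP/1.1\r\nHost: intranet.example.test\r\n"
             b"User-Agent: curl/8.6.0\r\nAccept: application/json\r\n"
             b"Connection: keep-alive\r\n\r\n"] * 3
LEGACY_STX_FLOW = [bytes([STX]) + b"ACCT=000123;AMT=0100.00;TXN=20260409-0001;"
                   b"TYPE=DEBIT;STATUS=OK;" * 2 + b"\x03"] * 2
```

Run on real captures, the heuristic is a triage filter rather than a verdict: it points an analyst at flows worth correlating with the process that produced them and with the host-side indicators (hidden window, AMSI patching) described in this article.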

The infostealer component of STX RAT specifically targets credentials stored by popular file transfer applications like FileZilla, WinSCP, and Cyberduck – tools frequently used by developers and IT administrators. Before exfiltrating the stolen data, the malware captures a desktop screenshot, providing attackers with a direct visual confirmation of the compromised machine’s state, as detailed in the eSentire TRU report.
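Added example, not part of the article: an exposure audit for one of the targeted clients. It parses a constructed sitemanager.xml in the layout FileZilla 3.x uses (the element names and the Logontype values are assumptions drawn from that format, not from the report) and lists the entries whose password is stored in the file itself, which is exactly what a stealer can lift without any cracking.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of FileZilla's sitemanager.xml (assumed 3.x
# layout: <Pass encoding="base64"> holds a stored password; Logontype 1 = stored
# password, 2 = ask for password, 5 = key file). Values are made up.
SAMPLE_SITEMANAGER = """<FileZilla3 version="3.66.0" platform="windows">
  <Servers>
    <Server>
      <Host>sftp.build.example.test</Host><Port>22</Port>
      <User>deploy</User>
      <Pass encoding="base64">Y29uc3RydWN0ZWQtc2FtcGxl</Pass>
      <Logontype>1</Logontype>
      <Name>Build server</Name>
    </Server>
    <Server>
      <Host>ftp.partner.example.test</Host><Port>21</Port>
      <User>alice</User>
      <Logontype>2</Logontype>
      <Name>Partner FTP (ask each time)</Name>
    </Server>
    <Server>
      <Host>sftp.ops.example.test</Host><Port>22</Port>
      <User>ops</User>
      <Keyfile>C:\\Users\\ops\\.ssh\\id_ed25519.ppk</Keyfile>
      <Logontype>5</Logontype>
      <Name>Ops (key file)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def audit_filezilla_sitemanager(xml_text: str):
    """Return (site name, host, user, detail) for every entry whose password is
    stored in the file, i.e. what an infostealer can read directly.
    Base64 is an encoding, not encryption, so such entries count as exposed."""
    exposed = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            continue  # ask-each-time, anonymous and key-file entries store no password
        exposed.append((
            server.findtext("Name", "?"),
            server.findtext("Host", "?"),
            server.findtext("User", ""),
            f"password stored with encoding={pass_el.get('encoding', 'plain')}",
        ))
    return exposed


if __name__ == "__main__":
    for name, host, user, detail in audit_filezilla_sitemanager(SAMPLE_SITEMANAGER):
        print(f"[EXPOSED] {name}: {user}@{host}: {detail}")
```

Entries reported as exposed are candidates for switching to FileZilla’s ask-for-password or master-password setting, and for credential rotation on any host where this malware has been found.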
