STX RAT Malware Evades Detection with Hidden RDP and Infostealer Functions
Key Takeaways
- A new, sophisticated remote access trojan, STX RAT, has been identified, posing a significant threat with its hidden remote desktop and infostealer capabilities.
- STX RAT utilizes advanced anti-analysis techniques, including VM detection and AMSI-ghosting, making it challenging for security tools to detect.
- Initial infections have been observed in the financial sector via VBScript and through trojanized software installers like FileZilla.
- The malware can silently control compromised systems through a Hidden Virtual Network Computing (HVNC) module and steal credentials from popular FTP/SFTP clients.
STX RAT Emerges: A Stealthy Threat with Hidden Remote Desktop and Infostealer Modules
A sophisticated new remote access trojan (RAT), named STX RAT, has been identified as a significant cybersecurity threat for 2026. This malware combines covert remote desktop functionalities with potent credential-stealing features, enabling it to compromise target systems silently and effectively.
The name “STX RAT” originates from the Start of Text (STX) magic byte 0x02, which the malware consistently prepends to every message it sends to its command-and-control (C2) server. This subtle yet precise design element highlights the malware’s meticulous construction, as detailed in an analysis document by eSentire’s Threat Response Unit (TRU).
Initial Infiltration and Evasion Tactics
The malware’s initial appearance was noted in late February 2026, targeting a financial sector organization. Attackers deployed STX RAT using a multi-stage infection chain: a VBScript file downloaded via a browser initiated the process, which then dropped a JScript file. This JScript subsequently fetched a TAR archive and activated a PowerShell loader, injecting the final STX RAT payload directly into memory.
By early March, a separate campaign surfaced, documented by Malwarebytes, demonstrating STX RAT’s spread through compromised FileZilla installers. This rapid diversification of delivery methods underscores the operators’ agility and the malware’s active deployment across multiple fronts.

Researchers at eSentire’s Threat Response Unit (TRU) meticulously analyzed STX RAT after the late-February incident. Their findings reveal a highly sophisticated implant engineered with robust anti-analysis mechanisms. These include checks for virtualized environments such as VirtualBox, VMware, and QEMU. Upon detecting these artifacts, STX RAT employs a “jitter exit,” introducing a random delay before self-termination, significantly complicating its analysis in automated sandbox environments.
Beyond virtual machine detection, STX RAT leverages an “AMSI-ghosting” technique. This involves patching a critical Windows RPC function, effectively disabling a layer of security that many tools rely on for scanning active processes. Furthermore, the malware hides its terminal window from both the Alt+Tab switcher and the Windows Taskbar, making its presence even harder to detect for an unsuspecting user.
Once successfully established, the implant initiates contact with its C2 server at 95.216.51.236. It then transmits an initial message containing vital system information, including the hostname, username, operating system version, administrative privileges, installed RAM, and a list of detected antivirus products. All communications with the C2 server are secured using an ECDH key exchange with X25519 and ChaCha20-Poly1305 authenticated encryption, rendering decryption without the specific session keys virtually impossible.
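The two network-visible traits described above (the C2 address 95.216.51.236 and the 0x02 STX byte prepended to every C2 message) can be turned into a simple triage check. The following is an added example written for this article, not code from eSentire or the report; the flow-record format (`ts src dst dport hex_payload`) and the sample records are constructed.

```python
from dataclasses import dataclass

STX_C2_IP = "95.216.51.236"   # C2 address named in the report
STX_MAGIC = b"\x02"           # Start of Text byte prepended to every C2 message

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server payload bytes of the flow

def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'ts src dst dport hex_payload'."""
    ts, src, dst, dport, hex_payload = line.split()
    return Flow(ts, src, dst, int(dport), bytes.fromhex(hex_payload))

def stx_indicators(flow: Flow) -> list[str]:
    """Return the STX RAT traits present in a single flow."""
    hits = []
    if flow.dst == STX_C2_IP:
        hits.append("known_c2_ip")
    if flow.payload.startswith(STX_MAGIC):
        hits.append("stx_magic_prefix")
    return hits

def severity(hits: list[str]) -> str:
    # A 0x02 first byte on its own is weak evidence (other binary protocols
    # use control bytes); paired with the known C2 address it is a strong match.
    if {"known_c2_ip", "stx_magic_prefix"} <= set(hits):
        return "high"
    if "known_c2_ip" in hits:
        return "medium"
    if "stx_magic_prefix" in hits:
        return "low"
    return "none"

# Constructed sample records: one STX RAT beacon, one ordinary TLS ClientHello,
# one internal flow that merely starts with 0x02.
SAMPLE_FLOWS = """\
2026-02-27T10:00:01Z 10.0.0.15 95.216.51.236 443 02a1b2c3d4
2026-02-27T10:00:05Z 10.0.0.15 93.184.216.34 443 160301
2026-02-27T10:00:09Z 10.0.0.22 10.0.0.5 9100 02ff00
"""

def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (ts, dst, severity) for every flow that matches at least one trait."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        sev = severity(stx_indicators(flow))
        if sev != "none":
            out.append((flow.ts, flow.dst, sev))
    return out
```

Run `triage(SAMPLE_FLOWS)` to see the beacon flagged as high and the internal 0x02 flow as low; the TLS flow produces no hit.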
The infostealer component of STX RAT specifically targets credentials stored by popular file transfer applications like FileZilla, WinSCP, and Cyberduck – tools frequently used by developers and IT administrators. Before exfiltrating the stolen data, the malware captures a desktop screenshot, providing attackers with a direct visual confirmation of the compromised machine’s state, as detailed in the TRU analysis.