
The attackers tricked users into downloading and running fake tools disguised as legitimate files such as Xeno.exe or RobloxPlayerBeta.exe. These files were distributed through web browsers and chat platforms, making them appear safe and trustworthy.
According to MsftSecIntel, once executed, the fake utility launched a malicious downloader. This downloader staged a portable Java runtime environment and executed a harmful Java archive (JAR) file named jd-gui.jar.
The attackers used PowerShell and trusted Windows system tools known as living-off-the-land binaries (LOLBins), including cmstp.exe, to avoid detection.
By using legitimate system tools, the malware blended into normal system activity. To further evade security products, the downloader deleted itself after execution.
It also modified Microsoft Defender settings by adding exclusions for the malicious files, preventing them from being scanned.
Persistence was achieved by creating a scheduled task and a startup script named world.vbs, ensuring the malware would run every time the system restarted.
After establishing persistence, the campaign deployed its final payload: a multi-purpose malware. This malware acted as a loader, runner, downloader, and remote access trojan (RAT).
The RAT connected to a command-and-control (C2) server at IP address 79.110.49[.]15, allowing attackers to control infected machines remotely. Through this connection, threat actors could steal sensitive data, deploy additional malware, or execute commands on the compromised device.
Microsoft Defender successfully detects the malware and identifies the suspicious behavior throughout the attack chain.
Technical Indicators and Defense Measures
To defend against this threat, organizations should block or closely monitor outbound connections to the listed IP address and suspicious domains.
Security teams should generate alerts for downloads of Java .zip archives or jd-gui.jar from non-corporate sources.
It is also important to hunt for related processes and components across endpoints.
Administrators should review Microsoft Defender exclusions and audit scheduled tasks for unusual or randomly named entries. Any malicious startup scripts or scheduled tasks should be removed immediately.
| File/Component | SHA-256 Hash |
|---|---|
| decompiler.exe | 48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb |
| jd-gui.jar | a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5 |
| worldview.db-wal/StandardName.exe | 4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f |
| world.vbs | 65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36 |
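The hunting and review steps above (Defender exclusions, scheduled tasks, startup scripts, related processes, outbound connections to the listed address, and the published hashes) can be collected in one endpoint triage script. The following PowerShell is an added example written for this page, not code from Microsoft or Cyberpress; the indicator values are taken from the article, while the folders it scans for hash matches and the process name patterns it flags are assumptions about where such artifacts would plausibly appear. Run it elevated on a suspected endpoint.

```powershell
# Added triage script (not from the article). Indicator values come from the write-up;
# scan locations and name patterns are assumptions, not documented campaign paths.
$C2Address   = '79.110.49.15'
$KnownHashes = @{
    '48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb' = 'decompiler.exe'
    'a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5' = 'jd-gui.jar'
    '4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f' = 'worldview.db-wal/StandardName.exe'
    '65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36' = 'world.vbs'
}
# Names mentioned in the write-up; matched against task actions and process command lines.
$SuspectNames = 'Xeno\.exe|RobloxPlayerBeta\.exe|jd-gui\.jar|world\.vbs|StandardName\.exe|decompiler\.exe'

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Category, $Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Defender exclusions: the downloader added exclusions for its own files, so every
#    exclusion is reported for review rather than only ones matching known names.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($p) { Add-Finding 'DefenderExclusion' $p }
}

# 2. Scheduled tasks whose action references the known components, cmstp.exe, or a Java runtime.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match "$SuspectNames|cmstp\.exe|javaw?\.exe") {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName): $cmd"
        }
    }
}

# 3. Startup folders: persistence used a startup script named world.vbs. Any file here
#    is listed so an analyst can judge it; the folder paths are standard Windows locations.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($f in Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue) {
    Add-Finding 'StartupItem' $f.FullName
}

# 4. Running processes: a portable Java runtime executing the JAR, or cmstp.exe in use.
foreach ($proc in Get-CimInstance Win32_Process) {
    if ($proc.CommandLine -match "$SuspectNames|cmstp\.exe") {
        Add-Finding 'Process' "$($proc.ProcessId) $($proc.Name): $($proc.CommandLine)"
    }
}

# 5. Live TCP connections to the reported C2 address.
foreach ($c in Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue) {
    Add-Finding 'C2Connection' "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) ($($c.State)) PID $($c.OwningProcess)"
}

# 6. Hash-match files in user-writable locations against the published SHA-256 list.
#    The roots below are an assumption about likely drop locations, not from the article.
$scanRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData, "$env:USERPROFILE\Downloads")
Get-ChildItem -Path $scanRoots -Recurse -File -Include *.exe, *.jar, *.vbs, *.db-wal -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $KnownHashes.ContainsKey($h.ToLower())) {
            Add-Finding 'HashMatch' "$($_.FullName) = $($KnownHashes[$h.ToLower()])"
        }
    }

$Findings | Format-Table -AutoSize
```

Treat an empty result as "no match on these indicators", not as a clean bill of health: the campaign deleted its downloader after execution, so the absence of the staged files does not rule out infection, and the Defender exclusion and scheduled-task checks are the most durable signals to review. Findings should be preserved (for example by exporting the $Findings list) before any remediation, since removing the task or script destroys evidence needed for the EDR investigation described below.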
If infection is suspected, isolate affected endpoints from the network. Collect endpoint detection and response (EDR) telemetry for investigation and reset credentials for users who were active on compromised systems.
This campaign highlights how attackers continue to exploit gaming communities by disguising malware as useful tools, reinforcing the need for strong endpoint monitoring and user awareness.
The post Cybercriminals Exploit Gaming Community With Malicious Utilities Spreading RATs appeared first on Cyber Security News.
