
STX RAT Conceals Remote Desktop and Exfiltrates Data to Avoid Detection


Emergence of STX RAT: A Stealthy Remote Access Trojan with Infostealer Capabilities

A new and sophisticated remote access trojan (RAT) known as STX RAT has emerged in the cybersecurity landscape, merging hidden remote desktop functionalities with robust infostealer capabilities. This malware demonstrates advanced evasion techniques and encryption methods designed to elude detection by security tools, posing a significant threat.

Operational Tactics of STX RAT

The operation of STX RAT begins with opportunistic initial access methods. It primarily employs malicious VBScript and JScript chains, which download a TAR archive containing both the core malware payload and a PowerShell loader. Starting the intrusion from script files rather than a standalone executable makes the early stages easier to slip past security controls.

Once the PowerShell script executes, it reverses and Base64-decodes the STX RAT binary. The script then allocates memory with read, write, and execute permissions and injects the decoded payload directly into the PowerShell process. Because the final executable never touches the disk, static, file-based analysis has little chance of catching it.

The cybersecurity research group eSentire’s Threat Response Unit (TRU) first identified STX RAT in late February 2026 during an intrusion targeting a financial services organization. Subsequent analyses linked its distribution to counterfeit FileZilla download sites that hosted trojanized installers.

The initial phase of the attack involves the VBScript concatenating JScript contents into a file on disk. This file is executed through WScript, and it gains elevated privileges, making the subsequent attack vectors more effective.
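A defender who has PowerShell script block logging enabled will see the staging described above (a reversed Base64 string, reversed back and decoded in memory) as text in the event log. The triage helper below is an added example and is not code from the article or from eSentire; it builds a constructed script-block sample in that shape (the payload bytes, the `[Win32]::VirtualAlloc` mention and all names are invented for the demonstration), recovers the embedded payload from the logged text, and reports whether it carries a PE header, its size and hash, and whether the script also requested RWX memory. The same function works on real Event ID 4104 text pulled from a SIEM.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for the staged binary. It carries a PE-style "MZ" header so the
# triage logic has something to recognise; it is NOT real malware and not a valid PE.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed placeholder bytes, not a real PE image" * 3


def build_sample_script_block(payload: bytes) -> str:
    """Hand-built script-block text in the shape the article describes: a Base64 string
    stored reversed, reversed back and decoded at run time, then copied into RWX memory.
    It stands in for an Event ID 4104 log entry; it is not the STX RAT loader."""
    blob = base64.b64encode(payload).decode()[::-1]
    return (
        f'$s = "{blob}";'
        '$a = $s.ToCharArray(); [array]::Reverse($a);'
        '$b = [Convert]::FromBase64String(-join $a);'
        '$m = [Win32]::VirtualAlloc(0, $b.Length, 0x3000, 0x40)'
    )


# A quoted run of Base64 alphabet characters long enough to be a staged blob.
BASE64_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{64,})"')
# Hints that the script reverses the string before decoding it.
REVERSE_HINT = re.compile(r"\[array\]::Reverse|\[-1\s*\.\.\s*-", re.I)
# VirtualAlloc-style call whose protection argument is 0x40 (PAGE_EXECUTE_READWRITE).
RWX_ALLOC = re.compile(r"VirtualAlloc\w*\s*\([^)]*0x40\b", re.I)


def _decode(text: str):
    """Strict Base64 decode; None when the text is not valid Base64 in this orientation."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def recover_staged_payload(script_block: str):
    """Pull the largest Base64-looking literal out of a logged script block, undo the
    reversal if the script applies one, and report what came out. Returns None when
    the text carries no such literal or nothing decodes."""
    literals = BASE64_LITERAL.findall(script_block)
    if not literals:
        return None
    literal = max(literals, key=len)
    # Try the reversed orientation first only if the script itself reverses the string.
    orientations = [("reversed", literal[::-1]), ("as-is", literal)]
    if not REVERSE_HINT.search(script_block):
        orientations.reverse()
    decoded = [(name, _decode(text)) for name, text in orientations]
    decoded = [(name, data) for name, data in decoded if data is not None]
    if not decoded:
        return None
    # Prefer the orientation that yields a PE header; otherwise the first that decodes.
    name, data = next(((n, d) for n, d in decoded if d[:2] == b"MZ"), decoded[0])
    return {
        "orientation": name,
        "is_pe": data[:2] == b"MZ",
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "rwx_alloc": bool(RWX_ALLOC.search(script_block)),
        "payload": data,  # write this to disk only inside an isolated analysis VM
    }


if __name__ == "__main__":
    report = recover_staged_payload(build_sample_script_block(SAMPLE_PAYLOAD))
    print({k: v for k, v in report.items() if k != "payload"})
```

The recovered bytes are what you hand to a sandbox or a YARA scan; the hash lets you pivot across other hosts' logs without ever running the sample. The `rwx_alloc` flag on its own is a strong hunting signal, since legitimate scripts almost never request executable memory.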

Technical Resilience Against Detection

STX RAT employs a custom packer that exposes only two exports, “init” and “run.” To complicate detection, it uses XXTEA decryption and Zlib decompression to unpack its main payload. This layering makes static detection nearly impossible, since signature-based methods have no plaintext payload to match against.

In terms of network communication, STX RAT utilizes a proprietary TCP protocol and a well-structured cryptographic stack. It incorporates X25519 Elliptic Curve Diffie-Hellman (ECDH) for deriving a per-session shared secret and employs the ChaCha20-Poly1305 encryption algorithm to secure all transported data. This advanced encryption ensures the confidentiality and integrity of the communication channel, further masking its activities.

Because its messages are length-prefixed and encrypted, STX RAT traffic looks like opaque binary blobs rather than HTTP with recognizable, signaturable patterns. This leaves network detection systems little to match on.

Evasion Tactics and Hidden Functionality

To further thwart analysis, STX RAT layers multiple string-obfuscation schemes such as rolling XOR and AES-128-CTR. The malware also demonstrates extensive self-preservation tactics through various anti-VM and anti-analysis checks. It scans for artifacts of VirtualBox, VMware, and QEMU, checks for the PEB BeingDebugged flag, and insists on executing within PowerShell or MSBuild environments, often terminating if executed in more common analysis settings.

One of STX RAT’s significant features is its hidden virtual network computing (HVNC) capability, which allows attackers to interact with a concealed desktop environment on the compromised machine. This facilitates more streamlined control without drawing the attention of users.

The malware can execute commands such as “starthvnc,” “keypress,” and “mouseinput.” By injecting keyboard and mouse events through the SendInput API, operators can control the victim’s system discreetly, without any visible indicators of unauthorized access.

Data Theft Protocol

While STX RAT is designed to operate as a comprehensive infostealer, it activates its data theft functionalities only upon receiving explicit commands from its command-and-control (C2) server. This strategic limitation reduces the observable behavior within sandbox environments, complicating timely detection.

Once activated, STX RAT can harvest browser cookies and passwords from various web browsers, Windows Vault credentials, FTP client secrets, and data from cryptocurrency wallets. It also captures screenshots of the infected desktop before exfiltrating credentials, sending the images to its operators as Base64-encoded JPEGs for visual context.

STX RAT can also act as a loader for extra payloads, accepting various formats such as EXE/BIN, reflective DLLs, raw shellcode, and PowerShell scripts. This versatility allows it to execute additional malicious operations directly in memory, reinforcing its effectiveness as a multi-tiered threat.

Persistence and Mitigation Strategies

To ensure persistence, STX RAT employs several techniques: HKCU Run keys that launch its obfuscated PowerShell loaders, abuse of MSBuild project files to execute decrypted payloads directly in memory, and COM object hijacking via malicious scriptlets that invoke its autorun script.
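Two of the three persistence mechanisms above (Run keys driving PowerShell loaders, and MSBuild project execution) leave entries in the user's autorun locations, which is where a responder should look first. The audit below is an added example, not code from the article or from eSentire. It classifies each HKCU Run value by its launcher and flags the traits described on this page: PowerShell started with encoded, hidden-window or execution-policy-bypass switches, MSBuild launched at logon against a project file in a user-writable directory, and script hosts running from temp or AppData paths. The value names, paths and the `-enc` argument in the sample list are constructed for the demonstration; on Windows the script reads the live Run key instead, and the COM-hijacking case is out of scope here because the page gives no detail on where those scriptlets are registered.

```python
import re
from dataclasses import dataclass, field

try:
    import winreg  # only present on Windows; the constructed sample below runs anywhere
except ImportError:
    winreg = None

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of HKCU Run values in the (name, command line) form winreg returns.
# Every name, path and argument here is invented for this example.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("WinUpdateSvc", r"powershell.exe -nop -w hidden -ep bypass -enc AAAAAAAAAAAAAAAA"),
    ("BuildHelper", r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" '
                    r"C:\Users\alice\AppData\Roaming\build\task.proj"),
    ("SyncTask", r'wscript.exe //B //E:JScript "C:\Users\alice\AppData\Local\Temp\sync.js"'),
    ("Steam", r'"C:\Program Files (x86)\Steam\steam.exe" -silent'),
]

# Launchers worth a second look when they appear in an autorun entry.
LAUNCHERS = {
    "powershell": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "msbuild": re.compile(r"\bmsbuild(\.exe)?\b", re.I),
    "script_host": re.compile(r"\b[wc]script(\.exe)?\b", re.I),
}

# PowerShell switches typical of obfuscated loaders, with the reason string to report.
POWERSHELL_FLAGS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-nop(rofile)?\b", re.I), "profile suppressed"),
    (re.compile(r"\biex\b|invoke-expression|frombase64string", re.I), "in-memory decode/eval"),
]

# Directories a standard user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\(Downloads|Public))\\", re.I)


@dataclass
class Finding:
    name: str
    command: str
    launcher: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess_run_value(name: str, command: str) -> Finding:
    """Classify one autorun entry and collect the reasons it deserves attention."""
    launcher = next((k for k, rx in LAUNCHERS.items() if rx.search(command)), "other")
    finding = Finding(name, command, launcher)
    if launcher == "powershell":
        finding.reasons += [label for rx, label in POWERSHELL_FLAGS if rx.search(command)]
    elif launcher == "msbuild":
        finding.reasons.append("MSBuild launched at logon (project-file execution)")
        if USER_WRITABLE.search(command):
            finding.reasons.append("project file in user-writable path")
    elif launcher == "script_host":
        finding.reasons.append("script host launched at logon")
        if USER_WRITABLE.search(command):
            finding.reasons.append("script in user-writable path")
    return finding


def audit_run_values(values) -> list:
    """Return only the entries that raised at least one reason."""
    return [f for f in (assess_run_value(n, c) for n, c in values) if f.suspicious]


def collect_hkcu_run_values() -> list:
    """Read the live HKCU Run key on Windows; elsewhere fall back to the constructed sample."""
    if winreg is None:
        return list(SAMPLE_RUN_VALUES)
    values, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            index += 1
    return values


if __name__ == "__main__":
    for finding in audit_run_values(collect_hkcu_run_values()):
        print(f"[{finding.launcher}] {finding.name}: {'; '.join(finding.reasons)}")
        print(f"    {finding.command}")
```

Run it under the account that was logged on during the suspected intrusion, since HKCU is per user. A hit is a lead, not a verdict: pull the referenced script or project file and the PowerShell script block logs for that host before deciding whether to isolate.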

For communication with its C2 server, STX RAT uses TCP sockets via Winsock and protects the traffic with the ECDH-derived session keys described above. It also enumerates installed antivirus products and reports them to the C2 in its initial beacons.

According to eSentire’s TRU, STX RAT represents a low-visibility but highly advanced threat. By integrating modern cryptographic measures, sandbox evasion tactics, and stealthy remote desktop functionalities, it challenges traditional security defenses effectively.

For organizations seeking to safeguard against such threats, it’s recommended to harden script execution by managing risky extensions, employing robust next-generation antivirus (NGAV) solutions, and considering 24/7 managed detection-response services. Quick isolation of compromised hosts can mitigate the risks associated with encountering STX RAT or similar multi-stage malware loaders.
