Fake Xeno and Roblox Utilities Used to Install Windows RAT, Microsoft Warns

Cybersecurity experts at Microsoft Threat Intelligence have uncovered a concerning trend in the gaming community: attackers are distributing counterfeit gaming tools that, when executed, install a remote access trojan (RAT) on unsuspecting users’ systems. This deceptive campaign primarily utilizes trojanized executables, which are shared through various browsers and chat platforms, enticing victims to download seemingly legitimate software like Xeno.exe or RobloxPlayerBeta.exe.

Mechanics of the Attack

The initial executable serves as a downloader, setting the stage for subsequent malicious actions. It installs a portable Java runtime environment and subsequently launches a harmful Java archive, jd-gui.jar, which perpetuates the infection process.

In a clever evasion tactic, the attackers leverage built-in Windows tools rather than overt malware components. The downloader executes commands via PowerShell and abuses trusted system binaries such as cmstp.exe. These trusted executables, commonly referred to as living-off-the-land binaries (LOLBins), let the attackers carry out malicious actions while blending in with normal system activity, thereby minimizing the risk of immediate detection.

The PowerShell script embedded within the attack chain attempts to connect to several remote locations, downloading an executable into the user’s local application data directory. Upon a successful connection, the file is saved as update.exe and is automatically executed. Notably, one of the domains referenced in the script is powercatdog, alongside two endpoints hosted on PythonAnywhere.

Once the malware is operational, it actively works to erase any evidence of the original downloader. Additionally, it modifies Microsoft Defender settings by adding exclusions for the malicious files, allowing the RAT components to function without interference from the security engine.

According to a detailed tweet from Microsoft, the malware establishes persistence through scheduled tasks and a startup script named world.vbs. These entries ensure that the malware can restart following a system reboot, granting attackers prolonged access to the compromised device. This access enables operators to issue commands, gather data, and deploy further payloads. Ultimately, the malware acts as a loader, runner, downloader, and remote access tool, affording attackers extensive control over the infected system.

Fortunately, Microsoft Defender is already equipped to detect both the malware and the behavioral patterns associated with this campaign. Nevertheless, the company advises organizations to closely monitor outbound traffic and block connections to the domains and IP addresses identified in the indicators of compromise.

Microsoft encourages organizations to scrutinize Microsoft Defender exclusions and scheduled tasks for any irregularities. Any suspicious entries, including startup scripts like world.vbs, should be examined and removed as part of a comprehensive incident response strategy.
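The following triage script is an added example, not Microsoft's own tooling; it enumerates the artifacts the write-up describes (Defender exclusions, scheduled tasks, startup entries and files dropped under the local application data directory) so a responder can review them. The file names world.vbs, update.exe and jd-gui.jar are taken from the article; the registry Run keys and startup folders are standard locations and are an assumption about where else a startup script might be registered.

```powershell
# Added triage script, not Microsoft's own tooling. Indicator file names come from
# the write-up; run in an elevated PowerShell on the suspect host and review every row.
$indicators = @('world.vbs', 'update.exe', 'jd-gui.jar')
$findings   = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Source, [string]$Value) {
    $findings.Add([pscustomobject]@{ Source = $Source; Value = $Value })
}

# 1. Defender exclusions: the malware adds its own files so the engine ignores them.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in @($pref.$kind)) {
        if ($entry) { Add-Finding "Defender $kind" $entry }
    }
}

# 2. Scheduled tasks whose action names an indicator or runs out of the user profile.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in @($task.Actions)) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $namedHit = $indicators | Where-Object { $cmd -like "*$_*" }
        if ($namedHit -or $cmd -match '\\AppData\\(Local|Roaming)\\') {
            Add-Finding "Task $($task.TaskPath)$($task.TaskName)" $cmd
        }
    }
}

# 3. Startup folders and Run keys (assumed locations): world.vbs is a startup script.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Startup folder' $_.FullName }
}
foreach ($hive in 'HKCU', 'HKLM') {
    $props = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { Add-Finding "Run key $hive" "$($_.Name) = $($_.Value)" }
    }
}

# 4. The drop location the downloader used (%LOCALAPPDATA%), one level deep.
Get-ChildItem -Path $env:LOCALAPPDATA -Recurse -Depth 1 -File -ErrorAction SilentlyContinue |
    Where-Object { $indicators -contains $_.Name } |
    ForEach-Object { Add-Finding 'Dropped file' $_.FullName }

$findings | Sort-Object Source | Format-Table -AutoSize
```

Every exclusion is listed, not only suspicious ones, because any exclusion the organization did not deliberately create is worth a look in this campaign.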

For gamers utilizing Windows, it is crucial to remain vigilant. Tools shared within chat groups or forums that promise enhancements or shortcuts may conceal malware behind familiar names. Downloading and executing such files, particularly from unofficial sources, can inadvertently grant attackers access to your system without your knowledge.
