New STX RAT Uses Hidden Remote Desktop and Infostealer Features to Evade Detection

A newly identified remote access trojan, known as STX RAT, has emerged as a formidable cybersecurity concern in 2026. This malware seamlessly integrates hidden remote desktop access with features designed to steal credentials, allowing it to infiltrate targeted systems with remarkable stealth.

The moniker “STX” is derived from the Start of Text (STX) control character, the 0x02 byte, which the malware appends to every communication sent to its command-and-control (C2) server. This subtle detail reflects the meticulous design behind the malware’s operation.

Initial sightings of STX RAT occurred in late February 2026, when attackers attempted to deliver it within a financial organization via a browser-downloaded VBScript file. This script subsequently deployed a JScript file that fetched a TAR archive, ultimately executing a PowerShell loader that injected the final payload into memory.

By early March, Malwarebytes reported a distinct campaign distributing STX RAT through compromised FileZilla installers, indicating that the operators were employing multiple delivery methods concurrently.

VBScript that writes and launches the JScript stage in an elevated WScript process (Source – eSentire)

Researchers from eSentire’s Threat Response Unit (TRU) took the initiative to identify and analyze the malware after the late-February incident, subsequently designating it as STX RAT. Their investigation unveiled a technically sophisticated implant equipped with extensive anti-analysis measures, including checks for artifacts associated with VirtualBox, VMware, and QEMU environments.

Upon detecting such artifacts, the malware executes a “jitter exit,” introducing a random delay before termination, thereby complicating automated analysis in sandbox environments. Furthermore, STX RAT employs an AMSI-ghosting technique that alters a core Windows RPC function, effectively disabling a security layer that tools rely on to scan running processes. It also conceals its terminal window from both the Alt+Tab switcher and the Taskbar.

Once operational, the implant establishes contact with a C2 server at 95.216.51.236, transmitting an introduction message that includes the hostname, username, OS version, administrative status, installed RAM, and a list of detected antivirus products. All communications with the C2 are secured through an ECDH key exchange utilizing X25519 and ChaCha20-Poly1305 authenticated encryption, rendering decryption without the session keys exceedingly difficult.

The infostealer module specifically targets saved credentials from applications such as FileZilla, WinSCP, and Cyberduck—tools commonly used by developers and IT administrators. It captures a screenshot of the desktop before relaying the stolen data, providing attackers with a direct visual representation of the compromised machine.

Hidden Remote Desktop Control: How STX RAT Takes Over Silently

The most alarming feature within STX RAT’s arsenal is its Hidden Virtual Network Computing (HVNC) module, which grants threat actors complete interactive control over a victim’s machine without their awareness. Unlike traditional remote desktop software that visibly takes over a user’s display, HVNC operates through a separate desktop session running discreetly in the background.

All activities conducted by the attacker—such as browsing websites, opening files, and launching applications—occur within this invisible layer, entirely undetected by the victim.

Diffie-Hellman key exchange (Source – eSentire)

HVNC is activated via a starthvnc command dispatched from the C2. Once engaged, attackers can inject keystrokes using keypress, simulate mouse movements with mouseinput, scroll through applications using mousewheel, and paste content directly with the paste command, all leveraging Windows’ SendInput API. A switchdesktop command enables operators to manage multiple hidden desktop sessions concurrently, and upon completion, connectionlost and channel_closed commands quietly terminate sessions and clean up desktop handles, leaving no trace behind.

This architecture elevates STX RAT beyond the capabilities of a typical credential stealer. While the victim continues their work on the visible screen, an attacker can simultaneously access internal platforms, explore sensitive files, or deploy additional payloads within the concealed session. Coupled with the credential-harvesting module, HVNC transforms an initial breach into a persistent foothold that is both challenging to detect and difficult to eradicate.

To mitigate this threat, security teams are advised to block the known C2 IP 95.216.51.236 and the associated Tor onion address at the network perimeter. Implementing YARA detection rules from eSentire’s TRU—covering both the unpacked payload and loader—is recommended for identifying infections in memory. Additionally, monitoring for elevated WScript executions involving JScript files in Temp directories and suspicious PowerShell STDIN executions can assist in catching early infections. Where VBScript and JScript are not essential, disabling them entirely can significantly reduce the initial attack surface.
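The two host-based signals recommended above (elevated WScript running a JScript file from a Temp directory, and PowerShell reading its commands from STDIN) can be expressed as simple triage rules over process-creation telemetry. The following is an added example, not eSentire's code or its YARA rules; it assumes Sysmon-style field names (Image, CommandLine, ParentImage, IntegrityLevel) and runs over a constructed sample of events.

```python
import re
from typing import Dict, List

# Constructed sample of Sysmon-style process-creation events (not real telemetry).
# Events 0 and 1 mimic the delivery chain described above; events 2 and 3 are benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\update.js",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -Command -",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\inventory.vbs",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
]

# A .js/.jse path under any directory named Temp or Tmp, e.g. ...\AppData\Local\Temp\x.js
TEMP_JS = re.compile(r"\\(?:Temp|Tmp)\\[^\s\"']*\.jse?\b", re.IGNORECASE)
# "-Command -" tells powershell.exe to read command text from standard input;
# PowerShell also accepts unambiguous prefixes of the parameter name (-c, -com, ...).
PS_STDIN = re.compile(r"(?:^|\s)-c(?:ommand|omman|omma|omm|om|o)?\s+-(?:\s|$)", re.IGNORECASE)

def _basename(path: str) -> str:
    # Windows path: split on backslash rather than relying on os.path (host may be POSIX).
    return path.rsplit("\\", 1)[-1].lower()

def is_elevated_temp_jscript(ev: Dict[str, str]) -> bool:
    """Script host running with High/System integrity on a JScript file in a Temp directory."""
    return (_basename(ev["Image"]) in ("wscript.exe", "cscript.exe")
            and ev.get("IntegrityLevel") in ("High", "System")
            and TEMP_JS.search(ev["CommandLine"]) is not None)

def is_powershell_stdin(ev: Dict[str, str]) -> bool:
    """powershell.exe launched to read its commands from STDIN."""
    return (_basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and PS_STDIN.search(ev["CommandLine"]) is not None)

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matching event, tagged with the rule that fired."""
    findings = []
    for ev in events:
        if is_elevated_temp_jscript(ev):
            findings.append({"rule": "elevated_wscript_temp_js", "cmd": ev["CommandLine"],
                             "parent": _basename(ev["ParentImage"])})
        elif is_powershell_stdin(ev):
            findings.append({"rule": "powershell_stdin", "cmd": ev["CommandLine"],
                             "parent": _basename(ev["ParentImage"])})
    return findings
```

The parent image is carried in each finding because a script host or PowerShell spawned by wscript.exe, as in the chain described above, is a stronger signal than either rule on its own.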
