New Python RAT Mimics a Legitimate Minecraft App to Steal Sensitive Data from Users' Computers

A sophisticated Python-based remote access trojan (RAT) has surfaced within the gaming community, disguising itself as a legitimate Minecraft client to ensnare unsuspecting users. This multi-functional malware uses the Telegram Bot API as its command-and-control infrastructure, allowing attackers to exfiltrate sensitive data and interact with compromised machines remotely.

Operating under the guise of “Nursultan Client,” a name familiar to fans of a legitimate Minecraft modification popular among Eastern European and Russian gamers, this threat successfully lures users into executing its malicious payload. Packaged with PyInstaller, the malware manifests as an unusually large executable file, weighing in at 68.5 MB. This size serves a dual purpose: it accommodates the necessary Python dependencies while evading security tools configured to skip scanning files above a size threshold.

Upon execution, the malware immediately conceals its presence by hiding its console window on Windows systems and displays a fake installation progress bar to maintain the facade of a legitimate software installation.

Fake installation progress bar (Source – Netskope)

Netskope researchers uncovered this threat during routine threat hunting activities, identifying the executable with the SHA256 hash 847ef096af4226f657cdd5c8b9c9e2c924d0dbab24bb9804d4b3afaf2ddf5a61. Their analysis revealed that the malware attempts to establish persistence by creating a registry key named “NursultanClient” in the Windows startup path. However, this persistence mechanism is fundamentally flawed and likely fails. The startup command for the compiled executable is incorrectly constructed, as it was designed for a raw Python script rather than a PyInstaller application. Additionally, the temporary directory created during execution is deleted once the process exits, so the malware cannot run on subsequent system startups.
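An audit along these lines, written here as an added example (not code from Netskope or from the malware), flags Run-key values that point into a temporary directory or name a script rather than a compiled binary, the two failure conditions described above. The registry entries are constructed for illustration; the exact command the malware writes is not published.

```python
import re
from typing import NamedTuple

# Tokenizer that understands double-quoted Windows paths; shlex in POSIX mode
# would strip the backslashes.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Locations that do not survive a process exit or reboot. PyInstaller onefile
# binaries unpack into %TEMP%\_MEI<pid> and remove it when the process ends.
TEMP_PATH_RE = re.compile(r'\\AppData\\Local\\Temp\\|%TE?MP%|\\_MEI\d+\\', re.IGNORECASE)
INTERPRETERS = {"python.exe", "pythonw.exe", "python", "pythonw", "py.exe"}
SCRIPT_EXTENSIONS = (".py", ".pyw")

class Finding(NamedTuple):
    name: str
    reasons: tuple

def tokenize(command: str) -> list:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]

def audit_entry(name: str, command: str) -> Finding:
    tokens = tokenize(command)
    if not tokens:
        return Finding(name, ("empty",))
    reasons = []
    target = tokens[0].rsplit("\\", 1)[-1].lower()
    if target in INTERPRETERS:
        reasons.append("interpreter")      # launches a script, not a compiled binary
    if target.endswith(SCRIPT_EXTENSIONS):
        reasons.append("script_target")    # autostart points straight at a .py file
    if any(TEMP_PATH_RE.search(t) for t in tokens):
        reasons.append("temp_path")        # path will be gone at next logon
    return Finding(name, tuple(reasons))

def audit(entries) -> list:
    """Return only the entries that have at least one reason."""
    return [f for f in (audit_entry(n, c) for n, c in entries) if f.reasons]

# Constructed sample of HKCU\...\CurrentVersion\Run values (not from the report).
# The NursultanClient value models the flaw the article describes: a script path
# inside the PyInstaller unpack directory, written as if the payload were a .py file.
SAMPLE_RUN_KEY = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("NursultanClient", r'"C:\Users\alice\AppData\Local\Temp\_MEI48122\client.py"'),
    ("Updater", r'pythonw.exe "C:\Users\alice\Tools\updater.pyw"'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN_KEY):
        print(f"{finding.name}: {', '.join(finding.reasons)}")
```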

Telegram-Based Command and Control Infrastructure

The core operation of this malware revolves around its abuse of Telegram as a covert command-and-control channel. The script includes a hardcoded Telegram Bot Token (8362039368:AAGj_jyw6oYftV2QQYiYoUslJOmXq6bsAYs) along with a restricted list of allowed Telegram user IDs (6804277757), ensuring that only the authorized attacker can issue commands to infected machines. This design hints at a Malware-as-a-Service distribution model, where the hardcoded user ID acts as a basic licensing mechanism.

Threat actors can easily modify this identifier for each buyer, recompile the executable, and distribute personalized copies that only individual purchasers can control. The embedded malware signature “by fifetka” within system reconnaissance reports further supports this commercialized approach, indicating an operation aimed at attracting low-level threat actors rather than representing a single attacker’s campaign.

The RAT boasts extensive information-stealing capabilities, specifically targeting Discord authentication tokens across various platforms, including stable, PTB, and Canary builds. It meticulously scans local storage files and user data directories of major web browsers such as Chrome, Edge, Firefox, Opera, and Brave, extracting tokens from both LevelDB and SQLite databases.

Beyond credential theft, the malware offers comprehensive surveillance features, including screenshot capture, webcam photography, and system reconnaissance capabilities that compile detailed profiles containing computer names, usernames, operating system versions, processor specifications, memory usage, and both local and external IP addresses.
