New Python Remote-Access Trojan Disguised as Minecraft App Steals Files

A new Python-based remote-access trojan (RAT) has been uncovered by researchers at Netskope, specifically targeting gamers through a deceptive impersonation of the “Nursultan Client,” a legitimate application widely used among Eastern European Minecraft enthusiasts.

This sophisticated malware operates using the Telegram Bot API as its command-and-control (C2) channel, allowing attackers to exfiltrate sensitive data and remotely control victim systems across various platforms, including Windows, Linux, and macOS.

Malware Deception and Capabilities

Under the guise of the “Nursultan Client,” the malware employs fake installation screens and manipulates the Windows registry by registering misleading startup keys, thereby masquerading as legitimate gaming software. However, its persistence mechanism is inadequately designed, failing to endure system reboots due to improper path handling in its PyInstaller-based executable.

The trojan’s design leverages Telegram for C2 operations, enabling attackers to issue commands to compromised systems. Hardcoded within the malware are credentials, including a Telegram Bot Token and a single authorized user ID, which restricts control to a specific attacker. This setup allows the RAT to perform a range of functions, such as system reconnaissance, data theft, and remote surveillance.

A significant focus of this malware is the theft of Discord authentication tokens. By scanning local storage and browser directories—including those of Chrome, Edge, Firefox, Opera, and Brave—the RAT can identify and exfiltrate tokens, granting attackers unauthorized access to victims’ Discord accounts. The malware also responds to an “/info” command, which gathers comprehensive system information, including hardware specifications, operating system details, and both local and public IP addresses. This data is then relayed back to the attacker in reports formatted in Russian and signed “by fifetka.”

Telegram C2 and Surveillance Functions

The surveillance capabilities of the RAT extend to commands such as “/screenshot,” which captures desktop images, and “/camera,” which activates the webcam. These images are sent through the Telegram API, complicating detection efforts as the traffic resembles legitimate encrypted communication with Telegram servers.

Additionally, the malware incorporates adware-like features; upon receiving messages containing URLs or images, it displays them on the victim’s system, facilitating phishing attempts, fake alerts, or intrusive advertisements.

Researchers suggest that this malware is likely part of an evolving Malware-as-a-Service (MaaS) ecosystem, where each build can be tailored for different clients by altering the authorized Telegram ID. Despite its extensive capabilities, the RAT’s flawed persistence and lack of obfuscation indicate that it may be operated by a mid-level actor who relies heavily on open-source components rather than employing advanced coding techniques.

Netskope’s Advanced Threat Protection identifies this threat under the signature QD:Trojan.GenericKDQ.F8A018F2A0, highlighting the importance for organizations to monitor legitimate encrypted traffic for concealed C2 communications that exploit platforms like Telegram.
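One practical way to act on that recommendation is to look for the Bot API shape in web proxy logs. The script below is an added example, not Netskope's tooling or the malware's code: it parses constructed proxy log lines (a simplified "timestamp client method url" format, with placeholder bot tokens), matches the documented Bot API URL pattern `https://api.telegram.org/bot<id>:<secret>/<method>`, and rates a client that both polls for commands (`getUpdates`) and uploads files or images (`sendPhoto`, `sendDocument`, ...) as the RAT-like pattern. It assumes TLS inspection or URL logging is in place; with SNI-only visibility the signal degrades to "workstation contacting api.telegram.org at all", which is still worth alerting on where no bots are expected.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines for this example: "timestamp client_ip method url".
# The bot tokens below are placeholders, not real credentials.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 GET https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder_x/getUpdates?offset=42
2024-05-01T10:00:02Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder_x/sendPhoto
2024-05-01T10:00:03Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder_x/sendDocument
2024-05-01T10:00:04Z 10.0.0.22 GET https://web.telegram.org/k/
2024-05-01T10:00:05Z 10.0.0.31 POST https://api.telegram.org/bot987654321:BBAnotherPlaceholder_y/sendMessage
2024-05-01T10:00:06Z 10.0.0.40 GET https://example.com/index.html
"""

# Bot API calls have the form https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
POLL_METHODS = {"getUpdates"}  # a bot waiting for operator commands
UPLOAD_METHODS = {"sendPhoto", "sendDocument", "sendVideo", "sendAudio", "sendVoice"}  # screenshots, files

def redact(token_id, secret):
    """Keep enough of the token to correlate events, never the whole secret."""
    return f"{token_id}:{secret[:2]}...{secret[-2:]}"

def parse_line(line):
    """Return (client, redacted_token, method) for a Bot API request, else None."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    m = BOT_API_RE.match(parts[3])
    if not m:
        return None
    return parts[1], redact(m["id"], m["secret"]), m["method"]

def find_bot_api_callers(log_text):
    """Group Bot API calls per (client, token) and rate each pair."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            client, token, method = rec
            seen[(client, token)].add(method)
    findings = []
    for (client, token), methods in sorted(seen.items()):
        polling = bool(methods & POLL_METHODS)
        uploading = bool(methods & UPLOAD_METHODS)
        # Polling for commands and pushing files from one host is the RAT shape; either alone is weaker.
        severity = "high" if polling and uploading else "medium"
        findings.append({"client": client, "token": token, "methods": sorted(methods), "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in find_bot_api_callers(SAMPLE_LOG):
        print(finding)
```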
