New Millenium RAT version infects 62,000 Windows systems worldwide

A significant evolution of the Millenium remote access trojan (RAT) has emerged, impacting over 62,000 Windows devices across more than 160 countries. This latest iteration keeps Telegram bots as its command-and-control channel, while its rewritten codebase marks a notable shift from the earlier versions.

Insights from Group-IB

Group-IB has closely examined version 4.* of the Millenium RAT, which they describe as a substantial departure from its previous .NET-based versions. The researchers attribute the ongoing malware campaigns to a threat cluster they refer to as Y2K Operators, identifying the malware’s creator as “ShinyEnigma.” The scale of the infection is staggering, with 62,289 infected endpoints detected, and a remarkable 39,730 of those infections occurring in just the first quarter of 2026, indicating a sharp rise in malicious activity.

The Millenium RAT is marketed as a malware-as-a-service (MaaS) offering, with ShinyEnigma promoting it through underground forums, a dedicated website, and developer platforms such as GitHub, GitLab, and Gitea—though several repositories have since been taken down. The pricing model is notably accessible, set at for the first month, for each subsequent month, or a one-time fee of for a lifetime license.

Technical Advancements

Distinct from its predecessors, Millenium RAT 4 is crafted in native C++, eliminating its reliance on the .NET framework. It continues to leverage the Telegram Bot API for command-and-control communications, allowing its operators to sidestep the complexities of maintaining dedicated C2 servers.

Once installed, the RAT boasts a range of capabilities, including:

  • Stealing browser data
  • Collecting system information
  • Logging keystrokes
  • Capturing screenshots and microphone audio
  • Accessing Telegram and Discord data
  • Downloading and executing additional payloads
  • Executing arbitrary Windows or PowerShell commands

To ensure persistence, the malware copies itself into the %APPDATA% directory and creates an autorun registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Interestingly, despite its extensive capabilities, Group-IB notes that Millenium RAT does not employ sophisticated exploits. Instead, it relies on standard Windows API functions, even displaying legitimate User Account Control (UAC) prompts when seeking elevated privileges.

Distribution Tactics

Researchers have observed the malware being disseminated through various social engineering tactics, including:

  • Cracked software
  • Cryptocurrency utilities
  • Hacking toolkits
  • OSINT tools
  • Exploit builders
  • Roblox-related cheats

In some instances, operators have even trojanized malware builders and offensive security tools, inadvertently infecting cybercriminals who attempt to download them. One notable campaign analyzed by Group-IB utilized PDF-themed lures, where a malicious Windows shortcut activated PowerShell to download both a decoy PDF and the Millenium RAT payload. The legitimate document would open as expected while the malware executed silently in the background, subsequently deleting the downloader script.

To further blend into infected systems, payloads often adopted filenames associated with Windows components or security software, such as svchost.exe, MsEdgeUpdate.exe, Microsoft Antivirus.exe, and setup.exe.

In light of these developments, Group-IB recommends several precautionary measures for users: avoid executables from untrusted sources, apply security updates promptly, enable multi-factor authentication, and approach unexpected UAC prompts requesting administrator privileges with caution. Additionally, users should monitor for unusual autorun registry entries and system-named processes executing from user-writable directories.
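The following PowerShell script is an added example, not code from the article or from Group-IB, that checks the two indicators recommended above: HKCU Run entries whose target sits in a user-writable directory, and running processes that carry one of the masquerading names the article lists but execute from such a directory. It assumes it is run on the endpoint being checked as the logged-on user; the directory list and the function name are my own choices.

```powershell
# Added example (not from the article or Group-IB): hunt for the persistence
# and masquerading indicators described in the text using built-in cmdlets.
# Assumption: run as the logged-on user on the endpoint being checked.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Directories a standard user can write to; an autorun or a "system" process
# living here is suspicious. The list is an assumption, extend as needed.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)

# Filenames the article says the payloads borrow from Windows or security software.
$maskNames = @('svchost.exe', 'MsEdgeUpdate.exe', 'Microsoft Antivirus.exe', 'setup.exe')

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($dir in $userWritable) {
        if ($dir -and $Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Find-MilleniumIndicators {
    # 1. HKCU Run values whose (expanded, unquoted) target is in a user-writable directory.
    $runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($runProps) {
        foreach ($p in $runProps.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
            $target = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
            if (Test-UserWritablePath $target) {
                [pscustomobject]@{ Check = 'HKCU Run'; Name = $p.Name; Path = $target; PID = $null }
            }
        }
    }

    # 2. Processes with a system-like name running outside the Windows directory
    #    (the real svchost.exe lives in %SystemRoot%\System32). Processes whose
    #    image path is not readable (access denied) are skipped.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $leaf = Split-Path $_.Path -Leaf
        if ($maskNames -contains $leaf -and (Test-UserWritablePath $_.Path)) {
            [pscustomobject]@{ Check = 'Process'; Name = $leaf; Path = $_.Path; PID = $_.Id }
        }
    }
}

Find-MilleniumIndicators | Format-Table -AutoSize
```

An empty table means neither indicator was found; any row is a lead for further triage, not proof of infection, since legitimate installers also register user-profile autoruns.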

Winsage