Researchers from Netskope have uncovered a new cross-platform Python-based Remote Access Trojan (RAT) disguised as a popular Minecraft client, weaponizing the Telegram Bot API for command and control (C2) operations.
Netskope identified "a new, multi-function Python RAT that leverages the Telegram Bot API as a command and control (C2) channel, allowing attackers to exfiltrate stolen data and remotely interact with victim machines." The malware, internally dubbed Nursultan Client, poses as a legitimate Minecraft modification tool to deceive players, particularly within Eastern-European and Russian gaming communities.
According to the report, the malware "attempts to add a layer of legitimacy by using the name 'Nursultan Client' in its persistence mechanisms and on-screen deceptions," tricking victims into believing they're installing a genuine game client. Once executed, the program hides its console window and displays a fake installation progress bar, an effective ruse to mask malicious activity.
Unlike many Windows-only RATs, this threat is built on cross-platform libraries that allow it to function on Windows, Linux, and Darwin (macOS) systems. As Netskope notes, "the malware uses the Telegram Bot API for all C2 communications, exfiltrating data and receiving commands through the popular messaging service."
The analyzed sample contained a hardcoded Telegram bot token and a single allow-listed attacker Telegram user ID, so only that account can issue commands to infected machines. Through this channel the operator controls the RAT's surveillance, data-exfiltration, and adware functions.
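Because every C2 request goes to api.telegram.org with the bot token in the URL path (/bot&lt;token&gt;/&lt;method&gt;), this family is easier to spot in proxy telemetry than a bespoke C2 protocol. The following is an added detection example, not code from the Netskope report or from the malware: it parses a constructed, simplified proxy-log format (timestamp, source IP, verb, host, path, all assumptions of this example), groups Bot API requests by host and bot token, and flags hosts that poll getUpdates at a steady short interval (beaconing) or call data-sending methods such as sendDocument (exfiltration). The sample log lines are constructed for the example.

```python
"""Added example: flag Telegram Bot API C2 traffic in web-proxy logs.

Assumptions (not from the Netskope report): the log format below is a
constructed, simplified proxy log of "timestamp src_ip verb host path".
Bot tokens follow Telegram's documented <bot_id>:<secret> shape.
"""
import re
from collections import defaultdict
from datetime import datetime

# Telegram Bot API paths look like /bot<token>/<method>
BOT_PATH = re.compile(r"^/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$")

# Methods used for pulling commands vs. pushing data out of the host
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendVideo"}

# Constructed sample log (not real telemetry): one host polls the bot API
# every 2 s and uploads files; another host only browses Telegram Web.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET api.telegram.org /bot1234567890:AAH3xWq9p3Lk2mN8vB7cX1zY4rT6uI0oP9qS/getUpdates
2024-05-01T10:00:02 10.0.0.5 GET api.telegram.org /bot1234567890:AAH3xWq9p3Lk2mN8vB7cX1zY4rT6uI0oP9qS/getUpdates
2024-05-01T10:00:04 10.0.0.5 GET api.telegram.org /bot1234567890:AAH3xWq9p3Lk2mN8vB7cX1zY4rT6uI0oP9qS/getUpdates
2024-05-01T10:00:05 10.0.0.5 POST api.telegram.org /bot1234567890:AAH3xWq9p3Lk2mN8vB7cX1zY4rT6uI0oP9qS/sendDocument
2024-05-01T10:00:06 10.0.0.5 POST api.telegram.org /bot1234567890:AAH3xWq9p3Lk2mN8vB7cX1zY4rT6uI0oP9qS/sendPhoto
2024-05-01T10:01:00 10.0.0.9 GET web.telegram.org /k/
"""


def parse_log(text):
    """Parse the constructed log format into dicts; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_bot_c2(events, max_poll_interval=10.0, min_polls=3):
    """Group Bot API requests by (src, token) and flag beaconing or exfil.

    beaconing: at least min_polls getUpdates calls, none more than
               max_poll_interval seconds apart (a long-polling RAT loop).
    exfil:     any call to a method that pushes data to the bot owner.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev["host"] != "api.telegram.org":
            continue
        m = BOT_PATH.match(ev["path"])
        if not m:
            continue
        by_key[(ev["src"], m["token"])].append((ev["ts"], m["method"]))

    findings = []
    for (src, token), reqs in by_key.items():
        reqs.sort()
        polls = [ts for ts, method in reqs if method in POLL_METHODS]
        exfil = sorted({method for _, method in reqs if method in EXFIL_METHODS})
        intervals = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        beaconing = len(polls) >= min_polls and all(i <= max_poll_interval for i in intervals)
        if beaconing or exfil:
            findings.append({
                "src": src,
                # Record only the numeric bot_id; the secret half of the token
                # should not be copied into tickets or dashboards.
                "bot_id": token.split(":")[0],
                "polls": len(polls),
                "beaconing": beaconing,
                "exfil_methods": exfil,
            })
    return findings


if __name__ == "__main__":
    for finding in find_bot_c2(parse_log(SAMPLE_LOG)):
        print(finding)
```

Two caveats for anyone operationalizing this: the path is only visible where TLS is inspected (otherwise you see just the SNI api.telegram.org, which is still a useful egress signal on hosts with no business need for Telegram bots), and blocking on the token is futile because, as the report notes, each sold copy is recompiled with its own token. Block or alert on api.telegram.org from endpoints, not on the specific bot.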
Among its key objectives, the malware is designed to steal Discord authentication tokens, a tactic commonly used by cybercriminals to hijack accounts and steal sensitive communications. The command /tokens triggers a scan of local storage files in Discord and major web browsers including Chrome, Edge, Firefox, Opera, and Brave, extracting any tokens found in .ldb or SQLite databases.
Netskope highlights that "the stolen tokens are then exfiltrated to the attacker, who can use them to take over the victim's Discord account."
Additionally, the /info command performs detailed system reconnaissance, gathering information such as device name, OS version, processor type, and IP addresses. Each report is labeled in Russian and marked with the author's signature, "by fifetka."
The RAT is not limited to credential theft. It also provides the attacker with surveillance capabilities through /screenshot and /camera commands, enabling live captures from the victim's desktop or webcam.
Beyond espionage, the malware includes adware-like behaviors that can manipulate the victim's user interface. If the attacker sends text or image commands, the RAT automatically opens URLs in the victim's browser or displays arbitrary text and images on-screen, potentially delivering phishing pages or fraudulent messages.
While the malware demonstrates a broad feature set, its code reveals operational immaturity. Netskope's reverse engineers note that "the persistence code is designed for a raw Python script and incorrectly constructs the startup command for the compiled executable," rendering its autorun mechanism ineffective.
Moreover, the analysis concludes that this RAT is part of a Malware-as-a-Service (MaaS) operation rather than a sophisticated espionage campaign. The report states, "The hardcoded 'ALLOWED_USERS' Telegram ID acts as a simple licensing mechanism... allowing the author to recompile and sell personalized copies to other low-level threat actors."