[Figure: Bytes to be replaced in memory, enabling spoofing of the Ed25519 public key. Image: TRU]
A sophisticated new player has entered the cyber-threat landscape. Analysts at eSentire’s Threat Response Unit (TRU) have identified a previously undocumented malware family targeting the finance industry, a threat they are now tracking as STX RAT.
The malware’s moniker isn’t just a random string of letters; “TRU is tracking this threat as STX RAT, named for its consistent use of the Start of Text (STX) magic byte ‘\x02’ prefixed to C2 messages”. This subtle technical signature marks the arrival of a remote access trojan (RAT) that prioritizes stealth, sophisticated encryption, and modular theft.
The delivery of STX RAT has proven to be adaptable. While TRU first observed the malware arriving via a browser-downloaded VBScript file, threat actors quickly expanded their reach. By early March 2026, separate reports emerged of a more opportunistic vector: trojanized FileZilla installers hosted on fraudulent websites.
Once executed, the VBScript initiates a complex multi-stage unpacking chain. It writes a JScript file to disk and relaunches it with administrator privileges to ensure the payload has the “elevated” permissions required for full system control.
What sets STX RAT apart from common malware is its “well-thought-out cryptographic design.”
The malware employs a “Hidden Virtual Network Computing” (HVNC) feature, essentially a hidden remote desktop. This allows attackers to interact with the victim’s machine—simulating mouse movements and keystrokes—without the user seeing a single window move on their actual screen.
To remain undetected in offline sandboxes, STX RAT employs a “gated” activation strategy. According to the TRU analysis, “Credential and data theft is gated by C2 interaction, with the stealer functionality only activating after the malware successfully connects to its C2 server and receives an explicit instruction”. This significantly reduces the behavioral evidence left behind if the malware is analyzed without an active command-and-control (C2) connection.
To frustrate reverse engineering, the malware uses several high-level techniques:
- String Obfuscation: “To hinder reverse engineering, STX RAT employs multiple string-obfuscation layers, including rolling XOR with variable start keys and AES-128-CTR encrypted strings that are decrypted on demand”.
- AMSI Ghosting: “Immediately after the malware hides its window, if configured to do so, it uses a known AMSI (Anti-Malware Scan Interface)-bypass technique called AMSI Ghosting”. This patches the Windows API to disable the core layer that many security solutions rely on for telemetry.
- API Hashing: Instead of plain imports, it resolves Windows APIs using salted SHA-1 hashes, making static analysis nearly impossible.
STX RAT handles its C2 communications with the same level of care as its evasion. It uses a proprietary protocol over TCP, supporting both clearweb and Tor as a fallback.
The handshake process is particularly robust, using X25519 ECDH to derive per-session shared secrets while utilizing Ed25519 signatures to validate the C2 server’s identity. This ensures that only the intended attacker can decrypt the traffic, preventing third parties from hijacking the botnet.
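To make that handshake design concrete, the following Go program is an added example (not TRU's code and not STX RAT's implementation) that models a signed ephemeral X25519 exchange of the kind described above. The hello message layout, the field names and the SHA-256 key derivation are assumptions; what it demonstrates is why the figure caption matters to an analyst: a stand-in C2 that lacks the operator's Ed25519 private key is rejected before any session key is derived, so the C2-gated stealer logic never fires until the pinned public key in the implant is replaced.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ServerHello is a constructed model of the C2's first handshake message as TRU
// describes it: an ephemeral X25519 key signed by the operator's Ed25519 identity key.
type ServerHello struct {
	EphPub []byte // 32-byte X25519 public key (wire layout is an assumption)
	Sig    []byte // Ed25519 signature over EphPub
}

// NewServerHello makes a fresh ephemeral X25519 key and signs it with the identity key.
func NewServerHello(identity ed25519.PrivateKey) (ServerHello, *ecdh.PrivateKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return ServerHello{}, nil, err
	}
	pub := eph.PublicKey().Bytes()
	return ServerHello{EphPub: pub, Sig: ed25519.Sign(identity, pub)}, eph, nil
}

// SessionKey hashes the X25519 shared secret; SHA-256 as the KDF is an assumption.
// The returned key is meaningless when err is non-nil.
func SessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	k := sha256.Sum256(shared)
	return k[:], err
}

// ClientHandshake models the implant: the hello is accepted only if signed by the
// Ed25519 key pinned in the binary, so a sandbox C2 without the operator's private
// key is rejected before a session key exists (hence the memory patch in TRU's figure).
func ClientHandshake(pinned ed25519.PublicKey, hello ServerHello) ([]byte, []byte, error) {
	if !ed25519.Verify(pinned, hello.EphPub, hello.Sig) {
		return nil, nil, errors.New("hello not signed by pinned Ed25519 key")
	}
	srvPub, err := ecdh.X25519().NewPublicKey(hello.EphPub)
	cli, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, nil, errors.Join(err, err2)
	}
	key, err := SessionKey(cli, srvPub)
	return cli.PublicKey().Bytes(), key, err
}
```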
With capabilities ranging from stealing browser cookies and crypto-wallets to simulating a full remote desktop, STX RAT represents a significant escalation in malware sophistication for 2026. Its ability to “jitter exit”—randomizing sleep delays before terminating upon detecting a virtual machine—makes it a ghost in the machine that financial institutions must prioritize.