New Python RAT Mimics a Legitimate Minecraft App to Steal Sensitive Data from Users' Computers

A sophisticated Python-based remote access trojan has emerged in the gaming community, disguising itself as a legitimate Minecraft client to compromise unsuspecting users.

The malware, identified as a multi-function RAT, leverages the Telegram Bot API as its command and control infrastructure, enabling attackers to exfiltrate stolen data and remotely interact with victim machines.

By masquerading as “Nursultan Client,” a name associated with a legitimate Minecraft modification popular among Eastern European and Russian gaming communities, the threat successfully deceives users into executing the malicious payload.

The malware was packaged using PyInstaller, resulting in an unusually large 68.5 MB executable file.

This inflation serves a dual purpose: it accommodates the bundled Python dependencies, and it helps evade security tools configured to skip scanning files that exceed a certain size threshold.

Upon execution, the sample immediately conceals its presence by hiding the console window on Windows systems while displaying a fake installation progress bar to maintain the illusion of legitimate software installation.

Fake installation progress bar (Source – Netskope)

Netskope researchers identified the threat during routine threat hunting activities, discovering the executable with SHA256 hash 847ef096af4226f657cdd5c8b9c9e2c924d0dbab24bb9804d4b3afaf2ddf5a61.

The analysis revealed that the malware attempts to establish persistence by creating a registry key named “NursultanClient” in the Windows startup path. However, this persistence mechanism contains critical flaws that will likely cause it to fail.

The malware constructs the startup command as if it were launching a raw Python script rather than the PyInstaller-compiled executable in which it is actually distributed, so the command it registers is wrong for its own packaging.

Additionally, the temporary directory created during execution is deleted once the process exits, preventing the malware from running on subsequent system startups.
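Both flaws described above leave a recognisable shape in an autorun entry, which a defender can check for generically. The following Python script is an added example, not code from the article or from Netskope's analysis. It inspects a set of Run-key values (a constructed sample dictionary here, since the article does not name the exact registry key and an offline example should not touch a live registry) and flags any entry that launches a Python interpreter rather than a binary, points into a PyInstaller `_MEI` extraction directory under Temp, or references a path that no longer exists. The value name "NursultanClient" and the sample paths are assumptions built for the demonstration.

```python
import os
import re

# Constructed sample of Run-key values (value name -> command line); a real
# check would read these from HKCU/HKLM ...\CurrentVersion\Run with winreg.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    # Shape of the broken entry the article describes: a raw-script command
    # pointing into the PyInstaller temp directory that is deleted on exit.
    "NursultanClient": r'python "C:\Users\alice\AppData\Local\Temp\_MEI48722\main.py"',
    "Updater": r'C:\Tools\updater.exe --quiet',
}

# A command that starts with python/pythonw is running a script, not a binary.
INTERPRETER_RE = re.compile(r'^\s*"?pythonw?(?:\.exe)?"?\s', re.IGNORECASE)
# PyInstaller one-file builds unpack to %TEMP%\_MEI<digits>\ at runtime.
PYINSTALLER_TMP_RE = re.compile(r'\\_MEI\d+\\', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\(?:Temp|tmp)\\', re.IGNORECASE)
# Tokens of a command line: either a double-quoted string or a bare word.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
DRIVE_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def candidate_paths(command):
    """Return every token of the command line that looks like an absolute Windows path."""
    paths = []
    for quoted, bare in TOKEN_RE.findall(command):
        token = quoted or bare
        if DRIVE_PATH_RE.match(token):
            paths.append(token)
    return paths


def assess_run_value(command, path_exists=os.path.exists):
    """Return the reasons an autorun command looks suspicious or unable to run."""
    reasons = []
    if INTERPRETER_RE.search(command):
        reasons.append("launches a Python interpreter instead of a compiled binary")
    if PYINSTALLER_TMP_RE.search(command):
        reasons.append("points into a PyInstaller _MEI directory that is removed on exit")
    elif TEMP_DIR_RE.search(command):
        reasons.append("points into a temporary directory")
    for path in candidate_paths(command):
        if not path_exists(path):
            reasons.append(f"referenced path does not exist: {path}")
    return reasons


def scan_run_values(values, path_exists=os.path.exists):
    """Map each flagged value name to its list of reasons; clean entries are omitted."""
    findings = {}
    for name, command in values.items():
        reasons = assess_run_value(command, path_exists)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

The `path_exists` parameter is injected so the check can be run against exported registry data from another machine (or, as here, against constructed data) without depending on the local filesystem; on the infected host itself the default `os.path.exists` confirms the "temp directory already gone" condition the article describes.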

Telegram-Based Command and Control Infrastructure

The malware’s core operation centers on its abuse of Telegram as a covert command and control channel.

The script contains a hardcoded Telegram Bot Token (8362039368:AAGj_jyw6oYftV2QQYiYoUslJOmXq6bsAYs) and a restricted list of allowed Telegram user IDs (6804277757), ensuring only the authorized attacker can issue commands to infected machines.

This design suggests a Malware-as-a-Service distribution model, where the hardcoded user ID functions as a basic licensing mechanism.

The threat actor can easily modify this single identifier for each buyer, recompile the executable, and distribute personalized copies that only individual purchasers can control.
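The hardcoded token and allow-list, and the Bot API traffic they produce, are the two places a defender can catch this design. The following Python script is an added example, not code from the article or from Netskope, and it uses a constructed token and user ID rather than the real ones quoted above. It does two things: extracts Telegram bot tokens and allow-listed operator IDs from strings or decompiled output (the `ALLOWED_USERS` naming is an assumption about how such configs typically look), and flags proxy-log lines that call `api.telegram.org/bot<token>/<method>`, labelling what each method means from a host that is not supposed to be running a bot. The log format and process names are constructed for the demonstration.

```python
import re

# Telegram bot tokens are "<bot id>:<35-char secret>"; this shape is what both
# static string scans and proxy-log inspection key on.
BOT_TOKEN_RE = re.compile(r'\b(\d{8,10}):([A-Za-z0-9_-]{35})\b')
# Hardcoded operator allow-lists in such scripts tend to look like NAME = [id, id] (assumption).
ALLOWED_IDS_RE = re.compile(r'(?:allowed|admin|owner)\w*\s*=\s*\[([^\]]*)\]', re.IGNORECASE)
# Bot API calls always have the form https://api.telegram.org/bot<token>/<method>.
BOT_API_URL_RE = re.compile(r'api\.telegram\.org/bot(\d{8,10}):[A-Za-z0-9_-]{35}/(\w+)')

# Constructed fragment resembling a decompiled config block (token and IDs are made up).
SAMPLE_SCRIPT = '''
BOT_TOKEN = "1234567890:AAGconstructedExampleToken000000000"
ALLOWED_USERS = [1122334455]
'''

# Constructed proxy log: timestamp, host, HTTP method, URL, status, process.
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:01Z alice-pc POST https://api.telegram.org/bot1234567890:AAGconstructedExampleToken000000000/sendDocument 200 NursultanClient.exe",
    "2024-05-01T10:00:03Z alice-pc GET https://api.telegram.org/bot1234567890:AAGconstructedExampleToken000000000/getUpdates 200 NursultanClient.exe",
    "2024-05-01T10:00:05Z alice-pc GET https://www.minecraft.net/ 200 chrome.exe",
]

# What each API method means when seen from an endpoint that is not a known bot host.
METHOD_MEANING = {
    "getUpdates": "polling the bot for operator commands",
    "sendMessage": "reporting text back to the operator",
    "sendDocument": "uploading a file (possible exfiltration)",
    "sendPhoto": "uploading an image (screenshot/webcam capture)",
}


def extract_bot_config(text):
    """Pull bot tokens and allow-listed operator IDs out of decompiled/strings output."""
    tokens = [f"{bot_id}:{secret}" for bot_id, secret in BOT_TOKEN_RE.findall(text)]
    user_ids = []
    for group in ALLOWED_IDS_RE.findall(text):
        user_ids.extend(int(n) for n in re.findall(r'\d+', group))
    return {"tokens": tokens, "user_ids": user_ids}


def flag_telegram_bot_traffic(lines):
    """Return one finding per proxy-log line that calls the Telegram Bot API."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue
        timestamp, host, _http_method, url, _status, process = fields
        match = BOT_API_URL_RE.search(url)
        if not match:
            continue
        bot_id, api_method = match.groups()
        findings.append({
            "timestamp": timestamp,
            "host": host,
            "process": process,
            "bot_id": bot_id,
            "api_method": api_method,
            "meaning": METHOD_MEANING.get(api_method, "other Bot API call"),
        })
    return findings


if __name__ == "__main__":
    print(extract_bot_config(SAMPLE_SCRIPT))
    for f in flag_telegram_bot_traffic(SAMPLE_PROXY_LOG):
        print(f"{f['timestamp']} {f['host']} {f['process']} bot={f['bot_id']} {f['api_method']}: {f['meaning']}")
```

The bot ID (the digits before the colon) is stable across recompiled copies sold to different buyers, since only the allowed user ID changes per buyer; pivoting on it in proxy logs therefore groups infections from the same bot even when the executables differ. Where TLS inspection is not available, the `api.telegram.org` SNI from a process that is not a messaging client is the coarser equivalent of the same check.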

The malware signature “by fifetka” embedded within system reconnaissance reports further supports this commercialized approach, indicating an operation designed to attract low-level threat actors rather than representing a single attacker’s campaign.

The RAT includes extensive information-stealing capabilities targeting Discord authentication tokens across multiple platforms, including stable, PTB, and Canary builds.

It scans local storage files and user data directories of major web browsers such as Chrome, Edge, Firefox, Opera, and Brave, extracting tokens from both LevelDB and SQLite databases.

Beyond credential theft, the malware provides comprehensive surveillance features, including screenshot capture, webcam photography, and system reconnaissance capabilities that collect detailed profiles containing computer names, usernames, operating system versions, processor specifications, memory usage, and both local and external IP addresses.
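The stores listed above (Discord's LevelDB for stable, PTB and Canary, and the browsers' LevelDB and SQLite files) are only ever opened by their own applications in normal use, so a read by any other process is a strong signal. The following Python script is an added example, not code from the article or from Netskope: it classifies file-read events against those store locations and flags reads by processes that do not own the store. The event list, the process names and the owner mapping are constructed assumptions for the demonstration and would need extending to a given estate's browser set.

```python
import re

# Token/credential stores the article says the RAT reads, paired with the
# processes that legitimately open them (constructed mapping; extend per estate).
TOKEN_STORES = [
    # Discord stable, PTB and Canary keep their auth token in LevelDB.
    (re.compile(r'\\(?:discord|discordptb|discordcanary)\\Local Storage\\leveldb\\', re.IGNORECASE),
     {"discord.exe", "discordptb.exe", "discordcanary.exe"}),
    # Chromium-based browsers: LevelDB local storage plus the SQLite credential DBs.
    (re.compile(r'\\(?:Google\\Chrome|Microsoft\\Edge|Opera Software|BraveSoftware)\\.*\\(?:Local Storage\\leveldb|Login Data|Web Data)', re.IGNORECASE),
     {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}),
    # Firefox keeps its equivalents under the profile directory.
    (re.compile(r'\\Mozilla\\Firefox\\Profiles\\.*\\(?:logins\.json|cookies\.sqlite|webappsstore\.sqlite)', re.IGNORECASE),
     {"firefox.exe"}),
]

# Constructed file-read events (process image name, target path), as Sysmon-style telemetry would supply.
SAMPLE_EVENTS = [
    ("chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.ldb"),
    ("NursultanClient.exe", r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000003.log"),
    ("NursultanClient.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("Discord.exe", r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\CURRENT"),
    ("explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
]


def classify_store(path):
    """Return the set of legitimate owner processes for a path, or None if it is not a token store."""
    for pattern, owners in TOKEN_STORES:
        if pattern.search(path):
            return owners
    return None


def flag_token_store_access(events):
    """Return (process, path) for every read of a token store by a process that does not own it."""
    flagged = []
    for process, path in events:
        owners = classify_store(path)
        if owners is not None and process.lower() not in owners:
            flagged.append((process, path))
    return flagged


if __name__ == "__main__":
    for process, path in flag_token_store_access(SAMPLE_EVENTS):
        print(f"[!] {process} read {path}")
```

Matching on the image name alone is deliberately simple; backup agents and indexers will need to be added to the owner sets, and a production rule would also key on the signer of the reading process, but the pattern of "credential store opened by a game client" is exactly what this malware produces and is cheap to alert on.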


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.