GBHackers

Microsoft Defender Discovers Trojanized Gaming Utility Campaign Stealing Data with RATs


Microsoft Defender researchers have uncovered a new campaign that abuses trojanized gaming utilities to deliver multi‑stage malware with remote access, data theft, and payload delivery capabilities.

Attackers are masquerading as popular tools such as Xeno.exe and RobloxPlayerBeta.exe, tricking gamers into launching the malicious chain via downloads shared through web browsers and chat platforms.

Once a victim executes the trojanized utility, a malicious downloader silently stages a portable Java Runtime Environment (JRE) and launches a Java archive named jd-gui.jar.

The JAR file, which mimics a legitimate Java decompiler name, is used as the primary loader to run attacker‑controlled code and begin persistence setup.

The downloader relies heavily on PowerShell to orchestrate subsequent steps, using hidden windows and delayed execution to avoid drawing user attention.

According to the report, the malware adds Microsoft Defender exclusions that cover the directories and files associated with the RAT components, allowing later stages to operate with minimal scanning.

To blend with normal system activity, the chain abuses living‑off‑the‑land binaries (LOLBins), such as cmstp.exe, a trusted Windows component, to proxy malicious commands and evade traditional signature‑based detection.

Defense evasion and persistence

To reduce forensic artifacts, the malware deletes the initial downloader after execution, effectively removing the first‑stage file that delivered the JRE and jd-gui.jar payload.

Persistence is achieved through a scheduled task and a startup script named world.vbs, ensuring the malware chain restarts on reboot without user interaction.

The VBScript launches a hidden PowerShell command that re‑invokes the staged components, maintaining long‑term access to compromised gaming systems.

In the final stage, the attack deploys a multi‑purpose malware that combines loader, runner, downloader, and RAT capabilities into a single payload.

This component can execute additional binaries, fetch new modules, and run arbitrary commands issued by the operators, making it a flexible platform for follow‑on attacks.

The RAT establishes command‑and‑control (C2) communication with IP address 79.110.49[.]15, giving threat actors interactive remote control over infected hosts.

Through this C2 channel, attackers can exfiltrate sensitive files, harvest credentials, monitor user activity, and deploy further malware such as stealers or ransomware.

Detection coverage by Microsoft Defender

Microsoft Defender provides detections across multiple points in this attack chain, including malicious PowerShell usage, suspicious LOLBin abuse, unauthorized Defender exclusion changes, and the RAT’s network activity.

Defender’s behavioral monitoring also raises alerts on unusual scheduled tasks and script‑based persistence linked to world.vbs and related artifacts.

Organizations using Microsoft Defender for Endpoint gain additional telemetry and automated investigation capabilities that can correlate these behaviors into a single incident, speeding containment and response.

Combined with network controls, this coverage helps disrupt both initial compromise and ongoing C2 traffic associated with 79.110.49[.]15.

Security teams should block or closely monitor outbound connections to the identified C2 IP and any related domains, and alert on downloads of java[.]zip or jd-gui.jar originating from unofficial or non‑corporate sources.

Hunting should focus on processes such as Xeno.exe, RobloxPlayerBeta.exe, PowerShell, cmstp.exe, and scripts or tasks referencing world.vbs or similar randomly named files.
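The hunt described above can be expressed as a handful of parent/child and command-line predicates. The following PowerShell is an added example, not code from the Microsoft report or from GBHackers: it runs offline over process-creation records shaped like Defender for Endpoint DeviceProcessEvents rows (Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName). The records are constructed for illustration; the host name, user, file paths and timestamps are assumptions and not indicators from the report.

```powershell
# Added example (not from the Microsoft report or GBHackers). Constructed sample
# records; host, user, paths and timestamps are assumptions, not reported IoCs.
$SampleEvents = @(
    [pscustomobject]@{ Timestamp = '2025-01-10T09:14:02Z'; DeviceName = 'WS-ALICE'
        FileName = 'Xeno.exe'; InitiatingProcessFileName = 'explorer.exe'
        ProcessCommandLine = '"C:\Users\alice\Downloads\Xeno.exe"' }
    [pscustomobject]@{ Timestamp = '2025-01-10T09:14:05Z'; DeviceName = 'WS-ALICE'
        FileName = 'powershell.exe'; InitiatingProcessFileName = 'Xeno.exe'
        ProcessCommandLine = 'powershell.exe -WindowStyle Hidden -Command "Start-Sleep -Seconds 20"' }
    [pscustomobject]@{ Timestamp = '2025-01-10T09:14:40Z'; DeviceName = 'WS-ALICE'
        FileName = 'powershell.exe'; InitiatingProcessFileName = 'powershell.exe'
        ProcessCommandLine = 'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp\jre"' }
    [pscustomobject]@{ Timestamp = '2025-01-10T09:14:41Z'; DeviceName = 'WS-ALICE'
        FileName = 'cmstp.exe'; InitiatingProcessFileName = 'powershell.exe'
        ProcessCommandLine = 'cmstp.exe <arguments omitted>' }
    [pscustomobject]@{ Timestamp = '2025-01-10T09:14:45Z'; DeviceName = 'WS-ALICE'
        FileName = 'java.exe'; InitiatingProcessFileName = 'powershell.exe'
        ProcessCommandLine = '"C:\Users\alice\AppData\Local\Temp\jre\bin\java.exe" -jar "C:\Users\alice\AppData\Local\Temp\jd-gui.jar"' }
    [pscustomobject]@{ Timestamp = '2025-01-11T08:01:00Z'; DeviceName = 'WS-ALICE'
        FileName = 'wscript.exe'; InitiatingProcessFileName = 'explorer.exe'
        ProcessCommandLine = 'wscript.exe "C:\Users\alice\AppData\Roaming\world.vbs"' }
    [pscustomobject]@{ Timestamp = '2025-01-11T08:02:00Z'; DeviceName = 'WS-ALICE'
        FileName = 'chrome.exe'; InitiatingProcessFileName = 'explorer.exe'
        ProcessCommandLine = '"C:\Program Files\Google\Chrome\Application\chrome.exe"' }
)

function Find-SuspiciousProcessEvents {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Events)

    $lures = @('xeno.exe', 'robloxplayerbeta.exe')
    # User-writable locations where a portable JRE/JAR would be staged (assumption).
    $stagingDirs = '\\(AppData|Temp|ProgramData|Users\\Public)\\'

    # One predicate per reported behaviour; -in, -ieq and -imatch are case-insensitive.
    $rules = [ordered]@{
        GamingLureSpawnsHiddenPowerShell = { param($e)
            $e.InitiatingProcessFileName -in $lures -and $e.FileName -ieq 'powershell.exe' -and
            $e.ProcessCommandLine -imatch '-w(indowstyle)?\s+hidden' }
        PowerShellAddsDefenderExclusion = { param($e)
            $e.FileName -ieq 'powershell.exe' -and
            $e.ProcessCommandLine -imatch 'Add-MpPreference\s.*-Exclusion(Path|Process|Extension)' }
        PowerShellSpawnsCmstp = { param($e)
            $e.FileName -ieq 'cmstp.exe' -and $e.InitiatingProcessFileName -ieq 'powershell.exe' }
        StagedJavaRunsJdGuiJar = { param($e)
            $e.FileName -in @('java.exe', 'javaw.exe') -and
            $e.ProcessCommandLine -imatch 'jd-gui\.jar' -and $e.ProcessCommandLine -imatch $stagingDirs }
        ScriptHostRunsWorldVbs = { param($e)
            $e.FileName -in @('wscript.exe', 'cscript.exe') -and $e.ProcessCommandLine -imatch 'world\.vbs' }
    }

    # Emit one finding per (record, rule) match so analysts can pivot on the parent chain.
    foreach ($e in $Events) {
        foreach ($rule in $rules.GetEnumerator()) {
            if (& $rule.Value $e) {
                [pscustomobject]@{
                    Rule = $rule.Key; Timestamp = $e.Timestamp; Device = $e.DeviceName
                    Parent = $e.InitiatingProcessFileName; Process = $e.FileName
                    CommandLine = $e.ProcessCommandLine
                }
            }
        }
    }
}

Find-SuspiciousProcessEvents -Events $SampleEvents | Format-Table -AutoSize
```

On the constructed sample the function flags the hidden PowerShell child of the lure, the exclusion change, the cmstp.exe child of PowerShell, the jd-gui.jar launch from a staging directory and the world.vbs start, and leaves the browser launch alone. The lure's own launch is deliberately not a rule on its own, since a file name is a weak signal; it serves as a pivot once one of the child behaviours fires. The same predicates translate directly into a KQL query over DeviceProcessEvents in Defender for Endpoint.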

Administrators are advised to audit Microsoft Defender exclusion lists and scheduled tasks for suspicious or unfamiliar entries, promptly removing malicious configurations and startup items.
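For the exclusion-list and scheduled-task audit recommended above, the following PowerShell is an added example, not code from the Microsoft report or from GBHackers. The matching functions take plain objects so they can be exercised against the constructed samples included in the block; the commented wrappers at the end feed them live data from Get-MpPreference and Get-ScheduledTask on a Windows host with the Defender and ScheduledTasks modules. The staging paths, task name and script location in the samples are assumptions.

```powershell
# Added example (not from the Microsoft report or GBHackers). Sample objects are
# constructed; paths, task name and script location are assumptions.

# Exclusions pointing at user-writable locations, or at the staged Java/JAR names
# named in the report, are the ones worth reviewing first.
$SuspiciousExclusionPattern = '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\|jd-gui\.jar|\\jre\b|java\.zip'

function Get-SuspiciousDefenderExclusions {
    # $Preference: any object exposing ExclusionPath/ExclusionProcess/ExclusionExtension,
    # e.g. the output of Get-MpPreference.
    param([Parameter(Mandatory)]$Preference)
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in @($Preference.$kind)) {
            if ($value -and $value -imatch $SuspiciousExclusionPattern) {
                [pscustomobject]@{ Kind = $kind; Value = $value }
            }
        }
    }
}

# Task actions that run a script host, cmstp.exe, the staged JAR, the reported
# startup script, or a hidden PowerShell window.
$SuspiciousTaskPattern = 'world\.vbs|jd-gui\.jar|\b[wc]script\.exe|\bcmstp\.exe|-w(indowstyle)?\s+hidden'

function Get-SuspiciousScheduledTasks {
    # $Tasks: objects with TaskPath, TaskName and Actions[] (Execute, Arguments),
    # e.g. the output of Get-ScheduledTask.
    param([Parameter(Mandatory)][object[]]$Tasks)
    foreach ($task in $Tasks) {
        foreach ($action in @($task.Actions)) {
            $commandLine = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($commandLine -imatch $SuspiciousTaskPattern) {
                [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; CommandLine = $commandLine }
            }
        }
    }
}

function Get-StartupVbsScripts {
    # A .vbs in either Startup folder runs at logon without needing a scheduled task.
    $folders = @(
        (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($folder in $folders) {
        if (Test-Path $folder) {
            Get-ChildItem -Path $folder -Filter '*.vbs' -File -ErrorAction SilentlyContinue
        }
    }
}

# Constructed samples: one benign and one suspicious entry of each kind.
$SamplePreference = [pscustomobject]@{
    ExclusionPath      = @('C:\Program Files\Contoso Backup', 'C:\Users\alice\AppData\Local\Temp\jre')
    ExclusionProcess   = @('jd-gui.jar')
    ExclusionExtension = @()
}
$SampleTasks = @(
    [pscustomobject]@{ TaskPath = '\Microsoft\Windows\Defrag\'; TaskName = 'ScheduledDefrag'
        Actions = @([pscustomobject]@{ Execute = '%windir%\system32\defrag.exe'; Arguments = '-c -h -o' }) }
    [pscustomobject]@{ TaskPath = '\'; TaskName = 'WorldUpdate'
        Actions = @([pscustomobject]@{ Execute = 'wscript.exe'; Arguments = '"C:\Users\alice\AppData\Roaming\world.vbs"' }) }
)

# Offline run against the constructed samples.
Get-SuspiciousDefenderExclusions -Preference $SamplePreference | Format-Table -AutoSize
Get-SuspiciousScheduledTasks -Tasks $SampleTasks | Format-Table -AutoSize

# Live audit on a Windows host (uncomment; requires the Defender and ScheduledTasks modules).
# Get-SuspiciousDefenderExclusions -Preference (Get-MpPreference)
# Get-SuspiciousScheduledTasks -Tasks (Get-ScheduledTask)
# Get-StartupVbsScripts
```

Against the samples, the exclusion audit reports the AppData JRE path and the jd-gui.jar process exclusion and skips the Program Files entry; the task audit reports only the wscript.exe task referencing world.vbs. Exclusion entries that a reviewer cannot tie to a known application should be removed with Remove-MpPreference and the matching task unregistered, after preserving the task XML and the referenced script for the investigation.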

For confirmed infections, incident responders should isolate affected endpoints, collect endpoint detection and response (EDR) telemetry, and reset credentials associated with users active on compromised machines to prevent lateral movement and account takeover.
