The campaign has accelerated sharply this year, with about 39,700 infections recorded during the first quarter of 2026 alone. The scale points to an expanding malware-as-a-service operation in which attackers can rent or buy a ready-made spying tool, use Telegram as command infrastructure and avoid the cost of maintaining dedicated servers.
Millenium RAT version 4 marks a significant technical shift from earlier builds. The malware has moved from .NET to native C++, making it less dependent on installed frameworks and more difficult for basic detection systems to flag through older signatures. Its operators continue to rely on Telegram’s bot application programming interface for command and control, allowing malicious traffic to blend with legitimate messaging activity.
The trojan is designed to take extensive control of infected Windows machines. Its functions include stealing browser and system data, capturing screenshots, recording audio, logging keystrokes, downloading and running additional files, listing folders and processes, and attempting privilege escalation through standard Windows prompts. Such capabilities place personal users, small businesses and poorly monitored corporate endpoints at risk of credential theft, financial fraud and follow-on intrusion.
The malware is being sold cheaply. Subscription models linked to the tool have included an initial monthly price of about $50, lower renewal costs and a lifetime option of about $90. Earlier versions were advertised for even less, showing how criminal software is moving towards consumer-style pricing and support models. This affordability lowers the barrier for less capable attackers, enabling broader campaigns without requiring advanced coding skills.
Security analysis has linked current exploitation activity to a cluster tracked as Y2K Operators, while development and promotion have been associated with the online alias ShinyEnigma. The tool has been advertised not only in underground spaces but also through mainstream code-sharing platforms, some of which later removed related repositories. That pattern reflects a recurring problem for open developer ecosystems, where offensive tools can be presented as research or administration utilities before being adapted for abuse.
The infection routes observed in the campaign rely heavily on social engineering. Victims are lured into opening compressed archives, disguised executable files or shortcut files made to look like documents. One chain uses a file posing as a PDF, which launches PowerShell in the background, downloads a script, shows a decoy document and quietly runs the Millenium RAT payload. Other samples use names resembling system processes, browser updates, antivirus components or generic installers to reduce suspicion.
The operators have also targeted other cybercriminals by circulating trojanised versions of RAT builders, exploit kits and similar tools. This tactic infects would-be attackers who download what appears to be a working offensive utility, turning criminal forums and malware markets into distribution channels as well as customer bases. It underlines how the cybercrime economy increasingly feeds on itself.
Millenium RAT’s configuration is embedded inside the malware and protected with Base64 encoding and a custom XOR-based routine. It stores Telegram bot tokens, chat identifiers, persistence settings, keylogging options, sandbox checks and file paths used during installation. The malware can create autorun entries under the current user’s registry hive and place files inside user-writable application folders, helping it restart after a reboot.
Its use of ordinary Windows application programming interfaces gives it a further advantage. Rather than relying on exotic techniques, it performs many actions through functions that are common across legitimate software. That makes behaviour-based monitoring more important than static file matching, particularly because the malware can alter configuration data to change file hashes while preserving its core capabilities.
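As an added example (not code from the article or from the malware's authors), the following Python sketch applies the behaviour-based checks the preceding paragraphs imply to constructed host telemetry: an HKCU Run value pointing into a user-writable folder, a document lookalike spawning PowerShell, and Telegram Bot API traffic from a process that is not a messaging client. The record layout, the Telegram.exe allow-list and every sample path are assumptions.

```python
"""Behaviour checks over constructed endpoint telemetry (added example).
Field names and sample values are assumptions, not real captures."""
import re

# User-writable locations the article says the RAT installs into.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.I)
# Document-looking names carrying an executable or shortcut extension.
DOC_LOOKALIKE = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|lnk)$|\.lnk$", re.I)
HKCU_RUN = "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN"
KNOWN_MESSENGERS = {"telegram.exe"}  # assumed allow-list for api.telegram.org

def check_event(ev):
    """Return alert tags for one telemetry record (empty list if benign)."""
    tags = []
    if ev["type"] == "registry" and ev["key"].upper().startswith(HKCU_RUN):
        if USER_WRITABLE.search(ev["value"]):
            tags.append("hkcu_run_user_writable")
    if ev["type"] == "process":
        parent = ev["parent"].rsplit("\\", 1)[-1]
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if child in ("powershell.exe", "pwsh.exe") and DOC_LOOKALIKE.search(parent):
            tags.append("doc_lookalike_spawns_powershell")
    if ev["type"] == "network" and ev["host"].lower() == "api.telegram.org":
        if ev["image"].rsplit("\\", 1)[-1].lower() not in KNOWN_MESSENGERS:
            tags.append("telegram_bot_api_from_non_messenger")
    return tags

def scan(events):
    """Run check_event over a list of records; return (index, tag) pairs."""
    return [(i, t) for i, ev in enumerate(events) for t in check_event(ev)]

SAMPLE_EVENTS = [  # constructed records: three suspicious, three benign
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater", "value": r"C:\Users\alice\AppData\Roaming\svc\svchost.exe"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Vendor", "value": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "process", "parent": r"C:\Users\alice\Downloads\Invoice.pdf.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\svc\svchost.exe",
     "host": "api.telegram.org"},
    {"type": "network", "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "host": "api.telegram.org"},
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```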
The campaign fits a broader shift in cybercrime. Intrusions are moving faster, malware services are becoming cheaper, and attackers are increasingly exploiting trusted platforms, cloud services and identity systems instead of depending only on bespoke criminal infrastructure. Messaging platforms, software repositories and file-sharing services remain attractive because they provide scale, credibility and resilience.
For organisations, the practical risk is not limited to the first infected machine. A RAT can serve as an entry point for credential theft, lateral movement, data theft or ransomware deployment. Stolen browser passwords, session cookies and cryptocurrency wallet data may give attackers access to email, banking, cloud dashboards and business applications even after the original malware is removed.