STX RAT deepens stealth malware risks

STX RAT, a newly identified remote access trojan, has drawn attention in the cyber-security sector after researchers tied it to an attempted intrusion against a financial-services environment and linked it to broader opportunistic delivery campaigns that include trojanised software and script-based loaders. The malware stands out because it combines hidden remote control with data theft, while delaying some of its most suspicious behaviour until it has an active connection to its command server.

Researchers said the malware was first observed in late February 2026 during an attempted delivery into a finance-sector customer environment. By 2 March, a separate campaign had already been documented in which a fake FileZilla download site distributed a tampered archive containing a malicious DLL. On 8 April, a detailed technical analysis gave the malware its current name, STX RAT, derived from its use of the start-of-text byte in command-and-control traffic, and follow-up industry reporting on 9 April framed it as a finance-focused stealth threat rather than a one-off loader.

What makes the threat notable is the way it narrows the gap between a traditional RAT and an infostealer. Analysts found that STX RAT can give operators covert control of a victim machine through a hidden virtual desktop, allowing them to interact with the system away from the user’s view. At the same time, it can harvest browser credentials, cookies, crypto-wallet information and FTP-related data. One of the more calculated design choices is that credential theft is triggered only after the malware successfully checks in with its control server and receives a direct instruction, which reduces the chance of exposing its full capability in offline sandboxes or disrupted infections.

Its delivery chain also reflects a wider pattern in modern malware operations: use whatever access path works, then keep the final payload off disk for as long as possible. In one chain, a VBScript leads to JScript, which downloads a TAR archive containing the main payload and a PowerShell loader. That loader reverses and decodes the embedded malware, allocates executable memory and launches the implant directly in memory. In the FileZilla case, the infection relied on DLL search order hijacking through a fake software package hosted on a lookalike domain rather than any flaw in FileZilla itself.

The technical design suggests a threat actor investing in stealth, not just reach. The malware uses a custom unpacking chain with XXTEA decryption and Zlib decompression, obscures strings with rolling XOR and AES-128-CTR, resolves Windows APIs through hashed values instead of plain imports and can hide its own interface from normal user view. Researchers also said it can use a known AMSI-bypass method, scan for virtualised environments and insert random sleep delays to frustrate automated analysis. These features do not make it invisible, but they do raise the cost of detection and reverse engineering.
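The unpacking chain described above (XXTEA decryption followed by Zlib decompression), reproduced here as an added analyst-side example that is not taken from the reporting or from the malware: a standard XXTEA implementation plus the inflate step, with a constructed key and payload, since the sample's real key, word order and padding are not given in the article and are assumptions here.

```python
import struct
import zlib

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF
# Constructed for this example: the real sample's key and packed payload are not public.
KEY = [0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210]
PAYLOAD = b"constructed stand-in for the decoded implant\n" * 8

def _mx(s, y, z, p, e, k):
    # XXTEA ("Corrected Block TEA") round function, reduced to 32 bits
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK

def xxtea(data, key, decrypt):
    # Little-endian uint32 words; word order and zero padding are assumptions, not from the sample
    n = len(data) // 4
    v = list(struct.unpack("<%dI" % n, data))
    rounds = 6 + 52 // n
    if not decrypt:
        s, z = 0, v[-1]
        for _ in range(rounds):
            s = (s + DELTA) & MASK
            e = (s >> 2) & 3
            for p in range(n):
                y = v[(p + 1) % n]
                z = v[p] = (v[p] + _mx(s, y, z, p, e, key)) & MASK
    else:
        s, y = (rounds * DELTA) & MASK, v[0]
        for _ in range(rounds):
            e = (s >> 2) & 3
            for p in range(n - 1, -1, -1):
                z = v[p - 1]  # p == 0 wraps to the last word
                y = v[p] = (v[p] - _mx(s, y, z, p, e, key)) & MASK
            s = (s - DELTA) & MASK
    return struct.pack("<%dI" % n, *v)

def pack_like_loader(payload, key):
    # The analysed stage order run forwards (compress, then encrypt) only to build test input
    comp = zlib.compress(payload)
    comp += b"\x00" * (-len(comp) % 4)
    return xxtea(comp, key, decrypt=False)

def unpack_stage(blob, key):
    # Analyst side: XXTEA-decrypt, then inflate; trailing pad bytes end up in unused_data
    return zlib.decompressobj().decompress(xxtea(blob, key, decrypt=True))

if __name__ == "__main__":
    print(unpack_stage(pack_like_loader(PAYLOAD, KEY), KEY) == PAYLOAD)
```

Against a real sample the key, endianness and any length prefix must be read out of the loader first; the decrypt/inflate order itself is the part the analysis reports.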

Its communications stack is unusually mature for a newly tracked family. Analysts found that STX RAT communicates over TCP with a proprietary protocol and can fall back to Tor infrastructure if needed. The control channel uses X25519 for key exchange, Ed25519 to validate the server’s public key and ChaCha20-Poly1305 for encrypted session traffic. That combination indicates an effort to secure the malware’s own communications against interception and takedown, while also complicating network-level inspection for defenders.

The campaign also matters because of who may be exposed beyond the first victim. Malwarebytes found that the fake FileZilla package could access saved FTP credentials and potentially give attackers a path into websites or hosting accounts managed by the infected user. That expands the risk from endpoint compromise to downstream web infrastructure. Combined with STX RAT’s screenshot capture, remote execution options, persistence features and tunnelling capabilities, the tool looks suited not only for espionage-style access but also for follow-on criminal activity once a foothold is secured.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
