Microsoft warns of RAT delivered through trojanized gaming utilities
Summary: Microsoft warns that attackers are distributing trojanized gaming utilities (such as Xeno.exe or RobloxPlayerBeta.exe) and using PowerShell, LOLBins and defense-evasion techniques to deploy a remote access trojan (RAT). The malicious tools spread through browsers and chat platforms, eventually establishing persistence on the victim's device and connecting to a C2 server to carry out data theft and other operations. 2026-2-28 07:33:39 Author: securityaffairs.com

Pierluigi Paganini February 28, 2026

Attackers spread trojanized gaming tools to deliver a stealthy RAT using PowerShell, LOLBins, and Defender evasion tactics.

Threat actors are tricking users into running trojanized gaming utilities shared through browsers and chat platforms to deploy a remote access trojan.

“Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or RobloxPlayerBeta.exe) distributed through browsers and chat platforms, leading to the deployment of a remote access trojan (RAT),” the Microsoft Threat Intelligence team (@MsftSecIntel) wrote on X on February 26, 2026.

A malicious downloader deployed a portable Java runtime to run a harmful JAR file, using PowerShell and LOLBins like cmstp.exe for stealth. It deleted itself, added Microsoft Defender exclusions, and set up persistence via a scheduled task and startup script. The final payload was a multi-purpose malware acting as a loader, downloader, runner, and remote access trojan.
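Each stage in that chain leaves a distinct trace in process-creation telemetry, which is what a defender would hunt for. The Python below is an added example, not Microsoft's or Security Affairs' code: it encodes four heuristics derived from the described chain (portable Java runtime launched from a user-writable folder, cmstp.exe spawned by a script host, a Defender exclusion added from PowerShell, and a scheduled task pointing into a user-writable folder) and grades a host by how many distinct stages it exhibits. The event layout mimics Sysmon/EDR process-creation records, and every path, task name and file name in the sample events is constructed.

```python
"""Detection heuristics for the trojanized-game-utility chain described above.

Added example, not Microsoft's or Security Affairs' code. Event fields and the
sample records are constructed to resemble Sysmon/EDR process-creation
telemetry; paths, task name and file names are invented placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Locations an ordinary user can write to; a JRE or JAR living here is unusual.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# PowerShell cmdlets that add Defender exclusions (Add-/Set-MpPreference).
DEFENDER_EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.IGNORECASE
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the stage labels a single process-creation event matches."""
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    hits = []
    # Stage: portable Java runtime dropped in a user-writable folder running a JAR.
    if img in JAVA_IMAGES and USER_WRITABLE.search(ev.image) and re.search(r"(?:^|\s)-jar\s", cmd, re.I):
        hits.append("java_runtime_from_user_path")
    # Stage: cmstp.exe (LOLBin) launched by a script host rather than an installer.
    if img == "cmstp.exe" and parent in SCRIPT_HOSTS:
        hits.append("cmstp_from_script_host")
    # Stage: Defender exclusion added from a PowerShell command line.
    if img in {"powershell.exe", "pwsh.exe"} and DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion_added")
    # Stage: scheduled task created whose action points into a user-writable folder.
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("schtasks_to_user_path")
    return hits


def chain_stages(events: list[ProcessEvent]) -> list[str]:
    """Distinct stages observed across one host's events, sorted for stable comparison."""
    return sorted({h for ev in events for h in classify(ev)})


def verdict(events: list[ProcessEvent]) -> str:
    """Two or more distinct stages on one host is treated as a high-confidence chain."""
    n = len(chain_stages(events))
    return "high" if n >= 2 else "low" if n == 1 else "none"


# Constructed sample telemetry: four malicious-chain events followed by two benign ones.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JRE = r"C:\Users\alice\AppData\Roaming\jre"   # invented drop location for the portable JRE
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Downloads\Xeno.exe", PS,
                 f"powershell.exe -Command \"Add-MpPreference -ExclusionPath '{JRE}'\""),
    ProcessEvent(PS, r"C:\Windows\System32\cmstp.exe",
                 r"cmstp.exe C:\Users\alice\AppData\Local\Temp\setup.inf"),
    ProcessEvent(PS, JRE + r"\bin\javaw.exe", f'"{JRE}\\bin\\javaw.exe" -jar "{JRE}\\app.jar"'),
    ProcessEvent(PS, r"C:\Windows\System32\schtasks.exe",
                 f'schtasks.exe /create /tn "JavaUpdate" /sc onlogon /tr "{JRE}\\bin\\javaw.exe -jar {JRE}\\app.jar"'),
    # Benign: vendor-installed JRE under Program Files, launched by Explorer.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Java\jre\bin\java.exe",
                 r'java.exe -jar "C:\Program Files\SomeApp\app.jar"'),
    # Benign: a task query, not a task creation.
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\schtasks.exe",
                 "schtasks.exe /query"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{basename(ev.image):16} <- {basename(ev.parent_image):16} {classify(ev)}")
    print("stages:", chain_stages(SAMPLE_EVENTS), "verdict:", verdict(SAMPLE_EVENTS))
```

The two benign records matter as much as the malicious ones: a JRE under Program Files and a `schtasks /query` produce no hits, so the user-writable-path condition is what keeps the rules from firing on every Java desktop application. In practice these heuristics would be expressed as EDR or SIEM queries over the same fields; the aggregation across stages is what lifts a noisy single indicator into an actionable alert.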

“Finally, it deployed the final payload, a multi-purpose malware that acted as loader, runner, downloader, and RAT,” concludes Microsoft.

“The RAT connected to the IP address 79.110.49[.]15 for command and control (C2), enabling threat actors to perform various actions like data theft and additional payload deployment.”

Microsoft also published indicators of compromise (IoCs) for this campaign.


Pierluigi Paganini

Source: https://securityaffairs.com/188639/uncategorized/microsoft-warns-of-rat-delivered-through-trojanized-gaming-utilities.html