Microsoft warns of RAT delivered through trojanized gaming utilities

Pierluigi Paganini February 28, 2026

Attackers spread trojanized gaming tools to deliver a stealthy RAT using PowerShell, LOLBins, and Defender evasion tactics.

Threat actors are tricking users into running trojanized gaming utilities shared through browsers and chat platforms to deploy a remote access trojan.

“Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or RobloxPlayerBeta.exe) distributed through browsers and chat platforms, leading to the deployment of a remote access trojan (RAT),” the Microsoft Threat Intelligence team wrote on X.

— Microsoft Threat Intelligence (@MsftSecIntel), February 26, 2026

A malicious downloader deployed a portable Java runtime to run a harmful JAR file, using PowerShell and LOLBins like cmstp.exe for stealth. It deleted itself, added Microsoft Defender exclusions, and set up persistence via a scheduled task and startup script. The final payload was a multi-purpose malware acting as a loader, downloader, runner, and remote access trojan.
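The behaviours in the chain above (a Defender exclusion added from PowerShell, cmstp.exe used as a LOLBin, scheduled-task and Startup-folder persistence, a portable Java runtime running a JAR from a user-writable path, and traffic to the quoted C2 address) are each observable in endpoint telemetry. The following is an added example of hunting logic over such events; it is not code from Microsoft or from the article. The event layout (`type`, `image`, `parent_image`, `cmdline`, `target`, `dest_ip`, `host`) is a Sysmon-like assumption, and the sample events are constructed for illustration, not real logs.

```python
"""Added example: flag the behaviours described in the article in endpoint
telemetry.  Field layout is a Sysmon-like assumption; all events below are
constructed samples, not real logs."""
import json
import re
from collections import defaultdict

# C2 address quoted (defanged) in the article, refanged for matching.
C2_IP = "79.110.49[.]15".replace("[.]", ".")

# A Java runtime living under a user-writable path is unusual for a normal install.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
EXCLUSION_CMD = re.compile(
    r"\b(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.I | re.S)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return (technique, detail) tags for one event; [] when nothing matches."""
    tags = []
    kind = event.get("type")
    if kind == "process":
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent_image", ""))
        cmd = event.get("cmdline", "")
        if image in ("powershell.exe", "pwsh.exe") and EXCLUSION_CMD.search(cmd):
            tags.append(("defense_evasion", "Defender exclusion added from PowerShell"))
        # cmstp.exe driven by an INF file with a parent that is not an interactive
        # shell or installer is the LOLBin pattern the article mentions.
        if image == "cmstp.exe" and re.search(r"\.inf\b", cmd, re.I) \
                and parent not in ("explorer.exe", "msiexec.exe"):
            tags.append(("execution", f"cmstp.exe run from {parent}"))
        if image == "schtasks.exe" and "/create" in cmd.lower():
            tags.append(("persistence", "scheduled task created"))
        if image in ("java.exe", "javaw.exe") and "-jar" in cmd.lower() \
                and USER_WRITABLE.search(event.get("image", "")):
            tags.append(("execution", "JAR launched by Java runtime in a user-writable path"))
    elif kind == "file" and STARTUP_DIR.search(event.get("target", "")):
        tags.append(("persistence", "file written to Startup folder"))
    elif kind == "network" and event.get("dest_ip") == C2_IP:
        tags.append(("command_and_control", f"connection to {C2_IP}"))
    return tags


def hunt(lines) -> dict:
    """Parse JSON event lines and group matches per host.  Returns
    {host: {"techniques": sorted unique names, "details": [..]}}; hosts with
    no matching event are omitted."""
    findings = defaultdict(lambda: {"techniques": set(), "details": []})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for technique, detail in classify(ev):
            entry = findings[ev.get("host", "?")]
            entry["techniques"].add(technique)
            entry["details"].append(detail)
    return {h: {"techniques": sorted(v["techniques"]), "details": v["details"]}
            for h, v in findings.items()}


# Constructed sample telemetry.  WS1 shows the full chain; WS2 shows benign
# Java and cmstp.exe use that must not fire.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "WS1", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\Xeno.exe",
     "cmdline": "powershell -w hidden Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming\\jre"},
    {"host": "WS1", "type": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"cmstp.exe /s C:\Users\alice\AppData\Local\Temp\setup.inf"},
    {"host": "WS1", "type": "process", "image": r"C:\Users\alice\AppData\Roaming\jre\bin\javaw.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "javaw.exe -jar C:\\Users\\alice\\AppData\\Roaming\\jre\\app.jar"},
    {"host": "WS1", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "schtasks /create /sc onlogon /tn Updater /tr javaw.exe"},
    {"host": "WS1", "type": "file",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"host": "WS1", "type": "network", "dest_ip": "79.110.49.15", "dest_port": 443},
    {"host": "WS2", "type": "process", "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "javaw.exe -jar C:\\tools\\app.jar"},
    {"host": "WS2", "type": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmstp.exe /s vpn.inf"},
]]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, result["techniques"])
        for detail in result["details"]:
            print("   ", detail)
```

Each rule on its own is noisy (administrators create scheduled tasks and exclusions too); the per-host grouping in `hunt` is what makes the result useful, since one host showing defense evasion, execution, persistence and a connection to the published C2 within a short window matches the chain the article describes far more specifically than any single event does.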

“Finally, it deployed the final payload, a multi-purpose malware that acted as loader, runner, downloader, and RAT,” concludes Microsoft.

“The RAT connected to the IP address 79.110.49[.]15 for command and control (C2), enabling threat actors to perform various actions like data theft and additional payload deployment.”

Microsoft also published indicators of compromise (IoCs) for this campaign.

Source: https://securityaffairs.com/188639/malware/microsoft-warns-of-rat-delivered-through-trojanized-gaming-utilities.html