securityaffairs.com 2/28/2026, 8:51:17 AM · via preferred

Roblox and Xeno trojans drop stealth downloader and RAT


Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities, specifically Xeno[.]exe or RobloxPlayerBeta[.]exe, distributed through browsers and chat platforms to deploy a remote access trojan. Attackers used PowerShell and LOLBins to run a stealthy downloader that delivered a portable Java runtime to execute a malicious JAR file.

The malware removed traces by deleting itself, added Microsoft Defender exclusions, and established persistence via a scheduled task and startup script. The final payload was a multi-purpose malware acting as loader, downloader, runner, and RAT, with the RAT later connecting to the IP address 79.110.49[.]15 for command and control. Microsoft also published indicators of compromise for this campaign. The findings were shared on 26 February 2026 by the Microsoft Threat Intelligence team, as reported by Security Affairs.
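A hunting sketch for the behaviours described above, added here as an example and not taken from Microsoft's or Security Affairs' reporting: it correlates process and network telemetry per host and escalates only when the C2 address is contacted or several behaviours co-occur. The event field names, the command-line patterns (`Add-MpPreference`, `schtasks /create`, `Register-ScheduledTask`, a `java`/`javaw` launched with `-jar` from a user-writable directory) and the sample records are assumptions constructed for illustration; the article gives no command lines.

```python
import re

C2_IP = "79.110.49.15"  # C2 address from the article (defanged there)
LURES = {"xeno.exe", "robloxplayerbeta.exe"}  # lure file names from the article

# Assumed command-line patterns for the behaviours the article names;
# the article itself gives no command lines.
RULES = {
    "defender_exclusion": re.compile(
        r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "scheduled_task": re.compile(
        r"\bschtasks(\.exe)?\b.*/create\b|\bRegister-ScheduledTask\b", re.I),
    "java_jar_from_user_dir": re.compile(
        r"\\(AppData|Temp|Downloads)\\\S*\\javaw?\.exe\S*\s.*-jar\b", re.I),
}

def triage(events):
    """Map each host to the set of campaign behaviours seen in its events."""
    seen = {}
    for ev in events:
        hits = seen.setdefault(ev["host"], set())
        if ev["type"] == "net" and ev["dst"] == C2_IP:
            hits.add("c2_connection")
        elif ev["type"] == "proc":
            if ev["image"].rsplit("\\", 1)[-1].lower() in LURES:
                hits.add("lure_name")  # weak alone: also a legitimate Roblox file name
            hits.update(n for n, rx in RULES.items() if rx.search(ev["cmdline"]))
    return seen

def escalate(seen):
    """Hosts with a C2 hit, or at least two behaviours besides the lure name."""
    return sorted(h for h, s in seen.items()
                  if "c2_connection" in s or len(s - {"lure_name"}) >= 2)

# Constructed sample telemetry (not from the article or from Microsoft's IoCs).
SAMPLE = [
    {"host": "pc-01", "type": "proc", "image": r"C:\Users\a\Downloads\Xeno.exe", "cmdline": "Xeno.exe"},
    {"host": "pc-01", "type": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Add-MpPreference -ExclusionPath C:\Users\a\AppData\Roaming\jre"},
    {"host": "pc-01", "type": "proc", "image": r"C:\Users\a\AppData\Roaming\jre\bin\javaw.exe",
     "cmdline": r"C:\Users\a\AppData\Roaming\jre\bin\javaw.exe -jar C:\Users\a\AppData\Roaming\u.jar"},
    {"host": "pc-01", "type": "net", "dst": "79.110.49.15"},
    {"host": "pc-02", "type": "proc", "image": r"C:\Users\b\AppData\Local\Roblox\RobloxPlayerBeta.exe",
     "cmdline": "RobloxPlayerBeta.exe"},
    {"host": "pc-03", "type": "proc", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Backup /tr C:\tools\backup.cmd /sc daily"},
]

print(escalate(triage(SAMPLE)))  # ['pc-01']
```

The lure file name and a single scheduled-task creation are deliberately not enough to escalate on their own, since both occur on clean hosts.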


Article by CyberSIXT