thehackernews.com 2/27/2026, 10:53:02 AM · via preferred

Trojanised gaming tools spread RAT using PowerShell and LOLBins

Primary source: x.com

Threat actors are luring unsuspecting users into running trojanized gaming utilities, distributed via browsers and chat platforms, that deliver a remote access trojan (RAT). According to Microsoft Threat Intelligence, a malicious downloader stages a portable Java runtime and executes a malicious Java archive (JAR) named jd-gui[.]jar. The downloader relies on PowerShell and living-off-the-land binaries (LOLBins) such as cmstp[.]exe, so that execution blends in with legitimate, signed Windows components.

The chain is built to evade detection: the initial downloader deletes itself, and Microsoft Defender exclusions are configured for the RAT components. Persistence is established through a scheduled task and a Windows startup script named world[.]vbs before the final payload is deployed on the compromised host. Once running, the malware connects to an external server at 79.110.49[.]15 for command-and-control (C2), enabling data exfiltration and the deployment of additional payloads.
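The chain above leaves a recognisable trail in endpoint telemetry. As an added example (not code from the article, from CyberSIXT or from Microsoft's report), the following Python hunt runs a handful of detection rules over constructed Sysmon-style process-creation and network-connection events. Only jd-gui.jar, world.vbs, cmstp.exe, the Defender-exclusion step, the scheduled task and the C2 address 79.110.49.15 come from the report; the parent-process relationships, the "user-writable path" heuristic for the portable Java runtime, the sample file paths and the event shapes are assumptions made for the example.

```python
"""Hunt constructed Sysmon-style events for the LOLBin/RAT chain described above.

Assumptions (not from the article): the event fields mirror Sysmon EventID 1
(process create) and EventID 3 (network connect); the downloader is a script
host that spawns cmstp.exe; the staged Java runtime lives under a user-writable
directory. Sample events and file paths are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int          # 1 = process create, 3 = network connect (Sysmon numbering)
    image: str             # full path of the process image
    command_line: str = ""
    parent_image: str = ""
    dest_ip: str = ""


C2_IP = "79.110.49.15"                       # address reported by Microsoft (de-fanged in the article)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
JAVA = {"java.exe", "javaw.exe"}
# Heuristic (assumption): a Java runtime started from one of these locations is
# probably a portable copy dropped by the downloader, not an installed JRE.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: Event) -> list[str]:
    """Return the names of every rule the event matches (empty list = benign)."""
    hits = []
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line.lower()
    if ev.event_id == 1:
        # Defender exclusions being added from PowerShell (Add-/Set-MpPreference ... -Exclusion*)
        if img in POWERSHELL and "mppreference" in cl and "exclusion" in cl:
            hits.append("defender_exclusion_added")
        # cmstp.exe LOLBin launched by a script host (parent relationship is an assumption)
        if img == "cmstp.exe" and parent in SCRIPT_HOSTS:
            hits.append("cmstp_from_script_host")
        # Portable Java runtime in a user-writable directory executing a JAR
        if img in JAVA and "-jar" in cl and USER_WRITABLE.search(ev.image):
            hits.append("portable_java_runs_jar")
        # Persistence: scheduled task creation from the command line
        if img == "schtasks.exe" and "/create" in cl:
            hits.append("scheduled_task_created")
        # Persistence: a .vbs executed from the per-user Startup folder
        if img in {"wscript.exe", "cscript.exe"} and ".vbs" in cl and "\\startup\\" in cl:
            hits.append("startup_vbs_executed")
    elif ev.event_id == 3 and ev.dest_ip == C2_IP:
        hits.append("known_c2_ip")
    return hits


def summarize(events: list[Event]) -> dict[str, int]:
    """Count rule hits across a batch of events."""
    counts: dict[str, int] = {}
    for ev in events:
        for hit in detect(ev):
            counts[hit] = counts.get(hit, 0) + 1
    return counts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JRE = r"C:\Users\u\AppData\Roaming\jre\bin\javaw.exe"          # constructed drop location

# Constructed sample telemetry: six malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    Event(1, PS, r"powershell -w hidden -c Add-MpPreference -ExclusionPath C:\Users\u\AppData\Roaming\jre",
          r"C:\Users\u\Downloads\game-tool.exe"),
    Event(1, r"C:\Windows\System32\cmstp.exe", r"cmstp.exe /ni /s C:\Users\u\AppData\Local\Temp\x.inf", PS),
    Event(1, JRE, r'javaw.exe -jar "C:\Users\u\AppData\Roaming\jd-gui.jar"', PS),
    Event(1, r"C:\Windows\System32\schtasks.exe", r"schtasks /create /sc onlogon /tn Updater /tr C:\x\run.cmd", PS),
    Event(1, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\world.vbs"',
          r"C:\Windows\explorer.exe"),
    Event(3, JRE, dest_ip=C2_IP),
    Event(1, r"C:\Program Files\Java\jre-17\bin\java.exe", "java -jar app.jar", r"C:\Windows\explorer.exe"),
    Event(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest_ip="203.0.113.10"),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, basename(ev.image), detect(ev))
    print(summarize(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators do add Defender exclusions and create scheduled tasks); the value is in the combination. In practice a hunt would correlate hits by host and time window and escalate when a script host, a Defender exclusion and a Java runtime in a user-writable path appear together, with the C2 address as a high-confidence confirmation rather than the only signal.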


Article by CyberSIXT