A new malware campaign utilizing a Telegram-based remote access trojan (RAT) named Millenium RAT has infected over 60,000 Windows devices worldwide, primarily in early 2026. Security firm Group-IB highlighted that the latest version has transitioned from .NET to native C++, increasing its evasion effectiveness against security tools. The malware serves as malware-as-a-service (MaaS), sold cheaply and operated via Telegram’s Bot API, allowing for command execution without dedicated servers.
Millenium RAT captures sensitive data, logs keystrokes, and can execute varied commands, including file encryption. Spread tactics involve social engineering, promoting the RAT as beneficial downloads like game cheats. Group-IB identified these operations as linked to the Y2K Operators, emphasizing the need for caution against untrusted files and unexpected user elevation prompts.