Cybersecurity researchers at Microsoft Threat Intelligence have found that attackers are circulating fake gaming tools that install a remote access trojan (RAT) when users run the files. The campaign relies on trojanized executables distributed through browsers and chat platforms, convincing victims to download software such as Xeno.exe or RobloxPlayerBeta.exe, which appear legitimate at first glance.

According to the researchers, the initial file acts as a downloader that prepares the system for the next stage of the attack. It installs a portable Java runtime and launches a malicious Java archive named jd-gui.jar, which continues the infection process.

Instead of shipping obvious malware components, the attackers lean on built-in Windows tools. The downloader runs commands through PowerShell and abuses legitimate system binaries such as cmstp.exe.

These trusted executables, often referred to as living-off-the-land binaries (LOLBins), allow attackers to run malicious actions through software already present on Windows systems. This method reduces the chance of immediate detection because the activity resembles normal system processes.

The PowerShell script included in the attack chain attempts to contact several remote locations and download an executable into the user’s local application data directory. If a connection succeeds, the file is saved as update.exe and launched automatically. One of the domains listed in the script contains the string powercatdog; the other two are PythonAnywhere-hosted endpoints.

Once the malware is running, it works to remove traces of the original downloader. It also modifies Microsoft Defender settings by adding exclusions for the malicious files. That step allows the RAT components to run without interference from the security engine.

According to the company’s detailed tweet, the malware also establishes persistence through scheduled tasks and a startup script named world.vbs. These entries let the malware restart after a reboot, giving attackers long-term access to the infected device, where operators issue commands, collect data, and push additional payloads. The final malware functions as a loader, runner, downloader, and remote access tool, giving the attackers broad control over the compromised system.

Microsoft Defender already detects the malware and behavior patterns used in this campaign. Still, the company advises organizations to monitor outbound traffic and block connections to the domains and IP addresses listed in the indicators of compromise.

Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or RobloxPlayerBeta.exe) distributed through browsers and chat platforms, leading to the deployment of a remote access trojan (RAT).

A malicious downloader… pic.twitter.com/87Yum5y78z

— Microsoft Threat Intelligence (@MsftSecIntel) February 26, 2026

Microsoft urges companies to review Microsoft Defender exclusions and scheduled tasks for anything unusual. Any suspicious entries should be reviewed and removed, including startup scripts like world.vbs, as part of the incident response process.
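One way to carry out that review on a Windows host, as an added triage script that is not Microsoft's code: it lists Defender exclusions, scheduled task actions, startup folder scripts and Run keys, and flags entries that reference the file names named in this article or that execute from the per-user AppData tree. The indicator list and the AppData heuristic are assumptions chosen for this illustration; it reports only and removes nothing.

```powershell
# Added triage script (not Microsoft's code). Hunts for the artifacts this article names:
# Defender exclusions, scheduled tasks and startup entries. Indicator strings are the file
# names from the write-up only; no hashes or domains are assumed. Run from an elevated shell.
$Indicators = @('update.exe', 'jd-gui.jar', 'world.vbs', 'Xeno.exe', 'RobloxPlayerBeta.exe')
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, [string]$Name, [string]$Value) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
}

function Test-Suspicious([string]$Text) {
    if ([string]::IsNullOrEmpty($Text)) { return $false }
    # Match any named artifact, or anything run out of the user's local AppData directory
    foreach ($i in $Indicators) { if ($Text -match [regex]::Escape($i)) { return $true } }
    return ($Text -match '\\AppData\\Local\\')
}

# 1. Defender exclusions: the article says the malware adds exclusions for its own files.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))    { if (Test-Suspicious $p) { Add-Finding 'DefenderExclusionPath' $p $p } }
foreach ($p in @($pref.ExclusionProcess)) { if (Test-Suspicious $p) { Add-Finding 'DefenderExclusionProcess' $p $p } }

# 2. Scheduled tasks: inspect every action's executable and arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in @($task.Actions)) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-Suspicious $cmd) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

# 3. Startup folders and Run keys: where a script like world.vbs would be dropped.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($d in $startupDirs) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.vbs', '.js', '.bat', '.cmd', '.ps1', '.exe', '.lnk' } |
        ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
}
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name)) {
            if (Test-Suspicious $props.$name) { Add-Finding 'RunKey' "$k\$name" $props.$name }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Every startup folder script is listed regardless of name, since a freshly dropped file there is worth a look on its own; the other sources are filtered by the indicator check.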

If you play games on Windows, remember that tools shared in chat groups or forums that promise tweaks or shortcuts can hide malware behind familiar names. Downloading and running those files, especially from unofficial sources, can give attackers access to the system without the user realizing it.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. I am also into gaming, reading and investigative journalism.