STX RAT Hides Remote Desktop, Steals Data to Dodge Detection

A stealthy new remote access trojan, dubbed STX RAT, that blends hidden remote desktop control with powerful infostealer capabilities while using advanced evasion and encryption techniques to stay under the radar of security tools.

The operators rely on opportunistic initial access, including malicious VBScript and JScript chains that download a TAR archive containing the core payload and a PowerShell loader.

The PowerShell script reverses and Base64-decodes the embedded STX RAT binary, allocates read‑write‑execute memory, and injects the decrypted payload directly into the PowerShell process, avoiding writing the final executable to disk.

eSentire’s Threat Response Unit (TRU) first observed STX RAT in late February 2026 during an intrusion attempt against a financial services organization, with subsequent reporting from Malwarebytes linking it to fake FileZilla download sites that distributed trojanized installers.

The VBScript concatenates JScript contents, writes them to a JScript file on disk, and executes the JScript file via WScript with elevated privileges.

VBScript that writes/launches JScript in elevated WScript (bottom half) (Source : eSentire).
VBScript that writes/launches JScript in elevated WScript (bottom half) (Source : eSentire).

STX RAT itself is protected by a custom packer that exposes only two exports, “init” and “run,” and uses XXTEA decryption and Zlib decompression to unpack the main payload, further complicating static detection.

Encryption, evasion, and hidden desktop

On the wire, STX RAT uses a proprietary TCP protocol and a well‑designed cryptographic stack: it performs X25519 Elliptic Curve Diffie‑Hellman (ECDH) to derive a per‑session shared secret, verifies the C2’s public key using an embedded Ed25519 key, and then encrypts all traffic with ChaCha20‑Poly1305 for confidentiality and integrity.

Pseudo-code of unpacking routine in STX RAT loader (Source : eSentire).
Pseudo-code of unpacking routine in STX RAT loader (Source : eSentire).

All messages are length‑prefixed, making the traffic appear as generic encrypted blobs over TCP rather than easily signatured HTTP patterns.

To frustrate analysis, the malware layers multiple string‑obfuscation schemes (rolling XOR and AES‑128‑CTR) and resolves Windows APIs via salted SHA‑1 hashes instead of plaintext imports.

It performs extensive anti‑VM and anti‑analysis checks, scanning for VirtualBox, VMware, and QEMU artifacts; inspecting the PEB BeingDebugged flag; and insisting that it appears to run only inside PowerShell or MSBuild, exiting if launched under more typical analysis loaders.

One of STX RAT’s standout capabilities is a Hidden VNC (HVNC) style remote desktop feature that lets attackers interact with a “hidden” desktop environment on the victim host.

Malware analysis via debugger as malware is often dumped to disk in the analysis process and executed via rundll32 or a custom loader.

BeingDebugged and process name check (Source : eSentire).
BeingDebugged and process name check (Source : eSentire).

The malware supports commands such as “starthvnc,” “keypress,” “mouseinput,” “mousewheel,” and “switchdesktop,” injecting keyboard and mouse events via the SendInput API so operators can control the system without visible windows or user awareness.

STX RAT acts as a fully featured infostealer, but it activates data theft only after receiving explicit commands from the C2, reducing observable behavior in sandboxes and in cases where the C2 infrastructure is offline.

Once instructed (typically via a “getcreds” command following an introductory “intro” message), it harvests browser cookies and passwords from Firefox, SeaMonkey, and Chromium‑based browsers, Windows Vault credentials, FTP client secrets (including FileZilla and WinSCP), and desktop cryptocurrency wallets such as Litecoin‑Qt and Electrum.

Before exfiltrating credentials, the malware takes a screenshot of the victim’s desktop using GDI BitBlt and sends it as a Base64‑encoded JPEG, giving operators visual context on the compromised system.

STX RAT can also function as a loader, accepting C2‑supplied payloads in multiple formats EXE/BIN, reflective DLLs, raw shellcode, and PowerShell scripts and executing them in memory, including fully fileless PowerShell via a hijacked STDIN pipe.

Persistence and defensive guidance

To maintain persistence, STX RAT leverages several techniques, including HKCU Run keys that launch obfuscated PowerShell loaders, MSBuild‑based project abuse to execute decrypted payloads in memory, and COM object hijacking via malicious scriptlets that ultimately reinvoke its autorun script.

Diffie-Hellman key exchange (Source : eSentire).
Diffie-Hellman key exchange (Source : eSentire).

The malware communicates with its C2 server over TCP sockets via Winsock and protects C2 traffic using ECDH (Elliptic Curve Diffie–Hellman) key exchange.

It also enumerates security products by process and driver names, compiling a list of installed AV solutions to report back to the C2 in its initial beacon.

TRU assesses STX RAT as a low‑visibility but mature threat that blends modern cryptography, sandbox evasion, hidden remote desktop control, and staged infostealing to bypass traditional defenses.

Defenders are advised to harden script execution (for example, redirecting risky extensions like VBS, JS, and HTA, and disabling wscript where possible), deploy robust NGAV/EDR, and consider 24×7 managed detection and response to quickly isolate hosts if STX RAT or similar multi‑stage loaders are detected in their environment.

Related Articles

Back to top button